PKCS#11 interface support on Windows 2000/Server 2003

alejacma — Thu, 06 Mar 2008 09:07:00 GMT

Hi all, welcome back,

I recently had some issues involving PKCS#11 interface on Windows, and it seems quite clear that we don't support it, at least on Windows 2000 & Server 2003, and as far as I know on any other version of Windows:

Public Key Interoperability
"
Hardware Support
...
Windows 2000 uses CryptoAPI to abstract hardware-based key management from applications and uses the PC/SC standard instead of PKCS#11 to communicate with smart cards and readers. Entrust, Netscape and Baltimore have their own cryptographic APIs and use PKCS#11 to interface to hardware tokens like smart cards. IBM uses CDSA as its cryptographic framework that includes support for hardware devices. Because Windows 2000 requires hardware devices to also support Plug and Play and Power Management features, and Microsoft's implementation of PC/SC includes support for these ease-of-use features, there are no plans to add support for PKCS#11 in Windows 2000.
"

Evaluating Factors That Affect Extended Trusts
"
Algorithm Support
...
Windows Server 2003 uses CryptoAPI to abstract hardware-based key management from applications, and it uses the PC/SC standard instead of PKCS#11 to communicate with smart cards and readers. Many third-party CAs have their own cryptographic APIs and use PKCS#11 to interface to hardware tokens such as smart cards. Because Windows 2000 and Windows Server 2003 require hardware devices to support Plug and Play and power management features, and PC/SC includes support for these ease-of-use features, Windows Server 2003 does not support PKCS#11.
Note
• The Windows Server 2003 PKI can use third-party CSPs, and can enroll users for certificates that have keys that were generated by third-party CSPs.
"

So if you have any issues with a PKCS#11 interface, Microsoft Technical Support is not the one you should contact, but the provider of the interface instead.

I hope this helps.

Cheers,

Alex (Alejandro Campos Magencio)

SCardGetStatusChange fails with SCARD_E_NO_SERVICE error

alejacma — Mon, 17 Dec 2007 12:41:00 GMT

Hi, welcome back,

Smart Card Redirection on Microsoft Remote Desktop Protocol (RDP) client 6.0 may cause SCardGetStatusChange to fail with error 0x8010001d - SCARD_E_NO_SERVICE - "The Smart card resource manager is not running.".

When a user connects from her machine A (i.e. Windows XP SP2) to a remote machine B (i.e. Windows Vista) using Microsoft RDP client, she can use her smart card inserted in a reader on machine A to perform operations on remote machine B. This is called smart card redirection and is enabled by default.

However, from RDP client 6.0 on, there appears to be a problem with applications on machine B which call SCardGetStatusChange() in order to monitor smart card status changes, such as smart card insertions and removals. SCardGetStatusChange API fails with the error shown above. Previous versions of the RDP client did not exhibit this problem.

Well, I've seen that this issue happens when some fields of the rgReaderStates structure being passed to SCardGetStatusChange are not being initialized, so they contain invalid values that SCardGetStatusChange tries to use unsuccessfully.

A piece of advice: clean up the fields of the rgReaderStates structure before calling SCardGetStatusChange, so all unused fields are set to 0.

I hope this helps.

Cheers,

Alex (Alejandro Campos Magencio)

Decrypt my World : SCard API

PKCS#11 interface support on Windows 2000/Server 2003

SCardGetStatusChange fails with SCARD_E_NO_SERVICE error