Spat's WebLog (Steve Patrick)

When things go wrong...

So, you want to use smart cards?


Smartcards, password elimination projects ... etc... all good fun.

Well, I got around to compiling a number of challenges which may arise should you decide to get rid of passwords and move to smartcards only.

I don't claim that this list is complete, and I may do another post where I add to it, but it's a good place to start. You will notice that some of these are not public articles; just call in to PSS and ask for them if you really want them.

One more thing: I am very interested in hearing from anyone who is running into problems like these:

Smartcard cached logons - do you randomly seem to lose cached logons?

Slow logons - after implementing smartcards you saw logon times explode.

thanks!

 

spatdsg

 

 

Here is my list:

 

887196 http://support.microsoft.com/default.aspx?scid=kb;en-us;887196 XP - SP2
=======================================================================================
Summary of changes to the CryptoAPI certificate chain validation logic in Windows XP Service Pack 2 

 

895325 http://support.microsoft.com/default.aspx?scid=kb;EN-US;895325 XP - post SP2
=======================================================================================
Lsass.exe crashes soon after you log on to a computer that is running Windows XP Service Pack 2 (SP2) by using a smart card 

"If the domain component of the subject field is not in the last few attributes, you can crash LSASS, for example with a subject like CN="SCLogon", OU=TEST, O=MyOrg, DC=spat, DC=com, C=US."



894069 http://support.microsoft.com/default.aspx?scid=kb;EN-US;894069 XP - post SP2
======================================================================================

You receive the Change Password dialog box when you try to use a smart card to log on to a Windows Server 2003 domain in Windows XP Professional  

When you log on with a smart card to a Windows 2003 domain account whose password has expired, the dialog that prompts the user to change the password contains misleading information:

The “User name” field is empty and the “Old Password” field is filled in.

However, you cannot simply punch in your new password.

The user needs to enter the UPN form of the account in the User name field (like user@domain.com). Generally, users (especially those who log on with a smart card) don't know anything about the UPN form of their user account, so they don't know what to enter.

Also, the fact that the Old Password field is filled in makes the user think he doesn't need to enter it. This is wrong: he needs to clear the field and type the old password, since the prefilled content is not a usable value.

When you install this fix, the message makes it clearer that you should log on with your password:

"Your password has expired and must be changed. Please logon using your password in order to change it."

892647  ( not a public article yet ) XP - post SP2
======================================================================================

Smartcard logon fails after installing WinXP SP2 

After upgrading WinXP Pro to SP2, smart card logon fails.

Uninstall SP2 and sclogon works again.

This problem appears when the sAMAccountName doesn't match the name part of the UPN.
This problem also appears when an alternate UPN suffix is configured.

With the default UPN suffix, and when the sAMAccountName matches the name part of the UPN, sclogon succeeds even with SP2.
 

923401  ( not a public article yet ) Win2k3 - post SP1  AND XP -post SP2
======================================================================================
Smart card logon over Terminal Services (TS) fails.

 

 


915832 http://support.microsoft.com/default.aspx?scid=kb;EN-US;915832 XP - post SP2
======================================================================================
Error message when you try to initiate a dial-up networking connection by using a smart card: "Error 0x80090016 - NTE_BAD_KEYSET"  

When you try to initiate a dial-up networking smart card connection, you may receive the following error message:


Error 0x80090016 - NTE_BAD_KEYSET 

 

 

875506 http://support.microsoft.com/?id=875506 XP - post SP2
======================================================================================

The PIN dialog box may not be displayed when you use a smart card to log on to a Windows Server 2003 Terminal Services session 

 

When you use a smart card to log on to a Microsoft Windows Server 2003 Terminal Services session, the smart card personal identification number (PIN) dialog box may not be displayed. This problem occurs if the following Group Policy settings are configured on the destination computer:

• Interactive logon: Message text for users attempting to log on
• Interactive logon: Message title for users attempting to log on  

 


915428 http://support.microsoft.com/?id=915428  XP - post SP2    
=======================================================

You do not receive an error message that states that you used the wrong PIN when you connect to a wireless 802.1X network by using EAP-TLS on Windows XP-based computer 

Consider the following scenario.

On a Microsoft Windows XP-based computer, you connect to a wireless 802.1X network by using a smart card together with Extensible Authentication Protocol with Transport Level Security (EAP-TLS) and certificates for authentication.

When you log on by using the correct personal identification number (PIN), you can connect successfully. When you log on by using the wrong PIN, you cannot connect. However, in this scenario, you do not receive an error message that states that you used the wrong PIN.

After this fix you will get a balloon pop-up, and you have less chance of locking out the PIN.

 

890937 http://support.microsoft.com/kb/890937  XP - post SP2
=======================================================


Computer authentication cannot complete successfully when you use a smart card to log on to a wireless network in Windows XP or...  "What if you need to use a machine certificate on the machine (soft token) for machine authentication and a user certificate on a smart card for user authentication."

The issue is that the same EAP configuration is used for both machine and user authentication. If a user configures EAP-TLS (with the smart card option), both machine and user authentication will be performed using smart cards.

Machine authentication using a smart card is not possible, because accessing the smart card requires a PIN, and during machine authentication there is no way to show the PIN dialog (no user is logged on). As a result, machine authentication is broken if someone wants to use smart cards for user authentication.

"To enable this hotfix, follow these steps:

1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click to select the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13
3. After you select the key that is specified in step 2, on the Edit menu, point to New, and then click DWORD Value.
4. Type UseSoftTokenWithMachineAuthentication, and then press ENTER.
5. Right-click UseSoftTokenWithMachineAuthentication, and then click Modify.
6. In the Value data box, type 1, and then click OK.
7. Quit Registry Editor."


329433 http://support.microsoft.com/default.aspx?scid=kb;EN-US;329433 XP - post SP1
======================================================================================= 
A Revoked Certificate Is Selected If a Certification Authority in the Chain Has Two Certificates 

Just a hotfix with many generally good changes in crypto, not all of them properly documented in the article text.


 

885423 http://support.microsoft.com/default.aspx?scid=kb;EN-US;885423 XP - post SP2
=======================================================================================

The network provider may not function as expected on your Windows XP-based computer 

"SYMPTOMS
When you manually log on to your Microsoft Windows XP-based computer with a user name and a password, the Winlogon.exe process may prematurely end the Mpnotify.exe process. The Mpnotify.exe process hosts network provider .dll files. Specifically, the Mpnotify.exe process calls the NPLogonNotify function of the network provider .dll file. Therefore, the network provider may not function as expected.

CAUSE
This problem may occur if the following conditions are true:

• You have a smart card reader attached to the workstation.
• The Winlogon.exe process detects the smart card reader in the background during the logon process. The Winlogon.exe process incorrectly ends the Mpnotify.exe process when any secure attention sequence (SAS) events are detected in the background."

 


887578 http://support.microsoft.com/?kbid=887578 Win2k3 - post RTM  AND XP -post SP2
===================================================================================================
You receive a "Logon failure" message when you use a smart card on a Windows Server 2003-based computer

This problem occurs when the certificate revocation list (CRL) is outdated and a new CRL is not available.

A public key infrastructure (PKI) that is not working can cause the distribution server of the CRL not to publish a new CRL. If a new CRL is not published, logons to client computers are not allowed. 

"HKEY_Local_Machine\System\CurrentControlSet\Services\KDC\CRLValidityExtensionPeriod

This DWORD value lets you extend the CRL validity period by a specified number of hours. When you set this value to a non-zero value, the certificate status checking code for smart card logons ignores any validity period errors as long as the CRL is not expired by more than the number of specified hours. This extension of the validity period only applies to CRLs that are used during the evaluation of certificates used for smart card logon.

For example, this extension would apply to a certificate that is issued by a certification authority (CA) that is populated in the NTAuth store and to any certificates that are part of the trust chain used to verify the NTAuth store certificate.

HKEY_Local_Machine\System\CurrentControlSet\Services\KDC\CRLTimeoutPeriod

This DWORD value lets you specify the CRL time-out period to reduce false positives. The Key Distribution Center (KDC) passes this value to the certificate policy checking code. By default, the KDC specifies a time-out value of 90 seconds even if this registry value is not set.

HKEY_Local_Machine\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters\CRLTimeoutPeriod

This DWORD value lets you specify the CRL time-out period to reduce false positives. The Kerberos client passes this value to the certificate policy checking code. By default, the Kerberos client specifies a time-out value of 90 seconds even if this registry value is not set."

 

 


906681 http://support.microsoft.com/?kbid=906681 XP - post SP2
========================================================================
A user can log on to a Windows XP-based computer by using a user name and a password, even though the "Smart card is required for interactive logon" user account property is set 

Consider the following scenario:

• The "Smart card is required for interactive logon" user account property is set on a computer that is running Microsoft Windows XP.
• The smart card is lost or damaged. The user is temporarily permitted to log on by entering a user name and a password.
• Later, a new smart card is issued to the user. The user is again required to log on only by using a smart card.

In this scenario, the user can still log on offline with the temporary user name and password.

CAUSE
This problem occurs because the user name and the password are cached on the computer.

This fix deletes the previously cached user name and password, which makes sense if you have set the "Smart card is required for interactive logon" account property.

 

IMPORTANT NOTE ( UNDOCUMENTED )

Win2k3 - post 887578
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors

XP - post 906681
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos
UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors

What does this do?
The default value is 0. When this value is non-zero, the Kerberos client uses the cached CRL only and ignores revocation-unknown errors. If the value is not present, it is treated as 0.

This setting is valid for 2k3 and XP as noted above.
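To make the interplay between CRLValidityExtensionPeriod and CRLTimeoutPeriod (887578 above) and the undocumented UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors value concrete, here is a small Python model of the resulting smart card logon decision. It is an added example, not Windows code; the points the KB text leaves open (that an unreachable CDP yields "revocation unknown", and that cached-only mode uses the cached CRL regardless of its age) are assumptions marked in the comments, and the serial numbers and timestamps are constructed.

```python
"""Simplified model of the CRL checks that gate smart card logon.

Added example, not Windows code. The three settings map onto the registry
values discussed in the post; the branch semantics marked ASSUMPTION are not
spelled out in the KB text.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, FrozenSet, Optional


@dataclass(frozen=True)
class Crl:
    next_update: datetime        # the CRL's "Next update" time
    revoked: FrozenSet[str]      # serial numbers the CRL lists as revoked


@dataclass(frozen=True)
class CrlSettings:
    validity_extension_hours: int = 0   # KDC\CRLValidityExtensionPeriod (hours a stale CRL is still accepted)
    use_cached_crl_only: bool = False   # UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors != 0
    timeout_seconds: int = 90           # CRLTimeoutPeriod; the KDC default is 90 s even when unset


class CrlFetchTimeout(Exception):
    """Raised by a fetcher when the CRL distribution point does not answer in time."""


def crl_within_validity(crl: Crl, now: datetime, settings: CrlSettings) -> bool:
    """True if the CRL has not expired, or has expired by no more than the extension period."""
    return now <= crl.next_update + timedelta(hours=settings.validity_extension_hours)


def revocation_status(serial: str, cached: Optional[Crl], now: datetime,
                      settings: CrlSettings, fetch: Callable[[int], Crl]) -> str:
    """Return 'good', 'revoked' or 'unknown' for one certificate serial number."""
    crl: Optional[Crl] = None
    if settings.use_cached_crl_only:
        # ASSUMPTION: cached-only mode never downloads and uses whatever is cached, stale or not.
        crl = cached
    elif cached is not None and crl_within_validity(cached, now, settings):
        crl = cached
    else:
        # Cached copy missing or too stale: try the CDP, bounded by CRLTimeoutPeriod.
        try:
            fresh = fetch(settings.timeout_seconds)
        except CrlFetchTimeout:
            fresh = None                     # ASSUMPTION: a timeout leaves status unknown
        if fresh is not None and crl_within_validity(fresh, now, settings):
            crl = fresh
    if crl is None:
        return "unknown"
    return "revoked" if serial in crl.revoked else "good"


def smartcard_logon_allowed(serial: str, cached: Optional[Crl], now: datetime,
                            settings: CrlSettings, fetch: Callable[[int], Crl]) -> bool:
    """Refuse on 'revoked'; refuse on 'unknown' unless policy says to ignore unknown errors."""
    status = revocation_status(serial, cached, now, settings, fetch)
    if status == "revoked":
        return False
    if status == "unknown":
        return settings.use_cached_crl_only
    return True


# Constructed scenario: the cached CRL expired ten hours before "now".
NOW = datetime(2006, 1, 10, 12, 0)
STALE_CRL = Crl(next_update=datetime(2006, 1, 10, 2, 0), revoked=frozenset({"1a2b"}))


def unreachable_cdp(timeout_seconds: int) -> Crl:
    """Fetcher standing in for a CRL distribution point that never answers (the 887578 case)."""
    raise CrlFetchTimeout(f"no CRL within {timeout_seconds}s")


def fresh_cdp(timeout_seconds: int) -> Crl:
    """Fetcher standing in for a healthy CDP publishing a current CRL."""
    return Crl(next_update=NOW + timedelta(days=7), revoked=frozenset({"1a2b", "ffff"}))


if __name__ == "__main__":
    print(smartcard_logon_allowed("ffff", STALE_CRL, NOW, CrlSettings(), unreachable_cdp))                             # False
    print(smartcard_logon_allowed("ffff", STALE_CRL, NOW, CrlSettings(validity_extension_hours=24), unreachable_cdp))  # True
    print(smartcard_logon_allowed("abcd", None, NOW, CrlSettings(use_cached_crl_only=True), unreachable_cdp))          # True
```

The first two calls show the 887578 symptom and its workaround: with the CDP down, a ten-hour-stale CRL blocks logon until CRLValidityExtensionPeriod covers the gap.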

 

887535 http://support.microsoft.com/?id=887535 XP - post SP2
========================================================================

A user may log on successfully after a smart card certificate is revoked or after their user account is disabled in Windows XP 

"A user may log on successfully to a computer when either of the following conditions is true even though their smart card certificate has been revoked or their user account has been disabled in Microsoft Windows XP:

• If the smart card certificate of the user has been revoked and the user has tried unsuccessfully to log on online at least one time, the user may still be able to log on offline and have access to network resources by using the NET USE command.
• If the account of the user has been disabled in the Active Directory directory service and the user has tried unsuccessfully to log on online at least one time, the user may successfully log on offline."

If we detect that the smart card certificate is revoked, we delete the current cached credentials.

 

906524 http://support.microsoft.com/?id=906524 XP - post SP2    
========================================================================

Error message when you try to connect to a remote share by using NTLM authentication on a Windows XP-based computer: "Logon failure: unknown user name or bad password"


When you use “runas /smartcard cmd” to start a cmd window and then run “dir \\server_ip_address\share”, the following error is returned: "Logon failure: unknown user name or bad password", and the bad password count is increased for the user account.

Why?

The article is not very clear, but what it means is that when you use runas /smartcard, the OS does not use the correct supplemental credentials, which ought to be gathered when the smart card is used for the "logon" performed by runas /smartcard.

 


898061  ( not yet a public article ) Win2k3 - post SP1  
========================================================================

Scenario: You have a wireless networking deployment and want to use PKI-issued certificates for EAP-TLS-based authentication, but the certificates do not contain the server or client authentication EKU.

The current EAP-TLS implementation requires the server authentication EKU and the client authentication EKU to be present in certificates. If the customer's certificates do not contain the required server or client authentication EKU, authentication fails.

Correspondingly, the customer cannot use EAP-TLS for authentication with the PKI certificates.

In order to use this fix you must set the following on the server:
Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13
Name: TlsServerUseAllPurposeCert
Type: REG_DWORD
Values: 0, 1

When TlsServerUseAllPurposeCert is not present or is 0: the EAP-TLS UI in the server role displays only certificates containing the server authentication EKU.

When TlsServerUseAllPurposeCert is 1: EAP-TLS displays only general-purpose certificates (containing no EKU whatsoever).

 

 

893226 http://support.microsoft.com/?id=893226 XP - post SP2 
========================================================================
A user receives an "Unable to log you on because it is required that you use a smart card" message when the user tries to log on to your Windows XP-based computer by using Remote Assistance.

Consider the following scenario.

You enable the "Interactive logon: Require smart card" security setting on your Microsoft Windows XP-based computer so that users have to use a smart card to log on to the local computer. To do this, you follow the steps that are described in the following article in the Microsoft Knowledge Base:

834875 (http://support.microsoft.com/kb/834875/) Update for the "Interactive logon: Require smart card" security setting in Windows XP

After you enable the security setting, users cannot log on to your computer by using Remote Assistance. When a user on a remote computer tries to log on to your computer by using Remote Assistance, the user receives the following message:

"Unable to log you on because it is required that you use a smart card to log on, please contact your administrator"

 


835746 http://support.microsoft.com/?id=835746 XP - post SP1
========================================================================

A delay may occur before the logon text changes to "Insert card or press Ctrl-Alt-Delete to begin" when you use a smart card reader with a Windows XP-based computer.

Prior to this fix (which is also in SP2) it may take 20-30 seconds for the msgina display to change to include "insert smartcard." After applying the hotfix, the delay should be significantly shorter.

 


890042 http://support.microsoft.com/?id=890042 XP - post SP2 
========================================================================    

You lose access to network resources after you resume your Windows XP-based computer from standby  

If you log on with a smart card, put the computer on standby, and then resume your Microsoft Windows XP-based computer while your network is either disconnected or down, you lose access to your network resources after network connectivity is restored. Additionally, if your Windows XP-based computer is moved to a different network while it is on standby, you lose access to network resources when you resume the computer.

890837 http://support.microsoft.com/?id=890837 XP - post SP2
========================================================================

You are prompted to press CTRL+ALT+DEL to unlock your computer when you use a smart card to log on to your Windows XP-based computer 

It is a bit confusing to see a prompt for CAD (Ctrl+Alt+Del); the user may press it and then enter his PIN or something, so we changed the strings to say something like

"Insert card to begin" etc..

To enable this hotfix, follow these steps:


1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
3. With the registry subkey from step 2 selected, on the Edit menu, point to New, and then click DWORD Value.
4. Type AltSCMessages, and then press ENTER.
5. Right-click AltSCMessages, and then click Modify.
6. In the Value data box, type 1, and then click OK.
7. Quit Registry Editor.

 


893376 http://support.microsoft.com/default.aspx?scid=kb;EN-US;893376 XP - post SP2
========================================================================

Stack corruption occurs if you remove and insert a smart card during a user log on process in Windows XP Service Pack 1 or Windows XP Service Pack 2

SYMPTOMS

Consider the following scenario:

• You use a smart card for user authentication on a computer that is running either Microsoft Windows XP Service Pack 1 (SP1) or Windows XP Service Pack 2 (SP2).
• You insert the smart card into the reader and type the PIN to initiate the logon process.
• You remove the smart card before the logon process is completed.
• You insert the smart card again.

In this scenario, a stack corruption occurs, and the computer stops responding (hangs).

Additionally, you receive the following error message:

STOP: 0xc000021a {Fatal System Error}

 

 


910482 http://support.microsoft.com/default.aspx?scid=kb;EN-US;910482 XP - post SP2
======================================================================================

After you remove a smart card from a Windows XP-based computer, you are not logged off, or the workstation is not locked

On a Microsoft Windows XP-based computer, you remove a smart card after the logon window appears. After you do this, you are not logged off, or the workstation is not locked.

The behavior occurs even if the value of the ScRemoveOption registry entry is set to 2 (Force logoff) or to 1 (Lock workstation).

Note You can locate the ScRemoveOption registry entry under the following registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

 


883529 http://support.microsoft.com/default.aspx?scid=kb;EN-US;883529 XP - post SP2
======================================================================================

Removing a smart card immediately after you log off a Windows XP-based computer may cause the computer to stop responding 


If you remove your smart card immediately after you log off a Microsoft Windows XP-based computer, the computer may stop responding (hang) and you cannot log back on.   


 

  • We are currently experiencing random lockout issues when accessing shares that are NTLM based. This is only an issue for those using smartcard based remote access. The shares are all on W2K Advanced + SP4 based 2-node clusters. We are in the process of enabling Kerberos on all network names so the shares are accessible using Kerberos. Kerberos doesn't seem to cause issues.

    I didn't realise runas had a /smartcard switch. But this error is happening without using cmd launched using runas. We are accessing UNCs directly using explorer.

    My personal suspicion was that because the user has never logged on to the PC using a password and no passwords seemed to be cached for shares based on the "stored user names and passwords" tool, I assume it's trying to send something across as a password. Not sure what. I have a network trace I can send if you like.

    I have also had issues where sometimes the user cannot logon using smartcard based cached credentials. It's generally very rare.

    I seem to also vaguely recall there were issues sometimes unlocking an already established logon session and the laptop is on the network. But as we aren't certain if the RAS link has been dropped (timed out), they may not be able to unlock as it can't contact a DC. Therefore we remove the cable and then try to unlock. Very rarely I think this also can fail. But I am not certain and I could be telling lies here ;-)
  • We are currently experiencing random lockout issues when accessing shares that are NTLM based. This is only an issue for those using smartcard based remote access. The shares are all on W2K Advanced + SP4 based 2-node clusters. We are in the process of enabling Kerberos on all network names so the shares are accessible using Kerberos. Kerberos doesn't seem to cause issues.

    I didn't realise runas had a /smartcard switch. But this error is happening without using cmd launched using runas. We are accessing UNCs directly using explorer.

    My personal suspicion was that because the user has never logged on to the PC using a password and no passwords seemed to be cached for shares based on the "stored user names and passwords" tool,

    [***  spatdsg *** ] This list of users' stored passwords and user names is not the same set of creds one would use when accessing an NTLM resource. When we do a smartcard logon, we actually store the NT hash info as well as the Kerberos ticket info in order to access NTLM resources. This shouldn't matter whether the user has logged on to the workstation before or not. However, I am curious whether you set the user's account bit for “Smartcard is required for interactive logon”?

    I assume it's trying to send something across as a password. Not sure what. I have a network trace I can send if you like.

    [***  spatdsg *** ] It would use the data I mentioned previously for the NTLM negotiations. If you have set “Smartcard is required for interactive logon” then the user's password has been scrambled and he has no idea what his password really is. Is this the case? If so, perhaps there is another resource which has the previous password cached and is using it from somewhere?
    The netlogon logs (see http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx) would assist here; we could identify which machine the bad password attempts were actually coming from. If you look at that URL, see the section "Netlogon Log File Walkthrough".

    I have also had issues where sometimes the user cannot logon using smartcard based cached credentials. It's generally very rare.

    [***  spatdsg *** ] Are these incidents from users who VPN in?

    I seem to also vaguely recall there were issues sometimes unlocking an already established logon session and the laptop is on the network. But as we aren't certain if the RAS link has been dropped (timed out), they may not be able to unlock as it can't contact a DC. Therefore we remove the cable and then try to unlock. Very rarely I think this also can fail. But I am not certain and I could be telling lies here ;-)

    [***  spatdsg *** ] If this fails, are we lumping it into the same scenario as lost cached credentials?
  • Yes we did have the “Smartcard is required for interactive logon” bit set. The users who couldn't logon using cached credentials were VPN users. We don't logon to the domain direct over the VPN. Instead, the users use cached credentials to logon, establish the VPN and then pull and reinsert the card to simulate a logon. And yes if the last scenario does happen where a session can't be unlocked, I would lump it with lost credentials.

    I am trying to get some info from our main VPN users. Once I do, I'll keep you posted.
  • OK - well read over that link to netlogon logging there and then we can take this offline to work on it once you have the logs
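As an added example (not from the post or from the commenters), here is a Python triage script for the netlogon.log approach suggested above: it parses the "SamLogon ... Returns <status>" records and reports which source machine is sending the bad passwords for each account, which is the question the lockout thread needs answered. The log lines are constructed to mimic the netlogon.log format described in the linked walkthrough; the domain, host and account names are made up.

```python
"""Find which machine is generating bad-password attempts from a netlogon.log.

Added example, not part of the original post. SAMPLE_LOG is constructed to
mimic netlogon.log "SamLogon ... Returns <NTSTATUS>" records; it is not a real
capture.
"""
import re
from collections import Counter

# NTSTATUS values that matter for lockout triage.
STATUS_WRONG_PASSWORD = "0xC000006A"
STATUS_ACCOUNT_LOCKED_OUT = "0xC0000234"
STATUS_SUCCESS = "0x0"

# Constructed sample: jdoe's stale NTLM creds are being replayed through
# FILESRV01 (the share server) while jdoe's own logons from LAPTOP07 succeed.
SAMPLE_LOG = r"""
03/03 09:16:29 [LOGON] SPAT: SamLogon: Transitive Network logon of SPAT\jdoe from \\FILESRV01 (via RAS01) Entered
03/03 09:16:29 [LOGON] SPAT: SamLogon: Transitive Network logon of SPAT\jdoe from \\FILESRV01 (via RAS01) Returns 0xC000006A
03/03 09:16:31 [LOGON] SPAT: SamLogon: Transitive Network logon of SPAT\jdoe from \\FILESRV01 (via RAS01) Returns 0xC000006A
03/03 09:17:02 [LOGON] SPAT: SamLogon: Network logon of SPAT\jdoe from \\LAPTOP07 Returns 0x0
03/03 09:17:40 [LOGON] SPAT: SamLogon: Transitive Network logon of SPAT\jdoe from \\FILESRV01 (via RAS01) Returns 0xC000006A
03/03 09:18:05 [LOGON] SPAT: SamLogon: Transitive Network logon of SPAT\asmith from \\FILESRV01 (via RAS01) Returns 0xC0000234
"""

# One "Returns" record per line; the optional "[nnnn]" after [LOGON] is the
# thread id some builds write. "Entered" lines carry no status and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] (?:\[\d+\] )?"
    r"(?P<domain>\S+): SamLogon: (?P<kind>.+?) logon of (?P<account>\S+) "
    r"from (?P<source>\S+)(?: \(via (?P<via>\S+)\))? Returns (?P<status>0x[0-9A-Fa-f]+)$"
)


def parse_returns(text):
    """Yield one dict (ts, domain, kind, account, source, via, status) per Returns record."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def bad_password_sources(text):
    """Count wrong-password results per (account, source machine)."""
    counts = Counter()
    for rec in parse_returns(text):
        if rec["status"].upper() == STATUS_WRONG_PASSWORD.upper():
            counts[(rec["account"], rec["source"])] += 1
    return counts


def lockouts(text):
    """Return (timestamp, account, source) for every locked-out result, in log order."""
    return [(r["ts"], r["account"], r["source"])
            for r in parse_returns(text)
            if r["status"].upper() == STATUS_ACCOUNT_LOCKED_OUT.upper()]


def suspects(text, threshold=3):
    """Sources that produced at least `threshold` bad passwords for a single account."""
    return {key: n for key, n in bad_password_sources(text).items() if n >= threshold}


if __name__ == "__main__":
    for (account, source), n in suspects(SAMPLE_LOG).items():
        print(f"{n} bad passwords for {account} from {source}")
    for ts, account, source in lockouts(SAMPLE_LOG):
        print(f"{ts} {account} locked out (last attempt from {source})")
```

Run against a real netlogon.log the "source" column is the machine to inspect for a stale stored credential (a mapped drive, a service, a scheduled task) left over from before the account was switched to smart card only.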

  • I am in the middle of a smart card pilot, and I noticed a few things. First, with smart cards, logon goes from about 1 second to 4-5 seconds directly, and up to 20 seconds on Remote Desktop w/ smart card. Also, I noticed that I'm still able to connect to NT 4 boxes when I logon with a smart card. How's that happening? Does the DC send the NTLM hash to the workstation when I do a smart card logon?

    Thanks
  • Smartcard logon will introduce some additional time due to the certificate validation process. The longer times via remote desktop can be attributed to the roundtrips to the client for CSP processing.

    This is (kind of) explained here:

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnscard/html/smartcardcspcook.asp

    In a terminal server session, calls from the CSP on the remote machine to the local smart card reader need to be redirected, as shown in Figure 4, below. WinScard.dll deals with the redirection and since all smart card subsystem calls must go through WinScard.dll there is no need for the CSP to deal with this directly.

    I will say that some CSPs handle this better than others.

    And yes, you are correct, that the DC sends the NTLM hash info during a smartcard logon.

  • Thanks for the information. It explains the delay with terminal servers. Do you have a link or any info about what happens on the wire during a smart card logon?

    Thanks again
  • Logon went to 4-5 minutes for Activcard logon to server via RDP - I'm looking for help with what to get from USERENV, traces, etc. What should we be looking for in the traces?
  • Regarding the Terminal Server scenario and smartcard delays.

    Network traces probably won't help to analyze this because the data is sent via the RDP session, which is not parsed. The userenv log (from the server side) only gets you the information after logon has initiated. There may be some interesting info there, but nothing which reveals info about the SC logon session (at least that I can think of right now).

    I'll do a short post later (maybe next week) about the flow for this redirected SC logon. Unfortunately, there is no tracing or logging in these components.

    spatdsg
  • In a recent post I outlined a number of ‘challenges’ to implementing smartcards. I also asked about people

  • hello

    (sorry for my bad English!)

    I'm trying to develop an 'elevation tool' for my company, using secondary logon programmatically (CreateProcessWithLogon in C++) with the current user credentials previously stored in the registry.

    (First I add the user to the local admin group, then run the process with the stored user account and finally remove the user from the group: the app now runs with 'admin' privileges under the same profile, very useful!!!)

    Everything works fine with normal credentials, even offline. But with smart cards, the user can logon offline without problem, but the secondary logon does not work (both in Windows and in my program).

    It reads the card but I get an 'incorrect PIN code'; seems to be a problem with cached credentials or certificates maybe...

    Is there any way to get this work ?

    domain policy tweaks, etc..

    we're using XP SP2 and AD domain under 2003 SP1.

    Thanks in advance for any help ! :p

  • Since my message I updated the PKI2 client software on my company computers and the problem is solved. :p

  • I have a Windows XP Professional stand-alone workstation on which I would like to enable smart card logon. Is it possible to use smart card login on a computer that is not part of a domain, with only local users?

    Everything I have found is for active directory rather than professional.

    Thanks in advance for any help.

  • you cannot use smartcards on a machine not part of a domain ( at least not in the native OS ) there may be some 3rd party product. You can get one of those machines which does fingerprint logon though.

  • This is the best source of info for smartcards. Great job! I bookmarked this and I'm sending it to my colleagues.
