Spat's WebLog (Steve Patrick)

When things go wrong...

So, you want to use smart cards?


Smartcards, password elimination projects ... etc... all good fun.

Well, I got around to compiling a number of challenges which may arise should you decide to get rid of passwords and move to smartcards only.

I don't claim that this list is complete, and I may do another post where I add to it, but it's a good place to start. You will notice that some of these are not public articles; just call in to PSS and ask for them if you really want them.

One more thing: I am very interested in hearing from anyone who is running into problems like these:

Smartcard cached logons - do you randomly seem to lose cached logons?

Slow logons - after implementing smartcards you saw logon times explode.

thanks!

spatdsg

Here is my list:


887196 http://support.microsoft.com/default.aspx?scid=kb;en-us;887196 XP - SP2
=======================================================================================
Summary of changes to the CryptoAPI certificate chain validation logic in Windows XP Service Pack 2 

 

895325 http://support.microsoft.com/default.aspx?scid=kb;EN-US;895325 XP - post SP2
=======================================================================================
Lsass.exe crashes soon after you log on to a computer that is running Windows XP Service Pack 2 (SP2) by using a smart card 

If the domain component (DC=) attributes of the certificate's subject field are not the last attributes in the DN, you can crash LSASS. A subject like the following one, where C=US comes after the DC components, triggers it:

CN=SCLogon, OU=TEST, O=MyOrg, DC=spat, DC=com, C=US
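A quick way to catch that subject shape before the cards go out, as an added example that is not from the original post or from the KB article: it splits the subject DN in the order Windows displays it (the same order as the example above) and flags any certificate carrying the Smart Card Logon EKU (1.3.6.1.4.1.311.20.2.2) whose DC= components are followed by other attributes. The simple splitter assumes commas inside RDN values are backslash-escaped rather than quoted; the store path is the current user's personal store, and the two DN strings at the end are constructed from the article's example.

```powershell
# Added example, not from the original post: detect subject DNs where the DC=
# components are not the trailing attributes (the KB 895325 crash shape).
# Splits on commas that are not backslash-escaped; quoted commas inside an RDN
# value are an assumption this parser does not handle.
function Test-DcComponentsLast {
    param([Parameter(Mandatory)][string]$SubjectDn)

    $rdns  = @($SubjectDn -split '(?<!\\),\s*' | Where-Object { $_ -ne '' })
    $types = @($rdns | ForEach-Object { ($_ -split '=', 2)[0].Trim().ToUpperInvariant() })

    $firstDc = [array]::IndexOf($types, 'DC')
    if ($firstDc -lt 0) { return $true }          # no DC= at all: nothing to trip over

    # Safe only if every attribute from the first DC= onwards is also DC=
    $tail = $types[$firstDc..($types.Count - 1)]
    return -not ($tail | Where-Object { $_ -ne 'DC' })
}

# Scan the current user's personal store for certificates with the Smart Card
# Logon EKU and list those whose subject would trip the pre-hotfix LSASS.
function Get-BadSmartCardLogonSubjects {
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $eku = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.4.1.311.20.2.2' })
    } | Where-Object { -not (Test-DcComponentsLast $_.Subject) } |
      Select-Object Thumbprint, Subject
}

# Constructed from the article's example: C=US trails the DC components (bad shape)
Test-DcComponentsLast 'CN=SCLogon, OU=TEST, O=MyOrg, DC=spat, DC=com, C=US'
# Same attributes reordered so the DC components come last
Test-DcComponentsLast 'CN=SCLogon, OU=TEST, O=MyOrg, C=US, DC=spat, DC=com'

Get-BadSmartCardLogonSubjects
```

Point the store path at Cert:\LocalMachine\My, or at an exported .cer loaded with Get-PfxCertificate, if the cards are enrolled from a template you want to vet before issuance.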



894069 http://support.microsoft.com/default.aspx?scid=kb;EN-US;894069 XP - post SP2
======================================================================================

You receive the Change Password dialog box when you try to use a smart card to log on to a Windows Server 2003 domain in Windows XP Professional  

When you log on with a smart card to a Windows Server 2003 domain account whose password has expired, the dialog that prompts the user to change the password contains misleading information:

The "User name" field is empty and the "Old Password" field is filled in.

However, you cannot simply punch in your new password.

The user needs to enter the account in UPN form in the "User name" field (like user@domain.com). Generally, users (especially the ones that use a smart card to log on) don't know anything about the UPN form of their user account, so they don't know what to enter.

Also, the fact that the old password field is filled in makes the user think he doesn't need to enter it. This is wrong: he needs to clear its contents and then type the old password, since what it initially contains is of no use.

When you install this fix, the message makes it clearer that you need to log on with your password:

"Your password has expired and must be changed. Please logon using your password in order to change it."

892647  ( not a public article yet ) XP - post SP2
======================================================================================

Smartcard logon fails after installing WinXP SP2 

After upgrading WinXP Pro to SP2, smart card logon fails.

Uninstall SP2 and sclogon works again.

This problem appears when the sAMAccountName doesn't match the name part of the UPN.
This problem also appears when an alternate UPN suffix is configured.

With the default UPN suffix, and when the sAMAccountName matches the name part of the UPN, sclogon succeeds even with SP2.
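To find the accounts that will hit this before rolling SP2 out, here is an added example (mine, not the article's) that walks the domain with ADSI for users flagged "Smart card is required for interactive logon" (userAccountControl bit 0x40000 = 262144, matched with the LDAP bitwise-AND rule) and reports any whose sAMAccountName differs from the name part of the UPN, or whose UPN suffix is not the domain's DNS name. It assumes PowerShell 3.0 or later on a domain-joined machine; the domain DNS name is derived from defaultNamingContext, which only holds for the domain partition.

```powershell
# Added example, not from the original post: find smart-card-required accounts
# whose UPN does not line up with sAMAccountName / the default UPN suffix
# (the KB 892647 failure conditions). Uses ADSI so no AD module is needed.
function Test-UpnMatchesSamAccount {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [AllowEmptyString()][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$DomainDnsName
    )
    if ([string]::IsNullOrEmpty($UserPrincipalName)) {
        # No explicit UPN: the implicit default (sam@domain) is the safe case
        return [pscustomobject]@{ Ok = $true; Reason = 'no UPN set (implicit default)' }
    }
    $name, $suffix = $UserPrincipalName -split '@', 2
    $reasons = @()
    if ($name -ne $SamAccountName) { $reasons += "UPN name '$name' != sAMAccountName '$SamAccountName'" }
    if ($suffix -ne $DomainDnsName) { $reasons += "alternate UPN suffix '$suffix'" }
    [pscustomobject]@{ Ok = ($reasons.Count -eq 0); Reason = ($reasons -join '; ') }
}

function Get-SmartCardUpnMismatches {
    $root      = [adsi]'LDAP://RootDSE'
    $defaultNc = [string]$root.defaultNamingContext
    # Domain DNS name from the domain partition DN, e.g. DC=spat,DC=com -> spat.com
    # (assumption: defaultNamingContext contains only DC= components)
    $domainDns = ($defaultNc -split ',' | ForEach-Object { ($_ -split '=', 2)[1] }) -join '.'

    # 262144 = 0x40000 = ADS_UF_SMARTCARD_REQUIRED; 1.2.840.113556.1.4.803 = bitwise AND
    $searcher = [adsisearcher]"(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=262144))"
    $searcher.SearchRoot = [adsi]"LDAP://$defaultNc"
    $searcher.PageSize   = 1000
    $searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'userPrincipalName'))

    foreach ($r in $searcher.FindAll()) {
        # Property names come back lower-cased; Select -First avoids indexing an empty collection
        $sam = [string]($r.Properties['samaccountname']     | Select-Object -First 1)
        $upn = [string]($r.Properties['userprincipalname'] | Select-Object -First 1)
        $check = Test-UpnMatchesSamAccount -SamAccountName $sam -UserPrincipalName $upn -DomainDnsName $domainDns
        if (-not $check.Ok) {
            [pscustomobject]@{ sAMAccountName = $sam; userPrincipalName = $upn; Problem = $check.Reason }
        }
    }
}

Get-SmartCardUpnMismatches | Format-Table -AutoSize
```

Test-UpnMatchesSamAccount is split out so you can run it against exported user lists as well; an account that comes back with an "alternate UPN suffix" reason is one where the suffix itself, not a renamed account, is what breaks sclogon on SP2.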
 

923401  ( not a public article yet ) Win2k3 - post SP1  AND XP -post SP2
======================================================================================
 Smartcard over TS  fails. 

 

 


915832 http://support.microsoft.com/default.aspx?scid=kb;EN-US;915832 XP - post SP2
======================================================================================
Error message when you try to initiate a dial-up networking connection by using a smart card: "Error 0x80090016 - NTE_BAD_KEYSET"  

When you try to initiate a dial-up networking smart card connection, you may receive the following error message:


Error 0x80090016 - NTE_BAD_KEYSET 

 

 

875506 http://support.microsoft.com/?id=875506 XP - post SP2
======================================================================================

The PIN dialog box may not be displayed when you use a smart card to log on to a Windows Server 2003 Terminal Services session 

 

When you use a smart card to log on to a Microsoft Windows Server 2003 Terminal Services session, the smart card personal identification number (PIN) dialog box may not be displayed. This problem occurs if the following Group Policy settings are configured on the destination computer:

• Interactive logon: Message text for users attempting to log on
• Interactive logon: Message title for users attempting to log on  

 


915428 http://support.microsoft.com/?id=915428  XP - post SP2    
=======================================================

You do not receive an error message that states that you used the wrong PIN when you connect to a wireless 802.1X network by using EAP-TLS on a Windows XP-based computer 

Consider the following scenario.

On a Microsoft Windows XP-based computer, you connect to a wireless 802.1X network by using a smart card together with Extensible Authentication Protocol with Transport Level Security (EAP-TLS) and certificates for authentication.

When you log on by using the correct personal identification number (PIN), you can connect successfully. When you log on by using the wrong PIN, you cannot connect. However, in this scenario, you do not receive an error message that states that you used the wrong PIN.

After this fix you get a balloon pop-up telling you the PIN was wrong, so there is less chance of a PIN lockout from repeated retries.

 

890937 http://support.microsoft.com/kb/890937  XP - post SP2
=======================================================


Computer authentication cannot complete successfully when you use a smart card to log on to a wireless network in Windows XP or...

"What if you need to use a machine certificate on the machine (soft token) for machine authentication and a user certificate on a smart card for user authentication?"

The issue is that the same EAP configuration is used for both machine and user authentication. If a user configures EAP-TLS (with the smart card option), both machine and user authentication will be performed using the smart card.

Machine authentication using a smart card is not possible, because accessing the smart card requires a PIN, and during machine authentication there is no way to show the PIN dialog (no user is logged on). As a result, machine authentication is broken if you want to use smart cards for user authentication.

"To enable this hotfix, follow these steps:

1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click to select the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13
3. After you select the key that is specified in step 2, on the Edit menu, point to New, and then click DWORD Value.
4. Type UseSoftTokenWithMachineAuthentication, and then press ENTER.
5. Right-click UseSoftTokenWithMachineAuthentication, and then click Modify.
6. In the Value data box, type 1, and then click OK.
7. Quit Registry Editor."


329433 http://support.microsoft.com/default.aspx?scid=kb;EN-US;329433 XP - post SP1
======================================================================================= 
A Revoked Certificate Is Selected If a Certification Authority in the Chain Has Two Certificates 

Just a hotfix with many generally good changes in crypto, not all of which are documented in the article text.


 

885423 http://support.microsoft.com/default.aspx?scid=kb;EN-US;885423 XP - post SP2
=======================================================================================

The network provider may not function as expected on your Windows XP-based computer 

"SYMPTOMS
When you manually log on to your Microsoft Windows XP-based computer with a user name and a password, the Winlogon.exe process may prematurely end the Mpnotify.exe process. The Mpnotify.exe process hosts network provider .dll files. Specifically, the Mpnotify.exe process calls the NPLogonNotify function of the network provider .dll file. Therefore, the network provider may not function as expected.

CAUSE
This problem may occur if the following conditions are true:

• You have a smart card reader attached to the workstation.
• The Winlogon.exe process detects the smart card reader in the background during the logon process. The Winlogon.exe process incorrectly ends the Mpnotify.exe process when any secure attention sequence (SAS) events are detected in the background." 

 


887578 http://support.microsoft.com/?kbid=887578 Win2k3 - post RTM  AND XP -post SP2
===================================================================================================
You receive a "Logon failure" message when you use a smart card on a Windows Server 2003-based computer 

This problem occurs when the certificate revocation list (CRL) is outdated and a new CRL is not available.

A public key infrastructure (PKI) that is not working can cause the CRL distribution server not to publish a new CRL. If a new CRL is not published, logons to client computers are not allowed. 

"HKEY_Local_Machine\System\CurrentControlSet\Services\KDC\CRLValidityExtensionPeriod

This DWORD value lets you extend the CRL validity period by a specified number of hours. When you set this value to a non-zero value, the certificate status checking code for smart card logons ignores any validity period errors as long as the CRL is not expired by more than the number of specified hours. This extension of the validity period only applies to CRLs that are used during the evaluation of certificates used for smart card logon.

For example, this extension would apply to a certificate that is issued by a certification authority (CA) that is populated in the NTAuth store and to any certificates that are part of the trust chain used to verify the NTAuth store certificate.

HKEY_Local_Machine\System\CurrentControlSet\Services\KDC\CRLTimeoutPeriod

This DWORD value lets you specify the CRL time-out period to reduce false positives. The Key Distribution Center (KDC) passes this value to the certificate policy checking code. By default, the KDC specifies a time-out value of 90 seconds even if this registry value is not set.

HKEY_Local_Machine\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters\CRLTimeoutPeriod

This DWORD value lets you specify the CRL time-out period to reduce false positives. The Kerberos client passes this value to the certificate policy checking code. By default, the Kerberos client specifies a time-out value of 90 seconds even if this registry value is not set."

 

 


906681 http://support.microsoft.com/?kbid=906681 XP - post SP2
========================================================================
A user can log on to a Windows XP-based computer by using a user name and a password, even though the "Smart card is required for interactive logon" user account property is set 

Consider the following scenario:

• The Smart card is required for interactive logon user account property is set on a computer that is running Microsoft Windows XP. 
• The smart card is lost or damaged. The user is temporarily permitted to log on by entering a user name and a password. 
• Later, a new smart card is issued to the user. The user is again required to log on only by using a smart card. 

In this scenario, the user can still log on offline with the temporary user name and password.

CAUSE
This problem occurs because the user name and the password are cached on the computer.   " 

This fix deletes the previously cached user name and password, which makes sense once "Smart card is required for interactive logon" is set on the account again.

 

IMPORTANT NOTE ( UNDOCUMENTED )

Win2k3 - post 887578
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors

XP - post 906681
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos
UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors

What does this do?
The default value is 0. When this value is non-zero, the Kerberos client uses the cached CRL only and ignores "revocation unknown" errors. If the value is not present it is treated as 0.

This setting is valid for 2k3 and XP at the locations noted above. Keep in mind that a non-zero value trades revocation checking for availability: while it is set, a revoked smart card certificate is not caught until a fresh CRL reaches the cache.
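The following is an added example, not from the post or the KB articles: a read-only audit of the CRL overrides from 887578 together with the undocumented switch above, reporting each value's effect on this machine. The registry paths are the ones listed in the two sections; run it elevated on a DC for the KDC values and on the client for the Kerberos ones. It assumes PowerShell 3.0 or later.

```powershell
# Added example, not from the original post: report the smart card CRL
# overrides (KB 887578 plus the undocumented Kerberos switch) on this host.
# Read-only. Absent or zero is the default, i.e. full revocation checking.
function Get-SmartCardCrlOverrides {
    $checks = @(
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\KDC'; Name = 'CRLValidityExtensionPeriod'
           Role = 'KDC'; Unit = 'hours'; Relaxes = 'accepts a CRL that expired up to N hours ago' },
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\KDC'; Name = 'CRLTimeoutPeriod'
           Role = 'KDC'; Unit = 'seconds'; Relaxes = 'CRL fetch time-out (90 when absent)' },
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'; Name = 'CRLTimeoutPeriod'
           Role = 'Kerberos client'; Unit = 'seconds'; Relaxes = 'CRL fetch time-out (90 when absent)' },
        # Win2k3 location of the undocumented switch
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'; Name = 'UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors'
           Role = 'Kerberos client (2k3)'; Unit = 'flag'; Relaxes = 'cached CRL only, revocation-unknown ignored' },
        # XP location of the same switch
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos'; Name = 'UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors'
           Role = 'Kerberos client (XP)'; Unit = 'flag'; Relaxes = 'cached CRL only, revocation-unknown ignored' }
    )

    foreach ($c in $checks) {
        $value = $null
        # Missing key or missing value both just leave $value at $null
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($item) { $value = $item.($c.Name) }

        $isSet   = ($null -ne $value -and $value -ne 0)
        $effect  = if ($isSet) { "$($c.Relaxes) [$value $($c.Unit)]" } else { 'default (not set)' }
        # Time-outs only change how long we wait; the other two accept stale or unknown status
        $weakens = $isSet -and ($c.Unit -ne 'seconds')

        [pscustomobject]@{
            Role    = $c.Role
            Setting = $c.Name
            Value   = $value
            Effect  = $effect
            WeakensRevocationCheck = $weakens
        }
    }
}

Get-SmartCardCrlOverrides | Format-Table -AutoSize
```

Anything that comes back with WeakensRevocationCheck = True is worth a ticket: these switches are the right emergency lever when the CRL distribution point is down, and the wrong thing to leave behind afterwards.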

 

887535 http://support.microsoft.com/?id=887535 XP - post SP2
========================================================================

A user may log on successfully after a smart card certificate is revoked or after their user account is disabled in Windows XP 

"A user may log on successfully to a computer when either of the following conditions is true, even though their smart card certificate has been revoked or their user account has been disabled in Microsoft Windows XP:

• If the smart card certificate of the user has been revoked and the user has tried unsuccessfully to log on online at least one time, the user may still be able to log on offline and have access to network resources by using the NET USE command.
• If the account of the user has been disabled in the Active Directory directory service and the user has tried unsuccessfully to log on online at least one time, the user may successfully log on offline."

With the fix, if the smart card certificate is detected as revoked, the current cached credentials are deleted.

 

906524 http://support.microsoft.com/?id=906524 XP - post SP2    
========================================================================

Error message when you try to connect to a remote share by using NTLM authentication on a Windows XP-based computer: "Logon failure: unknown user name or bad password"


When you use "runas /smartcard cmd" to start a cmd window, then run "dir \\server_ip_address\share", the following error is returned: "Logon failure: unknown user name or bad password", and the bad password count is increased for the user account.

Why?

The article is not very clear, but what it means is that when you use runas /smartcard, the OS does not use the correct supplemental credentials, which ought to be gathered during the "logon" that runas /smartcard performs with the smart card.

 


898061  ( not yet a public article ) Win2k3 - post SP1  
========================================================================

Scenario: You have a wireless networking deployment and want to use PKI-issued certificates for EAP-TLS-based authentication, but do not have the server/client EKU in the certs.

The current EAP-TLS implementation requires the Server Authentication EKU and Client Authentication EKU to be present in certificates. If the customer's certificates do not contain the required server or client auth EKU, authentication fails.

Correspondingly, the customer cannot use EAP-TLS for authentication with those PKI certificates.


In order to use this you must set the following on the server:
Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13
Name: TlsServerUseAllPurposeCert
Type: REG_DWORD
Values: 0, 1

When TlsServerUseAllPurposeCert is not present or is 0: EAPTLS UI in server role will display only certs containing server auth EKU.


When TlsServerUseAllPurposeCert is 1: EAPTLS will display only general purpose certs (containing no EKU whatsoever)
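To see why a "missing EKU" deployment may still find nothing to pick after setting TlsServerUseAllPurposeCert to 1, this added example (not from the post) classifies every certificate in the machine's personal store by the EKUs EAP-TLS looks at: Server Authentication (1.3.6.1.5.5.7.3.1), Client Authentication (1.3.6.1.5.5.7.3.2), or no EKU extension at all. The store path and the reading of the two modes follow the text above; a certificate that has an EKU extension but lacks Server Authentication is what falls through both.

```powershell
# Added example, not from the original post: classify certificates by the
# EKUs the EAP-TLS server role filters on, mirroring the two modes of
# TlsServerUseAllPurposeCert described in KB 898061.
function Get-EapTlsCertClass {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # 2.5.29.37 is the Enhanced Key Usage extension; absent means "all purpose"
    $ekuExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $oids = @()
    if ($ekuExt) { $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    $hasServer = $oids -contains '1.3.6.1.5.5.7.3.1'
    $hasClient = $oids -contains '1.3.6.1.5.5.7.3.2'

    if (-not $ekuExt)   { $class = 'no EKU: offered only with TlsServerUseAllPurposeCert=1' }
    elseif ($hasServer) { $class = 'server auth EKU: offered by the default EAP-TLS UI' }
    else                { $class = 'EKU present but no server auth: offered in neither mode' }

    [pscustomobject]@{
        Subject      = $Cert.Subject
        Thumbprint   = $Cert.Thumbprint
        ServerAuth   = $hasServer
        ClientAuth   = $hasClient
        EkuCount     = $oids.Count
        EapTlsServer = $class
    }
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Get-EapTlsCertClass -Cert $_ } | Format-List
```

The same function run over Cert:\CurrentUser\My (or over the card's certificate) tells you whether the client side has the Client Authentication EKU the text says EAP-TLS insists on.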

 

 

893226 http://support.microsoft.com/?id=893226 XP - post SP2 
========================================================================
A user receives an "Unable to log you on because it is required that you use a smart card" message when the user tries to log on to your Windows XP-based computer by using Remote Assistance.

Consider the following scenario.

You enable the "Interactive logon: Require smart card" security setting on your Microsoft Windows XP-based computer so that users have to use a smart card to log on to the local computer. To do this, you follow the steps that are described in the following article in the Microsoft Knowledge Base:

834875 (http://support.microsoft.com/kb/834875/) Update for the "Interactive logon: Require smart card" security setting in Windows XP

After you enable the security setting, users cannot log on to your computer by using Remote Assistance. When a user on a remote computer tries to log on to your computer by using Remote Assistance, the user receives the following message:

"Unable to log you on because it is required that you use a smart card to log on, please contact your administrator" 

 


835746 http://support.microsoft.com/?id=835746 XP - post SP1
========================================================================

A delay may occur before the logon text changes to "Insert card or press Ctrl-Alt-Delete to begin" when you use a smart card reader with a Windows XP-based computer.

Prior to this fix (which is also in SP2) it may take 20-30 seconds for the msgina display to change to include "insert smart card". After applying the hotfix, the delay should be significantly shorter.

 


890042 http://support.microsoft.com/?id=890042 XP - post SP2 
========================================================================    

You lose access to network resources after you resume your Windows XP-based computer from standby  

If you log on with a smart card, then put the computer into standby and resume it while your network is either disconnected or down, you lose access to your network resources even after network connectivity is restored. Additionally, if your Windows XP-based computer is moved to a different network while it is on standby, you lose access to network resources when you resume the computer.

890837 http://support.microsoft.com/?id=890837 XP - post SP2
========================================================================

You are prompted to press CTRL+ALT+DEL to unlock your computer when you use a smart card to log on to your Windows XP-based computer 

It is a bit confusing to see a prompt for CAD: the user may press it and then enter his PIN or something, so we changed the strings to say something like

"Insert card to begin" etc.

To enable this hotfix, follow these steps:


1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
3. With the registry subkey from step 2 selected, on the Edit menu, point to New, and then click DWORD Value.
4. Type AltSCMessages, and then press ENTER.
5. Right-click AltSCMessages, and then click Modify.
6. In the Value data box, type 1, and then click OK.
7. Quit Registry Editor.
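The regedit walkthroughs above (890937 and this one, plus 898061 on the server side) all come down to creating one DWORD under a key that may not exist yet. Here is an added example, not from the post, that does that from PowerShell with a dry-run option and reads the value back. Before writing, it checks Win32_QuickFixEngineering for the matching KB, since each switch only means something once that hotfix is on the box; that the hotfix is listed under HotFixID in the KBnnnnnn form is an assumption you can bypass with -Force. Run elevated; assumes PowerShell 3.0 or later.

```powershell
# Added example, not from the original post: set the opt-in DWORDs that the
# hotfixes on this page read, after confirming the hotfix is installed.
# Switch list is the page's: KB 890937 / UseSoftTokenWithMachineAuthentication,
# KB 890837 / AltSCMessages, KB 898061 / TlsServerUseAllPurposeCert (server side).
$SmartCardSwitches = @(
    @{ Kb = 'KB890937'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13';      Name = 'UseSoftTokenWithMachineAuthentication' },
    @{ Kb = 'KB890837'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';    Name = 'AltSCMessages' },
    @{ Kb = 'KB898061'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13';      Name = 'TlsServerUseAllPurposeCert' }
)

function Test-HotfixInstalled {
    param([Parameter(Mandatory)][string]$Kb)
    # Assumption: the hotfix shows up in QFE with HotFixID = 'KBnnnnnn'
    [bool](Get-WmiObject Win32_QuickFixEngineering -Filter "HotFixID='$Kb'")
}

function Enable-SmartCardSwitch {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Name, [switch]$Force)

    $sw = $SmartCardSwitches | Where-Object { $_.Name -eq $Name }
    if (-not $sw) { throw "Unknown switch '$Name'" }

    if (-not $Force -and -not (Test-HotfixInstalled $sw.Kb)) {
        Write-Warning "$($sw.Kb) is not installed; $Name would be ignored. Use -Force to set it anyway."
        return
    }
    # EAP\13 in particular may not exist until something has written there
    if (-not (Test-Path $sw.Path)) { New-Item -Path $sw.Path -Force | Out-Null }

    if ($PSCmdlet.ShouldProcess("$($sw.Path)\$Name", 'Set DWORD = 1')) {
        Set-ItemProperty -Path $sw.Path -Name $Name -Value 1 -Type DWord
        # Read it back so the caller sees exactly what the hotfix will see
        (Get-ItemProperty -Path $sw.Path -Name $Name).$Name
    }
}

# Usage: Enable-SmartCardSwitch -Name AltSCMessages -WhatIf     (dry run)
#        Enable-SmartCardSwitch -Name UseSoftTokenWithMachineAuthentication
```

A logoff and logon is enough for AltSCMessages to show; the EAP switches are read when the next 802.1X or dial-up authentication starts.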

 


893376 http://support.microsoft.com/default.aspx?scid=kb;EN-US;893376 XP - post SP2
========================================================================

Stack corruption occurs if you remove and insert a smart card during a user log on process in Windows XP Service Pack 1 or Windows XP Service Pack 2 

SYMPTOMS

Consider the following scenario:

• You use a smart card for user authentication on a computer that is running either Microsoft Windows XP Service Pack 1 (SP1) or Windows XP Service Pack 2 (SP2).
• You insert the smart card in to the reader and type the PIN to initiate the log on process.
• You remove the smart card before the log on process is completed.
• You insert the smart card again.

In this scenario, a stack corruption occurs, and the computer stops responding (hangs).

Additionally, you receive the following error message:

STOP: 0xc000021a {Fatal System Error}

 

 


910482 http://support.microsoft.com/default.aspx?scid=kb;EN-US;910482 XP - post SP2
======================================================================================

After you remove a smart card from a Windows XP-based computer, you are not logged off, or the workstation is not locked

On a Microsoft Windows XP-based computer, you remove a smart card after the logon window appears. After you do this, you are not logged off, or the workstation is not locked.

The behavior occurs even if the value of the ScRemoveOption registry entry is set to 2 (Force logoff) or to 1 (Lock workstation).

Note You can locate the ScRemoveOption registry entry under the following registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

 


883529 http://support.microsoft.com/default.aspx?scid=kb;EN-US;883529 XP - post SP2
======================================================================================

Removing a smart card immediately after you log off a Windows XP-based computer may cause the computer to stop responding 


If you remove your smart card immediately after you log off a Microsoft Windows XP-based computer, the computer may stop responding (hang) and you cannot log back on.   


 

  • We're using smart card to login users into citrix on a 2k3 server, running presentation server 4, from a linux touch screen terminal. It all works fine & we have a custom app that requests the PIN, before the session launches, then passes it into the PIN dialog box (as there is no on screen keyboard until the session opens)

    The problem is, if the user inserts an incorrect pin, they have no on-screen keyboard to type one in. Is there a setting that would close the connection attempt after one incorrect pin entry? Have looked through GP & registry of 2k3 server for this... no luck

  • I don't think there is a setting for this. You can look at the TS Session policies perhaps there is one for:

    This policy setting allows you to specify whether the client will establish a connection to the terminal server when the client cannot authenticate the terminal server. If you enable this policy setting, you must specify one of the following settings:

    Do not connect if authentication fails: The client establishes a connection to the terminal server only if the terminal server can be authenticated.

    I have not tested this though...

    spat

  • Our organization is using smart card logins for student laptops. The students log on to the network to cache their accounts and then have 50 cached logins before they have to physically log back into the network. We have had a few incidents where a student can log in with the cached account, but then when the system locks resuming from the screensaver, they are unable to log back in resulting in a few locked out smart cards requiring resets. The message given is that an incorrect PIN was entered even though it is the correct PIN. Has anyone else experienced this issue and if so, is there a fix available?

  • 1. how do you enforce they will\can only logon 50 times as cached creds?

    2. If the SC logon is failing with the incorrect PIN message - how do they recover and are able to logon again?

    spat

  • 1. how do you enforce they will\can only logon 50 times as cached creds?

    There is a setting in Group Policy that sets the maximum number of cached logins. I believe 50 is the max. It can be found at Computer Configuration/Windows Settings/Local Policies/Security Options. It is one of the Interactive Logon settings.

    [spat] this is not how many times a single user JOE can logon - it is how many individuals can logon - joe, mike, david, bob etc.. however if only joe ever logs on to the machine then joe will be able to logon cached as many times as he wants to.

    2. If the SC logon is failing with the incorrect PIN message - how do they recover and are able to logon again?

    We have had a couple that actually had their SCs locked and required a reset. I believe it may be another interactive logon setting pertaining to unlocking a workstation although our GPO has the correct setting. We will need to wait for this problem to occur again and do a check to see if the GPO is somehow outdated.

  • I am having a problem when using smart cards in a VDI scenario. The smart cards work fine to a 2003 rs TS session, but when connecting to an XP Sp2 vdi session, they work and lock the work station on removal, but on re-insertion of the smart card I get the error "Cannot log on. Smart card not present"

  • I don't know anything about VDI - looks like a VMWare redirection subsystem?

  • I know you cannot use smart cards on a machine not joined to a domain but can you use smart cards over RDP if the client machine isn't joined to the domain? We have a lot of machines that use smart cards and we need to use RDP to support them. I have tried connecting a smart card reader to my machine (which isn't joined to the domain) and I can establish an RDP connection to the remote machine but I can't get it to see the smart card so it won't prompt for a PIN. I am using XP with SP2 and the latest (6.1) remote desktop software from Microsoft. I've enabled the option to allow smart cards over the RDP connection and the smart card reader is installed ok. Also, this works fine from a machine that is on the domain.

  • yes.. you should be able to redirect from a machine which is not domain joined. Do you have the CSP and drivers etc. installed OK?

     A real test of course is to simply join the SAME machine to the domain and see :)

    But, it should work from a non domain joined machine.

    spat

  • Hmmn, Well, I'm not experienced with this so I don't really know what the CSP is, I am assuming you mean the Cryptographic Services, which are installed and running (and I have downloaded an updated version of Cryptographic Service Provider Package from Microsoft KB909520). I also have the drivers installed. Device Manager shows three items - 'e-gate USB Smart card', 'e-gate Virtual Reader Enumerator' and 'e-gate USB smart card reader'. All installed and running ok. The Cryptographic Services service is running and so is the smart card service but it still won't work. A colleague has a similar setup with the same reader on a machine not joined to the domain and it works fine on his. Just as a thought, when I run the RDP connection there is an option to 'save credentials' which will present me with a box to enter username and password. The 'username' box is a dropdown and when I click the arrow there is no option to use the certificate from the smart card, whereas there is on my colleague's which makes me think my machine isn't accessing the card properly. Any ideas?

  • Can you run certutil.exe -scinfo on the client?

    Does it prompt for a PIN and give you info?

  • We are also implementing smart cards and have experienced cached credential issues.  Our security policy is currently set to cache 4 credentials.  In an attempt to recreate the issue on a test machine, unsuccessfully, I now am seeing unusual behavior with the HKLM\Security\Cache key.  Typically if you export the Cache key to a text file, the format is NT$1, NT$2, NT$3...and so on.  Now when I export the Cache key to a text file the format is NT$5, NT$6....NT$10, NT$1, NT$2, NT$3, NT$4.  Cached credentials appear to be working fine, it's just odd now that my exported keys start at 5 and end at 4.  Are there other registry keys involved that affect the Cache registry key?  BTW, I replaced my Cache key with a clean Cache key from a freshly installed OS that had no cached credentials at all, and the exported text file still starts at 5 and ends with 4.

    Hopefully soon, we'll have an answer to the question of why cached credentials do not work when the user is not connected to the domain...I understand a number of people in our org. have a problem ticket in with Microsoft...haha...we'll see.

    I have lots of troubleshooting documentation on this issue for any one interested.  Didn't want to bore anyone with too many details here :)

  • I am a little confused. You said:

    "Cached credentials appear to be working fine"

    then you said:

    "we'll have an answer to the question of why cached credentials do not work when the user is not connected to the domain"

    If the user cannot logon when not connected to the domain, cached cred are not working fine.. am I missing something?

    spat

  • We use smart cards to logon to our laptops.  While the laptops are connected to the network, we can use the smart cards to logon to the laptops.  However, when the laptops are disconnected from the network, we can't use smart cards to logon to some of the laptops.  The laptops that won't allow off-network smart card logon also will not accept the smart card to resume operation after the laptop is in locked mode.

    I thought the "UseSoftTokenWithMachineAuthentication" registry fix mentioned above might fix the problem, but it didn't.

    Any assistance or suggestions will be greatly appreciated.  An E-Mail reply to Milton.Bell@us.army.mil would be appreciated.  However,if an E-Mail isn't possible, I'll check back here frequently.

    Thanks,

    Milton Bell

    San Antonio, TX

  • Milton - I shot you some mail..
