Spat's WebLog (Steve Patrick)

When things go wrong...

So, you want to use smart cards?


Smartcards, password elimination projects ... etc... all good fun.

Well, I got around to compiling a number of challenges which may arise should you decide to get rid of passwords and move to smartcards only.

I don't claim that this list is complete, and I may do another post where I add some to it, but it's a good place to start. You will notice that some of these are not public articles; just call in to PSS and ask for it if you really want it.

One more thing: I am very interested in those who seem to be running into any problems like these:

Smartcard cached logons - do you randomly seem to lose cached logons?

Slow logons - after implementing smartcards you saw logon times explode.

thanks!

spatdsg

Here is my list:

887196 http://support.microsoft.com/default.aspx?scid=kb;en-us;887196 XP - SP2
=======================================================================================
Summary of changes to the CryptoAPI certificate chain validation logic in Windows XP Service Pack 2

895325 http://support.microsoft.com/default.aspx?scid=kb;EN-US;895325 XP - post SP2
=======================================================================================
Lsass.exe crashes soon after you log on to a computer that is running Windows XP Service Pack 2 (SP2) by using a smart card

"If the domain component of the subject field is not in the last few attributes you can crash LSASS,
like CN=SCLogon, OU=TEST, O=MyOrg, DC=spat, DC=com, C=US"

894069 http://support.microsoft.com/default.aspx?scid=kb;EN-US;894069 XP - post SP2
======================================================================================

You receive the Change Password dialog box when you try to use a smart card to log on to a Windows Server 2003 domain in Windows XP Professional

When you log on with a smart card to a Windows 2003 domain account whose password has expired, the window that prompts the user to change his password contains misleading information:

The "User name" field is empty and the "Old Password" field is filled in.

However, you cannot simply punch in your new password.

The user needs to enter the UPN form in the User name field (like user@domain.com). Generally, users (especially the ones that use a smart card to log on) don't know anything about the UPN form of their user account, so they don't know what to enter.

Also, the fact that the Old Password field is filled in makes the user think he doesn't need to enter it. This is wrong: he needs to clear its content and then enter the old password, since the field initially contains no useful value.

When you install this fix, the message makes it clearer that you should log on with your password:

"Your password has expired and must be changed. Please logon using your password in order to change it."

892647  ( not a public article yet ) XP - post SP2
======================================================================================

Smartcard logon fails after installing WinXP SP2

After upgrading WinXP Pro to SP2, smart card logon fails.

Uninstall SP2 and sclogon works again.

This problem appears when the sAMAccountName doesn't match the name part of the UPN.
This problem also appears when an alternate UPN suffix is configured.

With the default UPN, and when the sAMAccountName == name in UPN, sclogon succeeds even with SP2.

923401  ( not a public article yet ) Win2k3 - post SP1  AND XP -post SP2
======================================================================================
Smartcard over TS fails.


915832 http://support.microsoft.com/default.aspx?scid=kb;EN-US;915832 XP - post SP2
======================================================================================
Error message when you try to initiate a dial-up networking connection by using a smart card: "Error 0x80090016 - NTE_BAD_KEYSET"

When you try to initiate a dial-up networking smart card connection, you may receive the following error message:

Error 0x80090016 - NTE_BAD_KEYSET

875506 http://support.microsoft.com/?id=875506 XP - post SP2
======================================================================================

The PIN dialog box may not be displayed when you use a smart card to log on to a Windows Server 2003 Terminal Services session

When you use a smart card to log on to a Microsoft Windows Server 2003 Terminal Services session, the smart card personal identification number (PIN) dialog box may not be displayed. This problem occurs if the following Group Policy settings are configured on the destination computer:

• Interactive logon: Message text for users attempting to log on
• Interactive logon: Message title for users attempting to log on


915428 http://support.microsoft.com/?id=915428  XP - post SP2
=======================================================

You do not receive an error message that states that you used the wrong PIN when you connect to a wireless 802.1X network by using EAP-TLS on a Windows XP-based computer

Consider the following scenario.

On a Microsoft Windows XP-based computer, you connect to a wireless 802.1X network by using a smart card together with Extensible Authentication Protocol with Transport Level Security (EAP-TLS) and certificates for authentication.

When you log on by using the correct personal identification number (PIN), you can connect successfully. When you log on by using the wrong PIN, you cannot connect. However, in this scenario, you do not receive an error message that states that you used the wrong PIN.

After this fix you will get a balloon popup, so there is less chance of a PIN lockout.

890937 http://support.microsoft.com/kb/890937  XP - post SP2
=======================================================

Computer authentication cannot complete successfully when you use a smart card to log on to a wireless network in Windows XP or...  "What if you need to use a machine certificate on the machine (soft token) for machine authentication and a user certificate on a smart card for user authentication?"

The issue is that the same EAP configuration is used for both machine and user authentication. If a user configures EAP-TLS (with the smart card option), both machine and user authentication will be performed using smart cards.

Machine authentication using a smart card is not possible, because accessing the smart card requires the PIN, and during machine authentication there is no way to show the PIN dialog (no user is logged on). As a result, machine authentication is broken if someone wants to use smart cards for user authentication.

"To enable this hotfix, follow these steps:

1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click to select the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13
3. After you select the key that is specified in step 2, on the Edit menu, point to New, and then click DWORD Value.
4. Type UseSoftTokenWithMachineAuthentication, and then press ENTER.
5. Right-click UseSoftTokenWithMachineAuthentication, and then click Modify.
6. In the Value data box, type 1, and then click OK.
7. Quit Registry Editor."


329433 http://support.microsoft.com/default.aspx?scid=kb;EN-US;329433 XP - post SP1
=======================================================================================
A Revoked Certificate Is Selected If a Certification Authority in the Chain Has Two Certificates

Just a hotfix with many generally good changes in crypto, not all of them correctly documented in the article text.

885423 http://support.microsoft.com/default.aspx?scid=kb;EN-US;885423 XP - post SP2
=======================================================================================

The network provider may not function as expected on your Windows XP-based computer

"SYMPTOMS
When you manually log on to your Microsoft Windows XP-based computer with a user name and a password, the Winlogon.exe process may prematurely end the Mpnotify.exe process. The Mpnotify.exe process hosts network provider .dll files. Specifically, the Mpnotify.exe process calls the NPLogonNotify function of the network provider .dll file. Therefore, the network provider may not function as expected.

CAUSE
This problem may occur if the following conditions are true:

• You have a smart card reader attached to the workstation.
• The Winlogon.exe process detects the smart card reader in the background during the logon process. The Winlogon.exe process incorrectly ends the Mpnotify.exe process when any secure attention sequence (SAS) events are detected in the background."


887578 http://support.microsoft.com/?kbid=887578 Win2k3 - post RTM  AND XP -post SP2
===================================================================================================
You receive a "Logon failure" message when you use a smart card on a Windows Server 2003-based computer

This problem occurs when the certificate revocation list (CRL) is outdated and a new CRL is not available.

A public key infrastructure (PKI) that is not working can cause the distribution server of the CRL not to publish a new CRL. If a new CRL is not published, logons to client computers are not allowed.

"HKEY_Local_Machine\System\CurrentControlSet\Services\KDC\CRLValidityExtensionPeriod

This DWORD value lets you extend the CRL validity period by a specified number of hours. When you set this value to a non-zero value, the certificate status checking code for smart card logons ignores any validity period errors as long as the CRL is not expired by more than the number of specified hours. This extension of the validity period only applies to CRLs that are used during the evaluation of certificates used for smart card logon.

For example, this extension would apply to a certificate that is issued by a certification authority (CA) that is populated in the NTAuth store and to any certificates that are part of the trust chain used to verify the NTAuth store certificate.

HKEY_Local_Machine\System\CurrentControlSet\Services\KDC\CRLTimeoutPeriod

This DWORD value lets you specify the CRL time-out period to reduce false positives. The Key Distribution Center (KDC) passes this value to the certificate policy checking code. By default, the KDC specifies a time-out value of 90 seconds even if this registry value is not set.

HKEY_Local_Machine\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters\CRLTimeoutPeriod

This DWORD value lets you specify the CRL time-out period to reduce false positives. The Kerberos client passes this value to the certificate policy checking code. By default, the Kerberos client specifies a time-out value of 90 seconds even if this registry value is not set."


906681 http://support.microsoft.com/?kbid=906681 XP - post SP2
========================================================================
A user can log on to a Windows XP-based computer by using a user name and a password, even though the "Smart card is required for interactive logon" user account property is set

"Consider the following scenario:

• The Smart card is required for interactive logon user account property is set on a computer that is running Microsoft Windows XP.
• The smart card is lost or damaged. The user is temporarily permitted to log on by entering a user name and a password.
• Later, a new smart card is issued to the user. The user is again required to log on only by using a smart card.

In this scenario, the user can still log on offline with the temporary user name and password.

CAUSE
This problem occurs because the user name and the password are cached on the computer."

This fix will delete the previously cached standard user name and password, which makes sense if you have set the "Smart card is required for interactive logon" account property.

IMPORTANT NOTE ( UNDOCUMENTED )

Win2k3 - post 887578
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors

XP - post 906681
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos
UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors

What does this do?
Default value is 0. When this value is non-zero, the Kerberos client will use the cached CRL only and ignore revocation-unknown errors. If this value is not present it is interpreted as if it is 0.

This setting is valid for 2k3 and XP as noted above.

887535 http://support.microsoft.com/?id=887535 XP - post SP2
========================================================================

A user may log on successfully after a smart card certificate is revoked or after their user account is disabled in Windows XP

"A user may log on successfully to a computer when either of the following conditions is true, even though their smart card certificate has been revoked or their user account has been disabled in Microsoft Windows XP:

• If the smart card certificate of the user has been revoked and the user has tried unsuccessfully to log on online at least one time, the user may still be able to log on offline and have access to network resources by using the NET USE command.
• If the account of the user has been disabled in the Active Directory directory service and the user has tried unsuccessfully to log on online at least one time, the user may successfully log on offline."

If we detect that the smart card cert is revoked, we then delete the current cached credentials.

906524 http://support.microsoft.com/?id=906524 XP - post SP2
========================================================================

Error message when you try to connect to a remote share by using NTLM authentication on a Windows XP-based computer: "Logon failure: unknown user name or bad password"

When you use "runas /smartcard cmd" to start a cmd window and then run "dir \\server_ip_address\share", the following error is returned: "Logon failure: unknown user name or bad password", and the bad password count is increased for the user account.

Why?

The article is not very clear, but what it means is that when you use runas /smartcard, the OS does not use the correct supplemental credentials, which ought to be gathered when you use the smart card to do the "logon" performed by runas /smartcard.


898061  ( not yet a public article ) Win2k3 - post SP1
========================================================================

Scenario: You have a wireless networking deployment and want to use PKI-issued certificates for EAP-TLS-based authentication, but do not have the server\client EKU in the certs.

"The current EAP-TLS implementation requires the server auth EKU and client auth EKU to be present in certificates. If the customer's certificates do not contain the required server or client auth EKU then it will fail.

Correspondingly, Customer cannot use EAP-TLS for authentication with the PKI certificates."

In order to use this you must set the following on the server:
Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13
Name: TlsServerUseAllPurposeCert
Type: REG_DWORD
Values: 0, 1

When TlsServerUseAllPurposeCert is not present or is 0: the EAP-TLS UI in the server role will display only certs containing the server auth EKU.

When TlsServerUseAllPurposeCert is 1: EAP-TLS will display only general purpose certs (containing no EKU whatsoever).

893226 http://support.microsoft.com/?id=893226 XP - post SP2
========================================================================
A user receives an "Unable to log you on because it is required that you use a smart card" message when the user tries to log on to your Windows XP-based computer by using Remote Assistance.

"Consider the following scenario.

You enable the "Interactive logon: Require smart card" security setting on your Microsoft Windows XP-based computer so that users have to use a smart card to log on to the local computer. To do this, you follow the steps that are described in the following article in the Microsoft Knowledge Base:

834875 (http://support.microsoft.com/kb/834875/) Update for the "Interactive logon: Require smart card" security setting in Windows XP

After you enable the security setting, users cannot log on to your computer by using Remote Assistance. When a user on a remote computer tries to log on to your computer by using Remote Assistance, the user receives the following message:

Unable to log you on because it is required that you use a smart card to log on, please contact your administrator"


835746 http://support.microsoft.com/?id=835746 XP - post SP1
========================================================================

A delay may occur before the logon text changes to "Insert card or press Ctrl-Alt-Delete to begin" when you use a smart card reader with a Windows XP-based computer.

Prior to this fix (which is also in SP2) it may take 20-30 seconds for the msgina display to change to include "insert smartcard". After applying the hotfix, the delay before the logon display changes should be significantly shorter.


890042 http://support.microsoft.com/?id=890042 XP - post SP2
========================================================================

You lose access to network resources after you resume your Windows XP-based computer from standby

If you log on with a smart card, put the computer on standby, and then resume your Microsoft Windows XP-based computer while your network is either disconnected or down, you lose access to your network resources after network connectivity is restored. Additionally, if your Windows XP-based computer is moved to a different network while the computer is on standby, you lose access to network resources when you resume the computer.

890837 http://support.microsoft.com/?id=890837 XP - post SP2
========================================================================

You are prompted to press CTRL+ALT+DEL to unlock your computer when you use a smart card to log on to your Windows XP-based computer

It is a bit confusing to see a prompt for CTRL+ALT+DEL: the user may press it and then try to enter his PIN or something, so we changed the strings to say something like

"Insert card to begin" etc.

To enable this hotfix, follow these steps:

1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
3. With the registry subkey from step 2 selected, on the Edit menu, point to New, and then click DWORD Value.
4. Type AltSCMessages, and then press ENTER.
5. Right-click AltSCMessages, and then click Modify.
6. In the Value data box, type 1, and then click OK.
7. Quit Registry Editor.


893376 http://support.microsoft.com/default.aspx?scid=kb;EN-US;893376 XP - post SP2
========================================================================

Stack corruption occurs if you remove and insert a smart card during a user log on process in Windows XP Service Pack 1 or Windows XP Service Pack 2

"SYMPTOMS

Consider the following scenario:

• You use a smart card for user authentication on a computer that is running either Microsoft Windows XP Service Pack 1 (SP1) or Windows XP Service Pack 2 (SP2).
• You insert the smart card into the reader and type the PIN to initiate the log on process.
• You remove the smart card before the log on process is completed.
• You insert the smart card again.

In this scenario, a stack corruption occurs, and the computer stops responding (hangs).

Additionally, you receive the following error message:

STOP: 0xc000021a {Fatal System Error}"


910482 http://support.microsoft.com/default.aspx?scid=kb;EN-US;910482 XP - post SP2
======================================================================================

After you remove a smart card from a Windows XP-based computer, you are not logged off, or the workstation is not locked

On a Microsoft Windows XP-based computer, you remove a smart card after the logon window appears. After you do this, you are not logged off, or the workstation is not locked.

The behavior occurs even if the value of the ScRemoveOption registry entry is set to 2 (Force logoff) or to 1 (Lock workstation).

Note You can locate the ScRemoveOption registry entry under the following registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon


883529 http://support.microsoft.com/default.aspx?scid=kb;EN-US;883529 XP - post SP2
======================================================================================

Removing a smart card immediately after you log off a Windows XP-based computer may cause the computer to stop responding

If you remove your smart card immediately after you log off a Microsoft Windows XP-based computer, the computer may stop responding (hang) and you cannot log back on.
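Several of the hotfixes above only take effect through a registry value, and a few of those values (CRLValidityExtensionPeriod, UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors, TlsServerUseAllPurposeCert) trade revocation or EKU checking for availability, so it is worth knowing which ones a box actually has set. Here is an added PowerShell audit script (my own addition, not code from the post or from any Microsoft article) that reads every value named in the 887578, 906681/undocumented note, 890937, 898061, 890837 and 910482 entries and flags the relaxing ones; the paths and value names are the ones quoted above, the "Relaxes" classification is mine, and it assumes PowerShell is available on the client or KDC being checked.

```powershell
# Added example, not from the original post: audit the smart-card logon registry
# values listed in the KB entries above. Run from an elevated PowerShell prompt.
# On a workstation the KDC values simply report as "not set"; that is expected.

# One entry per value. Paths, names and KB numbers are the ones the post quotes;
# Relaxes = $true marks values that, when non-zero, weaken CRL or EKU checking.
$SmartCardChecks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\KDC'; Name = 'CRLValidityExtensionPeriod'
       Kb = '887578'; Relaxes = $true;  Note = 'KDC still accepts an expired CRL for this many extra hours' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\KDC'; Name = 'CRLTimeoutPeriod'
       Kb = '887578'; Relaxes = $false; Note = 'KDC CRL fetch time-out in seconds (90 if unset)' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'; Name = 'CRLTimeoutPeriod'
       Kb = '887578'; Relaxes = $false; Note = 'Kerberos client CRL fetch time-out in seconds (90 if unset)' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
       Name = 'UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors'
       Kb = '887578'; Relaxes = $true;  Note = 'Win2k3: cached CRL only, revocation-unknown errors ignored' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos'
       Name = 'UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors'
       Kb = '906681'; Relaxes = $true;  Note = 'XP: cached CRL only, revocation-unknown errors ignored' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13'; Name = 'UseSoftTokenWithMachineAuthentication'
       Kb = '890937'; Relaxes = $false; Note = 'machine auth uses a machine cert instead of the smart card' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13'; Name = 'TlsServerUseAllPurposeCert'
       Kb = '898061'; Relaxes = $true;  Note = 'EAP-TLS server role offers certs that carry no EKU at all' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'AltSCMessages'
       Kb = '890837'; Relaxes = $false; Note = 'alternate "Insert card to begin" logon strings' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'ScRemoveOption'
       Kb = '910482'; Relaxes = $false; Note = 'card removal: 0 no action, 1 lock workstation, 2 force logoff' }
)

# Returns one object per check describing whether the value exists, what it holds,
# and whether its current state relaxes checking. Nothing is written to the registry.
function Get-SmartCardLogonSetting {
    param([object[]]$Checks = $SmartCardChecks)

    foreach ($c in $Checks) {
        # Missing key or missing value name both yield $null here.
        $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $value = if ($item) { $item.($c.Name) } else { $null }

        # A value is "on" when present and non-zero; ScRemoveOption is REG_SZ on
        # real systems, so compare as a string to cover both DWORD and string data.
        $enabled = ($null -ne $value) -and ("$value" -ne '0')
        $state   = if ($null -eq $value) { 'not set (default)' } else { "set to $value" }
        $warning = if ($enabled -and $c.Relaxes) { 'RELAXES CHECKING' } else { '' }

        New-Object PSObject -Property @{
            KB      = $c.Kb
            Value   = $c.Name
            Key     = $c.Path
            State   = $state
            Warning = $warning
            Note    = $c.Note
        }
    }
}

# Print the audit; anything marked RELAXES CHECKING is what to review with the PKI team.
Get-SmartCardLogonSetting |
    Select-Object KB, Value, State, Warning, Note |
    Format-Table -AutoSize -Wrap
```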


 

  • Hi all,

    We have implemented a smartcard logon in our enterprise. We have a standalone certification authority, and an Enterprise Subordinate CA together with our Active Directory. The standalone CA enrolls a CA certificate for the subordinate, and this one enrolls certificates to end users.

    We have an issue on slow logons to user stations. The user turns on the PC, and inserts the smartcard to logon. All runs ok. The user can lock and unlock the station with the smartcard without any issue.

    At some moment (we can't reproduce the problem), when the station is locked by the screensaver, our users can't logon with smartcard. When they insert the card in the USB reader, the computer appears hung, and the screen appears in blue colour (the desktop wallpaper). After one or two minutes (approx.), the PIN window appears. The user introduces his PIN and the logon process unlocks the station, and finally all runs ok as normal.

    We're using a Starcos Smartcard, and different smartcard readers (SCR and Cherry). All the hardware and software is certified for the Windows Environment.

  • Interesting. Seeing as how I have not seen this, you could potentially get some user dumps of Winlogon.exe while it is "hung" and I could look at them. But an easier route may be to call the CSP vendor and ensure you are on the latest and greatest CSP -- as a first step.

    spat

  • Hi Spat, thanks for the response.

    Yes, we contacted the CSP vendor, but the support response was that the CSP is always OK ;). We have the latest version, and this issue is not reported in the vendor KB. I will send you a dump for your reference.

    Regards

  • When users try to sign an email using their smart card it takes up to 20 seconds to prompt them for a PIN, then up to 10 seconds after that to actually send the email. Any ideas on what is causing this delay? It only occurs on select machines; my machine can prompt and send the signed email in under 5 seconds.

  • interesting. Not over RDP it sounds like.  Same hardware on the machines, driver versions and CSP or card module?

  • Same hardware on machines, same driver versions, and some machines still work correctly. I am checking my GPO that forces out the config file for Tumbleweed Desktop Validator but finding that it is ok also. Got it down to 15 machines so I am thinking they are not getting the GPO somehow.

  • I get an unknown certificate error from Tumbleweed. "The details are: Missing or bad CRL-DP extensions". I googled this and didn't see much about it. Do the users' certificates on the CAC card need to be renewed? Or maybe a setting I need to check or uncheck?

  • Are you testing against a production DOD OCSP responder? I know some have firewalls which block native Windows calls - but this should not matter if you are using the Tumbleweed client as well - so I guess before I can comment further - which OCSP client are you using?
