It seems I do spend a fair bit of time with smartcards lately, but I have some other interesting posts planned as well. Anyway, this is kind of a heads up to an interesting issue with Vista.
We changed some of the way things work ( for the better ) in Vista. You may have noticed that scredir.dll no longer exists in Vista - much of that code was moved into Winscard.dll. We also changed the way we call the CSP previously ( see http://blogs.msdn.com/spatdsg/archive/2006/10/06/Smartcards-and-cached-logons_2E002E002E00_.aspx ) we called from LSASS into winlogon.exe but we no longer do this in Vista - we go straight to the CSP.
Anyway - this post is marginally related to my other post Smartcard logon over Terminal Services ( RDP redirection )
Remember that the "server" will call back to the client via the RDP protocol ( virtual channel ) and MSTSC.EXE loads winscard.dll on the client in order to process these IO requests. Well in this case the calls never made it up to that level of the code. In fact, they died in the RDP client.
If you have a CSP which calls SCardUIDlgSelectCardW, it may fail due to this issue. The RDP session is initaited from Vista...
Vista --> Vista : works OL
Vista --> XP: FAILURE
XP--> XP: works OK
XP--> Vista : works OK
Error on XP:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 537
Time: 12:32:26 PM
User: NT AUTHORITY\SYSTEM
Reason: An error occurred during logon
Logon Type: 10
Logon Process: User32
Authentication Package: Kerberos
Workstation Name: XPDEBUG
Status code: 0xC000006D à STATUS_LOGON_FAILURE
Substatus code: 0xC0000321 -> STATUS_SMARTCARD_SUBSYSTEM_FAILURE
Anyway - I hate leaving people in the dark with issues they may assume are due to the ISV's software .. so, even tho no fix is out yet... I have this FYI.
Fix is pending.. but again, if the behavior isnt changed, dont shoot the messenger.
[added on July 10,2007 ]Whooo hooo! It was fixed -public KB article is coming but if you need the fix now ask for the fix for article 939682
That explains the issue somewhat to me.
I use smart card authentication to servers and I cant go Vista -> Server (win2k3) as there is a smart card error. I can however MSTSC to a non-smart card server, and then hop from there to a smart card server, but keeping my smart card in my Vista box.
I now know Im not going mad. Looking forward to the fix.
Some more success found. I guess this is a "use at own risk" as Ive not fully tested, but FYI.
According to: http://blogs.msdn.com/ts/archive/2007/01/22/vista-remote-desktop-connection-authentication-faq.aspx#_When_to_use
You can edit an RDP file (or default.rdp in Documents folder, hidden file) to use the
flag. Not recommended, but I can now use CryptoFLEX smart cards formatted for XP to connect FROM vista TO Windows 2003 servers.
I have seen this problem with ActivCard Middleware (software) and can solve the problem by introducing the registry entries for the new type of smart card.
Check "Getting Started with the Microsoft Remote Desktop Client and Smart Card Authentication" at http://www.tekworkshop.com/
Step by step configuration is provided and some of the issues of connecting to legacy systems are addressed.