Paradoxically, you should remove the smart card when logging on with a smart card

re: Paradoxically, you should remove the smart card when logging on with a smart card

Cody — Mon, 20 Nov 2006 18:09:37 GMT

Any info on how this got diagnosed in the first place?

re: Paradoxically, you should remove the smart card when logging on with a smart card

Troy — Mon, 20 Nov 2006 18:49:28 GMT

Has anyone submitted a bug report?

I know that when these sort of things happen to me, I always find myself shaking my fist and thinking "doesn't anyone at Microsoft notice these problems!". Looks like it does but that doesn't always help :)

[My guess is that it's a feature, not a bug. If you have a smart card inserted, then it joins the "search path" for authentication. After all, if you put your floppy drive in the PATH, you shouldn't be surprised that path searches are slow. -Raymond]

re: Paradoxically, you should remove the smart card when logging on with a smart card

Mike — Mon, 20 Nov 2006 19:18:03 GMT

Is this for all (NT4/5/.x+?) operating systems, or is it some Vista specific screwup (I did btw have a chance to try Vista RTM now, and my first and probably lasting impression is that Microsoft is its own worst enemy; given a chance I want back the NT4/Win95 Explorer.exe - seriously!).

re: Paradoxically, you should remove the smart card when logging on with a smart card

Nawak — Mon, 20 Nov 2006 19:26:10 GMT

Of course, the only good solution is to not work from home!! Often you have better keep work and personal lives separated.

re: Paradoxically, you should remove the smart card when logging on with a smart card

mathh — Mon, 20 Nov 2006 20:04:43 GMT

Well, it certainly should be a bug if the floppy drive was in the PATH by default.

What is the alternative authentication mechanism the rest of the validation uses?

[You know, NTLM, Kerberos, all the other security packages. If the smart card were not in the search path of authentication providers, then how could you log on with a smart card? -Raymond]

re: Paradoxically, you should remove the smart card when logging on with a smart card

Patrick — Mon, 20 Nov 2006 20:12:25 GMT

Wow... You found a behaviour that is know since years now. But it seems that MS was not interested in fixing this. Maybe now we get a solution. Btw. i develop applications that take massive usage of smartcard and pki. It´s really nice if you have inserted round about 200 cards allready, and all the public certificates are stored in your crypto container. When enumerating the store for a sign certificate it checks all those 200 certificates if the card where the private key is stored may be available... Thsi takes normaly between 5-10 seconds per certificate

Remote working

Steve Loughran — Mon, 20 Nov 2006 20:14:12 GMT

First, the MS VPN software is way better than the nortel stuff I used before, smartcard or not. Second, yes, there is wierdness with Smartcards and the OS itself. Like if you boot with one, it brings up a different login dialog from normal.

What is most annoying for me is that Domain authentication at login time happens before you are on the network, so you can't easily renew your domain password *and have the laptop update its cached value*. There's an assumption in the domain code that you bring your machine back in to the office regularly. Which means that a domained VMWare image at home every so often has to traipse into work on the hard disk of a laptop, then back again.

re: Paradoxically, you should remove the smart card when logging on with a smart card

Kevin — Mon, 20 Nov 2006 20:40:02 GMT

As the slowest authentication provider, the smart card should be at the END of the search path, then this workaround wouldn't be necessary.

[I don't know whether there's a way to ask a provider how fast it is, and the speed of a provider is often quite variable. NTLM is really slow if the domain controller is unavailable. (The timeout is what, 30 seconds?) -Raymond]

re: Paradoxically, you should remove the smart card when logging on with a smart card

Cooney — Mon, 20 Nov 2006 22:38:26 GMT

> After all, if you put your floppy drive in the PATH, you shouldn't be surprised that path searches are slow. -Raymond

I'd be surprised - you can cache filesystem metadata and flush it when the disk is removed. Not so with smartcards.

re: Paradoxically, you should remove the smart card when logging on with a smart card

wireless floppy — Tue, 21 Nov 2006 00:23:23 GMT

How do you flush a unwritten data to an already ejected floppy?

re: Paradoxically, you should remove the smart card when logging on with a smart card

James — Tue, 21 Nov 2006 00:36:18 GMT

wireless floppy: Write-through caching - cache the stuff you *read*, keeping that in memory to speed up those PATH searches, but write everything out straight away (so you never lose data that way).

Or you start throwing 'delayed write failed ... data lost' errors during backups, even when write caching is disabled. That made for a fun weekend, trying to get backups working properly again on that server :-(

re: Paradoxically, you should remove the smart card when logging on with a smart card

Richard Berg — Tue, 21 Nov 2006 02:23:17 GMT

Even with this trick, the quarantine process still took 5+ minutes on my machine. Thank god for the TS gateway!

re: Paradoxically, you should remove the smart card when logging on with a smart card

John — Tue, 21 Nov 2006 02:58:28 GMT

(Disclaimer: I'm not a windows user and don't know this subsystem)

What about parallelizing authentication? If search order doesn't matter this could be a huge win. If search order does matter then this could still be a win, albeit a smaller one. This sounds especially apropos here where it sounds like the smart card is a local resource so you don't have to worry about overtaxing it with requests.

re: Paradoxically, you should remove the smart card when logging on with a smart card

Cooney — Tue, 21 Nov 2006 04:31:49 GMT

How about caching NAKs? Assuming you're validating distinguishable entities, you can short circuit a failure for a while (say, about 5-10 minutes)

re: Remote working

David Rawling — Tue, 21 Nov 2006 06:54:29 GMT

Steve Loughran wrote, "What is most annoying for me is that Domain authentication at login time happens before you are on the network, so you can't easily renew your domain password *and have the laptop update its cached value*. There's an assumption in the domain code that you bring your machine back in to the office regularly. Which means that a domained VMWare image at home every so often has to traipse into work on the hard disk of a laptop, then back again."

I'd like to point out that once you change your password on XP on MachineA, MachineB (logged in with the same username and old password) can be updated by locking and unlocking the workstation (assuming a DC is available either on the LAN, on a VPN connection or on a dialup connection.

You could therefore just VPN in from the VM, lock it and unlock it - cached credential update now complete.

re: Paradoxically, you should remove the smart card when logging on with a smart card

Neil — Tue, 21 Nov 2006 17:47:39 GMT

>You could therefore just VPN in from the VM, lock it and unlock it - cached credential update now complete.

Or more simply, establish the VPN during logon.

re: Paradoxically, you should remove the smart card when logging on with a smart card

Zilley — Wed, 22 Nov 2006 09:29:05 GMT

Just forget about the crappy VPN. The TS Gateway works much better for me (and it's really all I need) - https://redmondts.microsoft.com

re: Paradoxically, you should remove the smart card when logging on with a smart card

Jim — Wed, 22 Nov 2006 12:21:35 GMT

>>You could therefore just VPN in from the VM, lock it and unlock it - cached credential update now complete.

>Or more simply, establish the VPN during logon.

Not much use if you're not connected to a network yet.

I'm doing a lot of travelling between different companies/sites at the moment and pretty much everywhere has an "internet-only" wireless LAN setup that non-employees can use to connect back-to-base when they're working with the company. So I need to boot up the laptop, login using cached credentials, find the right WLAN, do the WEP/WPA dance, login to VPN, and then finally I'm on the domain. Logging straight into VPN from the Windows login is fairly impractical (apart from the fact that I generally hibernate the laptop over night, and it's normally only rebooted once a month after patch Tuesday).

The lock workstation and unlock with your new password trick works perfectly, and only takes a few seconds once a month.

re: Paradoxically, you should remove the smart card when logging on with a smart card

e.thermal — Wed, 22 Nov 2006 16:56:56 GMT

I ran into a problem here where one of our Japanese executives (at a Canadian company) would log into a TS session with a server in Japan. It would just sit a blue screen and would never bring up the login screen. All the other executives could get in just fine except this one. I got loucky I just went down the list of services running and for some strange reason Smard Card service was running and it stood out in my mind. I killed it then re-launched the TS connection and instantly the login screen came up. It appears that just having the service running will cause other connections to slow down as well.

re: Paradoxically, you should remove the smart card when logging on with a smart card

RandomMicrosoftie — Wed, 22 Nov 2006 22:27:18 GMT

If the smart card is left in, how long should it typically take to authenticate? I find I can remove the smart card after as little as two seconds and it will complete the authentication, but if I leave the smart card in I have never had the authentication complete, even after letting it go for as long as ten minutes. It seems like the smart card driver is holding onto some sort of lock which stops the connection manager from doing anything, which makes it piss-poor software.

re: Paradoxically, you should remove the smart card when logging on with a smart card

Ryan — Thu, 23 Nov 2006 11:35:11 GMT

<i>I find I can remove the smart card after as little as two seconds and it will complete the authentication, but if I leave the smart card in I have never had the authentication complete, even after letting it go for as long as ten minutes.</i>

Let me guess, you're connecting from a machine with > 1 netowrk connection. Disable the interface you're not using.

re: Paradoxically, you should remove the smart card when logging on with a smart card

Igor — Fri, 24 Nov 2006 05:37:44 GMT

Raymond>

"If the smart card were not in the search path of authentication providers, then how could you log on with a smart card?"

Ah, but why it has to be in the path after login?

Why an application can't chose to ignore slow authentication devices?

Why all this is not user-configurable?

Disable your wireless network card to speed up VPN'ing

The Old New Thing — Wed, 15 Oct 2008 17:21:18 GMT

So the VPN software won't try to mess with it.