Welcome to MSDN Blogs Sign in | Join | Help
Tuesday, May 27, 2008 3:57 PM

Buying Smart Cards that work with Windows XP/Vista

Developers need to test test their code with real Smart Cards that can work with Windows.  Here are some manufacturers who can provide the same.  If you are a manufacturer and not listed here, please drop me a note and I will include the same.

 Raak Technologies

They have 2 types of MiniDriver cards for general sale. (for our OEM channel a larger selection is available).  For developers I would recommend the C2-40, which is a Javacard (IBM JCOP Card OS) that supports both RSA 1024 and 2048. 

For small quantities, price can range from $14-17 per card and you can expect a 24-hour turnaround.

Gemalto

Smart Cards can be purchased online.  From their web site, select "BUY ON-LINE" at the top.  There are two families of cards that support the minidriver architecture:

  1. Classic TPC is our Java card-based solution
  2. Gemalto .NET is our .NET-based solution.  This has the minidriver built into Vista.

 For the “monolithic” CSP-based solution there is:

  1. Access TPC that requires the TOP IM (what used to be called ACS) software package that includes the CSP.  This software cannot be ordered from the webstore but through a Gemalto sales representative.
  2. Classic TCP (as above) that (optionally) requires Classic Client software package for the CSP

 From the web store, you can select “Smart Cards” in the right-hand column to view and order the Classic and Access TPC cards.  Select “.Net Solutions” to order the Gemalto .NET cards and development kit.  Also, the Gemalto .NET cards can be managed through some utilities at www.netsolutions.gemalto.com.  Select “Utilities” in the bar at the top.

Individual .NET cards can cost around $55-$60 and the SDK can cost around $300

 

Posted by Shivaram Mysore | 0 Comments
Sunday, November 25, 2007 8:32 PM

Smart Card Authentication with ASP.NET

Here is an interesting link that I found on implementing Smart Card Authentication with ASP.NET - http://blogs.msdn.com/healthblog/archive/2006/11/22/the-connected-health-framework-a-service-oriented-architecture-for-health-it.aspx
Posted by Shivaram Mysore | 0 Comments
Thursday, August 16, 2007 6:50 PM

Smart Card Infrastructure Whitepaper Published

The Smart Card Infrastructure White paper has been published on the download center - http://www.microsoft.com/downloads/details.aspx?FamilyID=ac201438-3317-44d3-9638-07625fe397b9&displaylang=en.  This paper has detailed information on Windows Smart Card Infrastrucure.  Feel free to use this blog to send in your comments, suggestions and enhancements.

Posted by Shivaram Mysore | 10 Comments
Tuesday, July 17, 2007 12:33 PM

Smart Card MiniDrivers and Reader Drivers

Summary list of information related to Smart Card Readers and Card Mini-Drivers 

Smart Card Mini-Driver

Smart Card Readers:

 

Posted by Shivaram Mysore | 2 Comments
Wednesday, May 23, 2007 1:25 PM

Smart Card Credential Providers

Vista ships with "Password" and "Smart Card" Credential Providers.  Some vendors are interested in writing custom credential providers.  Check out http://shellrevealed.com/ for latest and up-to-date information on how to write Credential Providers. 

Credential Provider Samples are available here: http://www.microsoft.com/downloads/details.aspx?FamilyID=1287ec56-77b4-48c4-8b58-35b7295d6c2c&displaylang=enFor comments or questions about these samples, please contact credprov@microsoft.com.

If you are writing a custom Smart Card credential provider and would like to use the features such as the ones for removal policy, feel free to use the Group Policy settings for the corresponding registry key settings.  Note that you will have to implement the corresponding logic in your code to appropriately log-off or lock work stations which may include removing cached information, etc.

Posted by Shivaram Mysore | 2 Comments
Filed under:
Thursday, March 22, 2007 2:19 PM

PC/SC Standards support and Windows Logo for Smart Card Readers and Drivers

Windows (upto and including Vista) supports only PC/SC v1.0.  As a part of Windows Vista, there is a standard USB-CCID class driver in-box.  This means that any USB Smart Card reader which is USB-CCID compliant, will not need any additional drivers - they just work when plugged in.  To get a Windows Logo for the Smart Card Reader and the corresponding driver to be on Windows Update, one has to comply with the WHQL logo program.  They wll also need PC/SC test cards for the same which can be obtained from PC/SC workgroup.

Posted by Shivaram Mysore | 1 Comments
Monday, February 26, 2007 12:28 PM

Turning on S/MIME (Digital Signature/Encryption) in Outlook 2007

Digital Signature and Encryption can use Smart Card based Certificates in Outlook. 

In Office 2007, Select “Tools” à “Trust Center” à “Email Security”

See the attached image for configuration.

 

If you have had an email change from user@exchange.example.com to user@example.com and so the email address is different on your certificate compared to your exchange information. You will not be able to encrypt because Outlook does not allow it.

 

For Configuring Outlook 2003 on XP for the same,

1.    Select the 'Tools' button at the top and then select 'Options'.

2.    Next, select the 'Security' tab.

3.    Under 'Secure-email', select the 'Settings...' button. This will bring up the 'Change Security Settings' window.

4.    Make sure you have a name listed under 'Security Settings Name:'. If there isn't one, please enter something that will be easy for you to remember. But, be sure that there is a name listed like: My S/MIME Settings (smysore@example.com). Also, make sure that in either case, both 'Default Security Setting for this Secure Message Format' and 'Default Security Setting for all secure messages' are selected and that being for the S/MIME Secure Message Format.

5.    Leave the 'Secure Message format' as S/MIME.

6.    Now, under 'Certificates and Algorithms' select the 'Choose...' button located across from the 'Signing Certificate:' header. This will bring up a 'Select Certificate' window listing any available signing certificates that you have installed on your machine. Please select a certificate and then click the 'Ok' button.

7.    Next, do the same for the 'Encryption Certificate:' section. The certificates listed in the 'Select Certificate' window of this section will be certificates that are installed on your machine and good for encrypting.

8.    For the 'Hash algorithm' and 'Encryption Algorithm' sections listed at the bottom of this window, you leave it as is using the defaults. The 'Encryption Algorithms' are the encryption preferences/strengths that you want to use. These are sent to the recipient of a signed mail that you send when Outlook XP is configured for encrypting. It lets them know what encryption strength you prefer. Typical algorithms used are RC2 (40bit), DES, RC2 (64bit), RC2 (128bit), and 3DES. These are listed in order of strength capabilities with 3DES being the strongest.

9.    Make sure the 'Send these certificates with signed messages' dialogue box is checked. This just sends your encrypting certificate along with your signing certificate every time you send a signed email to somebody. This will be explained later.

10.  Now, select 'OK' to apply your changes in the 'Change Security Settings' window.

Posted by Shivaram Mysore | 2 Comments
Filed under:

Attachment(s): enabling_smime_office2007.jpg
Monday, February 26, 2007 12:17 PM

Smart Card Logon on Windows Vista

Differences in Vista

Smart card logon under Windows Vista has changed in several key aspects.  The primary differences are highlighted below:

·         Logon is no longer triggered to smart card insertion.  Users are required to press Cntrl+Alt+Del (CAD) to start the logon process

·         Valid certificates are enumerated and displayed from all smartcards and presented to the user.

·         Keys are no longer restricted to being in the default container and certificates in different smart cards can be chosen

·         The CSP is opened in the both the logonUI.exe and lsass.exe.  The CSP is never loaded into the winlogon process.

·         Multiple TS sessions are supported in a single process.  Since Windows Vista is tightly integrated with Terminal Services to provide fast user switching, this fact should not be overlooked.

Certificate enumeration

When a smart card is inserted, the following steps are followed in order:

(Note: Unless otherwise mentioned, all operations are performed silently (CRYPT_SILENT is passed to CryptAcquireContext)

1.       The Cryptographic Services Provider for that smart card is queried from the Smart card Resource Manager database.

2.       A qualified container name is constructed using the reader name and is passed to the CSP.  The format for that name is as follows:  \\.\<Reader name>\

3.       CryptAcquireContext is called to retrieve a context to the default container.  A failure here would cause the smart card be unusable for smart card logon

4.       The name of the container is retrieved by requesting the PP_CONTAINER parameter using CryptGetProvParam

5.        Using the context acquired in 3 the CSP is queried for the PP_USER_CERTSTORE parameter, which was added in Vista (See Section on new CAPI properties for more information).  On success, a certificate store is returned and program flow skips to step 8.

6.       If 5. Fails, then the default container context (from 3) is queried for the AT_KEYEXCHANGE key.

7.       The certificate is then queried from the key context using KP_CERTIFICATE.  The certificate is added to an in memory certificate store.

8.       For each certificate in the certificate store (Either from 5 or 7), the following checks are performed.  These are the same requirements as in Windows 2003 but they are performed before the user enters their PIN.  Many of these can be overridden using group policy settings:

a.       The certificate must be valid based on the computer system clock.  (Not expired or valid in the future)

b.      The certificate must not be in the AT_SIGNATURE part of a container

c.       The certificate must have a valid UPN.

d.      The certificate must have the Digital Signature Key Usage

e.      The certificate must have the smart card logon EKU

Certificates which meet the above are displayed to the user display the certificates Common Name in large text along with the certificates UPN (or email address or subject depending on presence of the extensions).

9.       A certificate is then chosen and the PIN is entered.

10.       LogonUI.exe packages up the information and sends the information to lsass.exe to process the logon attempt.  See the section below for its usage there.

11.       If successful, logonUI.exe is torn down causing the context acquired in 3 to be released.

New session management in Windows Vista

In order for smart card applications to work properly under Vista, the correct handling of sessions must be observed.   The first user account gets session 1, the second gets session 2.  Temporary sessions (used when the user chooses disconnect instead of log off) are also assigned a session number.  Sessions last for the length of the user logon.  On a reconnect (such as over TS or in a Fast User Switching (FUS) scenarios), the temporary session will be destroyed.

A key distinction is that a disconnected logon session is treated identically to a disconnected remote session.  Also sessions can transfer between local and remote without requiring a process restart.

Winscard enforcement of session separation

By default, the smart card readers on the local machine are only available to the current active console.  This is handled by restricting access to the smart card resource manager and is enforced by the winscard layer. Consider the following example:

1.       User A logs in and is assigned a session of 1.

2.       User A launches Application XYZ which monitors for smart card removal.

3.       User A then locks the computer and presses the FUS button so others can use the computer.

4.       A new session (2) is created which launches logonUI.exe.

5.        At this point all smart card contexts acquire in session 1 are invalid due to the session change.  Any use of the contexts will result in an error.  These contexts should be closed.

6.       Application XYZ receives the error SCARD_E_SYSTEM_CANCELLED from their SCardGetStatusChange call.  Performs any actions based on this return.

7.       Application XYZ then calls SCardAccessStartedEvent () and waits for the smart card resource manager to “start up” again.

8.       User A returns to the computer and logs on and is reconnected to session 1.

9.        The next two operations occur at the same time

a.       All contexts associated with session 2 are invalidated in the same way as those contexts for session 1 where in Number 5.

b.      The event from 7 is signaled and Application XYZ can call SCardEstablishContext to communicate with the smart card.

10.       User A calls "run as /smartcard" when he is returned to the desktop

Smart card logon in the LSA using Kerberos

The operations performed in smart card logon are very similar to the ones performed in previous versions of Windows.  The primary exception is that previously the smart card operations were done via a call back into winlogon.  Now with the improved session handling in the Smart Card Resource Manager, CSP contexts are used directly in the LSA.

All CSP calls are made impersonating the caller.  This means initial logon will under the system context but operations such as runas /smartcard will be performed under the context of the current user.

The majority of trouble in getting authentications will occur due to the session behavior.  Also, the LSA does not reacquire the Context instead relying on the CSP to handle the session change.  In the above example, step 8 would have caused a context to be acquired by Kerberos under a session 2 impersonation token (under system context).  In Step 10, that same context would be reused but under a different impersonation token (the user token).  This could cause trouble with some CSP implementations.

(thanks to Dan Sledz for information)

Posted by Shivaram Mysore | 13 Comments
Filed under:
Monday, February 26, 2007 9:43 AM

Smart Card Tools and debugging

CertUtil is a tool available on Windows Vista and Windows 2003 Server Admin Pack

CertUtil (tool available on Vista and W2K3 Admin pack)

Listing Certificates available on the card:

Command to list Certificates available on the Smart Card: certutil –scinfo

Entering PIN is not required for this operation.  Hitting Escape at each PIN dialog will work as the objective is to read the public certificates on the card.

 

Deleting Certificates on the card:

To delete a certificate on the card, you are actually deleting a container corresponding to that certificate.  Each certificate is enclosed in a container.  The following command is used to delete container:

Certutil –delkey –csp “Microsoft Base Smart Card Crypto Provider”  “38f813f2-ec3b-4e96-ba19-38b830923be9”

 

Kerberos debugging and trace

The Kerberos Authentication in Windows portal (https://www.microsoft.com/kerberos) is a good place to start. There are two troubleshooting docs:

Smart Card Service (SCardSvr.exe – XP and SVCHost - Vista)

To restart “SCardSvr” services, the following commands from a Windows Command window will help.

C:\> net stop SCardSvr

C:\> net start SCardSvr

 

To findout if Smart Card Service is running (Note: the state field tells if the service is running or stopped):

C:\>sc queryex scardsvr

SERVICE_NAME: scardsvr
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 1320
        FLAGS              :

C:\>

CAPI2 Diagnostics

CAPI2 Diagnostics is a feature in Microsoft® Windows® Vista and Microsoft® Windows® Server code name “Longhorn” which helps administrators with troubleshooting PKI problems. CAPI2 Diagnostics logs events in the Windows Event Log containing detailed information about certificate chain validation, certificate store operations and signature verification. This makes it easier to identify the root cause of problems and reduces the time required for diagnosis.

For more information on CAPI2 Diagnostics, refer to this whitepaper on "Trouble Shooting PKI problems on Windows Vista"

Posted by Shivaram Mysore | 5 Comments
Filed under:
Monday, February 26, 2007 9:38 AM

Smart Card Resource Manager Service

The Smart Card Resource Manager (SCRM) provides the basic infrastructure that all other smart card components.  It manages smart card readers on the system and application interactions.  It is fully PC/SC 1.0 compliant.

 

The smart card resource manager is implemented as a shared service living in an svchost process.  It runs in the context of Local Service.

 

The smart card resource manager service has the following service description:

  <serviceData name="SCardSvr"

displayName="@%SystemRoot%\System32\SCardSvr.dll,-1"

errorControl="normal" group="SmartCardGroup"

imagePath="%SystemRoot%\system32\svchost.exe /k

LocalService" start="demand" tag=""

type="win32ShareProcess" security=""

description="@%SystemRoot%\System32\SCardSvr.dll,-5

requiredPrivileges="SeCreateGlobalPrivilege,SeChangeNotifyPrivilege,SeImpersonatePrivilege"

dependOnGroup="" dependOnService="PlugPlay"

objectName="NT AUTHORITY\LocalService">

          <failureActions resetPeriod="900">

              <actions>

                 <action type="restartService" delay="120000"/>

                 <action type="restartService" delay="300000"/>

                 <action type="none" delay="0"/>

              </actions>

          </failureActions>

          <registryKeys>

             <registryKey keyName="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCardSvr\Parameters">

                <registryValue name="ServiceDll" valueType="REG_EXPAND_SZ" value="%SystemRoot%\System32\SCardSvr.dll" buildFilter=""></registryValue>

                <registryValue name="ServiceMain" valueType="REG_SZ" value="CalaisMain" buildFilter=""></registryValue>

                <registryValue name="ServiceDllUnloadOnStop" valueType="REG_DWORD" value="1" buildFilter=""></registryValue>

             </registryKey>

             <securityDescriptor name="ServiceXKeySecurity"/>

          </registryKeys>

          <securityDescriptor name="ServiceXSecurity" buildFilter=""/>

    </serviceData>

 

By default, the service is set into manual mode.  It is the responsibility of any smart card driver author to set the service state of Automatic and call a predefined entry point in winscard.dll that will start the service.  This ensures that the service is enabled when needed but is also disabled for the vast majority of users that don’t use smart cards.

When the service is started it performs several book keeping functions.  The first function it performs is registers itself for service notifications.  In addition, it registers itself for PnP notifications for device removal and additions.  It also initializes its data cache and a global event that signals that the service is started.

 

All communications with smart card readers on Windows should take place through the SCRM.  It provides a rich interface to track, select, and communicate with all drivers that declare themselves as a member of the smart card reader device group. The SCRM views each smart card reader slot as a unique reader and each slot is managed separately regardless of the actual physical characteristics of the device.  The SCRM handles the following high level actions:

  • Device introduction
  • Reader initialization
  • Notify clients of new readers
  • Serializing access to readers
  • Card Access
  • Tunneling of reader specific commands
Posted by Shivaram Mysore | 3 Comments
Filed under:
Monday, February 26, 2007 9:32 AM

Smart Card related Group Policy Settings in Vista

The following table illustrates the Group Policy Settings that can be used on a per-machine basis.  There are no settings on a per user basis.  Some of these settings can be applied only to a Vista level functional domain – for example Domain Hints.  All of the keys are located under \Policies\Microsoft\Windows\SmartCardCredentialProvider and \Policies\Microsoft\Windows\CertProp hierarchy.


From the Group Policy Editor (gpedit.exe), group policy can be edited and applied to machines on the domain.  Smart Card related policies exist under:

Computer Configuration\Administrative Templates\Windows components\Smart Card

Once they are applied by the Domain Administrator, on the user’s local machine they will reside in [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider]

Key

Description

AllowSignatureOnlyKeys

Allow signature keys valid for Logon (also applies to whenever Credential UI is called)

This policy setting lets you allow signature key-based certificates to be enumerated and available for logon.

 

If you enable this policy setting then any certificates available on the smart card with a signature only key will be listed on the logon screen.

 

If you disable or do not configure this policy setting, any available smart card signature key-based certificates will not be listed on the logon screen.

AllowCertificatesWithNoEKU

This policy setting lets you allow certificates without an Extended Key Usage (EKU) set to be used for logon.

 

Under previous versions of Microsoft Windows, the EKU extension was required to have the smart card logon Object Identifier (OID) present.  This setting controls that restriction.

 

If you enable this policy setting, only those smart card based certificates that contain the smart card logon OID or no EKU extension will be listed on the logon screen.

 

If you disable or do not configure this policy setting then only those smart card based certificates that contain the smart card logon OID will be listed on the logon screen.

AllowTimeInvalidCertificates

This policy setting permits those certificates to be displayed for logon that are either expired or not yet valid.

 

Under previous versions of Microsoft Windows, certificates were required to contain a valid time and not be expired.  The certificate must still be accepted by the domain controller in order to be used.  This setting only controls the displaying of the certificate on the client machine.

 

If you enable this policy setting certificates will be listed on the logon screen regardless of whether they have an invalid time or their time validity has expired.

 

If you disable or do not configure this policy setting, certificates which are expired or not yet valid will not be listed on the logon screen.

AllowIntegratedUnblock

This policy setting lets you determine whether the integrated unblock feature will be available in the logon User Interface (UI).

 

In order to use the integrated unblock feature your smart card must support this feature.  Please check with your hardware manufacturer to see if your smart card supports this feature.

 

If you enable this policy setting, the integrated unblock feature will be available.

 

If you disable or do not configure this policy setting then the integrated unblock feature will not be available.

ReverseSubject

This policy setting lets you reverse the subject name from how it is stored in the certificate when displaying it during logon. 

         

By default the user principal name (UPN) is displayed in addition to the common name to help users distinguish one certificate from another.  For example, if the certificate subject was CN=User1, OU=Users, DN=example, DN=com and had an UPN of user1@example.com then "User1" will be displayed along with "user1@example.com."  If the UPN is not present then the entire subject name will be displayed.  This setting controls the appearance of that subject name and might need to be adjusted per organization.

 

If you enable this policy setting or do not configure this setting, then the subject name will be reversed. 

 

If you disable , the subject name will be displayed as it appears in the certificate.

X509HintsNeeded

This policy setting lets you determine whether an optional field will be displayed during logon and elevation that allows a user to enter his or her user name or user name and domain, thereby associating a certificate with that user.

 

If you enable this policy setting then an optional field that allows a user to enter their user name or user name and domain will be displayed.

 

If you disable or do not configure this policy setting, an optional field that allows a users to enter their user name or user name and domain will not be displayed.

IntegratedUnblockPromptString

This policy setting allows you to manage a specific string is displayed when a smart card is blocked.

 

If you enable this policy setting, the specified string will be displayed to the user when the smart card is blocked.  Note: The following policy setting must be enabled - Allow Integrated Unblock screen to be displayed at the time of logon.

 

If you disable or do not configure this policy setting, the default string will be displayed to the user when the smart card is blocked, if the integrated unblock feature is enabled.

CertPropEnabledString

This policy setting allows you to manage the certificate propagation that occurs when a smart card is inserted.

 

If you enable or do not configure this policy setting then certificate propagation will occur when you insert your smart card.

 

If you disable this policy setting, certificate propagation will not occur and the certificates will not be made available to applications such as Outlook.

CertPropRootEnabledString

This policy setting allows you to manage the root certificate propagation that occurs when a smart card is inserted.

 

If you enable or do not configure this policy setting then root certificate propagation will occur when you insert your smart card.  Note: For this policy setting to work the following policy setting must also be enabled: Turn on certificate propagation from smart card

 

If you disable this policy setting then root certificates will not be propagated from the smart card.

RootsCleanupOption

Configure root certificate clean up.  This option is located in HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\CertProp

This policy setting allows you to manage the clean up behavior of root certificates.  If you enable this policy setting then root certificate cleanup will occur according to the option selected. If you disable or do not configure this setting then root certificate clean up will occur on log off.

Root certificate clean up options include:

§  No cleanup (Default)

§  Clean up certificates on smart card removal

§  Clean up certificates on user log off

Note: This policy works in conjunction with HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots\Flags.  If this is set (off by default), then root certificates even from Smart Card will be disabled for propagation.

Require Smart Card (Machine Policy) – Policies for Interactive logon

Enforce Smart Card required for Logon on a per machine basis. 

 

Key is located in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Policies\System\scforceoption

 

The following are the supported values:

0 à No Action

1 à Enable Smart Card Required for Logon

Smart Card Removal Policy – Policies for Interactive logon

Note:  If Smart Card Removal Policy service is not running, then start the policy using the command: net start ScPolicySvc and set start type to Auto (sc config scpolicysvc start= auto )

 

Key is located in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\scremoveoption

If this is set (off, 0, by default), the removal of Smart Card will lock the workstation.  The following are the supported values:

0 à No Action

1 à Lock Workstation – user session locked on Smart Card removal

2 à Log Off – User logged off on Smart Card removal

3 à Disconnect from remote Terminal Server Session – removal of the smart card disconnects the session without logging the user off. This allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped terminal, without having to log on again.

FilterDuplicateCertificates

This policy settings lets you configure if all your valid logon certificates are displayed.

 

During the certificate renewal period, a user can have multiple valid logon certificates issued from the same certificate template.  This can cause confusion as to which certificate to select for logon.  The common case for this behavior is when a certificate is renewed and the old one has not yet expired.  Two certificates are determined to be the same if they are issued from the same template with the same major version and they are for the same user (determined by their UPN).

         

If there are two or more of the "same" certificate on a smart card and this policy is enabled then the certificate that is used for logon on Windows 2000, Windows XP, and Windows 2003 Server will be shown, otherwise the the certificate with the expiration time furthest in the future will be shown.  Note: This setting will be applied after the following policy: "Allow time invalid certificates"

 

If you enable or do not configure this policy setting, filtering will take place.

 

If you disable this policy setting, no filtering will take place.

ForceReadingAllCertificates

(0 == default only, 1 == all certificates)

 

Force reading of all certificates from the smart card regardless of the supported feature set in the CSP.  This policy is applicable whenever Smart Card Credential Provider or Credential UI is called.

 

 

If you enable this setting, then Windows will attempt to read all certificates on the smart card regardless of the feature set in the CSP.

 

If you disable or do not configure this setting (default), Windows will only read the default container of the Smart Card for logon unless it supports retrieval of all certificates in a single call  Certificates stored other than in the default container will not be available for logon.

Note: During deployment additional policies may be required for ease of use or better security.  Some of them include:

  • Turning off Delegation for machines
  • Do not require CAD @ logon (not recommended)

Local Policy Settings for Microsoft Base Smart Card Crypto Service and Key Storage Provider

Local Policy Settings for Microsoft Base Smart Card Crypto Service Provider are located in [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider]: (Same settings exist for Smart Card Key Storage Provider under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Providers\Microsoft Smart Card Key Storage Provider)

Key

Description

DefaultPrivateKeyLenBits

Type = dword

Default Value = 00000400

Default key generation parameter – 1024 bit keys

RequireOnCardPrivateKeyGen

Type = dword

Default Value = 00000000This sets the flag for requiring on card private key generation (default)

 

If this value is set, then key generated on a host can be imported into the card.  This is used for cards which don’t support on-card key generation or where key escrow is required.