Paradoxically, you should remove the smart card when logging on with a smart card


To connect to the Microsoft corporate network from home, employees need to use smart card authentication. But, somewhat paradoxically, the logon goes faster if you remove the smart card.

A colleague of mine tipped me off to this. To initiate the connection, you have to insert the smart card and provide the smart card password. Then the system connects to Microsoft and validates both the smart card and password. During this time, you can see the smart card access light blink on and off, and an "elapsed time" meter will start running.

Once the elapsed time reaches five seconds, remove the smart card. The actual smart card authentication is finished in those five seconds; the rest of the time goes to other validation: quarantining your system, confirming that you have all the necessary patches, that sort of thing. Some of those operations require authentication of their own, and if the smart card is still in the reader, the system will try to authenticate with the smart card (slow) even though that isn't the kind of authentication those operations need.

If you remove the card, then the system won't try to use the smart card, and the rest of the logon process will go much faster.

This tip may not work for other people who use smart cards for authentication, but it works for me to connect to Microsoft. What used to take thirty seconds now takes just seven.

Comments (23)
  1. Anonymous says:

    Any info on how this got diagnosed in the first place?

  2. Anonymous says:

    Has anyone submitted a bug report?

    I know that when these sorts of things happen to me, I always find myself shaking my fist and thinking “doesn’t anyone at Microsoft notice these problems!”. Looks like it does but that doesn’t always help :)

    [My guess is that it’s a feature, not a bug. If you have a smart card inserted, then it joins the “search path” for authentication. After all, if you put your floppy drive in the PATH, you shouldn’t be surprised that path searches are slow. -Raymond]
  3. Anonymous says:

    Is this for all (NT4/5/.x+?) operating systems, or is it some Vista-specific screwup (I did btw have a chance to try Vista RTM now, and my first and probably lasting impression is that Microsoft is its own worst enemy; given a chance I want back the NT4/Win95 Explorer.exe – seriously!).

  4. Anonymous says:

    Of course, the only good solution is to not work from home!! Often you had better keep work and personal lives separate.

  5. mathh says:

    Well, it certainly should be a bug if the floppy drive was in the PATH by default.

    What is the alternative authentication mechanism the rest of the validation uses?

    [You know, NTLM, Kerberos, all the other security packages. If the smart card were not in the search path of authentication providers, then how could you log on with a smart card? -Raymond]
  6. Anonymous says:

    Wow… You found a behaviour that has been known for years now. But it seems that MS was not interested in fixing this. Maybe now we get a solution. Btw. I develop applications that make massive use of smart cards and PKI. It’s really nice if you have inserted around 200 cards already, and all the public certificates are stored in your crypto container. When enumerating the store for a signing certificate it checks all those 200 certificates to see if the card where the private key is stored may be available… This normally takes between 5-10 seconds per certificate.

  7. Anonymous says:

    As the slowest authentication provider, the smart card should be at the END of the search path, then this workaround wouldn’t be necessary.

    [I don’t know whether there’s a way to ask a provider how fast it is, and the speed of a provider is often quite variable. NTLM is really slow if the domain controller is unavailable. (The timeout is what, 30 seconds?) -Raymond]
  8. Anonymous says:

    After all, if you put your floppy drive in the PATH, you shouldn’t be surprised that path searches are slow. -Raymond

    I’d be surprised – you can cache filesystem metadata and flush it when the disk is removed. Not so with smartcards.

  9. Anonymous says:

    How do you flush unwritten data to an already ejected floppy?

  10. richardb says:

    Even with this trick, the quarantine process still took 5+ minutes on my machine. Thank god for the TS gateway!

  11. Anonymous says:

    (Disclaimer: I’m not a windows user and don’t know this subsystem)

    What about parallelizing authentication? If search order doesn’t matter this could be a huge win. If search order does matter then this could still be a win, albeit a smaller one. This sounds especially apropos here where it sounds like the smart card is a local resource so you don’t have to worry about overtaxing it with requests.

  12. Anonymous says:

    First, the MS VPN software is way better than the Nortel stuff I used before, smart card or not. Second, yes, there is weirdness with smart cards and the OS itself. Like if you boot with one, it brings up a different login dialog from normal.

    What is most annoying for me is that Domain authentication at login time happens before you are on the network, so you can’t easily renew your domain password *and have the laptop update its cached value*. There’s an assumption in the domain code that you bring your machine back in to the office regularly. Which means that a domained VMWare image at home every so often has to traipse into work on the hard disk of a laptop, then back again.

  13. Anonymous says:

    How about caching NAKs? Assuming you’re validating distinguishable entities, you can short circuit a failure for a while (say, about 5-10 minutes)
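
As an added illustration (not code from the post, from the commenter, or from Windows), here is a constructed Python model of the "search path" behaviour the post describes, in which an inserted smart card is tried, and refused, before the providers that could actually satisfy a domain-credential request, together with the negative-result cache suggested in the comment above. The provider names, their per-attempt costs, the number of follow-up checks, the cache TTL and the user name are all assumptions chosen so that the totals resemble the post's thirty-versus-seven seconds; nothing here touches a real card or a real security package.

```python
"""Constructed model of an authentication provider search path.

This is not Windows code. Providers are tried in order until one accepts the
credential; costs are simulated seconds (nothing sleeps, no card is touched),
so the numbers only illustrate the shape of the problem described in the post.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Credential:
    kind: str   # "pin": smart card PIN; "ticket": domain credential
    user: str


@dataclass
class Provider:
    name: str
    accepts: str    # credential kind this provider can authenticate
    cost: float     # assumed seconds per attempt, success or failure

    def try_auth(self, cred: Credential) -> Tuple[bool, float]:
        # A failed attempt costs as much as a successful one: the slow card
        # round trip happens before the provider can answer "no".
        return cred.kind == self.accepts, self.cost


class NakCache:
    """Remember (provider, user, credential kind) failures for a limited time."""

    def __init__(self, ttl: float) -> None:
        self.ttl = ttl
        self._expiry: Dict[Tuple[str, str, str], float] = {}

    def is_nak(self, prov: str, cred: Credential, now: float) -> bool:
        exp = self._expiry.get((prov, cred.user, cred.kind))
        return exp is not None and now < exp

    def record(self, prov: str, cred: Credential, now: float) -> None:
        self._expiry[(prov, cred.user, cred.kind)] = now + self.ttl


def authenticate(providers: List[Provider], cred: Credential, now: float,
                 cache: Optional[NakCache] = None) -> Tuple[Optional[str], float]:
    """Walk the search path; return (provider that accepted or None, elapsed)."""
    elapsed = 0.0
    for p in providers:
        if cache is not None and cache.is_nak(p.name, cred, now + elapsed):
            continue                       # recently refused: skip the slow try
        ok, cost = p.try_auth(cred)
        elapsed += cost
        if ok:
            return p.name, elapsed
        if cache is not None:
            cache.record(p.name, cred, now + elapsed)
    return None, elapsed


def logon_session(card_inserted: bool, follow_ups: int = 5,
                  nak_ttl: Optional[float] = None) -> float:
    """Simulate the post's logon: one smart card authentication, then several
    follow-up checks (quarantine, patch state) that need a domain credential.
    Returns the total simulated seconds."""
    smart_card = Provider("smartcard", accepts="pin", cost=5.0)   # assumed
    kerberos = Provider("kerberos", accepts="ticket", cost=0.5)   # assumed
    ntlm = Provider("ntlm", accepts="ticket", cost=0.2)           # assumed
    cache = NakCache(nak_ttl) if nak_ttl else None
    user = "alice"                                               # constructed

    clock = 0.0
    # Step 1: the real smart card logon; the card has to be in the reader.
    who, cost = authenticate([smart_card, kerberos, ntlm],
                             Credential("pin", user), clock, cache)
    if who != "smartcard":
        raise RuntimeError("smart card logon should succeed")
    clock += cost

    # Later steps: the card, if still inserted, stays at the front of the
    # search path and is tried (and refused) before a provider that can
    # actually handle a domain credential gets its turn.
    path = ([smart_card] if card_inserted else []) + [kerberos, ntlm]
    for _ in range(follow_ups):
        who, cost = authenticate(path, Credential("ticket", user), clock, cache)
        if who != "kerberos":
            raise RuntimeError("follow-up check should succeed via kerberos")
        clock += cost
    return clock


if __name__ == "__main__":
    for label, kwargs in [("card left in", dict(card_inserted=True)),
                          ("card removed", dict(card_inserted=False)),
                          ("card left in, NAK cache", dict(card_inserted=True, nak_ttl=600.0))]:
        print(f"{label:25s} {logon_session(**kwargs):5.1f} s")
```

The cache is keyed on the credential kind as well as the provider and user, so a cached refusal of a domain credential does not suppress a later, legitimate PIN logon through the same card; the TTL of 600 seconds is the commenter's 5-10 minute window. Removing the card still wins over caching in this model, because the cache only spares you the second and later refusals, not the first one.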

  14. Anonymous says:

    wireless floppy: Write-through caching – cache the stuff you *read*, keeping that in memory to speed up those PATH searches, but write everything out straight away (so you never lose data that way).

    Or you start throwing ‘delayed write failed … data lost’ errors during backups, even when write caching is disabled. That made for a fun weekend, trying to get backups working properly again on that server :-(

  15. Anonymous says:

    Steve Loughran wrote, "What is most annoying for me is that Domain authentication at login time happens before you are on the network, so you can’t easily renew your domain password *and have the laptop update its cached value*. There’s an assumption in the domain code that you bring your machine back in to the office regularly. Which means that a domained VMWare image at home every so often has to traipse into work on the hard disk of a laptop, then back again."

    I’d like to point out that once you change your password on XP on MachineA, MachineB (logged in with the same username and old password) can be updated by locking and unlocking the workstation (assuming a DC is available either on the LAN, on a VPN connection or on a dialup connection).

    You could therefore just VPN in from the VM, lock it and unlock it – cached credential update now complete.

  16. Anonymous says:

    You could therefore just VPN in from the VM, lock it and unlock it – cached credential update now complete.

    Or more simply, establish the VPN during logon.

  17. Anonymous says:

    Just forget about the crappy VPN. The TS Gateway works much better for me (and it’s really all I need) – https://redmondts.microsoft.com

  18. Anonymous says:

    >You could therefore just VPN in from the VM, lock it and unlock it – cached credential update now complete.

    Or more simply, establish the VPN during logon.

    Not much use if you’re not connected to a network yet.

    I’m doing a lot of travelling between different companies/sites at the moment and pretty much everywhere has an "internet-only" wireless LAN setup that non-employees can use to connect back-to-base when they’re working with the company. So I need to boot up the laptop, login using cached credentials, find the right WLAN, do the WEP/WPA dance, login to VPN, and then finally I’m on the domain. Logging straight into VPN from the Windows login is fairly impractical (apart from the fact that I generally hibernate the laptop over night, and it’s normally only rebooted once a month after patch Tuesday).

    The lock workstation and unlock with your new password trick works perfectly, and only takes a few seconds once a month.

  19. Anonymous says:

    I ran into a problem here where one of our Japanese executives (at a Canadian company) would log into a TS session with a server in Japan. It would just sit at a blue screen and would never bring up the login screen. All the other executives could get in just fine except this one. I got lucky: I just went down the list of services running and for some strange reason the Smart Card service was running and it stood out in my mind. I killed it then re-launched the TS connection and instantly the login screen came up. It appears that just having the service running will cause other connections to slow down as well.

  20. Anonymous says:

    If the smart card is left in, how long should it typically take to authenticate? I find I can remove the smart card after as little as two seconds and it will complete the authentication, but if I leave the smart card in I have never had the authentication complete, even after letting it go for as long as ten minutes. It seems like the smart card driver is holding onto some sort of lock which stops the connection manager from doing anything, which makes it piss-poor software.

  21. Anonymous says:

    "I find I can remove the smart card after as little as two seconds and it will complete the authentication, but if I leave the smart card in I have never had the authentication complete, even after letting it go for as long as ten minutes."

    Let me guess, you’re connecting from a machine with > 1 network connection. Disable the interface you’re not using.

  22. Anonymous says:

    Raymond>

    "If the smart card were not in the search path of authentication providers, then how could you log on with a smart card?"

    Ah, but why does it have to be in the path after login?

    Why can’t an application choose to ignore slow authentication devices?

    Why is all this not user-configurable?

  23. Anonymous says:

    So the VPN software won’t try to mess with it.
