Smart Card Logon on Windows Vista


Differences in Vista


Smart card logon under Windows Vista has changed in several key aspects.  The primary differences are highlighted below:


·         Logon is no longer triggered by smart card insertion.  Users are required to press Ctrl+Alt+Del (CAD) to start the logon process.


·         Valid certificates are enumerated from all inserted smart cards and presented to the user.


·         Keys are no longer restricted to the default container, and certificates on different smart cards can be chosen.


·         The CSP is opened in both logonUI.exe and lsass.exe.  The CSP is never loaded into the winlogon process.


·         Multiple TS sessions are supported in a single process.  Since Windows Vista is tightly integrated with Terminal Services to provide fast user switching, this fact should not be overlooked.


Certificate enumeration


When a smart card is inserted, the following steps are followed in order:


(Note: unless otherwise mentioned, all operations are performed silently, i.e. CRYPT_SILENT is passed to CryptAcquireContext.)


1.       The Cryptographic Service Provider for that smart card is queried from the Smart Card Resource Manager database.


2.       A qualified container name is constructed using the reader name and is passed to the CSP.  The format for that name is as follows:  \\.\<Reader name>\


3.       CryptAcquireContext is called to retrieve a context to the default container.  A failure here causes the smart card to be unusable for smart card logon.


4.       The name of the container is retrieved by requesting the PP_CONTAINER parameter using CryptGetProvParam.


5.        Using the context acquired in step 3, the CSP is queried for the PP_USER_CERTSTORE parameter, which was added in Vista (see the section on new CAPI properties for more information).  On success, a certificate store is returned and program flow skips to step 8.


6.       If step 5 fails, then the default container context (from step 3) is queried for the AT_KEYEXCHANGE key.


7.       The certificate is then queried from the key context using KP_CERTIFICATE.  The certificate is added to an in-memory certificate store.


8.       For each certificate in the certificate store (either from step 5 or step 7), the following checks are performed.  These are the same requirements as in Windows 2003, but they are performed before the user enters their PIN.  Many of these can be overridden using group policy settings:


a.       The certificate must be valid based on the computer's system clock (neither expired nor valid only in the future).


b.      The certificate must not be in the AT_SIGNATURE part of a container.


c.       The certificate must have a valid UPN.


d.      The certificate must have the Digital Signature Key Usage.


e.      The certificate must have the Smart Card Logon EKU.


Certificates that meet the above checks are displayed to the user, showing the certificate's Common Name in large text along with the certificate's UPN (or email address or subject, depending on which extensions are present).


9.       A certificate is then chosen and the PIN is entered.


10.       LogonUI.exe packages up the information and sends the information to lsass.exe to process the logon attempt.  See the section below for its usage there.


11.       If successful, logonUI.exe is torn down, causing the context acquired in step 3 to be released.
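The pre-PIN filter of step 8 as an added C# example (not the post's code): it applies checks 8a and 8c through 8e to each certificate in the current user's MY store using .NET's X509Certificate2 rather than the CAPI calls named above, and reports which checks fail. The class and method names are mine; check 8b (key slot) is a CSP container property not visible from a store entry, and the group policy overrides the post mentions are not modelled.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using System.Text.RegularExpressions;

// Hypothetical helper (not from the post): applies the pre-PIN checks 8a and 8c-8e
// to a certificate and lists the ones that fail. Check 8b (key not in the
// AT_SIGNATURE slot) is a CSP container property, not visible from a store entry.
static class LogonCertFilter
{
    const string SmartCardLogonEku = "1.3.6.1.4.1.311.20.2.2"; // szOID_KP_SMARTCARD_LOGON
    const string SubjectAltNameOid = "2.5.29.17";
    public static List<string> Rejections(X509Certificate2 cert, DateTime now)
    {
        var reasons = new List<string>();
        // 8a: valid against the machine clock (neither expired nor not yet valid)
        if (now < cert.NotBefore || now > cert.NotAfter)
            reasons.Add("outside validity period (8a)");
        bool hasDigitalSignature = false, hasLogonEku = false, hasUpn = false;
        foreach (X509Extension ext in cert.Extensions)
        {
            // 8d: Key Usage must include Digital Signature
            if (ext is X509KeyUsageExtension ku &&
                (ku.KeyUsages & X509KeyUsageFlags.DigitalSignature) != 0)
                hasDigitalSignature = true;
            // 8e: Enhanced Key Usage must include Smart Card Logon
            if (ext is X509EnhancedKeyUsageExtension eku)
                foreach (var oid in eku.EnhancedKeyUsages)
                    if (oid.Value == SmartCardLogonEku) hasLogonEku = true;
            // 8c: the UPN is an otherName (1.3.6.1.4.1.311.20.2.3) inside the Subject
            // Alternative Name; the Windows formatter renders it as "Principal Name=".
            if (ext.Oid.Value == SubjectAltNameOid &&
                Regex.IsMatch(ext.Format(true), @"Principal Name=\S+"))
                hasUpn = true;
        }
        if (!hasUpn) reasons.Add("no UPN in Subject Alternative Name (8c)");
        if (!hasDigitalSignature) reasons.Add("Key Usage lacks Digital Signature (8d)");
        if (!hasLogonEku) reasons.Add("no Smart Card Logon EKU (8e)");
        return reasons;
    }
    // Walk the current user's MY store and print the verdict for each certificate.
    static void Main()
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);
            foreach (var cert in store.Certificates)
            {
                var r = Rejections(cert, DateTime.Now);
                Console.WriteLine("{0}: {1}", cert.Subject, r.Count == 0 ? "eligible" : string.Join("; ", r));
            }
        }
    }
}
```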


New session management in Windows Vista


In order for smart card applications to work properly under Vista, sessions must be handled correctly.   The first user account gets session 1, the second gets session 2.  Temporary sessions (used when the user chooses disconnect instead of log off) are also assigned a session number.  Sessions last for the length of the user logon.  On a reconnect (such as over TS or in a Fast User Switching (FUS) scenario), the temporary session will be destroyed.


A key distinction is that a disconnected local logon session is treated identically to a disconnected remote session.  Also, sessions can transfer between local and remote without requiring a process restart.


Winscard enforcement of session separation


By default, the smart card readers on the local machine are only available to the currently active console session.  This is handled by restricting access to the smart card resource manager and is enforced by the winscard layer.  Consider the following example:


1.       User A logs in and is assigned a session of 1.


2.       User A launches Application XYZ which monitors for smart card removal.


3.       User A then locks the computer and presses the FUS button so others can use the computer.


4.       A new session (2) is created which launches logonUI.exe.


5.        At this point all smart card contexts acquired in session 1 are invalid due to the session change.  Any use of these contexts will result in an error.  These contexts should be closed.


6.       Application XYZ receives the error SCARD_E_SYSTEM_CANCELLED from its SCardGetStatusChange call and performs whatever actions it takes on this return value.


7.       Application XYZ then calls SCardAccessStartedEvent() and waits for the smart card resource manager to “start up” again.


8.       User A returns to the computer and logs on and is reconnected to session 1.


9.        The next two operations occur at the same time:


a.       All contexts associated with session 2 are invalidated in the same way as the session 1 contexts were in step 5.


b.      The event from step 7 is signaled and Application XYZ can call SCardEstablishContext to communicate with the smart card again.


10.       User A runs “runas /smartcard” once returned to the desktop.
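The application side of steps 5 through 9b as an added C# example (not the post's code): a monitor that watches one reader, treats SCARD_E_SYSTEM_CANCELLED as the signal to discard its context, waits on the resource manager's started event and then re-establishes the context. The class name, the reader-name argument and the P/Invoke declarations are mine; it assumes the reader name is passed on the command line.

```csharp
using System;
using System.Runtime.InteropServices;

// Hypothetical monitor for "Application XYZ" (not from the post): watches one reader
// and survives a session switch as steps 5-9b describe: drop the cancelled context,
// wait for the resource manager's started event, then establish a fresh context.
static class CardMonitor
{
    const uint SCARD_SCOPE_USER = 0, SCARD_STATE_UNAWARE = 0;
    const uint SCARD_STATE_CHANGED = 0x2, SCARD_STATE_PRESENT = 0x20, INFINITE = 0xFFFFFFFF;
    const int SCARD_S_SUCCESS = 0;
    const int SCARD_E_SYSTEM_CANCELLED = unchecked((int)0x80100012); // session switch
    const int SCARD_E_NO_SERVICE = unchecked((int)0x8010001D);       // manager not running

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct SCARD_READERSTATE
    {
        public string szReader; public IntPtr pvUserData;
        public uint dwCurrentState, dwEventState, cbAtr;
        [MarshalAs(UnmanagedType.ByValArray, SizeConst = 36)] public byte[] rgbAtr;
    }

    [DllImport("winscard.dll")] static extern int SCardEstablishContext(uint scope, IntPtr r1, IntPtr r2, out IntPtr ctx);
    [DllImport("winscard.dll")] static extern int SCardReleaseContext(IntPtr ctx);
    [DllImport("winscard.dll", CharSet = CharSet.Unicode)]
    static extern int SCardGetStatusChange(IntPtr ctx, uint timeout, [In, Out] SCARD_READERSTATE[] states, uint count);
    [DllImport("winscard.dll")] static extern IntPtr SCardAccessStartedEvent();
    [DllImport("winscard.dll")] static extern void SCardReleaseStartedEvent();
    [DllImport("kernel32.dll")] static extern uint WaitForSingleObject(IntPtr handle, uint ms);

    static void Main(string[] args)
    {
        string reader = args.Length > 0 ? args[0] : "<reader name>"; // placeholder, pass the real name
        for (;;)
        {
            IntPtr ctx;
            int rc = SCardEstablishContext(SCARD_SCOPE_USER, IntPtr.Zero, IntPtr.Zero, out ctx);
            if (rc == SCARD_S_SUCCESS)
            {
                var st = new[] { new SCARD_READERSTATE { szReader = reader, dwCurrentState = SCARD_STATE_UNAWARE, rgbAtr = new byte[36] } };
                while ((rc = SCardGetStatusChange(ctx, INFINITE, st, 1)) == SCARD_S_SUCCESS)
                {
                    bool present = (st[0].dwEventState & SCARD_STATE_PRESENT) != 0;
                    Console.WriteLine(present ? "card present" : "card removed");
                    st[0].dwCurrentState = st[0].dwEventState & ~SCARD_STATE_CHANGED; // arm for the next change
                }
                SCardReleaseContext(ctx); // step 5: the context is dead after a session change, close it
            }
            if (rc != SCARD_E_SYSTEM_CANCELLED && rc != SCARD_E_NO_SERVICE) { Console.WriteLine("error 0x{0:X8}", rc); return; }
            // step 7: block until the resource manager serves this session again, then loop to step 9b
            WaitForSingleObject(SCardAccessStartedEvent(), INFINITE);
            SCardReleaseStartedEvent();
        }
    }
}
```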


Smart card logon in the LSA using Kerberos


The operations performed in smart card logon are very similar to the ones performed in previous versions of Windows.  The primary exception is that previously the smart card operations were done via a callback into winlogon.  Now, with the improved session handling in the Smart Card Resource Manager, CSP contexts are used directly in the LSA.


All CSP calls are made impersonating the caller.  This means the initial logon will run under the system context, but operations such as runas /smartcard will be performed under the context of the current user.


Most authentication trouble will be due to the session behavior.  Also, the LSA does not reacquire the context, instead relying on the CSP to handle the session change.  In the above example, step 8 would have caused a context to be acquired by Kerberos under a session 2 impersonation token (under the system context).  In step 10, that same context would be reused but under a different impersonation token (the user token).  This could cause trouble with some CSP implementations.


(thanks to Dan Sledz for information)

Comments (23)

  1. jspooren says:

    Hi Shivaram,

    Many thanks for this post, which has cleared up (or at least shed a different light on) a few things I have been struggling with during the past couple of weeks!

    Do you know if there is a way to switch on logging for smart card events in Vista?  I don’t seem to be able to find any logging options in the Event Log (Applications and Services Logs / Microsoft / Windows / …) nor in the auditpol.exe settings…

    Best regards,

     Jan.

  2. jspooren says:

    Thanks Shivaram, but I didn’t refer to smart card logon events, for which Kerberos and CAPI2 tracing is indeed very helpful. I really meant smart card events, such as the starting and stopping of the smart card resource manager in a particular session.

    The information (also in your whitepaper) is very scarce on the topic of how the smart card manager behaves when sessions are switched, despite the remark that session switching should not be overlooked.  I definitely don’t want to overlook this (since it’s causing a lot of headaches) but I need more information on the do’s and don’ts.

    E.g., when using smart card transactions, it’s not uncommon to see smart card API calls get blocked when a session change occurs, e.g. when the user types the SAS.  This cannot be solved by using SCardAccessStartedEvent(), which sometimes still indicates the SRM is up; nor by using SCardIsValidContext(), which will block by itself.  The result is a hanging application, until the user withdraws the smart card.

    Hence, any information on the changes to the smart card environment in Vista would be greatly appreciated…

    Thanks,

     Jan.

  4. Robert says:

    There appears to be a problem with smartcard removal behavior on Vista, since regardless of the configuration or type of logon (with/without smartcard) nothing happens when the card is removed from the reader. Is there a work-around?

  5. Steven Hope says:

    Unlike previous versions of Windows, Vista requires the "Smart Card Removal Policy" service be running in order for the GPO settings to actually do anything.

    So you have to include in your GPO another setting to force the service to run, and set it to automatic as the service is on Manual by default – not very smart MSFT, this should be a core OS feature as it always has been, not a service bolt on!

  6. Jonas Öholm says:

    Very happy to see that you can logon to your domain without certificates containing an EKU or UPN, but I wonder if this feature in Vista requires a change from W2003 Server to W2008 Server?

    Best regards,

    Jonas

  7. nanci says:

    I have a computer with the Vista program. I need to work from home and be able to get into the Citrix program that is used at work. I would just like to get my e-mail for work, which I have to go through Citrix to do.

    I downloaded all the information for the Active client. It’s ok to that point, but when I try to logon to Citrix with the home Citrix address it tells me that I am not an authorized user and I need a certificate. Can you help me?

  8. staier says:

    Shivaram, can you point me to a good guide or source code illuminating how exactly the LogonUser API gets called using a certificate read from a smartcard? I am completely lost.

    Thanks in advance.

  9. Fred says:

    First, – Thanks for the good posts!

    Question: Can a Vista credential provider be launched during a session that is already started? Consider the following scenario. A user logs on and then wants to sign an email in Outlook. To be allowed to sign the email one more user verification is needed before using the certificate (let’s say the certificate is retrieved from a smart card). How would this extra credential be collected? Should the CSP collect it or could a credential provider be launched again?

  10. Mike Hayes says:

    Shivaram,

    I am experiencing a problem with smartcard behavior that I can’t find any information on elsewhere.  After I pull my smartcard and the computer locks, most of the time, when I reinsert the card and enter the passphrase, the O/S logs me back on, I then see the user screen for about a second and the O/S locks the screen again, as if I had removed the smartcard.

    Any thoughts?

  12. glosoria says:

    I am having problems setting up a scenario in which I can log on to an account configured for smart card logon in Windows Vista.  

    I think I comply with all the specified requirements pointed out in the paper published by Microsoft that is titled ‘Windows Vista Smart Card Infrastructure’ (http://www.microsoft.com/downloads/details.aspx?FamilyID=AC201438-3317-44D3-9638-07625FE397B9&displaylang=en).

    When I try to log on I get an error saying "The system could not log you on. Your credentials could not be verified" and in event viewer I can see the following error:

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Smart Card Logon" />
        <EventID Qualifiers="1">7</EventID>
        <Level>2</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2008-06-29T12:32:12.000Z" />
        <EventRecordID>414</EventRecordID>
        <Channel>Application</Channel>
        <Computer>gloriasLaptop.cyum.es</Computer>
        <Security />
      </System>
      <EventData>
        <Data>El proveedor no pudo realizar la acción ya que el contexto se adquirió de forma silenciosa.</Data>
        <Binary>22000980</Binary>
      </EventData>
    </Event>

    The error message in English is: error in the signature using the inserted smart card: the provider couldn’t do such operation because the context was acquired in a silent way.

    Any clues why this is happening?

    Thanks in advance.

  13. Moises Zamora says:

    I have a problem with smartcard logon too.

    I’m using third party software for Winlogon. Well, when I try to logon through the Smartcard option, Win Vista displays "Reading smartcard" and some seconds later displays “No valid certificates found. Check that the card is inserted correctly and fits tightly.” I don’t know why.

    In Win XP the smartcard logon works perfectly, and the Smart Card Removal Policy too.

    Any clue?

  14. Amit Goel says:

    Hi Moises,

    I am facing the same problem. Which company’s card are you using? Is your software using BaseCSP to enumerate the certificates?

  15. Moises Zamora says:

    Amit, I’m using a SafeNet smartcard 330 and the third party software is from SafeNet too.

    I don’t know if the software is using BaseCSP; how can I verify that?

  16. tugak says:

    Shivaram,

    Thank you for this informative blog.  By the way, just one question: if I get the blob directly from the card and I put it in the ‘MY’ certificate store using its PCCERT_CONTEXT handle, is there a way I can get the CA root of this certificate by using its handle?

    more power.

    tugak

  17. rienks says:

    I’m receiving "An untrusted certificate used for authentication…" when trying to logon with a smartcard to my Vista workstation connected to a 2003 domain.  Any suggestions?

  18. Flc says:

    Hi there,

    With BaseCsp, what is the file format for the ksc00 and kxc00 certificates? Should we return a DER encoded certificate when CardReadFile requests the ksc00 file, or another format?

    Thank you for help.

  19. 5_Fathom_Bank says:

    Our Family Computer which has Vista Ultimate installed is used by all.

    One of our sons’ friends has a very good computer operating system knowledge base, and he has been caught going through other family members’ data stored on the computer.

    Even though our data is encrypted and we each have a ‘User Login’ he still somehow got to do what he was doing through the Guest Account.  My wife’s and my second son’s personal files were not encrypted, but thankfully my daughter’s & mine were.

    My question is, I have a new HP Smart Card Terminal keyboard that is still in its box and has not been used before. Should I plug it in and employ that sort of security system so that each family member has their own Smart Card to login, including the Guest Account, and would that help cripple this individual’s hacking ability?

    Note, there is nothing of a security nature within now as my daughter has taken off all of her personal files and stored them on a small removable drive, it’s just to curb this sort of happenings when we are not about as my second son hasn’t gone back on since…

    If you may think so, what sorts of packages are available for the Mr. Joe Average to employ on their computer?  We will be Updating to Windows V7.

    Guidance appreciated.

  20. Dave says:

    Is there a way to restore the automated logon process when a smart card is inserted? I have a user whose mobility is limited and who has a hard time trying to perform CTRL+ALT+DELETE key strokes. Will I be able to find this feature in Accessibility options?

    Respectfully,

    Dave

  21. Saravanan says:

    Hi.

    When I try to enroll a certificate with Microsoft Enhanced Cryptographic Provider v1.0 it is successful, but if I try to enroll a certificate using Smart Card (Microsoft Base Smart Card Crypto Provider) it gives the error 0x8010001D (The Smart card resource manager is not running), even though I have checked that the smart card service is running in services.

    Could you help me to solve this problem?

    Thanks in Advance

  22. A.Nadeem says:

    Dear

    Moises Zamora

    When I insert the smart card, it demands a PIN in Windows XP, but when I provide the PIN (either the correct one or a wrong one) it says "the system could not log you on. the smart card was removed." But the smart card is inserted. How can I successfully login to Windows XP?

    Regards