So, you want to use smart cards?


Smartcards, password elimination projects … etc… all good fun.


Well, I got around to compiling a number of challenges which may arise should you decide to get rid of passwords and move to smartcards only.


I don't claim that this list is complete, and I may do another post where I add to it, but it's a good place to start. You will notice that some of these are not public articles; just call in to PSS and ask for them if you really want them.


One more thing: I am very interested in hearing from those who are running into problems like these:


Smartcard cached logons – do you randomly seem to lose cached logons?


Slow logons – after implementing smartcards you saw logon times explode.


thanks!

spatdsg


Here is my list:

887196 http://support.microsoft.com/default.aspx?scid=kb;en-us;887196 XP – SP2
=======================================================================================
Summary of changes to the CryptoAPI certificate chain validation logic in Windows XP Service Pack 2 
895325 http://support.microsoft.com/default.aspx?scid=kb;EN-US;895325 XP – post SP2
=======================================================================================
Lsass.exe crashes soon after you log on to a computer that is running Windows XP Service Pack 2 (SP2) by using a smart card 


“If the domain component of the subject field is not in the last few attributes you can crash LSASS, for example with a subject like CN="SCLogon", OU=TEST, O=MyOrg, DC=spat, DC=com, C=US.”





894069 http://support.microsoft.com/default.aspx?scid=kb;EN-US;894069 XP – post SP2
======================================================================================


You receive the Change Password dialog box when you try to use a smart card to log on to a Windows Server 2003 domain in Windows XP Professional  


When you log on with a smart card to a Windows Server 2003 domain account whose password has expired, the dialog that prompts the user to change the password contains misleading information:


The “User name” field is empty and the “Old Password” is filled in.


However, you cannot simply punch in your new password.


The user needs to enter the UPN form of the account in the User name field (for example, user@domain.com). Generally, users (especially those who log on with a smart card) know nothing about the UPN form of their account, so they don't know what to enter.


Also, because the Old Password field is pre-filled, the user thinks he doesn't need to enter it. This is wrong: the field initially contains nothing useful, so he needs to clear it and then type the old password.


After you install this fix, the message makes it clearer that you should log on with your password:


“Your password has expired and must be changed. Please logon using your password in order to change it.”


892647  ( not a public article yet ) XP – post SP2
======================================================================================


Smartcard logon fails after installing WinXP SP2 


After upgrading WinXP Pro to SP2, smart card logon fails.


Uninstall SP2 and sclogon works again.


This problem appears when the sAMAccountName doesn’t match the name part of the UPN.
This problem also appears when an alternate UPN suffix is configured.


With the default UPN suffix, and when the sAMAccountName matches the name part of the UPN, smart card logon succeeds even with SP2.


923401  ( not a public article yet ) Win2k3 – post SP1  AND XP -post SP2
======================================================================================
Smart card over Terminal Services (TS) fails.



915832 http://support.microsoft.com/default.aspx?scid=kb;EN-US;915832 XP – post SP2
======================================================================================
Error message when you try to initiate a dial-up networking connection by using a smart card: “Error 0x80090016 – NTE_BAD_KEYSET”  


When you try to initiate a dial-up networking smart card connection, you may receive the following error message:



Error 0x80090016 – NTE_BAD_KEYSET 

875506 http://support.microsoft.com/?id=875506 XP – post SP2
======================================================================================


The PIN dialog box may not be displayed when you use a smart card to log on to a Windows Server 2003 Terminal Services session 
When you use a smart card to log on to a Microsoft Windows Server 2003 Terminal Services session, the smart card personal identification number (PIN) dialog box may not be displayed. This problem occurs if the following Group Policy settings are configured on the destination computer:


• Interactive logon: Message text for users attempting to log on
• Interactive logon: Message title for users attempting to log on  

915428 http://support.microsoft.com/?id=915428  XP – post SP2    
=======================================================


You do not receive an error message that states that you used the wrong PIN when you connect to a wireless 802.1X network by using EAP-TLS on a Windows XP-based computer


Consider the following scenario.


On a Microsoft Windows XP-based computer, you connect to a wireless 802.1X network by using a smart card together with Extensible Authentication Protocol with Transport Layer Security (EAP-TLS) and certificates for authentication.


When you log on by using the correct personal identification number (PIN), you can connect successfully. When you log on by using the wrong PIN, you cannot connect. However, in this scenario, you do not receive an error message that states that you used the wrong PIN.


After this fix you get a balloon pop-up when the PIN is wrong, so there is less chance of a PIN lockout.


890937 http://support.microsoft.com/kb/890937  XP – post SP2
=======================================================



Computer authentication cannot complete successfully when you use a smart card to log on to a wireless network in Windows XP or… “What if you need to use a machine certificate on the machine (soft token) for machine authentication and a user certificate on a smart card for user authentication?”


The issue is that the same EAP configuration is used for both machine and user authentication. If a user configures EAP-TLS with the smart card option, both machine and user authentication will be attempted using smart cards.


Machine authentication using a smart card is not possible, because accessing the smart card requires a PIN, and during machine authentication no user is logged on, so there is no way to show the PIN dialog. As a result, machine authentication is broken if someone wants to use smart cards for user authentication.


To enable this hotfix, follow these steps:


1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click to select the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13
3. With the key from step 2 selected, on the Edit menu, point to New, and then click DWORD Value.
4. Type UseSoftTokenWithMachineAuthentication, and then press ENTER.
5. Right-click UseSoftTokenWithMachineAuthentication, and then click Modify.
6. In the Value data box, type 1, and then click OK.
7. Quit Registry Editor.



329433 http://support.microsoft.com/default.aspx?scid=kb;EN-US;329433 XP – post SP1
======================================================================================= 
A Revoked Certificate Is Selected If a Certification Authority in the Chain Has Two Certificates 


Just a hotfix with many generally good changes to crypto, not all of which are documented accurately in the article text.


885423 http://support.microsoft.com/default.aspx?scid=kb;EN-US;885423 XP – post SP2
=======================================================================================


The network provider may not function as expected on your Windows XP-based computer 


“SYMPTOMS
When you manually log on to your Microsoft Windows XP-based computer with a user name and a password, the Winlogon.exe process may prematurely end the Mpnotify.exe process. The Mpnotify.exe process hosts network provider .dll files. Specifically, the Mpnotify.exe process calls the NPLogonNotify function of the network provider .dll file. Therefore, the network provider may not function as expected.
CAUSE
This problem may occur if the following conditions are true:


• You have a smart card reader attached to the workstation.
• The Winlogon.exe process detects the smart card reader in the background during the logon process. The Winlogon.exe process incorrectly ends the Mpnotify.exe process when any secure attention sequence (SAS) events are detected in the background.” 

887578 http://support.microsoft.com/?kbid=887578 Win2k3 – post RTM  AND XP -post SP2
===================================================================================================
You receive a “Logon failure” message when you use a smart card on a Windows Server 2003-based computer


This problem occurs when the certificate revocation list (CRL) is outdated and a new CRL is not available.


A public key infrastructure (PKI) that is not working can cause the distribution server of the CRL not to publish a new CRL. If a new CRL is not published, logons to client computers are not allowed. 


HKEY_Local_Machine\System\CurrentControlSet\Services\KDC\CRLValidityExtensionPeriod


This DWORD value lets you extend the CRL validity period by a specified number of hours. When you set this value to a non-zero value, the certificate status checking code for smart card logons ignores any validity period errors as long as the CRL has not been expired for more than the specified number of hours. This extension of the validity period applies only to CRLs that are used during the evaluation of certificates used for smart card logon.


For example, this extension would apply to a certificate that is issued by a certification authority (CA) that is populated in the NTAuth store and to any certificates that are part of the trust chain used to verify the NTAuth store certificate.


HKEY_Local_Machine\System\CurrentControlSet\Services\KDC\CRLTimeoutPeriod


This DWORD value lets you specify the CRL time-out period to reduce false positives. The Key Distribution Center (KDC) passes this value to the certificate policy checking code. By default, the KDC uses a time-out value of 90 seconds even if this registry value is not set.


HKEY_Local_Machine\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters\CRLTimeoutPeriod


This DWORD value lets you specify the CRL time-out period to reduce false positives. The Kerberos client passes this value to the certificate policy checking code. By default, the Kerberos client uses a time-out value of 90 seconds even if this registry value is not set.

906681 http://support.microsoft.com/?kbid=906681 XP – post SP2
========================================================================
A user can log on to a Windows XP-based computer by using a user name and a password, even though the “Smart card is required for interactive logon” user account property is set 


Consider the following scenario:


• The Smart card is required for interactive logon user account property is set on a computer that is running Microsoft Windows XP. 
• The smart card is lost or damaged. The user is temporarily permitted to log on by entering a user name and a password. 
• Later, a new smart card is issued to the user. The user is again required to log on only by using a smart card. 


In this scenario, the user can still log on offline with the temporary user name and password.


CAUSE
This problem occurs because the user name and the password are cached on the computer.


This fix deletes the previously cached user name and password, which makes sense if you have set the “Smart card is required for interactive logon” property on the account.


IMPORTANT NOTE ( UNDOCUMENTED )



Win2k3 – post 887578
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors


XP – post 906681
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos
UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors


What does this do?
The default value is 0. When this value is non-zero, the Kerberos client uses the cached CRL only and ignores revocation-unknown errors. If the value is not present, it is treated as 0. Note the trade-off: with a non-zero value, a smart card logon proceeds even when the revocation status of the certificate cannot be determined.


This setting is valid for Windows Server 2003 and XP, as noted above.


887535 http://support.microsoft.com/?id=887535 XP – post SP2
========================================================================


A user may log on successfully after a smart card certificate is revoked or after their user account is disabled in Windows XP 


A user may log on successfully to a computer when either of the following conditions is true, even though their smart card certificate has been revoked or their user account has been disabled in Microsoft Windows XP:


• If the smart card certificate of the user has been revoked and the user has tried unsuccessfully to log on online at least one time, the user may still be able to log on offline and have access to network resources by using the NET USE command.
• If the account of the user has been disabled in the Active Directory directory service and the user has tried unsuccessfully to log on online at least one time, the user may successfully log on offline.


With this fix, if we detect that the smart card certificate is revoked, we delete the currently cached credentials.


906524 http://support.microsoft.com/?id=906524 XP – post SP2    
========================================================================


Error message when you try to connect to a remote share by using NTLM authentication on a Windows XP-based computer: “Logon failure: unknown user name or bad password”



When you use “runas /smartcard cmd” to start a command window and then run “dir \\server_ip_address\share”, the error “Logon failure: unknown user name or bad password” is returned, and the bad password count for the user account is incremented.


Why?


The article is not very clear, but what it means is that when you use runas /smartcard, the OS does not use the correct supplemental credentials, which ought to be gathered during the smart card “logon” that runas /smartcard performs; the NTLM authentication to the share therefore fails and counts as a bad password.



898061  ( not yet a public article ) Win2k3 – post SP1  
========================================================================


Scenario: you have a wireless networking deployment and want to use PKI-issued certificates for EAP-TLS-based authentication, but the certificates do not carry the Server Authentication or Client Authentication EKU.


The current EAP-TLS implementation requires the Server Authentication EKU and the Client Authentication EKU to be present in the certificates. If the customer's certificates do not contain the required server or client authentication EKU, authentication fails.


Consequently, the customer cannot use EAP-TLS for authentication with those PKI certificates.



In order to use this you must set the following on the server:
Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13
Name: TlsServerUseAllPurposeCert
Type: REG_DWORD
Values: 0, 1


When TlsServerUseAllPurposeCert is not present or is 0, the EAP-TLS UI in the server role displays only certificates that contain the Server Authentication EKU.


When TlsServerUseAllPurposeCert is 1, EAP-TLS displays only general-purpose certificates (those containing no EKU whatsoever).
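As an added example that is not code from the original post or from Microsoft, this PowerShell snippet reports which certificates in the machine store carry the EKUs the post says EAP-TLS requires, and which ones the server role would offer with TlsServerUseAllPurposeCert absent/0 versus 1. It assumes the standard EKU OIDs for Server Authentication (1.3.6.1.5.5.7.3.1) and Client Authentication (1.3.6.1.5.5.7.3.2); the function name is mine.

```powershell
# Added example, not from the original post: check certificates in the local machine
# store against the EAP-TLS EKU rule described under 898061.
# Assumed OIDs: Server Authentication 1.3.6.1.5.5.7.3.1, Client Authentication
# 1.3.6.1.5.5.7.3.2. A certificate with no EKU extension at all is "general purpose".

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'

function Get-EapTlsCertEligibility {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        # Mirrors TlsServerUseAllPurposeCert = 1 on the server
        [switch]$UseAllPurposeCert
    )
    # Pull the Enhanced Key Usage extension, if the certificate has one
    $ekuExt = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $oids = @()
    if ($ekuExt) { $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    $hasServer  = $oids -contains $ServerAuthOid
    $hasClient  = $oids -contains $ClientAuthOid
    $allPurpose = ($oids.Count -eq 0)

    # Value absent or 0: the server role lists only certs carrying the Server Auth EKU.
    # Value 1: it lists only general-purpose certs, i.e. those carrying no EKU whatsoever.
    if ($UseAllPurposeCert) { $serverEligible = $allPurpose } else { $serverEligible = $hasServer }

    New-Object PSObject -Property @{
        Subject              = $Cert.Subject
        Thumbprint           = $Cert.Thumbprint
        NotAfter             = $Cert.NotAfter
        HasPrivateKey        = $Cert.HasPrivateKey
        HasServerAuthEku     = $hasServer
        HasClientAuthEku     = $hasClient     # needed on the client side per the post
        NoEku                = $allPurpose
        EapTlsServerEligible = $serverEligible
    }
}

# Walk the machine store (where the EAP-TLS server picks its certificate) under both settings.
$certs = Get-ChildItem -Path Cert:\LocalMachine\My
Write-Host 'TlsServerUseAllPurposeCert absent or 0:'
$certs | ForEach-Object { Get-EapTlsCertEligibility -Cert $_ } |
    Format-Table Subject, HasPrivateKey, HasServerAuthEku, HasClientAuthEku, NoEku, EapTlsServerEligible -AutoSize
Write-Host 'TlsServerUseAllPurposeCert = 1:'
$certs | ForEach-Object { Get-EapTlsCertEligibility -Cert $_ -UseAllPurposeCert } |
    Format-Table Subject, HasPrivateKey, NoEku, EapTlsServerEligible -AutoSize
```

Note that setting the value to 1 is not additive: a certificate that does carry the Server Authentication EKU stops being listed once the value is set, so check the second table before changing it on a working server.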

893226 http://support.microsoft.com/?id=893226 XP – post SP2 
========================================================================
A user receives an “Unable to log you on because it is required that you use a smart card” message when the user tries to log on to your Windows XP-based computer by using Remote Assistance.


Consider the following scenario.


You enable the “Interactive logon: Require smart card” security setting on your Microsoft Windows XP-based computer so that users have to use a smart card to log on to the local computer. To do this, you follow the steps that are described in the following article in the Microsoft Knowledge Base:


834875 (http://support.microsoft.com/kb/834875/) Update for the “Interactive logon: Require smart card” security setting in Windows XP


After you enable the security setting, users cannot log on to your computer by using Remote Assistance. When a user on a remote computer tries to log on to your computer by using Remote Assistance, the user receives the following message:


“Unable to log you on because it is required that you use a smart card to log on, please contact your administrator”

835746 http://support.microsoft.com/?id=835746 XP – post SP1
========================================================================


A delay may occur before the logon text changes to “Insert card or press Ctrl-Alt-Delete to begin” when you use a smart card reader with a Windows XP-based computer.


Prior to this fix (which is also included in SP2) it may take 20-30 seconds for the MSGINA display to change to include “insert smart card”. After applying the hotfix, the delay should be significantly shorter.



890042 http://support.microsoft.com/?id=890042 XP – post SP2 
========================================================================    


You lose access to network resources after you resume your Windows XP-based computer from standby  


If you log on with a smart card, put the computer on standby, and then resume your Microsoft Windows XP-based computer while the network is disconnected or down, you lose access to your network resources even after network connectivity is restored. Additionally, if your Windows XP-based computer is moved to a different network while it is on standby, you lose access to network resources when you resume the computer.


890837 http://support.microsoft.com/?id=890837 XP – post SP2
========================================================================


You are prompted to press CTRL+ALT+DEL to unlock your computer when you use a smart card to log on to your Windows XP-based computer 


It is a bit confusing to see a prompt for CTRL+ALT+DEL (CAD): the user may press it and then try to enter his PIN, so we changed the strings to say something like


“Insert card to begin” etc..


To enable this hotfix, follow these steps:



1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
3. With the registry subkey from step 2 selected, on the Edit menu, point to New, and then click DWORD Value.
4. Type AltSCMessages, and then press ENTER.
5. Right-click AltSCMessages, and then click Modify.
6. In the Value data box, type 1, and then click OK.
7. Quit Registry Editor.

893376 http://support.microsoft.com/default.aspx?scid=kb;EN-US;893376 XP – post SP2
========================================================================


Stack corruption occurs if you remove and insert a smart card during a user logon process in Windows XP Service Pack 1 or Windows XP Service Pack 2


SYMPTOMS


Consider the following scenario:


• You use a smart card for user authentication on a computer that is running either Microsoft Windows XP Service Pack 1 (SP1) or Windows XP Service Pack 2 (SP2).
• You insert the smart card into the reader and type the PIN to initiate the logon process.
• You remove the smart card before the logon process is completed.
• You insert the smart card again.


In this scenario, a stack corruption occurs, and the computer stops responding (hangs).


Additionally, you receive the following error message:


STOP: 0xc000021a {Fatal System Error}


910482 http://support.microsoft.com/default.aspx?scid=kb;EN-US;910482 XP – post SP2
======================================================================================


After you remove a smart card from a Windows XP-based computer, you are not logged off, or the workstation is not locked


On a Microsoft Windows XP-based computer, you remove a smart card after the logon window appears. After you do this, you are not logged off, or the workstation is not locked.


The behavior occurs even if the value of the ScRemoveOption registry entry is set to 2 (Force logoff) or to 1 (Lock workstation).


Note: You can locate the ScRemoveOption registry entry under the following registry subkey:


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
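As an added example that is not part of the original post, this read-only PowerShell audit reads every registry value the post mentions (the UseSoftTokenWithMachineAuthentication steps under 890937, the 887578 CRL values, the undocumented UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors note, TlsServerUseAllPurposeCert under 898061, AltSCMessages under 890837 and ScRemoveOption under 910482) and reports which are present, their effective value, and which ones relax revocation checking or leave a session open when the card is pulled. It assumes the paths exactly as the post gives them, that ScRemoveOption defaults to 0 (no action on removal), and that it runs elevated on the machine being examined; the function name is mine and nothing is written.

```powershell
# Added example, not from the original post: read-only audit of the smartcard-related
# registry values listed in the post. The Kerberos\Parameters path is the Windows Server
# 2003 location of UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors, Kerberos (without
# \Parameters) the XP location, as the post's undocumented note states.

$Checks = @(
    @{ Kb = '890937'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13'
       Name = 'UseSoftTokenWithMachineAuthentication'; Default = 0
       Note = '1 = machine auth uses a software certificate while users authenticate with the card' },
    @{ Kb = '887578'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\KDC'
       Name = 'CRLValidityExtensionPeriod'; Default = 0
       Note = 'hours an expired CRL is still accepted for smart card logon; non-zero relaxes revocation' },
    @{ Kb = '887578'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\KDC'
       Name = 'CRLTimeoutPeriod'; Default = 90
       Note = 'KDC CRL time-out in seconds (90 when the value is absent)' },
    @{ Kb = '887578'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
       Name = 'CRLTimeoutPeriod'; Default = 90
       Note = 'Kerberos client CRL time-out in seconds (90 when the value is absent)' },
    @{ Kb = '887578'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
       Name = 'UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors'; Default = 0
       Note = '2003: non-zero = cached CRL only and revocation-unknown errors ignored' },
    @{ Kb = '906681'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos'
       Name = 'UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors'; Default = 0
       Note = 'XP: same meaning as the 2003 value above' },
    @{ Kb = '898061'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13'
       Name = 'TlsServerUseAllPurposeCert'; Default = 0
       Note = 'server: 1 = EAP-TLS offers only certificates with no EKU at all' },
    @{ Kb = '890837'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'AltSCMessages'; Default = 0
       Note = '1 = "Insert card to begin" strings instead of the CTRL+ALT+DEL prompt' },
    @{ Kb = '910482'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'ScRemoveOption'; Default = 0
       Note = 'card removal: 1 = lock workstation, 2 = force logoff; 0 (assumed default) = no action' }
)

# Values whose non-zero setting lets a logon proceed on stale or unknown revocation status.
$RevocationRelaxing = @('CRLValidityExtensionPeriod', 'UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors')

function Get-SmartCardSetting {
    param([Parameter(Mandatory = $true)][hashtable]$Check)
    $present = $false
    $value = $Check.Default          # absent value => documented default
    if (Test-Path -Path $Check.Path) {
        $item = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $present = $true
            # ScRemoveOption is often stored as a string; [int] copes with REG_SZ and REG_DWORD alike
            $value = [int]$item.($Check.Name)
        }
    }
    $flag = ''
    if (($RevocationRelaxing -contains $Check.Name) -and ($value -ne 0)) { $flag = 'REVOCATION RELAXED' }
    if (($Check.Name -eq 'ScRemoveOption') -and ($value -eq 0)) { $flag = 'NO ACTION ON CARD REMOVAL' }
    New-Object PSObject -Property @{
        KB      = $Check.Kb
        Name    = $Check.Name
        Present = $present
        Value   = $value
        Default = $Check.Default
        Flag    = $flag
        Path    = $Check.Path
        Note    = $Check.Note
    }
}

$report = foreach ($c in $Checks) { Get-SmartCardSetting -Check $c }
$report | Format-Table KB, Name, Present, Value, Default, Flag -AutoSize
$report | Where-Object { $_.Flag } | ForEach-Object {
    Write-Warning ('{0} = {1} at {2}: {3}' -f $_.Name, $_.Value, $_.Path, $_.Note)
}
```

The KDC key only exists on domain controllers, so on a workstation the two KDC rows simply report the documented defaults with Present = False.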

883529 http://support.microsoft.com/default.aspx?scid=kb;EN-US;883529 XP – post SP2
======================================================================================


Removing a smart card immediately after you log off a Windows XP-based computer may cause the computer to stop responding 



If you remove your smart card immediately after you log off a Microsoft Windows XP-based computer, the computer may stop responding (hang) and you cannot log back on.   
Comments (38)

  1. M@W says:

    We are currently experiencing random lockout issues when accessing shares that are NTLM-based. This is only an issue for those using smartcard-based remote access.  The shares are all on W2K Advanced + SP4 based 2-node clusters. We are in the process of enabling Kerberos on all network names so the shares are accessible using Kerberos. Kerberos doesn't seem to cause issues.

    I didn't realise runas had a /smartcard switch. But this error is happening without using cmd launched using runas. We are accessing UNCs directly using explorer.

    My personal suspicion was that because the user has never logged on to the PC using a password and no passwords seemed to be cached for shares based on the "stored user names and passwords" tool, I assume it's trying to send something across as a password. Not sure what. I have a network trace I can send if you like.

    I have also had issues where sometimes the user cannot logon using smartcard-based cached credentials. It's generally very rare.

    I seem to also vaguely recall there were issues sometimes unlocking an already established logon session when the laptop is on the network. But as we aren't certain if the RAS link has been dropped (timed out), they may not be able to unlock as it can't contact a DC. Therefore we remove the cable and then try to unlock. Very rarely I think this also can fail. But I am not certain and I could be telling lies here 😉

  2. SpatDSG says:

    We are currently experiencing random lockout issues when accessing shares that are NTLM-based. This is only an issue for those using smartcard-based remote access.  The shares are all on W2K Advanced + SP4 based 2-node clusters. We are in the process of enabling Kerberos on all network names so the shares are accessible using Kerberos. Kerberos doesn't seem to cause issues.

    I didn't realise runas had a /smartcard switch. But this error is happening without using cmd launched using runas. We are accessing UNCs directly using explorer.

    My personal suspicion was that because the user has never logged on to the PC using a password and no passwords seemed to be cached for shares based on the "stored user names and passwords" tool,

    [***  spatdsg *** ] This list of users' stored passwords and user names is not the same creds one would use when accessing an NTLM resource. When we do a smartcard logon, we actually store the NT hash info as well as the Kerberos ticket info in order to access NTLM resources. This shouldn't matter whether the user has logged on to the workstation or not. However, I am curious if you set the user's account bit for “Smartcard is required for interactive logon”?

    I assume its trying to send something across as a password. Not sure what. I have a network trace I can send if you like.

    [***  spatdsg *** ] It would use the data I mentioned previously for the NTLM negotiations. If you have set “Smartcard is required for interactive logon” then the user's password has been scrambled and he has no idea what his password really is. Is this the case? If so, perhaps there is another resource which has the previous password cached and is using it from somewhere?

    The netlogon logs (see http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx) would assist here; we could identify which machine the bad password attempts were actually coming from. If you look at that URL, see the section "Netlogon Log File Walkthrough".

    I have also had issues where sometimes the user cannot logon using smartcard-based cached credentials. It's generally very rare.

    [***  spatdsg *** ] are these incidents from users who VPN in?

    I seem to also vaguely recall there were issues sometimes unlocking an already established logon session when the laptop is on the network. But as we aren't certain if the RAS link has been dropped (timed out), they may not be able to unlock as it can't contact a DC. Therefore we remove the cable and then try to unlock. Very rarely I think this also can fail. But I am not certain and I could be telling lies here 😉

    [***  spatdsg *** ] if this fails – are we lumping into the same scenario as lost cached credentials?

  3. M@W says:

    Yes, we did have the “Smartcard is required for interactive logon” bit set. The users who couldn't logon using cached credentials were VPN users. We don't logon to the domain direct over the VPN. Instead, the users use cached credentials to logon, establish the VPN and then pull and reinsert the card to simulate a logon. And yes, if the last scenario does happen where a session can't be unlocked, I would lump it with lost credentials.

    I am trying to get some info from our main VPN users. Once I do, I’ll keep you posted.

  4. SpatDSG says:

    OK – well, read over that link to netlogon logging and then we can take this offline to work on it once you have the logs.

  5. EGM says:

    I am in the middle of a smart card pilot, and I noticed a few things. First, with smart cards, logon goes from about 1 second to 4-5 seconds directly, and up to 20 seconds on Remote Desktop w/ smart card. Also, I noticed that I'm still able to connect to NT 4 boxes when I logon with a smart card. How's that happening? Does the DC send the NTLM hash to the workstation when I do a smart card logon?

    Thanks

  6. SpatDSG says:

    Smartcard logon will introduce some additional time due to the certificate validation process. The longer times via remote desktop can be attributed to the roundtrips to the client for CSP processing.

    This is (kind of) explained here:

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnscard/html/smartcardcspcook.asp

    In a terminal server session, calls from the CSP on the remote machine to the local smart card reader need to be redirected, as shown in Figure 4, below. WinScard.dll deals with the redirection and since all smart card subsystem calls must go through WinScard.dll there is no need for the CSP to deal with this directly.

    I will say that some CSPs handle this better than others.

    And yes, you are correct, that the DC sends the NTLM hash info during a smartcard logon.

  7. EGM says:

    Thanks for the information. It explains the delay with terminal servers. Do you have a link or any info about what happens on the wire during a smart card logon?

    Thanks again

  8. Pat says:

    Logon went to 4-5 minutes for Activcard logon to server via RDP – I’m looking for help with what to get from USERENV, traces, etc. What should we be looking for in the traces?

  9. SpatDSG says:

    Regarding the Terminal Server scenario and smartcard delays.

    Network traces probably won't help to analyze this because the data is sent via the RDP session, which is not parsed. The userenv log (from the server side) only gets you the information after logon has initiated – there may be some interesting info there, but nothing which reveals info about the SC logon session (at least that I can think of right now).

    I'll do a short post later (maybe next week) about the flow for this redirected SC logon. Unfortunately, there is no tracing or logging in these components.

    spatdsg

  10. In a recent post I outlined a number of ‘challenges’ to implementing smartcards. I also asked about people

  11. BoOst says:

    hello

    (sorry for my bad english !)

    I'm trying to develop an 'elevation tool' for my company, using secondary logon programmatically (CreateProcessWithLogon in C++) with the current user credentials previously stored in the registry.

    (First I add the user to the local admin group, then run the process with the stored user account and finally remove the user from the group: the app now runs with 'admin' privileges under the same profile, very useful!!!)

    Everything works fine with normal credentials, even offline. But with smartcards, the user can logon offline without problem, but the secondary logon does not work (both in Windows and in my program).

    It reads the card but I get an 'incorrect PIN code'; seems to be a problem with cached credentials or certificates maybe…

    Is there any way to get this work ?

    domain policy tweaks, etc..

    we’re using XP SP2 and AD domain under 2003 SP1.

    Thanks in advance for any help ! :p

  12. BoOst says:

    Since my message I updated the PKI client software on my company computers and the problem is solved. :p

  13. Mark says:

    I have a Windows XP Professional stand-alone workstation on which I would like to enable smart card logon.  Is it possible to use smart card login on a computer that is not part of a domain, with only local users?

    Everything I have found is for active directory rather than professional.

    Thanks in advance for any help.

  14. SpatDSG says:

    You cannot use smartcards on a machine not part of a domain (at least not in the native OS); there may be some 3rd party product. You can get one of those machines which does fingerprint logon though.

  15. J J says:

    This is the best source of info for smartcards. Great job! I bookmarked this and I'm sending it to my colleagues.

  16. jonathan black says:

    We're using smart cards to login users into Citrix on a 2k3 server, running Presentation Server 4, from a Linux touch screen terminal. It all works fine & we have a custom app that requests the PIN before the session launches, then passes it into the PIN dialog box (as there is no on-screen keyboard until the session opens).

    The problem is, if the user inserts an incorrect pin, they have no on-screen keyboard to type one in. Is there a setting that would close the connection attempt after one incorrect pin entry? Have looked through GP & registry of 2k3 server for this… no luck

  17. SpatDSG says:

    I dont think there is a setting for this. You can look at the TS Session policies perhaps there is one for:

    This policy setting allows you to specify whether the client will establish a connection to the terminal server when the client cannot authenticate the terminal server. If you enable this policy setting, you must specify one of the following settings:

    Do not connect if authentication fails: The client establishes a connection to the terminal server only if the terminal server can be authenticated.

    I have not tested this though…

    spat

  18. Kenneth Miller says:

    Our organization is using smart card logins for student laptops. The students log on to the network to cache their accounts and then have 50 cached logins before they have to physically log back into the network. We have had a few incidents where a student can log in with the cached account, but then when the system locks resuming from the screensaver, they are unable to log back in, resulting in a few locked-out smart cards requiring resets. The message given is that an incorrect PIN was entered even though it is the correct PIN. Has anyone else experienced this issue and if so, is there a fix available?

  19. SpatDSG says:

    1. how do you enforce that they can only logon 50 times as cached creds?

    2. If the SC logon is failing with the incorrect PIN message – how do they recover and become able to logon again?

    spat

  20. Kenneth Miller says:

    1. how do you enforce that they can only logon 50 times as cached creds?

    There is a setting in Group Policy that sets the maximum number of cached logins. I believe 50 is the max. It can be found at Computer Configuration/Windows Settings/Local Policies/Security Options. It is one of the Interactive Logon settings.

    [spat] this is not how many times a single user JOE can logon – it is how many individuals can logon – joe, mike, david, bob etc. However, if only joe ever logs on to the machine then joe will be able to logon cached as many times as he wants to.

    2. If the SC logon is failing with the incorrect PIN message – how do they recover and become able to logon again?

    We have had a couple that actually had their SCs locked and required a reset. I believe it may be another interactive logon setting pertaining to unlocking a workstation although our GPO has the correct setting. We will need to wait for this problem to occur again and do a check to see if the GPO is somehow outdated.

  21. rob crellin says:

    I am having a problem when using smart cards in a VDI scenario. The smart cards work fine to a 2003 rs TS session, but when connecting to an XP SP2 VDI session, they work and lock the workstation on removal, but on re-insertion of the smart card I get the error "Cannot log on . smart card not present".

  22. SpatDSG says:

    I don’t know anything about VDI – looks like a VMware redirection subsystem?

  23. Matt Dickens says:

    I know you cannot use smart cards on a machine not joined to a domain, but can you use smart cards over RDP if the client machine isn’t joined to the domain? We have a lot of machines that use smart cards and we need to use RDP to support them. I have tried connecting a smart card reader to my machine (which isn’t joined to the domain) and I can establish an RDP connection to the remote machine, but I can’t get it to see the smart card so it won’t prompt for a PIN. I am using XP with SP2 and the latest (6.1) Remote Desktop software from Microsoft. I’ve enabled the option to allow smart cards over the RDP connection and the smart card reader is installed OK. Also, this works fine from a machine that is on the domain.

  24. SpatDSG says:

    yes.. you should be able to redirect from a machine which is not domain joined. Do you have the CSP and drivers etc. installed OK?

    A real test of course is to simply join the SAME machine to the domain and see 🙂

    But, it should work from a non domain joined machine.

    spat

  25. Matt Dickens says:

    Hmm, well, I’m not experienced with this so I don’t really know what the CSP is. I am assuming you mean the Cryptographic Services, which are installed and running (and I have downloaded an updated version of the Cryptographic Service Provider Package from Microsoft KB909520). I also have the drivers installed. Device Manager shows three items – ‘e-gate USB Smart card’, ‘e-gate Virtual Reader Enumerator’ and ‘e-gate USB smart card reader’. All installed and running OK. The Cryptographic Services service is running and so is the smart card service, but it still won’t work. A colleague has a similar setup with the same reader on a machine not joined to the domain and it works fine on his. Just as a thought, when I run the RDP connection there is an option to ‘save credentials’ which will present me with a box to enter username and password. The ‘username’ box is a dropdown and when I click the arrow there is no option to use the certificate from the smart card, whereas there is on my colleague’s, which makes me think my machine isn’t accessing the card properly. Any ideas?

  26. SpatDSG says:

    Can you run certutil.exe -scinfo on the client?

    Does it prompt for a PIN and give you info?

  27. BSW says:

    We are also implementing smart cards and have experienced cached credential issues.  Our security policy is currently set to cache 4 credentials.  In an attempt to recreate the issue on a test machine, unsuccessfully, I now am seeing unusual behavior with the HKLM\Security\Cache key.  Typically if you export the Cache key to a text file, the format is NT$1, NT$2, NT$3… and so on.  Now when I export the Cache key to a text file the format is NT$5, NT$6… NT$10, NT$1, NT$2, NT$3, NT$4.  Cached credentials appear to be working fine, it’s just odd now that my exported keys start at 5 and end at 4.  Are there other registry keys involved that affect the Cache registry key?  BTW, I replaced my Cache key with a clean Cache key from a freshly installed OS that had no cached credentials at all, and the exported text file still starts at 5 and ends with 4.

    Hopefully soon, we’ll have an answer to the question of why cached credentials do not work when the user is not connected to the domain…I understand a number of people in our org. have a problem ticket in with Microsoft…haha…we’ll see.

    I have lots of troubleshooting documentation on this issue for anyone interested.  Didn’t want to bore anyone with too many details here 🙂

  28. SpatDSG says:

    I am a little confused. You said:

    "Cached credentials appear to be working fine"

    then you said:

    "we’ll have an answer to the question of why cached credentials do not work when the user is not connected to the domain"

    If the user cannot logon when not connected to the domain, cached creds are not working fine… am I missing something?

    spat
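The cached-logon points raised in comments 20 and 27 above (what the "number of previous logons to cache" setting actually limits, and the NT$n slots under HKLM\Security\Cache) can be checked directly on a machine. The following PowerShell is an added example, not code from the original post or from Microsoft: it assumes the policy is stored as the CachedLogonsCount value under the Winlogon key, and it treats an all-zero NT$n value as an unused slot, which is an assumption about the binary layout; the Cache key itself is readable only as SYSTEM.

```powershell
# Added example: report the cached-logon limit and the NT$n cache slots.
# Assumptions (not stated in the thread): the policy is stored as the
# CachedLogonsCount value under the Winlogon key; an all-zero NT$n value
# is an unused slot. HKLM\SECURITY is readable only as SYSTEM.

function Get-CachedLogonsCount {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $prop = Get-ItemProperty -Path $winlogon -Name 'CachedLogonsCount' -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 10 }      # Windows default when the value is absent
    return [int]$prop.CachedLogonsCount
}

function Get-CachedLogonSlots {
    $cache = 'HKLM:\SECURITY\Cache'
    if (-not (Test-Path -Path $cache -ErrorAction SilentlyContinue)) {
        Write-Warning "Cannot open $cache; run this as SYSTEM (e.g. psexec -s)."
        return @()
    }
    $key = Get-Item -Path $cache
    $key.GetValueNames() |
        Where-Object { $_ -match '^NT\$\d+$' } |
        Sort-Object { [int]$_.Substring(3) } |            # NT$1, NT$2, ... numerically
        ForEach-Object {
            [byte[]]$bytes = $key.GetValue($_)
            [pscustomobject]@{
                Slot  = $_
                Bytes = $bytes.Length
                InUse = (@($bytes -ne 0).Count -gt 0)     # heuristic: all zeros = empty
            }
        }
}

$limit = Get-CachedLogonsCount
# The limit counts distinct accounts, not logons per account (see comment 20).
Write-Host "Number of previous logons to cache: $limit distinct accounts"
$slots = @(Get-CachedLogonSlots)
if ($slots.Count -gt 0) {
    $used = @($slots | Where-Object { $_.InUse }).Count
    Write-Host "Cache slots present: $($slots.Count); populated: $used"
    $slots | Format-Table -AutoSize
}
```

Run as SYSTEM, the slot table shows whether the number of populated NT$n entries matches the number of distinct accounts that have logged on, which is the quantity the policy actually bounds.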

  29. Milton Bell says:

    We use smart cards to logon to our laptops.  While the laptops are connected to the network, we can use the smart cards to logon to the laptops.  However, when the laptops are disconnected from the network, we can’t use smart cards to logon to some of the laptops.  The laptops that won’t allow off-network smart card logon also will not accept the smart card to resume operation after the laptop is in locked mode.

    I thought the "UseSoftTokenWithMachineAuthentication" registry fix mentioned above might fix the problem, but it didn’t.

    Any assistance or suggestions will be greatly appreciated.  An e-mail reply to Milton.Bell@us.army.mil would be appreciated.  However, if an e-mail isn’t possible, I’ll check back here frequently.

    Thanks,

    Milton Bell

    San Antonio, TX

  30. SpatDSG says:

    Milton – I shot you some mail..

  31. Jose Manuel says:

    Hi all,

    We have implemented smartcard logon in our enterprise. We have a standalone certification authority and an Enterprise Subordinate CA together with our Active Directory. The standalone CA enrolls a CA certificate for the subordinate, and this enrolls certificates to end users.

    We have an issue with slow logons to user stations. The user turns on the PC and inserts the smartcard to logon. All runs OK. The user can lock and unlock the station with the smartcard without any issue.

    At some moment (we can’t reproduce the problem), when the station is locked by the screensaver, our users can’t logon with the smartcard. When they insert the card in the USB reader, the computer appears hung, and the screen appears blue (the desktop wallpaper). After one or two minutes (approx.), the PIN window appears. The user enters his PIN and the logon process unlocks the station, and finally all runs OK as normal.

    We’re using a Starcos Smartcard, and different smartcard readers (SCR and Cherry). All the hardware and software is certified for the Windows Environment.

  32. SpatDSG says:

    Interesting. Seeing as how I have not seen this, you could potentially get some userdumps of Winlogon.exe while it is "hung" and I could look at them. But an easier route may be to call the CSP vendor and ensure you are on the latest and greatest CSP — as a first step.

    spat

  33. Jose Manuel says:

    Hi Spat, thanks for the response.

    Yes, we contacted the CSP vendor, but the support response was that the CSP is always OK ;). We have the latest version, and this issue is not reported in the vendor KB. I will send you a dump for your reference.

    Regards

  34. Andrew Sharp says:

    When users try to sign an email using their smart card it takes up to 20 seconds to prompt them for a PIN, then up to 10 seconds after that to actually send the email. Any ideas on what is causing this delay? It only occurs on select machines; my machine can prompt and send the signed email in under 5 seconds.

  35. SpatDSG says:

    interesting. Not over RDP it sounds like.  Same hardware on the machines, driver versions and CSP or card module?

  36. Andrew Sharp says:

    Same hardware on the machines, same driver versions, and some machines still work correctly. I am checking my GPO that forces out the config file for Tumbleweed Desktop Validator but finding that it is OK also. Got it down to 15 machines, so I am thinking they are not getting the GPO somehow.

  37. firesimo says:

    I get an unknown certificate error from Tumbleweed.  "The details are: Missing or bad CRL-DP extentions".  I googled this and didn’t see much about it.  Do the users’ certificates on the CAC card need to be renewed?  Or maybe a setting I need to check or uncheck?

  38. SpatDSG says:

    Are you testing against a production DOD OCSP responder? I know some have firewalls which block native Windows calls – but this should not matter if you are using the Tumbleweed client as well – so I guess before I can comment further – which OCSP client are you using?