ADSI SetPassword requests smart card pin

Similar Messages

• Smart card, PPTP VPN

  Hi for ALL,
  I have some trouble. I'm not very skilled in mac.
  I have gemalto smart card reader with smart card for connection to my workplace network via VPN (PPTP).
  In windows OS I just put in USB my token and creating new VPN connection where authentification is smart card (do not need this card use for login to local computer). When starting this VPN connection opening smart card pin window, enter pin, connection esabilisched.
  How do I the same on my macbook?
  P.S. VPN username is email address whith "@"
  THANKS

  any ideas please

• Firefox rejecting Smart Card certs over SSL 3.0

  Ladies and Gents,
  We are running 32 bit Windows 7 Enterprise. I have a user that is trying to access a database through Mozilla Firefox. When he is prompted to enter his smart card/PIN he recieves the error:
  "The page you are attempting to access requires your browser to have a Secure Sockets Layer (SSL) client certificate that the Web server recognizes"
  I have checked to make sure that SSL 3.0 is enabled and that the smart card is loaded under security devices.
  I have tried exporting his certificated from IE9 (Which works fine with the database) and importing them into Firefox, no success.
  The reason the user is trying to access through Firefox is for a more friendly user interface that the site only provides to Firefox.

  This can be resolved by going to services and disabling Smart card

• Smart Card Problem with AnyConnect over RDP

  Hello,
  For ASA 5545, v-8.6(1)2 and AnyConnect v-3.1.0165, I'm trying to start an AnyConnect client tunnel on a remote RDP (both ends Windows 7) machine and am having problems. The RDP is configured to proxy smart card devices which generally works fine. I'm using current SafeNet eToken with current client software. When I start AnyConnect from client machines (no RDP), the tunnel opens with no problem using the smart card. When I try to start the tunnel on the remote machine via RDP, I'm prompted for cert selection and smart card PIN, but get a popup from AnyConnect: 'VPN connection terminated, smart card removed from reader'. When I try to start the tunnel via RDP but use the ASA web server to start, the tunnel starts up fine with the smart card.
  For the problem condition, the Windows event log on the remote RDP machine shows 3 entires (see below) wrt acvpnagent show smart card removal errors but the USB device is always inserted. Also, in investigating, I changed the client profile 'server list' config to SSL instead of IPSec. Same failure but the popup does not show.
  VPN connection terminated, Smartcard removed from reader.
  Description: VPNMGR_ERROR_SMARTCARD_REMOVED:A smartcard required for the connection has been removed
  Thanks in advance for any assistance.
  Mike

  This can be resolved by going to services and disabling Smart card

• Verify user pin on a smart card & load a cap file on a card (with eclipse)

  I have been able install JCWDE (Java card development Kit) successfully on eclipse.Basically all I need to do is verify user pin on a smart card.As in first set a pin and then verify it.
  To begin with I have referred many tutorials (here: http://www.javaworld.com/jw-07-1999/jw-07-javacard.html?page=1) and implemented the wallet code in eclipse.I have the cap file generated and the scripts generated.I am not sure how to load it on the smart card with eclipse.
  I tried to deploy the cap file but it keeps saying connected.Also when we initiate the applet I get the same result.
  output:
  Java Card 2.2.2 APDU Tool, Version 1.3
  Copyright 2005 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms.
  Opening connection to localhost on port 9032.
  Connected.
  I have also tried : http://www.cs.ru.nl/E.Poll/hw/practical.html ........ but no luck.
  I have the wallet.cap ,wallet.exp ,wallet.jca ,wallet.opt create.script, select,cap-download.scripts files already generated in eclipse.
  How does a successfully implemented applet code on a smart card work?How does this wallet code work if it is successfully implemented ? Does it have like some GUI which prompts the user to enter the pin?
  Wallet code for reference :
  package com.sun.javacard.samples.wallet;
  import javacard.framework.*;
  public class Wallet extends Applet {
  /* constants declaration */
  // code of CLA byte in the command APDU header
  final static byte Wallet_CLA =(byte)0x80;
  // codes of INS byte in the command APDU header
  final static byte VERIFY = (byte) 0x20;
  final static byte CREDIT = (byte) 0x30;
  final static byte DEBIT = (byte) 0x40;
  final static byte GET_BALANCE = (byte) 0x50;
  // maximum balance
  final static short MAX_BALANCE = 0x7FFF;
  // maximum transaction amount
  final static byte MAX_TRANSACTION_AMOUNT = 127;
  // maximum number of incorrect tries before the
  // PIN is blockedd
  final static byte PIN_TRY_LIMIT =(byte)0x03;
  // maximum size PIN
  final static byte MAX_PIN_SIZE =(byte)0x08;
  // signal that the PIN verification failed
  final static short SW_VERIFICATION_FAILED =
  0x6300;
  // signal the the PIN validation is required
  // for a credit or a debit transaction
  final static short SW_PIN_VERIFICATION_REQUIRED =
  0x6301;
  // signal invalid transaction amount
  // amount > MAX_TRANSACTION_AMOUNT or amount < 0
  final static short SW_INVALID_TRANSACTION_AMOUNT = 0x6A83;
  // signal that the balance exceed the maximum
  final static short SW_EXCEED_MAXIMUM_BALANCE = 0x6A84;
  // signal the the balance becomes negative
  final static short SW_NEGATIVE_BALANCE = 0x6A85;
  /* instance variables declaration */
  OwnerPIN pin;
  short balance;
  private Wallet (byte[] bArray,short bOffset,byte bLength) {
  // It is good programming practice to allocate
  // all the memory that an applet needs during
  // its lifetime inside the constructor
  pin = new OwnerPIN(PIN_TRY_LIMIT, MAX_PIN_SIZE);
  byte iLen = bArray[bOffset]; // aid length
  bOffset = (short) (bOffset+iLen+1);
  byte cLen = bArray[bOffset]; // info length
  bOffset = (short) (bOffset+cLen+1);
  byte aLen = bArray[bOffset]; // applet data length
  // The installation parameters contain the PIN
  // initialization value
  pin.update(bArray, (short)(bOffset+1), aLen);
  register();
  } // end of the constructor
  public static void install(byte[] bArray, short bOffset, byte bLength) {
  // create a Wallet applet instance
  new Wallet(bArray, bOffset, bLength);
  } // end of install method
  public boolean select() {
  // The applet declines to be selected
  // if the pin is blocked.
  if ( pin.getTriesRemaining() == 0 )
  return false;
  return true;
  }// end of select method
  public void deselect() {
  // reset the pin value
  pin.reset();
  public void process(APDU apdu) {
  // APDU object carries a byte array (buffer) to
  // transfer incoming and outgoing APDU header
  // and data bytes between card and CAD
  // At this point, only the first header bytes
  // [CLA, INS, P1, P2, P3] are available in
  // the APDU buffer.
  // The interface javacard.framework.ISO7816
  // declares constants to denote the offset of
  // these bytes in the APDU buffer
  byte[] buffer = apdu.getBuffer();
  // check SELECT APDU command
  if (apdu.isISOInterindustryCLA()) {
  if (buffer[ISO7816.OFFSET_INS] == (byte)(0xA4)) {
  return;
  } else {
  ISOException.throwIt (ISO7816.SW_CLA_NOT_SUPPORTED);
  // verify the reset of commands have the
  // correct CLA byte, which specifies the
  // command structure
  if (buffer[ISO7816.OFFSET_CLA] != Wallet_CLA)
  ISOException.throwIt(ISO7816.SW_CLA_NOT_SUPPORTED);
  switch (buffer[ISO7816.OFFSET_INS]) {
  case GET_BALANCE:
  getBalance(apdu);
  return;
  case DEBIT:
  debit(apdu);
  return;
  case CREDIT:
  credit(apdu);
  return;
  case VERIFY:
  verify(apdu);
  return;
  default:
  ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
  } // end of process method
  private void credit(APDU apdu) {
  // access authentication
  if ( ! pin.isValidated() )
  ISOException.throwIt(SW_PIN_VERIFICATION_REQUIRED);
  byte[] buffer = apdu.getBuffer();
  // Lc byte denotes the number of bytes in the
  // data field of the command APDU
  byte numBytes = buffer[ISO7816.OFFSET_LC];
  // indicate that this APDU has incoming data
  // and receive data starting from the offset
  // ISO7816.OFFSET_CDATA following the 5 header
  // bytes.
  byte byteRead =
  (byte)(apdu.setIncomingAndReceive());
  // it is an error if the number of data bytes
  // read does not match the number in Lc byte
  if ( ( numBytes != 1 ) || (byteRead != 1) )
  ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
  // get the credit amount
  byte creditAmount = buffer[ISO7816.OFFSET_CDATA];
  // check the credit amount
  if ( ( creditAmount > MAX_TRANSACTION_AMOUNT)
  || ( creditAmount < 0 ) )
  ISOException.throwIt(SW_INVALID_TRANSACTION_AMOUNT);
  // check the new balance
  if ( (short)( balance + creditAmount) > MAX_BALANCE )
  ISOException.throwIt(SW_EXCEED_MAXIMUM_BALANCE);
  // credit the amount
  balance = (short)(balance + creditAmount);
  } // end of deposit method
  private void debit(APDU apdu) {
  // access authentication
  if ( ! pin.isValidated() )
  ISOException.throwIt(SW_PIN_VERIFICATION_REQUIRED);
  byte[] buffer = apdu.getBuffer();
  byte numBytes =
  (byte)(buffer[ISO7816.OFFSET_LC]);
  byte byteRead =
  (byte)(apdu.setIncomingAndReceive());
  if ( ( numBytes != 1 ) || (byteRead != 1) )
  ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
  // get debit amount
  byte debitAmount = buffer[ISO7816.OFFSET_CDATA];
  // check debit amount
  if ( ( debitAmount > MAX_TRANSACTION_AMOUNT)
  || ( debitAmount < 0 ) )
  ISOException.throwIt(SW_INVALID_TRANSACTION_AMOUNT);
  // check the new balance
  if ( (short)( balance - debitAmount ) < (short)0 )
  ISOException.throwIt(SW_NEGATIVE_BALANCE);
  balance = (short) (balance - debitAmount);
  } // end of debit method
  private void getBalance(APDU apdu) {
  byte[] buffer = apdu.getBuffer();
  // inform system that the applet has finished
  // processing the command and the system should
  // now prepare to construct a response APDU
  // which contains data field
  short le = apdu.setOutgoing();
  if ( le < 2 )
  ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
  //informs the CAD the actual number of bytes
  //returned
  apdu.setOutgoingLength((byte)2);
  // move the balance data into the APDU buffer
  // starting at the offset 0
  buffer[0] = (byte)(balance >> 8);
  buffer[1] = (byte)(balance & 0xFF);
  // send the 2-byte balance at the offset
  // 0 in the apdu buffer
  apdu.sendBytes((short)0, (short)2);
  } // end of getBalance method
  private void verify(APDU apdu) {
  byte[] buffer = apdu.getBuffer();
  // retrieve the PIN data for validation.
  byte byteRead = (byte)(apdu.setIncomingAndReceive());
  // check pin
  // the PIN data is read into the APDU buffer
  // at the offset ISO7816.OFFSET_CDATA
  // the PIN data length = byteRead
  if ( pin.check(buffer, ISO7816.OFFSET_CDATA,
  byteRead) == false )
  ISOException.throwIt(SW_VERIFICATION_FAILED);
  } // end of validate method
  } // end of class Wallet
  Any help on this would highly appreciated !! :)

  Hi,
  Thanks a lot for reply.But I am not sure as to how can I delete the simulator.
  All I want to do is write a pin on the smart card and verify it.But I am not being able to deploy the cap file or initiate the applet.
  Also for passing the pin correct me if I am wrong........ according to what you said and what I have understood
  If the code is like this :
  public static void install(byte[] bArray, short bOffset, byte bLength) {
  // create a Wallet applet instance
  new Wallet(bArray, bOffset, bLength);
  } // end of install method
  byte aLen = bArray[bOffset]; // applet data length
  // The installation parameters contain the PIN
  // initialization value
  pin.update(bArray, (short)(bOffset+1), aLen);
  Lets say my pin is : 1234
  then I would pass it here.....
  new Wallet(bArray, 1234, bLength);

• How to include the user as a recipient of the email generated when a smart card certificate is issued by an Enrollment Agent on behalf of a user.

  How can I add the requester name in the To: field of the email generated when a Smart Card certificate is issued on his behalf.
  I want to address the possibility of someone (Enrollment Agent) issuing a Smart Card certificate on behalf of a user, assign a PIN and use it without the user's knowledge.
  There doesn't seem to be a way in the registry to define a variable to be used in a manner similar to the TitleArg & TitleFormat way of using %1.
  Jamal Saket OSFI Canada

  Hi,
  Thank you for your question.  
  I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience. 
  Thank you for your understanding and support.
  TechNet Subscriber Support
  If you are
  TechNet Subscription
  user and have any feedback on our support quality, please send your feedback
  here.
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• SUN One web server 6.1,strong authentication and smart card

  Hi guys,
  I am experiencing a weired issue with smart cards.
  scenario:
  SOWS 6.1 SP6, smart card Gem Plus and Internet explorer 6 and 7 as client and strong authentication.
  Once I put my smart card and insert the PIN code to get into the html page, when I tried to just move the mouse in a frame, I got lots of PIN request. I have notest the there are lots of SSLv3 sessions opened. When I put the PIN code after a while and again when I move the mouse quickly I got the same request
  I tried with Firefox and the it works fine.
  Anyone experienced a sort of same issue? any clue? Could it be that Firefox store the PIN code somewhere and IE doesn't?
  Cheers

  Hi,
  Yes, Firefox and other mozilla products by default only require the pin for tokens the first time they are needed. In Seamonkey, the preference is in edit/preference/privacy & security/master passwords/master password timeout/web browser will ask for your master password . There is an equivalent in Firefox, but since i don't use it, I don't know the exact location of that pref.
  The fact that you are being prompted multiple times in IE means that there are multiple SSL handshakes happening. This may be because the server is forcing a new SSL handshake on each HTTP request. . There may be a way for the web server to be configured not to do that by setting client auth globally on the listen socket instead of setting it on a specific URL space.

• Configuring Weblogic Server for X.509 Smart Card Authentication

  0 down vote favorite
  share [g+] share [fb] share [tw]
  I am running Oracle Weblogic 11g (10.3.6) and attempting to configure two-way SSL (client certificate requested and enforced). The client certificate is on a smart card.
  I have enabled "basic" ssl in the weblogic server, and used keytool to import the relevant root CA certificates into the DemoTruststore.jks file. I have set the Two-way client cert behavior to Client Certs Requested and Enforced for the server.
  Unfortunately, attempting to access my application causes the following:
  <pre>
  <Certificate chain received from 127.0.0.1 - 127.0.0.1 was incomplete.>
  <NO_CERTIFICATE alert was received from 127.0.0.1 - 127.0.0.1. Verify the SSL configuration has a proper SSL certificate chain and private key specified.>
  <Certificate chain received from 127.0.0.1 - 127.0.0.1 was incomplete.>
  </pre>
  The ActivClient dialog never appears to select a certificate from the Smart Card, and a pin is never requested. Therefore, I think I misconfigured something.
  Help would be greatly appreciated.
  Jason

  Hello Mukunthan Damodharan,
  this means that the SSL Server Certificate has not his fully quallified name in the subject alternative name extension of the X.509 certificate.
  You can create a valid one or disbale that check in the Secure Login Client.
  How does the configuration gets to the clients?
  With the Policy Download you can disable that check over the Secure Login Server Administration console in the corresponding authentication profile.
  If manually you can change the following registry key:
  [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\profiles\<profile name>
  "sslHostAlternativeNameCheck"=dword:00000000
  the value 0 disable that check on the client.
  best regards
  Alexander Gimbel

• Automatic Smart Card Certificate Renewal

  We have a problem where our Smart Card certificates are starting to expire but the automatic renewal process is failing.
  Is it actually possible to auto renew Smart Card certs without requiring any user input (other than the PIN)?
  There are two errors in the event log -
  Event ID:      16
  Description:
  Certificate enrollment for <domain>\<username> failed to renew a SmartcardLogon certificate with request ID N/A from <ca server name> (Provider could not perform the action since the context was acquired as silent. 0x80090022 (-2146893790)).
  Event ID:      6
  Automatic certificate enrollment for <domain>\<username> failed (0x80090022) Provider could not perform the action since the context was acquired as silent.
  The certificate template is configured with all the correct permissions (Read,Enroll,AutoEnroll) and group policy is configured with the auto enrolment settings. 
  Thanks in advance.

  This may be caused by a incorrect certificate template configuration. In the Request Handling tab (IIRC), there are several radio buttons where you specify whether enrollment may ask for user input during enrollment or not. You need to allow user input
  during enrollment for smart card templates.
  My weblog: en-us.sysadmins.lv
  PowerShell PKI Module: pspki.codeplex.com
  PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
  Check out new: SSL Certificate Verifier
  Check out new:
  PowerShell FCIV tool.

• Smart Card login screen authentication

  Apple don't seem to have updated their documentation on this subject since way back in the Mac OS X Tiger days!
  I would like to have a setup where a user can walk up to a Mac (which is at the login screen), wave an RFID card over a reader connected to that Mac and be able to then login to that Mac. If it is necessary for a PIN/Password to also be entered that might be acceptable. Similarly if the screensaver activates during their login session, waving their RFID card again over the reader should unlock the screensaver.
  An alternative scenerio would be a Mac with a guest login account enabled, and then wanting to use the same card reader to authenticate when requested to a proxy server in order to gain network access.
  The cards to make it clear would be RFID based, not magstripe or chip-and-pin. There are suitable USB readers like this one
  http://www.ers-online.co.uk/o5651/cardman5021-cl-omnikey-omnikey-5021-cl-contact less-smart-card-reader

  Hi Robert Gauthney,
  Could you offer more information about your issue, I found a similar scenario with your issue, if it meet your environment please refer the following KB to fix it, if it not
  meet your scenario please offer us more information such as the error screenshot or related Windows event information:
  Smart card authentication does not work when you use VDI and RD Gateway for RDC client in Windows 7 or in Windows Server 2008 R2
  http://support.microsoft.com/kb/2548538/EN-US
  I’m glad to be of help to you!
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• How to load the .cap file in a Smart Card?

  Dear All,
  Hello..!!
  I am using JCDK 2.2 and have used Eclipse JCDK.
  I have written a simple read/write applet and created a .cap file using Eclipse's Converter Java Card tool.
  What is the next step to be done?
  I have a smart card device and have installed its drivers.
  When do the APDU commands come into picture?
  Expecting help.
  Thanks a lot.
  Regards,
  Suril

  Suril Sarvaiya wrote:
  Hi Shane....
  Thnx a lot....
  I have downloaded GP-Shell 1.4.4
  When I open its application and write any command and press enter ; the app window closes immendiately.
  Can you please help me on this?
  One more thing Shane......
  I'm writig a java class using javax.smartcardio
  I have installed drivers of Omnikey 3021
  but the TerminalFactory is not detecting it?
  Any idea on that?
  Thanks again...
  Regards,
  SurilHi all,
  Is Mr. thread starter has solved his problem?
  I profit this thread to post my question. I'm working with new environment and I have problem loading cap file into my smartcard.
  specification come first :-)
  - My smartcard is said to be JC2.2.1 and GP2.1.1 compatible
  - My code (for testing) is written in Java under eclipse Helios service 2 with JavaCard plugin (for JC2.2.2)
  I compile my code with JDK 1.3 (for compatible version) and using the JC plugin to generate cap file (along with exp and jca).
  My problem is exactly the same as one that was posted in this forum about 2 years ago but is not answered :-)
  [Problem Loading Application to Card |http://forums.oracle.com/forums/thread.jspa?threadID=1749334&tstart=420]
  + I successfully authenticate with smartcard
  + APDU command Install for Load is executed successfully
  + BUT the APDU command LOAD file fails with returned status word is 6424
  For details, I post here my javacard applet code and APDU command executed with my tool:
  package mksAuthSys;
  import javacard.framework.APDU;
  import javacard.framework.Applet;
  import javacard.framework.ISO7816;
  import javacard.framework.ISOException;
  import javacard.framework.OwnerPIN;
  public class Jcardlet extends Applet {
       private final static byte[] myPIN = { (byte) 0x01, (byte) 0x02, (byte) 0x03, (byte) 0x04};
       final static byte Jcardlet_CLA =(byte)0xB0;
       final static byte VERIFY = (byte) 0x20;
       final static byte PIN_TRY_LIMIT =(byte)0x03;
       final static byte MAX_PIN_SIZE =(byte)0x08;
       final static short SW_VERIFICATION_FAILED = 0x6300;
       OwnerPIN pin;
       private Jcardlet() {
            pin = new OwnerPIN(PIN_TRY_LIMIT, MAX_PIN_SIZE);
            pin.update(myPIN, (byte) 0, (byte) 4 );
           register();
       public static void install(byte bArray[], short bOffset, byte bLength)
                 throws ISOException {
            new Jcardlet().register();
       public boolean select() {
            if ( pin.getTriesRemaining() == 0 ) return false;
           return true;     
       public void deselect(){
            pin.reset();
       //@Override
       public void process(APDU apdu) throws ISOException {
            // TODO Auto-generated method stub
            byte[] buffer = apdu.getBuffer();
            if ((buffer[ISO7816.OFFSET_CLA] == 0) &&
                    (buffer[ISO7816.OFFSET_INS] == (byte)(0xA4))) return;          
            if (buffer[ISO7816.OFFSET_CLA] != Jcardlet_CLA)
                  ISOException.throwIt(ISO7816.SW_CLA_NOT_SUPPORTED);          
            switch (buffer[ISO7816.OFFSET_INS]) {
             case VERIFY: verify(apdu);
               return;
             default: ISOException.throwIt (ISO7816.SW_INS_NOT_SUPPORTED);
       private void verify(APDU apdu) {
            // TODO Auto-generated method stub
           byte[] buffer = apdu.getBuffer();
           // retrieve the PIN data for validation.
           byte byteRead = (byte)(apdu.setIncomingAndReceive());
           // check pin
           // the PIN data is read into the APDU buffer
           // at the offset ISO7816.OFFSET_CDATA
           // the PIN data length = byteRead
           if ( pin.check(buffer, ISO7816.OFFSET_CDATA,byteRead) == false )
             ISOException.throwIt(SW_VERIFICATION_FAILED);          
  }And my APDU command:
  Loading "D:\mksAuthSys.cap" ...
  T - 80F28000024F00
  C - 08A000000003000000079E9000
  ISD AID : A000000003000000
  T - 80E602001508F23412345610000008A00000000300000000000000
  C - 009000
  T - 80E80000C8C482018B010012DECAFFED010204000108F23412345610000002001F0012001F000C001500420012009D0011001C0000009F00020001000402010004001502030107A0000000620101000107A000000062000103000C0108F234123456100001002306001200800301000104040000003DFFFF0030004507009D000510188C0003188F00013D0610088C00028700AD007B000403078B0005188B00067A02308F00073D8C00088B00067A0110AD008B00096104037804780110AD008B000A7A0221198B000B2D1A0300
  C - 6424
  Stopped loading due to unexpected status words.Urgently look forward to hearing from you.
  Thanks a bunch in advance
  Best Regards,
  JDL

• MS Remote Desktop and smart card reader

  I have installed MS Remote Desktop Conn. on my iMac and connected a smart card reader via the USB. Although my reader energizes when the computer is on, the computer doesn't seem to recognize the reader. When I insert a CAC card into the reader and try to log in remotely, I continue to get a "username/password" box instead of the CAC PIN number. Do I need to install some kind of smart card driver or does Apple already have it? I'm at a loss as to how to fix this.

  I was able to get rdesktop 1.6.0 to install on my Mac and I was able to get CAC log-in to work.
  However, the installation is a little tricky. I downloaded rdesktop 1.6.0 from this link:
  <<http://www.rdesktop.org>>
  My instructions for installation:
  1. Make sure Xcode Tools is installed on your computer. It should be on your OS X install disk.
  2. Find out where your X11 libraries are located:
  -From the Finder menu, selct "Go" >> "Go to Folder..."
  -Type (without the quotes) "/usr/X11", and click "Go"
  You should see a bunch of folders. Make sure the "include" and "lib" folders are there. Otherwise you need to find out where the X11 "include" and "lib" folders are located on your computer.
  3. Download rdesktop and place the (unarchived) rdesktop-1.6.0 folder on your Desktop
  4. Open the X11 application (should be in your Utilities folder)
  5. In the X11 window type the following (without the quotes):
  "cd Desktop/rdesktop-1.6.0 && ./configure --enable-smartcard -x-includes=/usr/X11/include -x-libraries=/usr/X11/lib && make && sudo make install"
  4. Hit enter. When prompted, enter your administrator password and hit enter.
  rdesktop should now be installed in the following folder:
  /usr/local/bin
  So, to launch rdesktop with smartcard log in enabled, open the X11 application (or Terminal application) and type the following (without the quotes, and replace your.server.address with the server address):
  "cd /usr/local/bin && ./rdesktop -r scard your.server.address"
  Hit enter and it should launch a new X11 window that will try to access the remote server where you should be prompted for your PIN.
  To explore more options with rdesktop, open X11 and type the following (without quotes):
  "cd /usr/local/bin && ./rdesktop"
  Hit enter and you should get a list of options available to rdesktop.

• Security-Kerberos Event ID 9 - Smart Card not working for Login due to CRL download failure

  We have 8 computers that users were able to login with a Smart Card on one day. The next day they couldn't. Everyone else can login with a Smart Card without issue. These users can login with their smart card on other systems without issue. No users can
  login on the affected computers with a SmartID.
  In all cases, users can login on affected computers with their user ID and password.
  All traces on the domain controllers indicate the smart card PKI cert was validated by OCSP and the Kerberos session ticket was passed back to the client.
  However the client can't download the CRL from the CRL server for validation during login and always reports the CRL server is unavailable.
  Using CertUtil, you can validate manually the DC cert and the CRL will download from CRL server.  You can also hit the HTTP site for the CRL download and manually download the CRL.  All this once logged in using user id and password.
  You can't unlock the computer with a Smart card or login with a smart card.
  Packet trace indicates Kerberos session properly negotiated with workstation and DC. 
  Everything fails once client workstation can't download CRL during login.
  Any suggestions on where to look next?
  We have reloaded Activclient smart card validation software.  Still no effect on issue. 
  Smart card is readable once user is logged in, via Activclient, and Windows recognizes certs on smart card when inserted for login.
  Problem occurs during CRL download only, so login or any type of validation fails.

  Got it.
  So try to do what i suggested, exclude the CRL downloaded on Friday and try to rebuild it.
  Check it here:
  To resolve this issue:
  Delete the domain controller certificate that is no longer valid.
  Request a new certificate.
  To perform these procedures, you must be a member of the Domain
  Admins group, or you must have been delegated the appropriate authority.
  Delete the domain controller certificate that is no longer valid
  To delete the domain controller certificate that is no longer valid:
  On the domain controller, click Start, and then click
  Run.
  Type mmc.exe, and then press ENTER.
  If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click
  Continue.
  Click File, and then click Add/Remove Snap-in.
  Click Certificates, and then click Add.
  Click Computer account, click Next, and then click
  Finish.
  Click OK to open the Certificates snap-in.
  Expand Certificates (Local computer), expand Personal, and then click
  Certificates.
  Right-click the old domain controller certificate, and then click Delete.
  Click Yes, confirming that you want to delete the certificate.
  After the certificate is deleted, follow the procedure in the "Request a new certificate" section.
  Request a new certificate
  To request a new certificate:
  Expand Certificates (Local computer),right-click Personal, and then click
  Request New Certificate.
  Complete the appropriate information in the Certificate Enrollment Wizard for a domain controller certificate.
  Close the Certificates snap-in.
  Verify
  To perform this procedure, you must be a member of the Domain
  Admins group, or you must have been delegated the appropriate authority.
  To verify that the Kerberos Key Distribution Center (KDC) certificate is available and working properly:
  Click Start, point to All Programs, click
  Accessories, right-click Command Prompt, and then click
  Run as administrator.
  If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click
  Continue.
  At the command prompt, type certutil -dcinfo verify, and then press ENTER.
  If you receive a successful verification, the Kerberos KDC certificate is installed and operating correctly.
  Sergio Figueiredo
  Microsoft Certified Solutions Associate

• Simulation of smart card

  Hi ppl,
  I'm a student working on a project of simulation of smart card. It involes no hardware at all so the physical layer transmission is ignored. I'm gonna implement the smart card operation using two programmes "card.c" and "reader.c" in the same computer. Yes, it's C not java, but the idea is the same. I just wanna ask is that the programmes r about the same? I mean what exactly should the reader.c and the card.c do? Is it the reader.c simply sends out commands and then the card.c listens and waits for the commands like the client of a client-server scenario? And then once the card.c receives commands, it extracts the useful data according to the ISO17816-4 and then sends back response and the reader.c again provess the data recoived and sends another commands. And the transmission goes on, is it like that?
  Plz give me some hits on these. Desperate for some help really.
  Thanz sooo much ppl!!
  Franky

  Here's what I'm gonna do in the programs.
  At the very first, the reader sends a reset RST to teh card and waits for repsonse. The card then responses with answer to reset ATR, this gives all the communications protocol used afterwards, so the card will choose like T=1.
  And then the reader sends the GET CHALLENGE command to the card asking for a random number e.g. A and response from the card gives the challenge A to reader.
  Reader then sends the encrypted challenge [A] with the EXTERNAL AUTHENTICATE command to card, the card replies with a YES or NO indicating if the challenges match.
  Reader sends its challenge B with command INTERNAL AUTHENTICATE, card replies with encrypted challenge .
  This finishes the challenge-response operation for mutual authentication. I read from books that the key used to encrypt and decrypt the challenge is the master key. But I have no clue how both entities can get hold of the key beforehand. Maybe there's sth like PKI for that.
  And then, should there be a verification by using the PIN? So after this verification, the real data and message exchange should occur rite? And I read from books that some cards require every access to the card to have a PIN verification. Well, I think that's almost it for the security part. And I'll have to find some source on how to make a read application of the smart card, like a payment card or identification card. I think one of the most popular standards for payment card is EMV, and I dunno much for the identification card.

• Problem with Sun PKCS#11 Provider and Ativcard smart card.

  Hi,
  I'm trying to make a signature with a smartcard.
  I have no problem signing with my card in applications such as Microsoft Office, Outlook (they probably use CAPICOM or MS CryptoAPI).
  There is only one certificate on my card with non extractable pair of keys.
  When I`m using Java based application I have the following problem:
  I have Java 1.5.0 installed, and according to the reference guide on:
  http://java.sun.com/j2se/1.5.0/docs/guide/security/p11guide.html
  I configured "Sun PKCS#11 Provider".
  In file:
  %JAVA_HOME%/lib/security/java.security I inserted the following lines:
  # Configuration for security providers 1..6 omitted
  security.provider.7=sun.security.pkcs11.SunPKCS11 C:/pkcs11.cfg
  In my case (I`m using ActivCard) The file "C:/pkcs11.cfg" contains:
  name = ActivCard
  library = c:\windows\system32\acpkcs211.dll
  After that I try tu use configured provider with keytool.exe from jsdk.
  In cmdline:
  c:\Program Files\Java\jdk1.5.0_06\bin>keytool.exe -keystore NONE -storetype PKCS11 -list
  Enter keystore password:  1111
  Keystore type: PKCS11
  Keystore provider: SunPKCS11-ActivCard
  Your keystore contains 1 entry
  Cinek's dp ID, keyEntry,
  Certificate fingerprint (MD5): 36:19:DD:01:2E:A2:C5:F6:51:44:03:74:14:D5:62:C0
  So till now everything looks ok. Certificate is accessible.
  But when I trying to use jarsigner.exe to sign something:
  c:\Program Files\Java\jdk1.5.0_06\bin>jarsigner.exe -keystore NONE -storetype PKCS11 D:\Applet.jar "Cinek's dp ID"
  Enter Passphrase for keystore: 1111
  jarsigner error: java.lang.NullPointerException
  I`ve got the java.lang.NullPointerException !
  To find reason of the exception I`ve written simple application, which signs a byte array:
  import java.security.KeyStore;
  import java.security.PrivateKey;
  import java.security.PublicKey;
  import java.security.Signature;
  import java.security.cert.Certificate;
  import java.util.Enumeration;
  public class Main {
       public static void main(String[] args) throws Exception {
            PrivateKey privkey = null;
            char[] pin = { '1', '1', '1', '1' };
            KeyStore smartCardKeyStore = KeyStore.getInstance("PKCS11");
            smartCardKeyStore.load(null, pin);
            Enumeration aliasesEnum = smartCardKeyStore.aliases();
            if (aliasesEnum.hasMoreElements()) {
                 String alias = (String) aliasesEnum.nextElement();
                 privkey = (PrivateKey) smartCardKeyStore.getKey(alias, null);
                 byte[] aDocument = new byte[100];
                 Signature signatureAlgorithm = Signature.getInstance("SHA1withRSA");
                 signatureAlgorithm.initSign(privkey);
                 signatureAlgorithm.update(aDocument);
                 byte[] digitalSignature = signatureAlgorithm.sign();
  When I`ve run this application in last line in method signatureAlgorithm.sign() I got:
  Exception in thread "main" java.lang.NullPointerException
       at java.math.BigInteger.modPow(Unknown Source)
       at sun.security.rsa.RSACore.crtCrypt(Unknown Source)
       at sun.security.rsa.RSACore.rsa(Unknown Source)
       at sun.security.rsa.RSASignature.engineSign(Unknown Source)
       at java.security.Signature$Delegate.engineSign(Unknown Source)
       at java.security.Signature.sign(Unknown Source)
       at Main.main(Main.java:31)
  In debug, before this exception variables are:
  alias= "Cinek's dp ID"
  privkey =
  SunPKCS11-ActivCard RSA private key, 1024 bits (id 192168768, token object, not sensitive, extractable)
    modulus:          112271510887039102410124262012976131016781096451891854145879061791454872222254764386718257162446565027910080375427552248069203548913907633164297672417327888344423061606707834842776634133861005271620794248782338105033496749719965719732501903618453514554701005390412127008091861831421936757053019877456102263703
    public exponent:  65537
    private exponent: null
    prime p:          null
    prime q:          null
    prime exponent p: null
    prime exponent q: null
    crt coefficient:  null
  As you can see, private key has extractable attribute set, what is wrong. Attribute is set and key has no values.
  I think that can be the reason of NullPointerException. (Maybe when extractable = true, sign() methods expects key values filled).
  So, I can not sign anything.
  I tryed to add some additional attributes to file "C:/pkcs11.cfg":
  attributes(*,CKO_PRIVATE_KEY,*) = {
    CKA_EXTRACTABLE = false
  but with no effect. Key was still extractable.
  Can you help me to solve this problem?
  PS. I`m using acpkcs211.dll (v3.2.102.0) as an implementation of PKCS#11. (Activcard says that it is PKCS#11 v2.11 implementation)
  PS2. Sorry for my english

  Can I ask you one question?
  Which driver did you specify? I mean the smarcard reader driver or the smartcard itself driver?
  If the second, does it come along with the card? because as far as I know I just got the smart card but no software at all (apart the smartcard reader driver).
  Can you help me out with this?
  thanks in advance,
  Marco