E-smart card information

Can you tell me more about e-smart card (this is a smart card with fingerprint)? Is it possible to use Java Applets on it?
Edited by: 834472 on Feb 7, 2011 6:22 AM

Hi,
thanks for the fast answer. Do not want to flood so I am pasting only part of the functions:
     void _stdcall SetHandle(HWND hWnd)     
     void _stdcall SetWindowsLogonHandle(HWND hWnd)     
     int _stdcall DoReconnect()     
     void _stdcall DoCloseSCard()     
     int _stdcall isRunning()     
     void _stdcall SetICardReader(int i)     
     int _stdcall GetICardReader()     
     int _stdcall DoEnroll(const char * strID)     
     int _stdcall DoVerify()     
     int _stdcall DoVerifyGetID(char * ID)
     int _stdcall DoQuery()
     int _stdcall GetQuery(BYTE * byMax,BYTE * byCur)
     int _stdcall DoResetDB ()     
     int _stdcall DoErase()     
     int _stdcall DoUpdateInfo(char * pImageFile,char * pImageInfoFile)     
     int _stdcall DoReadInfo(char * pImageFile,char * pImageInfoFile)     
     int _stdcall DoUploadData(char * pUploadData,int iUploadSize)     
     int _stdcall DoDownloadData(char * pDownloadData,int *iDownloadSize)     
     int _stdcall DoCapture()     
     int _stdcall DoCaptureSave(char * pImageFile)     
     int _stdcall DoModeChange()     
     int _stdcall DoVersion(char * strBoot,char * strApp)     
     int _stdcall DoDebit(unsigned long uPay,unsigned long * uSpare)     
     int _stdcall DoGetCID(char * CID)     
Note: What's the _stdcall part of declaration for?
I have not said that the SDK is for visual studio, but the exam provided is for.

Similar Messages

  • Using smart card/nfc tag for authentication on Windows 8 devices NOT in a domain

    Title says it all. We have Sony RC-S380 readers and Acer Iconia W510 tablets with builtin Broadcom NFC chips. We can read tags and configure them for the usual proximity stuff (URIs, mail, etc.) but we are looking for authentication purposes, however without
    using ADFS or domain security. Can anyone point us in the right direction?

    Hi,
    By default, smart card is not available for stand alone computer and local account.
    This authentication technology might be helpful to you:
    EIDAuthenticate - Smart card logon on stand alone computers and local accounts
    http://www.mysmartlogon.com/products/eidauthenticate.html
    Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Karen Hu
    TechNet Community Support

  • Security-Kerberos Event ID 9 - Smart Card not working for Login due to CRL download failure

    We have 8 computers that users were able to login with a Smart Card on one day. The next day they couldn't. Everyone else can login with a Smart Card without issue. These users can login with their smart card on other systems without issue. No users can
    login on the affected computers with a SmartID.
    In all cases, users can login on affected computers with their user ID and password.
    All traces on the domain controllers indicate the smart card PKI cert was validated by OCSP and the Kerberos session ticket was passed back to the client.
    However the client can't download the CRL from the CRL server for validation during login and always reports the CRL server is unavailable.
    Using CertUtil, you can validate manually the DC cert and the CRL will download from CRL server.  You can also hit the HTTP site for the CRL download and manually download the CRL.  All this once logged in using user id and password.
    You can't unlock the computer with a Smart card or login with a smart card.
    Packet trace indicates Kerberos session properly negotiated with workstation and DC. 
    Everything fails once client workstation can't download CRL during login.
    Any suggestions on where to look next?
    We have reloaded Activclient smart card validation software.  Still no effect on issue. 
    Smart card is readable once user is logged in, via Activclient, and Windows recognizes certs on smart card when inserted for login.
    Problem occurs during CRL download only, so login or any type of validation fails.

    Got it.
    So try to do what I suggested, exclude the CRL downloaded on Friday and try to rebuild it.
    Check it here:
    To resolve this issue:
    - Delete the domain controller certificate that is no longer valid.
    - Request a new certificate.
    To perform these procedures, you must be a member of the Domain Admins group, or you must have been delegated the appropriate authority.
    Delete the domain controller certificate that is no longer valid
    To delete the domain controller certificate that is no longer valid:
    - On the domain controller, click Start, and then click Run.
    - Type mmc.exe, and then press ENTER.
    - If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
    - Click File, and then click Add/Remove Snap-in.
    - Click Certificates, and then click Add.
    - Click Computer account, click Next, and then click Finish.
    - Click OK to open the Certificates snap-in.
    - Expand Certificates (Local computer), expand Personal, and then click Certificates.
    - Right-click the old domain controller certificate, and then click Delete.
    - Click Yes, confirming that you want to delete the certificate.
    After the certificate is deleted, follow the procedure in the "Request a new certificate" section.
    Request a new certificate
    To request a new certificate:
    - Expand Certificates (Local computer), right-click Personal, and then click Request New Certificate.
    - Complete the appropriate information in the Certificate Enrollment Wizard for a domain controller certificate.
    - Close the Certificates snap-in.
    Verify
    To perform this procedure, you must be a member of the Domain Admins group, or you must have been delegated the appropriate authority.
    To verify that the Kerberos Key Distribution Center (KDC) certificate is available and working properly:
    - Click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
    - If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
    - At the command prompt, type certutil -dcinfo verify, and then press ENTER.
    If you receive a successful verification, the Kerberos KDC certificate is installed and operating correctly.
    Sergio Figueiredo
    Microsoft Certified Solutions Associate
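
A scripted pre-check for the procedure in the reply above, as an added example that is not part of the original thread: it lists the domain controller certificates in the local computer's Personal store with their validity state, asks certutil to fetch the revocation URLs for each one that is still in date, and then runs the `certutil -dcinfo verify` step. The function names, the 30-day warning window and the EKU filter are assumptions of this example; it runs in the administrator's session, not in the logon context.

```powershell
# Added example (not from the original thread). Read-only: it lists and
# verifies certificates; it does not delete or request anything.
# Run from an elevated PowerShell prompt on the domain controller.

# EKU OIDs commonly found on certificates a DC presents for smart card logon.
$DcEkus = @{
    '1.3.6.1.5.2.3.5'        = 'KDC Authentication'
    '1.3.6.1.4.1.311.20.2.2' = 'Smart Card Logon'
    '1.3.6.1.5.5.7.3.1'      = 'Server Authentication'
}

function Get-DcCertificateStatus {
    param([int]$WarnDays = 30)   # assumption: flag certificates expiring within 30 days
    $now = Get-Date
    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
        # Keep only certificates that carry at least one of the EKUs above.
        $purposes = @($cert.EnhancedKeyUsageList |
            Where-Object { $_ -and $DcEkus.ContainsKey($_.ObjectId) } |
            ForEach-Object { $DcEkus[$_.ObjectId] })
        if ($purposes.Count -eq 0) { continue }

        if     ($cert.NotAfter  -lt $now)                    { $state = 'Expired' }
        elseif ($cert.NotBefore -gt $now)                    { $state = 'NotYetValid' }
        elseif ($cert.NotAfter  -lt $now.AddDays($WarnDays)) { $state = 'ExpiringSoon' }
        else                                                 { $state = 'Valid' }

        [pscustomobject]@{
            Subject     = $cert.Subject
            Thumbprint  = $cert.Thumbprint
            NotAfter    = $cert.NotAfter
            State       = $state
            Purposes    = $purposes -join ', '
            Certificate = $cert
        }
    }
}

function Test-CertificateRevocationFetch {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # certutil verifies files, so write the public certificate (DER) to a temp file.
    $path = Join-Path $env:TEMP ('dc-cert-{0}.cer' -f $Certificate.Thumbprint)
    [System.IO.File]::WriteAllBytes($path, $Certificate.RawData)
    try {
        # -urlfetch makes certutil retrieve the AIA, CDP (CRL) and OCSP URLs
        # named in the certificate and report the result for each one.
        $output = & certutil.exe -verify -urlfetch $path 2>&1
        [pscustomobject]@{
            Thumbprint = $Certificate.Thumbprint
            ExitCode   = $LASTEXITCODE   # 0 means certutil completed the verification
            Findings   = @($output | Select-String -Pattern 'CRL|OCSP|Revocation|Error|Failed')
        }
    }
    finally {
        Remove-Item -Path $path -ErrorAction SilentlyContinue
    }
}

# 1. Which DC-type certificates are in the Personal store, and are they in date?
$status = @(Get-DcCertificateStatus)
$status | Format-Table Subject, Thumbprint, NotAfter, State, Purposes -AutoSize

# 2. For certificates that have not expired, can the chain and revocation data be fetched?
foreach ($entry in $status | Where-Object { $_.State -ne 'Expired' }) {
    Test-CertificateRevocationFetch -Certificate $entry.Certificate | Format-List
}

# 3. The verification step from the procedure above.
& certutil.exe -dcinfo verify
```

Certificates reported as `Expired` are the ones the "Delete the domain controller certificate that is no longer valid" step refers to.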

  • Need advice for an application that restricts access to other applications using a smart card

    Hello everybody,
    I am developing a system that uses a smart card reader attached to a USB port of a PC.
    What the system should provide is:
    When computer boots up and shows the users login screen, a user, previously registered, can use his smart card to access the system, instead of entering his password
    Once the user is logged in, when he tries to launch an application, which has previously marked as "secured", a dialog box is shown indicating that the user has to present his smart card. If the smart card has access to the application, the application
    is launched, otherwise an error message is shown to the user and the application is not executed.
    I develop in C++ and C#. I have already created a library (in Visual C++) that manages the smart card reader and provides the card presented to it.
    Now I am developing the application (in C#) that will configure the security (assigning cards to users and applications).
    Concerning this, I have 2 questions regarding each point above:
    Is it possible to create the centralized application that lists all users and allows to assign cards to them? Then, when the users login screen is shown, the system must access that data before logging in, so that it can check which card was presented and
    what user it corresponds to. I have seen in laptops, that have embedded fingerprint readers, a user must login to his account first and then he can register his fingerprints. In fact, what I need to do is something similar but with smart card reader instead
    of fingerprint reader. So, perhaps, user must login into his account first and then he will be able to add his card and store that information somewhere (in windows registry maybe).
    How can I launch my application when other application is executed but before its interface is actually shown? this is similar to what antivirus programs do, because they check the executable before it is actually ran. What is the best method to address
    the application? by executable file name? process name? or other? if the best is by process name, how can I know the process name without actually running the application?
    Well, that is all what I need to do. Please advise regarding this subject.
    I look forward to hearing from you,
    Best regards,
    Jaime
    Powered by C++

    > what was the guidance?
    1. Research other software that does similar things (not just exactly the same) as you need. If you like something in their solutions, copy it :)
    The only software I know that does that is an antivirus, but I am unlucky to find some code in c++ that allows to intercept the program execution before actually executing it.
    2. If a kernel driver would fit in your solution, go for it (google for what is available for free, or find a consultant to write it for you).
    There are a lot of information about kernel drivers, but the question is, is that really the solution?
    Otherwise, you can just hide the application from user's reach and substitute the executable in shortcuts, etc. to run your program instead.
    Definitely this is not the way to go
    What is the best method to address the application? by executable file name? process name? or other?
    By executable file name, like in the Windows Applocker, I think. Processes do not have names (they are artifact of Task manager and debugging tools, to represent the processes for user somehow). Or, only by the filename part of the full path.
    I agree with that
    if the best is by process name, how can I know the process name without actually running the application?
    When the user runs the application, the driver will detect this and do its magic.
    I have found this page: http://stackoverflow.com/questions/3556048/how-to-detect-win32-process-creation-termination-in-c. They mention WMI, but I will study it tomorrow... it is so late for today :-)
    Regards,
    -- pa
    Regards
    Jaime
    Powered by C++

  • ISE 802.1x EAP-TLS machine and smart card authentication

    I suspect I know the answer to this, but thought that I would throw it out there anyway...
    With Cisco ISE 1.2 is it possible to enable 802.1x machine AND user smart card  authentication simultaneously for wired/wireless clients (specifically  Windows 7/8, but Linux or OSX would also be good).  I can find plenty of  information regarding 802.1x machine authentication (EAP-TLS) and user  password authentication (PEAP), but none about dual EAP-TLS  authentication using certificates for machines and users at the same time.  I think I can figure out how to configure such a policy in ISE, but options seem to be lacking on the client end.  For example, the Windows 7 supplicant seems only able to present either a machine or user smart card certificate, not one then the other.  Plus, I am not sure how the client would know which certificate to present, or if the type can be specified from the authenticator.

    Hope this video link will help you
    http://www.labminutes.com/sec0045_ise_1_1_wired_dot1x_machine_auth_eap-tls

  • Digital Signatures with Smart Cards

    Hi folks,
    It is my first time with digital signatures on R/3 system. I’m at customer that uses smart cards (hardware cryptography). We are doing the SAPCRYPTOLIB and front end installations. After finish these tasks, we need to implement the signatures into 3 workflow processes. I already read the SSF programmers guide, API specifications and SSF user guide. But I still have some doubts:
    The SSF profile is stored into smart card with private key information, but where are the public keys stored? (PAB – Private Address Book of my trusted circle).
    Do I need the CRLs? Note: this is only for workflow processes that run inside of customer landscape; this is not a B2B scenario.
    We don’t have clear yet how we sign the data; we are thinking sign a BOR object. Create an attribute and use it to pass the signer data. Note: for the customer, the objective is user authenticity guarantee.
    The BOR object instance ends when the flows finish, so we need to store the signed data for auditable reasons. A database table can be a good approach or there is another standard way?
    P.S.: anyone have documentation about this subject, something like how-to with guidelines?
    Thanks in advance,
    Ricardo.
    Message was edited by:
            Ricardo  Quintino

    The SmartCard device is present at the frontend PC - and that's the place where the digital signature operation has to take place. Important is the "What You See Is What You Sign" principle: it has to be ensured that the data that is to be signed (using the private key stored on the SmartCard) is exactly the same as the one that is displayed to the user.
    Notice: there is a different scenario where the server is signing the data (after prompting the user for userID and password and validating that information).
    The signed data is then transported back to the server where it is stored (to ensure auditability); usually you'll have to keep the (archived) data for years; the public key needs to be archived as well.
    Notice: it is possible to attach the certificate (-> public key) which has been used to sign the data to the signed data.
    Regards, Wolfgang

  • Smart card with Thinkvantage Client Security Solutions doesn't work

    Dear all,
    I have the Lenovo Gemalto ExpressCard54 Smart card reader (41N3043). I purchased some .Net smart cards from Gemalto also. I have installed the drivers for both the smart card reader and the smart card minidrivers, as well as the PKCS#11 Drivers from Gemalto.
    However when I try to setup a smart card using Thinkvantage Client Security, the selection remains greyed out. What is the problem?
    When I try to run the executable css_smartcard.exe, I am told PKCS#11 Module is not installed. How do I install the module as there is no command to choose where the driver path is.
    Essentially I am wondering how to use smart cards on the client security software. The documentation, even the CSS deployment guide, has so little information on this.

    I should add that I am using Windows 7 and my CSS version is 8.3, I can also verify my smart card works for other applications, only thinkvantage CSS 8.3 does not work.

  • Campus Smart Card Implementation

    hello experts,
    i am a new bee to this java technology
    can anyone guide me main responsibilities(technical) to solve this scenario
    A student is identified by an ID card. Every year there a number of students that join college should be issued an identity card. There could be different cards/receipts for different needs (One for Library, Bus pass, Payment of institution fees etc,.. ). This smart card solution addresses the above mentioned problems and provides convenience for both college administration and the students. This application has features like student profile that includes his/her performance in exams/sports, each year attendance, payment information that includes (fee/hostel/exams etc,..), Library authorization and history and other information that is required for administration purposes.
    i appreciate your help
    thanks a lot for your valuable time
    i will reward the points for sure
    Naveen

    http://forum.java.sun.com/thread.jsp?forum=23&thread=357393&tstart=0&trange=15

  • PEAP-TLS: same settings in PEAP Properties and Smart Card & Cert Properties?

    When setting up a GPO for a wireless network profile via GPMC in Windows 2008 R2, in the
    Protected EAP Properties window there are check boxes for
    Validate server certificate and Do not prompt user to authorize new servers or trusted certification authorities, a textbox for
    Connect to these servers, and a selections list for
    Trusted Root Certification Authorities.
    All these configurable options show up again if you click on Configure when using
    Smart Card or other certificate as the authentication method.  You can set them as you wish there, different from PEAP Properties even.
    My question is, which set of options takes precedence? A sane person will probably keep them the same, but why have that confusion in the interface?

    Hi Roland,
    Both of these settings will take effect.
    PEAP is an EAP method that addresses this security issue by first creating a secure channel that is both encrypted and integrity-protected with TLS. Then, a new EAP negotiation with another EAP method occurs within the secure channel, authenticating the network access attempt of the access client.
    Therefore, the first settings are the settings of the TLS secure channel (outer layer), and the second settings are the settings of the new EAP negotiation (inner layer). If we choose "Smart Card or other certificate" as the authentication method of PEAP, there will actually be two TLS secure channels.
    For detailed information, please refer to the link below,
    Extensible Authentication Protocol Overview
    http://technet.microsoft.com/en-us/library/bb457039.aspx
    Best Regards.
    Steven Lee
    TechNet Community Support

  • Remotely login error on windows server 2003 using gemalto smart card

    I am getting this error when trying to log on windows server 2003 remotely using smartcard. We have our own CA. We are able to successfully logon on windows server 2008 using same card.

    Hi,
    Based on my research, Event 537 indicates that a logon attempt was made and rejected for some reason other than those covered by explicit audit records in this category.
    Would you please provide more details?
    Are there any related warnings and errors under Application Logs or System Logs?
    By remotely login, do you mean logon via RDP?
    Here are some related links below for your reference:
    Event 537
    http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows%20Operating%20System&ProdVer=5.0&EvtID=537&EvtSrc=Security&LCID=1033
    Smart Card and Remote Desktop Services
    http://technet.microsoft.com/en-us/library/ff404286(v=WS.10).aspx
    Please get back to us with the necessary information at your earliest convenience.
    Best Regards,
    Amy Wang

  • Unlocked Virtual Smart Card using the PUK and Adminkey

    At my company we use virtual smart card with WIN8.1 and some user has blocked you from failed attempts by the VSC. The question is whether there is a tool that allows unlocked the virtual smart card using the PUK or Adminkey password? The error that occurs to me is the following:
    “The security device cannot process the PIN.
    The PIN has been blocked temporarity because too many incorrect PINs have been entered, Try again later. If this message reoccurs, contact your administrator to reset the lockout
    period for this security device”

    Hi dtencio,
    It's unreasonable to use PUK or Admin key instead of PIN, because the VSC uses two-factor authentication and this guarantees the PC's security.
    To get more information, here is link for reference:
    Evaluate Virtual Smart Card Security
    http://technet.microsoft.com/en-us/library/dn579257.aspx
    When PIN is blocked or the TPM is in a lockout state, we recommend you to contact with your administrator to reset user PIN or reset lockout of TPM.
    If you are tired of the frequent blocked or locked out issue, we recommend you to contact with your administrator to change the lockout time in policy.
    Best regards 

  • T61/X61 integrated smart card reader

    Hi,
    Does anyone know if the optional smart card reader on the T61/X61 laptops are based on PCMCIA or Expresscard standards, what is the exact make and model, and if they are CCID compliant?
    Thanks.

    http://shop.lenovo.com/SEUILibrary/controller/e/na/LenovoPortal/en_US/catalog.workflow:item.detail?GroupID=38&Code=41N3043
    Add Smart Card security technology to ThinkPad notebook computers equipped with a 54-mm ExpressCard slot. The Gemplus ExpressCard Smart Card Reader from Lenovo offers an ideal interface between a portable computer and a smart card, to control access to databases or corporate computer networks. A smart card is a plastic card that contains personalized information. Its function can range from simple data storage to more advanced memory and processing capabilities. The Gemplus ExpressCard Smart Card Reader from Lenovo is reader hardware only and does not include blank smart cards or smart card management software.
    Features and Benefits:
    Reads and writes(1) to all ISO-7816 compatible smart cards.
    Reader hardware connects to any ThinkPad equipped with a 54-mm ExpressCard slot.
    Includes drivers for Microsoft Windows 2000 and Windows XP to help get you up and running quickly.
    And it's backed by Lenovo's limited warranty with renowned Service and Support available from IBM.
    (1) Although this reader can be used to access any ISO 7816-compliant Smart Card, Lenovo's primary intent is to enable ThinkPad customers to integrate a security authentication application of their choosing.
    have a look it is an express card version built by Gemplus, not sure about the rest.
    Message Edited by wjli2 on 06-25-2008 12:42 PM

  • Smart Card login screen authentication

    Apple don't seem to have updated their documentation on this subject since way back in the Mac OS X Tiger days!
    I would like to have a setup where a user can walk up to a Mac (which is at the login screen), wave an RFID card over a reader connected to that Mac and be able to then login to that Mac. If it is necessary for a PIN/Password to also be entered that might be acceptable. Similarly if the screensaver activates during their login session, waving their RFID card again over the reader should unlock the screensaver.
    An alternative scenario would be a Mac with a guest login account enabled, and then wanting to use the same card reader to authenticate when requested to a proxy server in order to gain network access.
    The cards to make it clear would be RFID based, not magstripe or chip-and-pin. There are suitable USB readers like this one
    http://www.ers-online.co.uk/o5651/cardman5021-cl-omnikey-omnikey-5021-cl-contact less-smart-card-reader

    Hi Robert Gauthney,
    Could you offer more information about your issue, I found a similar scenario with your issue, if it meet your environment please refer the following KB to fix it, if it not
    meet your scenario please offer us more information such as the error screenshot or related Windows event information:
    Smart card authentication does not work when you use VDI and RD Gateway for RDC client in Windows 7 or in Windows Server 2008 R2
    http://support.microsoft.com/kb/2548538/EN-US
    I’m glad to be of help to you!
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • Issues regarding Smart Card login inside domain and on SmartPhones

    Hi
    I am planning to implement at my domain login ONLY with smartcard
    I saw I have some option how to do it, one with GPO that covers all the computers (or some computers with defined groups)
    or I can check the "smart card is required ...." this could be the easy way but when I check this box
    the users with the smartphones no longer can authenticate with it to get emails, also the OWA is not available for them
    is there any solution so the users will have to login with smartcard and still get the emails to the smartphones ?
    thanks
    TK


  • Accessing smart card through internet

    I want to make an application that will do the following : I want to have a webpage(for example an order form at an e-shop site) to access the smart card at a remote computer over the internet (the customer's pc) and get some information from an array in the card (e.g the shipping address and his name)....Is it possible to do that or the security restrictions (java applet restrictions) will not allow me to ? If so has anybody any ideas of how it could be done? The same opencard commands (e.g sendCommandApdu() ) work for accessing a card through the internet or do I have to use anything different???Thank you ...

    Sir,
    Even I am looking for a similar application Online Banking application
    But in that case the bank has to authenticate the user using some info that the card stores
    How does the bank achieve the same?
    What is the cards role in this regard
    Where does cryptology come into this
    I would be happy to know these details
    Regards
    Kumar
