FIM 2010 CM deployment for Smart Card Management

I have FIM installed and was initially getting an "Object does not exist on server" error whenever I went to Manage Profile Templates or, with a user account, tried the Request a Smart Card link.
I enabled verbose logging and this is the error
Error loading all profile templates. Container path: CN=Profile Templates,CN=Publik Key Services,CN=Services,CN=Configuration,DC=Company,DC=Com
I validated that the container does not exist. I manually created it and now I get past the error, but all lists of profiles are empty because the container is empty.
At what point should this have been created/populated?
Aaron

The container is created when a member of the Enterprise Admins group *successfully* runs the FIM CM Configuration wizard. It appears you have either not run the wizard, or never completed it successfully.
Brian

Similar Messages

  • KDC Event ID 29 - The KDC cannot find a suitable certificate to use for smart card logons...

    I am getting the event (below) every day on a new 2008 domain controller that I brought up recently. The DC has a domain controller certificate that was automatically issued by an online enterprise CA. This CA is located in another domain (child domain) within the same forest. The 2008 DC is in the top-level domain. None of the other domain controllers, which are 2003, are reporting this message. I ran certutil.exe, and it successfully verifies all domain controller certificates, including the certificate on my new 2008 DC. Any ideas why these messages continue to appear?
    The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

    Hi,
    I have checked the file. Here are my findings:
    1.    The computer names of the domain controllers are different in this dcinfo.txt file. There is no Swampoak. I would like to confirm which one is the Windows Server 2008 domain controller.
    2.    The domain controllers Buckeye and Madrone both have 2 KDC certificates, one expired and the other valid:
    *** Testing DC[0]: MADRONE
    ** KDC Certificates for DC MADRONE
    Certificate 0:  --> Valid
    Serial Number: 116bbdd90000000000b6
    Issuer: ***
    NotBefore: 12/15/2008 2:28 AM
    NotAfter: 12/15/2009 2:28 AM
    Subject: CN=madrone.****
    Certificate Template Name (Certificate Type): DomainController
    Non-root Certificate
    Template: DomainController, Domain Controller
    Certificate 1:  --> Expired
    Serial Number: 15c2f00b000000000028
    Issuer: ****
    NotBefore: 3/9/2007 3:05 PM
    NotAfter: 3/8/2008 3:05 PM
    Subject: EMPTY (DNS Name=madrone.****)
    Non-root Certificate
    Template: DomainControllerAuthentication, Domain Controller Authentication
    *** Testing DC[1]: BUCKEYE
    ** KDC Certificates for DC BUCKEYE
    Certificate 0:  --> Expired
    Serial Number: 15c4ddc2000000000029
    Issuer: *****
    NotBefore: 3/9/2007 3:07 PM
    NotAfter: 3/8/2008 3:07 PM
    Subject: EMPTY (DNS Name=buckeye.****)
    Non-root Certificate
    Template: DomainControllerAuthentication, Domain Controller Authentication
    Certificate 1:  --> Valid
    Serial Number: 115f34ec0000000000b4
    Issuer: ****
    NotBefore: 12/15/2008 2:15 AM
    NotAfter: 12/15/2009 2:15 AM
    Subject: CN=buckeye.****
    Certificate Template Name (Certificate Type): DomainController
    Non-root Certificate
    Template: DomainController, Domain Controller
    Suggestion:
    1.    Please delete the expired certificate, then reboot the domain controller and test the issue again.
    2.    If the issue persists, please request a new Domain Controller Authentication certificate on the domain controller and check the result.

  • Windows 8.1 default logon prompt for smart card instead of username/password

    Hello,
    We are currently in our pre-deployment test phase for Windows 8.1 and are trying to knock out the high-visibility problems that we notice. One of the issues we've noticed:
    When logging into Windows, the default prompt is for a username/password. All of our users are using smart cards, so they have to click "sign-in options", click the smart card icon, and then enter their PIN. How would I change the startup screen to default to smart card?
    Also, when locking the screen by removing the card, it again prompts for the username/password when unlocking the screen. So the users again have to click on "sign-in options" and select the smart card, otherwise they risk locking out their account by entering the PIN in the username/password field.
    When locking the screen via ctrl-alt-del or windows-L, unlocking does default to the smart card, so I know it can be done!
    thanks,
    -Nick

    Hi,
    I'm afraid we can't change the Sign-in Options order; I checked GP and the Registry, and there is no way to do it.
    However, there is another way: just enable "Require smart card" in GP. After this policy is enabled, all users will have to use smart cards to log on to the network. This means that the organization must have a reliable public key infrastructure (PKI) in place, and provide smart cards and smart card readers for all users.
    Location: GPO_name\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
    Roger Lu
    TechNet Community Support

  • Generate certificates valid for smart card (Windows logon) with third party PKI (not Microsoft)

    Hello everyone
    Today I am working on a PKI mounted on a Red Hat Enterprise Linux Server release 5.5 (Tikanga); it is Easycert 5.2.2.15. We need to know what data we have to provide to the PKI so it can generate certificates for users in Active Directory for use with a USB token (ACOS5-64 CRYPTO CHIP) functioning as a smart card for logging users in on computers.
    On the other hand, we also need to know the necessary settings between the third-party PKI and the domain controllers (Windows 2012).
    Greetings, and I hope for your response.
    TechCach

    > It is for Windows 2012.
    Nothing has changed since Windows Server 2003. Here is a KB article:
    http://support2.microsoft.com/kb/281245
    > Is the scenario supported by Microsoft?
    Yes, of course. See the KB article above.
    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor: pscmdlethelpeditor.codeplex.com
    Check out new: SSL Certificate Verifier
    Check out new: PowerShell FCIV tool.

  • Support for smart-card authentication in PowerBuilder based application

    Hi, I have an application on PB11.5 with an Oracle DB back-end (11.2g). My DoD customer wants the application to use their DoD CAC Card (Smart Card) to authenticate against the Enterprise - Windows Active Directory domain, currently the application uses user-id\password for user authentication.  Is this something newer versions of PB can support and implement? Thank you.

    You have a couple of choices:
    1.  Depending on how old their workstations are, or if they have ACTIVCLIENT installed, you could call the CAPICOMM ActiveX using OLE commands
    2.  A solution that doesn't require that ActiveX is to use the Smart Card SDK built into newer versions of Windows.  It does require a lot lower level coding though, as you have to issue specific APDU commands to the card and know how to handle the responses.
    I posted a sample of the latter to the NNTP groups back in 2011.  I suppose I should get around to creating a blog entry explaining how to use it.

  • Java Card Technology for Smart Cards: Zhiqun Chen

    Hi,
    I have this book, but it's using Java Card 2.0.
    Do you know if the author "Zhiqun Chen" has a new one for 3.0 Connected?
    http://java.sun.com/developer/Books/consumerproducts/javacard/
    Edited by: Hassan on Apr 20, 2012 3:45 AM

    That is the latest copy. It is still a good reference for getting started and contains some more advanced topics that are relevant to newer JC versions. I am not sure if a book on connected edition is relevant considering there is no real application that I am aware of. You may be able to get cards that support JC 3 classic though.
    The book is available on Amazon: http://www.amazon.com/Java-Card-Technology-Smart-Cards/dp/0201703297
    It is well worth the $33.
    Shane

  • Outlook 2010 prompting to "Insert smart card"

    Before anyone refers me to the KB articles or other threads which address this problem, let me say that I have seen them and have performed the requested operations referenced in the following KB: http://support.microsoft.com/kb/2704959/en-us
    The exchange server is running Microsoft Windows Server 2003 R2 x64 with Exchange Server 2007.
    The clients are running Windows 7 x64 or Windows 2008 Server with Microsoft Outlook 2010 Professional Plus - both of these are up-to-date.
    While an older version of IIS (v6.0) is running on the exchange server, the settings specified by the previously indicated KB are correctly configured, yet clients on both of these platforms across the domain continue to encounter these prompts. 
    Aside from attempting to uninstall the KBs that are responsible for this in the first place (http://support.microsoft.com/default.aspx?scid=kb;EN-US;2553248, http://support.microsoft.com/default.aspx?scid=kb;EN-US;2597137, http://support.microsoft.com/default.aspx?scid=kb;EN-US;2597011), which are not even present on some of the systems that exhibit this problem (but may have been rolled into the Service Packs for Office, though I have been unable to verify this), what else can be done to remove or otherwise prevent this prompt from endlessly harassing our users?
    Thanks!
    Sorry for the lack of links in the body, apparently I can't include them until my account is verified.

    Hi,
    Because you're using (older) Outlook with (older) Exchange, I recommend the Exchange legacy clients forum:
    http://social.technet.microsoft.com/Forums/en-US/home?forum=exchangesvrclientslegacy
    KB2704959 mentions that the affecting feature was introduced in 2011, and you mentioned that your clients are all up to date, which suggests they would have SP2 for Office 2010.
    Since SP2 for Office 2010 was released around July 2013, it's reasonable to assume that your clients will have the feature, and that you would need to roll back before SP2 to remove it. You could perhaps test this, but if everything works without SP2, I'm not sure that's a very acceptable workaround.
    I also note in the "more info" section of the same KB that you would need to ensure the necessary certificate settings are applied to FE/CAS (in case you have those elements in your implementation), in addition to MBX. It may also be relevant if you are publishing via TMG or UAG or similar products?
    It may also be helpful for you to confirm whether your clients are using MAPI/RPC vs. RPC-over-HTTP (Outlook Anywhere); from my reading of the same KB, the issue might only affect clients that are configured to use RPC-over-HTTP?
    Don

  • Outlook 2010 "The server is unavailable" using smart card Exchange 2010

    I have a XenApp 6.5 environment that uses smart card authentication for login. All the Office applications will open except for Outlook. Outlook opens up and shows a prompt saying "Connecting" ... "The server is unavailable".
    If I remove the smart card authentication from the XenApp environment, users are able to open Outlook with no problem.
    My question: is there something with Exchange 2010 that needs to be turned on for smart card authentication?

    Hi,
    I suggest you remove any existing certificate-based credentials from the Credential Manager and use the EnableSmartCard registry setting to check the result. The Outlook client may not be properly configured to work with saved smart card credentials.
    Important: Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, back up the registry for restoration in case problems occur.
    Remove existing certificate-based credentials
    The first step to prevent a PIN lockout is to delete any existing certificate-based credentials that were saved by Outlook.
    1. Open Control Panel.
    2. Double-click Credential Manager.
    3. See whether there is a Certificate-Based credential similar to the following:
       @@BSUgiZQZ54Pf6cEtxKflWHH
       Also, see whether there is a Generic credential similar to one of the following:
       MS.Outlook.14:[email protected]:PUT
       MS.Outlook.15:[email protected]:PUT
       Note: 14 indicates Outlook 2010 saved the credential and 15 indicates Outlook 2013.
    4. If these are both present and were created or changed at the same time, they are likely smart card credentials saved from Outlook. Click the first credential to expand it and to show the details. Then, click Remove to delete the credential from Credential Manager.
    5. Repeat step 4 for each one of the credentials listed in step 3.
    6. When you are finished, close Credential Manager.
    Configure the EnableSmartCard registry setting
    The second step to prevent a PIN lockout is to create the EnableSmartCard registry setting.
    Outlook 2010
    For Outlook 2010, the EnableSmartCard registry setting was introduced with the Microsoft Outlook 2010 hotfix package dated December 13, 2011 (KB2597028). We recommend that you install the most recent build of Outlook 2010. For more information about the latest applicable updates for Outlook, click the following article number to view the article in the Microsoft Knowledge Base:
    2625547 How to install the latest applicable updates for Microsoft Outlook (US English only)
    To create the EnableSmartCard registry value, follow these steps:
    1. Exit Outlook.
    2. Start Registry Editor.
    3. Create the following registry values at the specified locations:
       Note: Manually create any registry keys or values if they do not exist.
       Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\RPC
       DWORD: EnableSmartCard
       Value: 1
    4. Exit Registry Editor.
    For this question, if you need to get more information about Exchange 2010, I suggest you post the question in the Exchange forum:
    https://social.technet.microsoft.com/Forums/exchange/en-US/home?category=exchangeserver
    Regards,
    Melon Chen
    TechNet Community Support
    It's recommended to download and install the Office Configuration Analyzer Tool (OffCAT), which is developed by Microsoft Support teams. Once the tool is installed, you can run it at any time to scan for hundreds of known issues in Office programs.

  • Smart Card login for ordinary folk

    Hi,
    I used to use the OpenSC project for Smart Card login, but I believe that with changes in OS X 10.8 it's no longer an option.
    What affordable solutions are there for genuine Smart Card login for OS X 10.8?  YubiKey doesn't support anything more than entering a static password pre-stored on the device, and when I last tried Rohos it was abysmal.

    I'm guessing that since you are not entering a password, the sparse bundle is not being unlocked. I don't know of a way to tie it to the smart card login. It sounds similar to when you put a different password on your default keychain. It won't unlock on login because you are not entering its password.

  • T61/X61 integrated smart card reader

    Hi,
    Does anyone know if the optional smart card reader on the T61/X61 laptops are based on PCMCIA or Expresscard standards, what is the exact make and model, and if they are CCID compliant?
    Thanks.

    http://shop.lenovo.com/SEUILibrary/controller/e/na/LenovoPortal/en_US/catalog.workflow:item.detail?GroupID=38&Code=41N3043
    Add Smart Card security technology to ThinkPad notebook computers equipped with a 54-mm ExpressCard slot. The Gemplus ExpressCard Smart Card Reader from Lenovo offers an ideal interface between a portable computer and a smart card, to control access to databases or corporate computer networks. A smart card is a plastic card that contains personalized information. Its function can range from simple data storage to more advanced memory and processing capabilities. The Gemplus ExpressCard Smart Card Reader from Lenovo is reader hardware only and does not include blank smart cards or smart card management software.
    Features and Benefits:
    Reads and writes(1) to all ISO-7816 compatible smart cards.
    Reader hardware connects to any ThinkPad equipped with a 54-mm ExpressCard slot.
    Includes drivers for Microsoft Windows 2000 and Windows XP to help get you up and running quickly.
    And it's backed by Lenovo's limited warranty with renowned Service and Support available from IBM.
    (1) Although this reader can be used to access any ISO 7816-compliant Smart Card, Lenovo's primary intent is to enable ThinkPad customers to integrate a security authentication application of their choosing.
    Have a look: it is an ExpressCard version built by Gemplus; not sure about the rest.
    Message Edited by wjli2 on 06-25-2008 12:42 PM

  • How to use Smart Card API's (OCF) in Web Application

    Hi friends,
    For our new smart card based project, I have a few queries:
    1. Can we choose a web-based application for smart card based projects?
    2. How will the servlet communicate with the OpenCard CTListener class?
    3. When the card is inserted or removed, how will the event be reflected in the servlet?
    4. For that, is it necessary to design the client UI using Swing?
    5. Without Swing, will the servlet provide the whole solution for smart card connection and events?
    Regards,
    dhaya.

    I am also looking for smart card Authentication using web. Any info really appreciated

  • Remote desktop and smart cards

    I frequently work from home using my mac to access my windows based desktop at the office. I use the microsoft remote desktop v. 1.0.3. for MAC. Now that my agency is moving to smart card identification requirements for access I need to be able to use the smart card at home to sign onto the office desktop.
    The RDC for MAC does not have an option for smart card readers (as opposed to the RDC for windows version). Is there alternative software that would be simple to install on my MAC (I am not an IT sophisticate) that will give me smart card access?

    Microsoft Remote Desktop Connection (RDC) for Mac and Apple Remote Desktop (ARD) are two completely different tools with marginally similar capabilities. Unfortunately, as you've already discovered, neither offers Smart Card capabilities to allow you to authenticate to your Windows computer at work.
    If your Mac is an Intel Mac then you could probably run Windows using Parallels or Boot Camp on your home computer and use the Windows RDC client to make your connection. I don't suggest trying to use VirtualPC if you have a PowerPC Mac simply because your Smart Card reader will most likely be USB and VirtualPC has a bad track record with USB devices.
    Hope this helps!
    bill
      Mac OS X (10.4.10)   1 GHz Powerbook G4

  • XML Signatures using Smart Cards

    Hello guys,
    I know this is not exactly a javacard topic, but I think this forum is where I 'll get the best replies.
    We need to perform XML document signatures and verification using smart card stored certificates. The certificates are created using Microsoft Windows 2003 CA and stored in the cards using the cards' CSP.
    I have a notion on the libraries that I am going to have to use:
    - sun.security.pkcs11 for the smart card access,
    - java.security.* for cryptography stuff (keystore, public-privateKey etc.),
    - sun.security.cert.X509Certificate for the certificates,
    - org.apache.xml for the xml documents.
    Could you please verify that I am heading to the correct direction? I would be glad if you could suggest suitable starting points, similar scenarios etc. If you think that there is a more appropriate forum for my question please tell me so.
    Thanks in advance for your help.

    Yes, you are moving in the right direction. Actually, PKCS#11 is a standard that is used for hardware cryptographic operations, so it would be used for smart cards. 2. I'll suggest you use the wrapper and provider API given by IAIK; it would help you a lot and will also ease your work.

  • MIDlets and smart cards ???

    Hi
    A question:
    We have smart cards and SIM cards, a SIM card being a smart card with a much smaller plastic substrate than credit-card sized smart cards.
    We have the Java[tm] programming language.
    We know that there are wireless phones that can execute so-called MIDlets. And, as far as I know, they can execute those MIDlets because they have a Java-understanding SIM card.
    So the language is the same and the "hardware" is the same.
    So where are the differences between programs for smart cards and MIDlets? Are they the same?
    RB

    You mix Java on SIM cards with Java on phones! MIDlets are executed by a Java VM that runs on the mobile phone hardware. Java Card applets, however, are executed by a Java VM that runs on the smart card hardware. This smart card might be a SIM card, which sits inside a mobile phone, but apart from that we are talking about two different things: two different Java runtime environments. Please consult the MIDP/Java Card specifications.

  • ADSI SetPassword requests smart card pin

    I have an HTA application that I use to create users in AD. JavaScript and ADSI are used.
    This is working fine; I can create users, set all desired attributes, etc. But if the user that executes the HTA is authenticated using a smart card, it will pop up twice asking for the smart card PIN code. If I type the PIN it works fine, and likewise if I just click cancel. The thing is that it is annoying and slows things down. A user with the proper rights, but no smart card, can run the script without anything popping up.
    First I bind to the AD and get the container, then create the user as follows:
       objContainer = GetObject("LDAP://" + strContainerDN);
       objUser = objContainer.Create("user", "CN=" + strUserID);
       objUser.Put("samAccountName", strUserID);
       objUser.Put("userPrincipalName", strUserID + "@mydomain.com");
       objUser.SetInfo();
    Next I set the password:
       objUser.SetPassword("xxxxxxxx");
    It is the SetPassword method that results in the popup window.
    The window looks genuinely Microsoft. It says Windows Security, Microsoft Smart Card Provider, Please enter your PIN:
    And next to the input box there is a smart card tile.
    I am logging in to a server (2008 R2) using RDP to perform the administration. Using smart cards in the remote session has been enabled.
    Any ideas why this window pops up? Apparently it is not necessary when I can just click cancel.
    And is there any way to prevent it? Other than disabling smart card use in the remote session.
    Thanks in advance,
    Jan Nielsen

    I just ran into the same problem. I've been using the .NET classes from the System.DirectoryServices namespace (which wrap ADSI behind the scenes) in PowerShell scripts for years without issue. Recently, I installed the minidriver module for a new smart card on my RDP machine. After doing that, whenever I use the DirectoryEntry.Invoke() method to call either the SetPassword or ChangePassword ADSI functions, and I don't have my smart card plugged in, I get a prompt to insert it. If I do have the smart card plugged in, I get a PIN prompt exactly like you describe. Either way, clicking cancel allows the call to complete successfully.
    I think what's happening here is ADSI is trying to "upgrade" its LDAP connection to use SSL/TLS whenever SetPassword or ChangePassword get called, and in the process triggering SSL/TLS client certificate authentication. At that point, the smart card subsystem kicks in to provide a certificate to use with said authentication, causing the prompts to appear.
    The reason ADSI would try to do this is because the DC won't allow a password modify operation to occur over an unencrypted LDAP connection (see *), and ADSI must be smart enough to know this and attempt to re-bind to the DC using SSL/TLS automatically. Unfortunately, though, I guess when ADSI does this it doesn't distinguish between using SSL for encryption and using it for encryption + authentication, and so the latter ends up happening when conditions are right for it.
    Fortunately, there is a workaround.
    For the System.DirectoryServices namespace, if you set the AuthenticationType property on your DirectoryEntry object ahead of time to include:
    AuthenticationTypes.Secure | AuthenticationTypes.Signing | AuthenticationTypes.Sealing
    then the next time the object's properties get loaded, ADSI will bind to the DC using SASL for encryption.
    If your DC is running Server 2003 or later (see *), this will be sufficient to allow the password modify operation to succeed, and ADSI won't try to rebind again using SSL.
    For native ADSI, I'd assume passing the ADS_SECURE_AUTHENTICATION, ADS_USE_SIGNING, and ADS_USE_SEALING constants to the IADsOpenDSObject::OpenDSObject method (instead of calling GetObject) will achieve the same thing.
    * http://msdn.microsoft.com/en-us/library/cc223248(v=prot.20).aspx
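    As an added example (not code from either poster), this PowerShell script applies the workaround described in the reply above: the user is created and its password set through System.DirectoryServices with Secure | Signing | Sealing applied before the first bind, so the password operation runs over a signed and sealed SASL bind and ADSI has no reason to rebind over SSL/TLS and pull in the smart card certificate. The container DN, user id and domain are assumed placeholders.

```powershell
# Added example: create an AD user and set its initial password over a
# SASL-signed/sealed bind so ADSI does not fall back to an SSL/TLS rebind
# (and the Microsoft Smart Card Provider PIN prompt) during SetPassword.
Add-Type -AssemblyName System.DirectoryServices

$containerDN = 'OU=Staff,DC=mydomain,DC=com'   # assumption: your target container
$userId      = 'jdoe'                           # assumption: sample account name
$upnSuffix   = 'mydomain.com'                   # assumption: your UPN suffix

# Secure = Kerberos/NTLM (SASL) bind; Signing + Sealing = integrity + encryption
# on that bind, which satisfies the DC's requirement that password modify
# operations only occur over an encrypted connection (the "see *" reference above).
$authTypes = [System.DirectoryServices.AuthenticationTypes]::Secure -bor
             [System.DirectoryServices.AuthenticationTypes]::Signing -bor
             [System.DirectoryServices.AuthenticationTypes]::Sealing

# Pass the flags to the constructor so even the first bind is signed and sealed;
# null username/password means the current (smart card) logon session is used.
$container = [System.DirectoryServices.DirectoryEntry]::new(
    "LDAP://$containerDN", $null, $null, $authTypes)

# Same attribute set as the HTA script in the question, via the .NET wrapper.
$user = $container.Children.Add("CN=$userId", 'user')
$user.Properties['sAMAccountName'].Value    = $userId
$user.Properties['userPrincipalName'].Value = "$userId@$upnSuffix"
$user.CommitChanges()

# The child entry normally inherits the parent's AuthenticationType; set it
# explicitly anyway, because SetPassword is the call that triggers the rebind.
$user.AuthenticationType = $authTypes

# Prompt for the initial password instead of embedding it in the script, then
# invoke the ADSI SetPassword method over the existing signed/sealed bind.
$securePassword = Read-Host -AsSecureString -Prompt "Initial password for $userId"
$plainPassword  = [System.Net.NetworkCredential]::new('', $securePassword).Password
$user.Invoke('SetPassword', @($plainPassword))
$user.CommitChanges()

Write-Host "Created $userId under $containerDN using AuthenticationType $($user.AuthenticationType)"
```

    If the PIN prompt still appears after this change, the reply's own diagnosis suggests checking whether a later call re-binds without Signing and Sealing (for example a fresh DirectoryEntry built from a bare LDAP path).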
