Issues regarding Smart Card login inside domain and on SmartPhones

Similar Messages

• Disabling normal login and only using smart card login?

  I've managed to setup login using BELPIC (Belgian Identity Card (smart card). However I can still login using username/password. Is it possible to restrict the system only using smart card login? (maybe via tweaking the authorize file?)
  Thanks

  The problem isn't with the provider part of the code - it has to do with security privleges. Java code running from the command line has full access to the file-system. Servlets running inside a container do not.
  In order to access cryptographic keystores, the JVM must allow the servlet code to access local files (and through them, the device drivers to the crypto token). Servlet code running inside a web/application server container, by design, are restricted in their ability to access local files on the servlet container machine (other than configuration files and application code under the servlet context root).
  In order to continue with my project, I had to temporarily provide the servlet full access to the machine's file-system in the java.policy file for your JVM, along the lines of the following:
  grant {
  permission java.security.SecurityPermission "authProvider.SunPKCS11-NSS", "getSignerPrivateKey";
  I hope to go back and restrict this access so that only the specific security grants are available to the servlet to access the private key (the above is too lenient).
  You will need to do something similar to your JVM's java.policy to allow the servlet to access the private key. Substitute the "authProvider.SunPKCS11-NSS" with the driver for your own token.

• TACACS+ and Smart Card login

  We are currently using Cisco ACS 5.3 integrated with Active Directory for authentication to our Cisco devices. We are looking to move to smart card logins and trying to find out if this is possible to authenticate to the console/ssh on the router/switch using a smart card.

  Direct Smart card authentication is not supported for vty / console session on IOS. However, via TACACS to a AAA server (e.g. Cisco ACS) you can turn it to use a two factor-based external authentication store. Even if the Smart card get the PKI cert of some kind to the client PC and then to the terminal emulator like Putty or SecureCRT, AAA with Tacacs + would not be possible as Tacacs is not capable for encapsulating any kind of PKI.
  Jatin Katyal
  - Do rate helpful posts -

• Smart card login and sparsebundle password

  Hi,
  I am using a PIV profiled card to login to my mac. I am using Snow Leopard 10.6.2 and have successfully used the card to login to the machine and do signed and encrypted emails. Every login I get prompted after smart card login for the password for my sparsebundle (I had been using filevault prior to introducing the card) and even though I tick the "save password" option I still am prompted on each login. Does anyone know if there is any way to associate my smartcard login with an existing sparsebundle? Also, is there any way to force the machine to use a smart card login only (i.e. remove the password option)?
  Many thanks
  Michael

  I'm guessing that since you are not entering a password, the sparse bundle is not being unlocked. I don't know of a way to tie it to the smart card login. It sounds similar to when you put a different password on your default keychain. It won't unlock on login because you are not entering its password.

• Unlocked Virtual Smart Card using the PUK and Adminkey

  At my company we use virtual
  smart card with WIN8.1
  and some user has blocked you from failed attempts
  by the VSC. The question is
  whether there is a tool that allows unlocked
  the virtual smart card using
  the PUK or Adminkey password? The error
  that occurs to me is the following:
  “The security device cannot process the PIN.
  The PIN has been blocked temporarity because too many incorrect PINs have been entered, Try again later. If this message reoccurs, contact your administrator to reset the lockout
  period for this security device”

  Hi dtencio,
  It`s unreasonable to use PUK or Admin key instead of PIN ,because
  the VSC uses two-factor authentication and this guarantees the pc`security.
  To get more information, here is link for reference:
  Evaluate Virtual Smart Card Security
  http://technet.microsoft.com/en-us/library/dn579257.aspx
  When PIN is blocked or the TPM is in a lockout state, we recommend you to contact with your administrator to reset user PIN or reset lockout of TPM.
  If you are tired of the frequent blocked or locked out issue, we recommend you to contact with your administrator to change the lockout time in policy.
  Best regards 

• How to configure smart card login in sunray 2fs??

  Hi all,
  Please help me to configure smart card login using Sun Ray Server Software 4.0... How to assign a smart card for a particular user? Do I need to flash th smart card for user information or any other method exists?

  I'm not sure what you know or don't know about this so I'll give you what I know:
  1. Create a token reader and a token
  * Plugin a Sun Ray DTU/client
  * Check the MAC address of the Sun Ray you just plugged in
  * Access the Sun Ray admin GUI
  * Choose the 'Desktop Units' tab
  * See if your Sun Ray DTU is listed (if it isn't listed you have Sun Ray Server configuration issues...)
  * If it is listed click the identifier
  * Check the status of the DTU to see if this particular unit is already a token reader (normally it is not, i.e. by default a Sun Ray DTU is not)
  * Click 'Edit'
  * Check 'Token Reader'
  * Click 'OK'
  * /opt/SUNWut/sbin/utrestart (I'm not sure if a warm restart is OK or a hard restart is necessary)
  Now insert a shiny new Java card into your token reader's slot
  * In the Sun Ray admin GUI choose the 'Tokens' tab
  * Search for currently used tokens
  * You should see a token identifier such as 'Payflex.blah' under your desktop unit (i.e. the token reader)
  * Click the token identifier and click 'Edit'
  * Assign a username (i.e. Unix username) to the token under 'Owner'
  * Click 'OK' and remove the smart card from the token reader
  2. Assign the Token
  * Insert your smart card from step 1 into the token reader
  * In the Sun Ray GUI click 'Tokens' and 'New'
  * Under 'Identifier' you should see 'Read Identifier from Token Reader' checked
  * Click 'Read Token'
  * Assign an owner (i.e. Unix user account) and a session type (Kiosk or Regular)
  * Click 'OK'
  Item 2 from the notes I used for this looks alot like item 1 so I can't say that it is strictly necessary.
  I don't have a Sun Ray Server accessible to me at the moment to confirm but this procedure should help I hope.

• Smart card login

  Hi Guys,
  I have just enabled smart card login to my mac but want to disable the password login option (i.e. I can login with smart card but if I don't plugin the card reader/card, I am prompted for password login). How can I enforce smart card only login?
  Many Thanks
  Michael

  Are you getting all user icons, plus the smartcard icon, or just the smartcard icon and "Other..." ?
  If the latter, then disable root user (which displays the "Other..." prompt on the login window, even if smartcards login is enabled).

• Smart Card login for ordinary folk

  Hi,
  I used to use the OpenSC project for Smart Card login, but I believe that with changes in OS X 10.8 it's no longer an option.
  What affordable solutions are there for genuine Smart Card login for OS X 10.8?  YubiKey doesn't support anything more than entering a static password pre-stored on the device, and when I last tried Rohos it was abysmal.

  I'm guessing that since you are not entering a password, the sparse bundle is not being unlocked. I don't know of a way to tie it to the smart card login. It sounds similar to when you put a different password on your default keychain. It won't unlock on login because you are not entering its password.

• Cisco ISE Guest portal - smart card login

  Does anyone know if Cisco ISE support smart card login to the guest portal page?                    

  No it doesn't, you can test the same , while editing the wireless SSID profile, opting authentication method as smart card other than PEAP/EAP.

• Smart Card login screen authentication

  Apple don't seem to have updated their documentation on this subject since way back in the Mac OS X Tiger days!
  I would like to have a setup where a user can walk up to a Mac (which is at the login screen), wave an RFID card over a reader connected to that Mac and be able to then login to that Mac. If it is necessary for a PIN/Password to also be entered that might be acceptable. Similarly if the screensaver activates during their login session, waving their RFID card again over the reader should unlock the screensaver.
  An alternative scenerio would be a Mac with a guest login account enabled, and then wanting to use the same card reader to authenticate when requested to a proxy server in order to gain network access.
  The cards to make it clear would be RFID based, not magstripe or chip-and-pin. There are suitable USB readers like this one
  http://www.ers-online.co.uk/o5651/cardman5021-cl-omnikey-omnikey-5021-cl-contact less-smart-card-reader

  Hi Robert Gauthney,
  Could you offer more information about your issue, I found a similar scenario with your issue, if it meet your environment please refer the following KB to fix it, if it not
  meet your scenario please offer us more information such as the error screenshot or related Windows event information:
  Smart card authentication does not work when you use VDI and RD Gateway for RDC client in Windows 7 or in Windows Server 2008 R2
  http://support.microsoft.com/kb/2548538/EN-US
  I’m glad to be of help to you!
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• FileVault plus Smart Card Login

  I was wondering if there is any way to use FileVault when using a smart card to log into an account on Mac OS X?

  Hi Robert Gauthney,
  Could you offer more information about your issue, I found a similar scenario with your issue, if it meet your environment please refer the following KB to fix it, if it not
  meet your scenario please offer us more information such as the error screenshot or related Windows event information:
  Smart card authentication does not work when you use VDI and RD Gateway for RDC client in Windows 7 or in Windows Server 2008 R2
  http://support.microsoft.com/kb/2548538/EN-US
  I’m glad to be of help to you!
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Connect smart card reader over usb and access digital signature certificate

  Hi,
  I got digital signature certificate stored in a smart card.I places smart card into card reader and plugged usb port of server.
  I can see card reader in windows environment.My problem is to connect card reader and access digital signature certificate using java code.
  I thinh it needs javax.smartcardio but i did not find necessary jar file for jdk 1.5.xx.
  1- Where can i download jar fiel for javax.smartcardio for jdk 1.5.xx
  2- Is there a blog or forum thread to help me to use smart card over usb?
  Thanks.

  One of the beauty of Java is that when the Java VM does not let you do something (here: accessing a Smart Card), there is no way that a purely Java solution will add this functionality.
  Hence, what you ask simply can not be done in pure Java (1.)5. Some machine-specific non-java code is required. And you did not specify your target.
  Unless a jar file could contain machine-specific code (I don't know if this is the case, and I never made one such jar file), there seems to be no way a jar file could help.

• Issue regarding media card since upgrading to v6

  Hello,
  I am experiencing a couple of problems with my device since the last prompted OS upgrade:
  1. When I plug the device into a USB port on my PC, it successfully begins charging but I do not receive the familiar "USB Drive / Sync Media / Charge Only" selection prompt. Furthermore, the device isn't being recognized as a peripheral by my PC and, as such, I cannot access its data.
  Note: I have enabled "Media Card Support" in Options -> Device -> Storage
  2. When I send someone a voice note using BBM's "Send -> Voice Note" option, it no longer appears to save the voice note in the voice note collection in the Media section as it used to do.
  I assume these two problems stem from the same issue, but I can't imagine what it may be, and looking around the forums / Google has produced nothing useful.
  Appreciate any and all assistance.
  Yours,
  JT

  Desperate bump.

• Security-Kerberos Event ID 9 - Smart Card not working for Login due to CRL download failure

  We have 8 computers that users were able to login with a Smart Card on one day. The next day they couldn't. Everyone else can login with a Smart Card without issue. These users can login with their smart card on other systems without issue. No users can
  login on the affected computers with a SmartID.
  In all cases, users can login on affected computers with their user ID and password.
  All traces on the domain controllers indicate the smart card PKI cert was validated by OCSP and the Kerberos session ticket was passed back to the client.
  However the client can't download the CRL from the CRL server for validation during login and always reports the CRL server is unavailable.
  Using CertUtil, you can validate manually the DC cert and the CRL will download from CRL server.  You can also hit the HTTP site for the CRL download and manually download the CRL.  All this once logged in using user id and password.
  You can't unlock the computer with a Smart card or login with a smart card.
  Packet trace indicates Kerberos session properly negotiated with workstation and DC. 
  Everything fails once client workstation can't download CRL during login.
  Any suggestions on where to look next?
  We have reloaded Activclient smart card validation software.  Still no effect on issue. 
  Smart card is readable once user is logged in, via Activclient, and Windows recognizes certs on smart card when inserted for login.
  Problem occurs during CRL download only, so login or any type of validation fails.

  Got it.
  So try to do what i suggested, exclude the CRL downloaded on Friday and try to rebuild it.
  Check it here:
  To resolve this issue:
  Delete the domain controller certificate that is no longer valid.
  Request a new certificate.
  To perform these procedures, you must be a member of the Domain
  Admins group, or you must have been delegated the appropriate authority.
  Delete the domain controller certificate that is no longer valid
  To delete the domain controller certificate that is no longer valid:
  On the domain controller, click Start, and then click
  Run.
  Type mmc.exe, and then press ENTER.
  If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click
  Continue.
  Click File, and then click Add/Remove Snap-in.
  Click Certificates, and then click Add.
  Click Computer account, click Next, and then click
  Finish.
  Click OK to open the Certificates snap-in.
  Expand Certificates (Local computer), expand Personal, and then click
  Certificates.
  Right-click the old domain controller certificate, and then click Delete.
  Click Yes, confirming that you want to delete the certificate.
  After the certificate is deleted, follow the procedure in the "Request a new certificate" section.
  Request a new certificate
  To request a new certificate:
  Expand Certificates (Local computer),right-click Personal, and then click
  Request New Certificate.
  Complete the appropriate information in the Certificate Enrollment Wizard for a domain controller certificate.
  Close the Certificates snap-in.
  Verify
  To perform this procedure, you must be a member of the Domain
  Admins group, or you must have been delegated the appropriate authority.
  To verify that the Kerberos Key Distribution Center (KDC) certificate is available and working properly:
  Click Start, point to All Programs, click
  Accessories, right-click Command Prompt, and then click
  Run as administrator.
  If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click
  Continue.
  At the command prompt, type certutil -dcinfo verify, and then press ENTER.
  If you receive a successful verification, the Kerberos KDC certificate is installed and operating correctly.
  Sergio Figueiredo
  Microsoft Certified Solutions Associate

• Authenticate to the Domain using a Smart Card

  Hi,
  I'm trying to get authenticated using the Smart Card but got the following error messages:
  On the Windows XP client, we inserted the PIV card, entered the PIN but received an error message “The system could not log you on.  The server authenticating you reported an error (0xC00000BB).”
  On the Windows 7 client, we received an error message “The system could not log you on.  You cannot use a smart card to log on because smart card logon is not supported for your user account.”
  Here is our environment:
  -          Domain:  Windows 2008 R2
  -          Client:  Windows XP SP3 and Windows 7
  -          Smart Card:  USAccess issued PIV card
  -          Care Reader:  SCR3310
  -          Middleware:  ActiveClient
  Here is what I have already done:
  -          Imported the following Entrust certificates from http://sspweb.managed.entrust.com/EMSPKIFSSPCACertificateInformation.html into the Domain under the Trusted Root Certification Authorities
  o   Common Policy CA Certificate
  o   Common Policy to EMSPKI trust certificate
  o   Federal Root CA Expires 06/01/2012
  o   Federal SSP CA Expires 05/31/2012
  o   Federal Root CA Expires 05/09/2019
  o   Federal SSP CA Expires 05/08/2019
  -          Added the certificates to the NTAuth store in the Domain
  -          Posted Domain controller certificate (issued by NIST internal CA) in the NTAuth store
  -          Updated my UPN on the domain to match with the Subject Alternative Name on the card “[email protected]”
  -          Domain policy pushed down the Entrust certificates and Domain Controller certificate to the client computer
  -          Made PIV Card certificates available to the Windows via ActiveClient middleware
  Am I missing some steps or configuration? 
  Thank you,

  To solve one of the issues related to:
  "The system could not log you on. You cannot use a smart card to log on because smart card login is not supported for your user account. Contact
  your system administrator to ensure that smart card logon is configured for your organization."
  On the client side.
  Ensure that the Certificate is assigned the Client Authentication function.
  You can do this on Internet Explorer:
  Tools -> Internet Options -> Content -> Certificates
  Then select the certificate
  Click the ‘Advanced’ button, this opens the Advanced Options dialog box.
  Under ‘Certificate purposes:’ box check:
  |X| Client Authentication