Smart card-account user

Hi,
I have a question here. What are the features that let a smart card store a user's account ID?
When the user accesses the Sun Ray, they get a Windows environment, and this session carries on as long as the users access their own system.

Hi Farina, this is quite simple.
You can assign a kiosk session to a smart card, so it is stored on the server.
utkiosk -i xxx -f xxx /tmp/userxxx
utkioskoverride -s session -r smartcard_id -c xxx
Every time smartcard_id connects, it will use session userxxx, whatever is defined there, like "uttsc userxxx_pc".

Similar Messages

  • Set up a smart card for user logon to windows server 2012 R2

    Good Evening,
    I have Windows Server 2012 R2 Datacenter edition (dreamspark license)
    Is it possible to successfully set up smart card logon to a server? I already have the smart card reader, the smart card and the certificate (which is also my digital signature). I know how to set up a DC role (as far as I know, the server has to be in a domain to use smart card logon). I would like to log on to my PC using a smart card and set the certificate I already have to be used as the certificate for logon.
    Kind Regards,
    Tomasz

    It would take a few things to do this, and could cause some security issues. In short, I assume the certificate you "already have" came from another environment or a commercial provider. You would need to configure your computer to trust that CA to be an issuer of smart card authentication certificates. That effectively moves a good portion of your computer security control out of your environment. For many environments that is an unacceptable security risk.
    If you don't have an Active Directory running, you will also need to make some accommodations to the standard guides. I don't believe there are any published guides on how to do this with a single server and third-party CAs.
    Here are some references for generic smart card authentication. They are not 100% applicable to your need, so some interpretation is going to be needed.
    http://msdn.microsoft.com/en-us/library/windows/desktop/aa380142(v=vs.85).aspx
    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years.

  • Use smart card for 802.1x secured WiFi authentication

    Hi,
    is it possible to use a certificate stored on a USB security token for WiFi 802.1x authentication?
    I have set up a test environment with all required components (AD, Enterprise CA, NPS, WPA2-Enterprise capable WiFi access point, all required certificates, all Server 2012 R2 / Windows 8.1 Pro) and created a user certificate for WPA2-Enterprise secured WiFi access (802.1x). Everything works fine as long as the user certificate is stored in the local certificate store of the user's client computer: the user can connect to the WiFi network, and the NPS logs show that the user has been authenticated correctly and granted access.
    To test this scenario with a smart card (SafeNet USB token), I stored that same user certificate on the token (incl. private key). The SafeNet software on the client computer automatically makes the certificate stored on the token available in the local certificate store as soon as the token has been plugged in (checked via the MMC Certificates snap-in). But the certificate obviously can't be used for the desired WiFi authentication: if I try to connect to the secured WiFi (the same as in scenario 1), the connection fails.
    As I'm using exactly the same certificate in both scenarios, I don't think there's anything wrong with the settings in the certificate, the NPS or any other infrastructure component. The reason for the failure in scenario 2 must lie somewhere in either the local client computer configuration or in the SafeNet software on the client computer.
    I'm very familiar with all the PKI and authentication stuff, but I'm new to smart cards. Are there differences between the different types of smart cards, and for what purposes can one use them (USB tokens, chip cards, virtual tokens, etc.)?
    Does anybody have experience in setting up 802.1x secured WiFi access with smart card based user certificates who could advise?
    Thanks + Best Regards
    Matt

    Hi,
    I found some links from the TechNet site which can be helpful in this case.
    Network access authentication and certificates
    http://technet.microsoft.com/en-us/library/cc759575(v=ws.10).aspx
    Enable smart card or other certificate authentication
    http://technet.microsoft.com/en-us/library/cc737336(v=ws.10).aspx
    Quote:
    Client certificate requirements
    With EAP-TLS or PEAP-EAP-TLS, the server accepts the client authentication attempt when the certificate meets the following requirements:
    The client certificate is issued by an enterprise CA or mapped to a user or computer account in Active Directory.
    The user or computer certificate on the client chains to a trusted root CA, includes the Client Authentication purpose in EKU extensions (the object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2), and fails neither the checks that are performed by CryptoAPI and specified in the remote access policy nor the Certificate object identifier checks that are specified in IAS remote access policy.
    The 802.1X client does not use registry-based certificates that are either smart card-logon or password-protected certificates.
    For user certificates, the Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN).
    For computer certificates, the Subject Alternative Name (SubjectAltName) extension in the certificate must contain the client's fully qualified domain name (FQDN), which is also called the DNS name.
    Yolanda Zhu
    TechNet Community Support

  • How to configure smart card login in sunray 2fs??

    Hi all,
    Please help me to configure smart card login using Sun Ray Server Software 4.0. How do I assign a smart card to a particular user? Do I need to flash the smart card with user information, or does another method exist?

    I'm not sure what you know or don't know about this so I'll give you what I know:
    1. Create a token reader and a token
    * Plug in a Sun Ray DTU/client
    * Check the MAC address of the Sun Ray you just plugged in
    * Access the Sun Ray admin GUI
    * Choose the 'Desktop Units' tab
    * See if your Sun Ray DTU is listed (if it isn't listed you have Sun Ray Server configuration issues...)
    * If it is listed click the identifier
    * Check the status of the DTU to see if this particular unit is already a token reader (normally it is not, i.e. by default a Sun Ray DTU is not)
    * Click 'Edit'
    * Check 'Token Reader'
    * Click 'OK'
    * /opt/SUNWut/sbin/utrestart (I'm not sure if a warm restart is OK or a hard restart is necessary)
    Now insert a shiny new Java card into your token reader's slot
    * In the Sun Ray admin GUI choose the 'Tokens' tab
    * Search for currently used tokens
    * You should see a token identifier such as 'Payflex.blah' under your desktop unit (i.e. the token reader)
    * Click the token identifier and click 'Edit'
    * Assign a username (i.e. Unix username) to the token under 'Owner'
    * Click 'OK' and remove the smart card from the token reader
    2. Assign the Token
    * Insert your smart card from step 1 into the token reader
    * In the Sun Ray GUI click 'Tokens' and 'New'
    * Under 'Identifier' you should see 'Read Identifier from Token Reader' checked
    * Click 'Read Token'
    * Assign an owner (i.e. Unix user account) and a session type (Kiosk or Regular)
    * Click 'OK'
    Item 2 from the notes I used for this looks a lot like item 1, so I can't say that it is strictly necessary.
    I don't have a Sun Ray Server accessible to me at the moment to confirm but this procedure should help I hope.

  • RDS Gateway + Smart Card Error [ The specified user name does not exist.]

    I have the following Windows Server 2008 R2 servers:
    addsdc.contoso.com, AD DS Domain Controller for contoso.com
    adcsca.contoso.com, AD CS Enterprise CA, CDPs/AIAs published externally.
    fileserver.contoso.com, RDS Session Host for Administration enabled
    rdsgateway.contoso.com, RDS Gateway enabled
    tmgserver.contoso.com, 'Publishing' rdsgateway.contoso.com but with pass-through authentication
    And the following Windows 7 PCs:
    internalclient.contoso.com
    externalclient.fabrikam.com
    There's no trust between the domains, the external client is completely separate on the internet but the CA certificate for contoso.com has been installed in the trusted Root CA store. All servers have certificates for secure RDP.
    I enrolled for a custom 'Smart Card Authentication' certificate with Client Authentication and Smart Card Logon EKUs from the CA, stored on my new Gemalto smart card using the Microsoft Base Smart Card CSP.
    From internalclient.contoso.com, I can RDP to fileserver.contoso.com using the smart card just fine with no certificate errors.
    From externalclient.fabrikam.com, I can RDP to fileserver.contoso.com via rdsgateway.contoso.com using a username and password just fine with no certificate errors.
    From externalclient.fabrikam.com, I can RDP to fileserver.contoso.com via rdsgateway.contoso.com using the smart card to authenticate to the gateway, and a username and password to authenticate to the end server, just fine.
    But when using a smart card to authenticate to the end server via the gateway, it fails with:
         The specified user name does not exist. Verify the username and try logging in again. If the problem continues, contact your system administrator or technical support.
    When I move the client into the internal network and try the connection again (still via the RDS Gateway), it works fine. The only thing I can think of is that being outside the network and not being able to contact the AD DS DC for Kerberos is causing the issue, but I'm pretty sure this is a supported scenario?
    The smart card works fine internally; the subject of the certificate is the user's common name (John Smith) and the only SAN is [email protected] which matches the UPN of the user account as it was auto-enrolled.
    Does anyone have any ideas?

    I had a similar issue where I am using a smart card through a Remote Desktop Gateway. I had to disable Network Level Authentication (NLA) on the destination Remote Desktop Server. If anyone has another way around this, I'd appreciate hearing it. I'd prefer to use NLA.

  • Sun Ray Smart Card User Authentication

    Hello All,
    I recently installed SRSS 4.1. I created 6 users for testing, 3 of which use SRWC to connect to Windows VMs. My problem is with the smart cards. They are required for the user to access the Sun Ray, and that part works; however, it doesn't seem the cards are bound to any particular user. For instance, any of the 6 cards can be inserted and logged into any of the accounts (with the correct username and password, of course). I thought that each card was linked to one user account, which provided increased security. The way it is working now is kind of useless.
    Any Suggestions?

    Hi,
    It depends very much on which type of card you are using and what authentication mechanism you set up.
    The simple card that Sun ships as the Sun Ray card does, AFAIK, not have any options for personalisation on the card.
    What you can do with it is to use AMGH (Advanced Multi Group Homing, a Sun Ray server feature) and tie the card ID to a user name, so that when the card is inserted in the Sun Ray, your user ID will be pre-entered in the UNIX login dialog. But this does not prohibit the card from being used to log in as a different user ID.
    If you use the Sun VDI 2.0 (virtual desktop infrastructure) software, you need to populate the Sun Ray Server data store with the names that will be used as machine names of the virtual PCs in VMware. It is almost necessary that the user name is equal to the VMware virtual machine name. So in VDI the user name in SRS-DS associated with a card becomes the virtual machine name (this is not the same as the user name in AMGH, but keeping the two the same probably limits the confusion).
    If you get hold of a more advanced Public Key Interchange card, it is possible to set up PKI login to a Windows session. This involves some software in the Windows XP client to read the smart card in the Sun Ray and to authenticate the card with PKI against a known certificate that you have stored for the card in a directory (Active Directory or some other one).
    The Sun Ray server can be loaded with the PC/SC bypass software that allows a Windows server/client using the Sun Windows Connector RDP software to read and write directly to the smart card inserted in the Sun Ray. The virtual PC or terminal server will work with the smart card reader as if it were local on the Windows machine.
    The "ActivCard" company has such a solution, amongst others.
    Regards
    //Lars

  • How to include the user as a recipient of the email generated when a smart card certificate is issued by an Enrollment Agent on behalf of a user.

    How can I add the requester name in the To: field of the email generated when a Smart Card certificate is issued on his behalf?
    I want to address the possibility of someone (Enrollment Agent) issuing a Smart Card certificate on behalf of a user, assign a PIN and use it without the user's knowledge.
    There doesn't seem to be a way in the registry to define a variable to be used in a manner similar to the TitleArg & TitleFormat way of using %1.
    Jamal Saket OSFI Canada

    Hi,
    Thank you for your question.  
    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience. 
    Thank you for your understanding and support.
    TechNet Subscriber Support

  • The use only smart cards for several hundred users

    How can I, as soon as possible, enforce use of only the smart card for a few hundred users? I also have a group of people who I would like to allow to use either a login and password or a smart card. Using a GPO on the computer, the setting is applied to the station, and I would like it applied just to the user. I know that the card user can select to use a smart card, but how do I do it automatically for a group of people (several hundred)?

    I would use an LDAP query via GUI tools (like the AD Administrative Console) or console tools (Active Directory PowerShell module) to get the target users by using some filter and enable the smart card checkboxes. GPO cannot be used to make changes in AD.
    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com

  • Verify user pin on a smart card & load a cap file on a card (with eclipse)

    I have been able to install JCWDE (Java Card Development Kit) successfully in Eclipse. Basically all I need to do is verify a user PIN on a smart card, as in first set a PIN and then verify it.
    To begin with I have referred to many tutorials (here: http://www.javaworld.com/jw-07-1999/jw-07-javacard.html?page=1) and implemented the wallet code in Eclipse. I have the cap file generated and the scripts generated. I am not sure how to load it on the smart card with Eclipse.
    I tried to deploy the cap file but it keeps saying connected. Also when we initiate the applet I get the same result.
    output:
    Java Card 2.2.2 APDU Tool, Version 1.3
    Copyright 2005 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms.
    Opening connection to localhost on port 9032.
    Connected.
    I have also tried http://www.cs.ru.nl/E.Poll/hw/practical.html ........ but no luck.
    I have the wallet.cap, wallet.exp, wallet.jca, wallet.opt, create.script, select and cap-download scripts already generated in Eclipse.
    How does a successfully implemented applet on a smart card work? How does this wallet code work if it is successfully implemented? Does it have some GUI which prompts the user to enter the PIN?
    Wallet code for reference:
    package com.sun.javacard.samples.wallet;

    import javacard.framework.*;

    public class Wallet extends Applet {

        /* constants declaration */

        // code of CLA byte in the command APDU header
        final static byte Wallet_CLA = (byte) 0x80;

        // codes of INS byte in the command APDU header
        final static byte VERIFY = (byte) 0x20;
        final static byte CREDIT = (byte) 0x30;
        final static byte DEBIT = (byte) 0x40;
        final static byte GET_BALANCE = (byte) 0x50;

        // maximum balance
        final static short MAX_BALANCE = 0x7FFF;
        // maximum transaction amount
        final static byte MAX_TRANSACTION_AMOUNT = 127;

        // maximum number of incorrect tries before the PIN is blocked
        final static byte PIN_TRY_LIMIT = (byte) 0x03;
        // maximum size PIN
        final static byte MAX_PIN_SIZE = (byte) 0x08;

        // signal that the PIN verification failed
        final static short SW_VERIFICATION_FAILED = 0x6300;
        // signal that PIN validation is required for a credit or a debit transaction
        final static short SW_PIN_VERIFICATION_REQUIRED = 0x6301;
        // signal invalid transaction amount: amount > MAX_TRANSACTION_AMOUNT or amount < 0
        final static short SW_INVALID_TRANSACTION_AMOUNT = 0x6A83;
        // signal that the balance would exceed the maximum
        final static short SW_EXCEED_MAXIMUM_BALANCE = 0x6A84;
        // signal that the balance would become negative
        final static short SW_NEGATIVE_BALANCE = 0x6A85;

        /* instance variables declaration */
        OwnerPIN pin;
        short balance;

        private Wallet(byte[] bArray, short bOffset, byte bLength) {
            // It is good programming practice to allocate all the memory
            // that an applet needs during its lifetime inside the constructor
            pin = new OwnerPIN(PIN_TRY_LIMIT, MAX_PIN_SIZE);
            byte iLen = bArray[bOffset]; // aid length
            bOffset = (short) (bOffset + iLen + 1);
            byte cLen = bArray[bOffset]; // info length
            bOffset = (short) (bOffset + cLen + 1);
            byte aLen = bArray[bOffset]; // applet data length
            // The installation parameters contain the PIN initialization value
            pin.update(bArray, (short) (bOffset + 1), aLen);
            register();
        } // end of the constructor

        public static void install(byte[] bArray, short bOffset, byte bLength) {
            // create a Wallet applet instance
            new Wallet(bArray, bOffset, bLength);
        } // end of install method

        public boolean select() {
            // The applet declines to be selected if the pin is blocked.
            if (pin.getTriesRemaining() == 0)
                return false;
            return true;
        } // end of select method

        public void deselect() {
            // reset the pin validated flag
            pin.reset();
        } // end of deselect method

        public void process(APDU apdu) {
            // The APDU object carries a byte array (buffer) to transfer
            // incoming and outgoing APDU header and data bytes between card
            // and CAD. At this point, only the first header bytes
            // [CLA, INS, P1, P2, P3] are available in the APDU buffer.
            // The interface javacard.framework.ISO7816 declares constants
            // to denote the offset of these bytes in the APDU buffer.
            byte[] buffer = apdu.getBuffer();
            // check SELECT APDU command
            if (apdu.isISOInterindustryCLA()) {
                if (buffer[ISO7816.OFFSET_INS] == (byte) (0xA4)) {
                    return;
                } else {
                    ISOException.throwIt(ISO7816.SW_CLA_NOT_SUPPORTED);
                }
            }
            // verify the rest of the commands have the correct CLA byte,
            // which specifies the command structure
            if (buffer[ISO7816.OFFSET_CLA] != Wallet_CLA)
                ISOException.throwIt(ISO7816.SW_CLA_NOT_SUPPORTED);

            switch (buffer[ISO7816.OFFSET_INS]) {
                case GET_BALANCE:
                    getBalance(apdu);
                    return;
                case DEBIT:
                    debit(apdu);
                    return;
                case CREDIT:
                    credit(apdu);
                    return;
                case VERIFY:
                    verify(apdu);
                    return;
                default:
                    ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
            }
        } // end of process method

        private void credit(APDU apdu) {
            // access authentication
            if (!pin.isValidated())
                ISOException.throwIt(SW_PIN_VERIFICATION_REQUIRED);
            byte[] buffer = apdu.getBuffer();
            // Lc byte denotes the number of bytes in the data field of the command APDU
            byte numBytes = buffer[ISO7816.OFFSET_LC];
            // indicate that this APDU has incoming data and receive data starting
            // from the offset ISO7816.OFFSET_CDATA following the 5 header bytes.
            byte byteRead = (byte) (apdu.setIncomingAndReceive());
            // it is an error if the number of data bytes read does not match the number in Lc byte
            if ((numBytes != 1) || (byteRead != 1))
                ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
            // get the credit amount
            byte creditAmount = buffer[ISO7816.OFFSET_CDATA];
            // check the credit amount
            if ((creditAmount > MAX_TRANSACTION_AMOUNT) || (creditAmount < 0))
                ISOException.throwIt(SW_INVALID_TRANSACTION_AMOUNT);
            // check the new balance without letting the short arithmetic wrap:
            // balance + creditAmount can exceed 0x7FFF and would cast to a negative
            // short, so compare against the headroom instead
            if (balance > (short) (MAX_BALANCE - creditAmount))
                ISOException.throwIt(SW_EXCEED_MAXIMUM_BALANCE);
            // credit the amount
            balance = (short) (balance + creditAmount);
        } // end of credit method

        private void debit(APDU apdu) {
            // access authentication
            if (!pin.isValidated())
                ISOException.throwIt(SW_PIN_VERIFICATION_REQUIRED);
            byte[] buffer = apdu.getBuffer();
            byte numBytes = (byte) (buffer[ISO7816.OFFSET_LC]);
            byte byteRead = (byte) (apdu.setIncomingAndReceive());
            if ((numBytes != 1) || (byteRead != 1))
                ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
            // get debit amount
            byte debitAmount = buffer[ISO7816.OFFSET_CDATA];
            // check debit amount
            if ((debitAmount > MAX_TRANSACTION_AMOUNT) || (debitAmount < 0))
                ISOException.throwIt(SW_INVALID_TRANSACTION_AMOUNT);
            // check the new balance (balance >= 0 and debitAmount <= 127, so no wrap here)
            if ((short) (balance - debitAmount) < (short) 0)
                ISOException.throwIt(SW_NEGATIVE_BALANCE);
            balance = (short) (balance - debitAmount);
        } // end of debit method

        private void getBalance(APDU apdu) {
            byte[] buffer = apdu.getBuffer();
            // inform the system that the applet has finished processing the
            // command and the system should now prepare to construct a
            // response APDU which contains a data field
            short le = apdu.setOutgoing();
            if (le < 2)
                ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
            // inform the CAD of the actual number of bytes returned
            apdu.setOutgoingLength((short) 2);
            // move the balance data into the APDU buffer starting at offset 0
            buffer[0] = (byte) (balance >> 8);
            buffer[1] = (byte) (balance & 0xFF);
            // send the 2-byte balance at offset 0 in the APDU buffer
            apdu.sendBytes((short) 0, (short) 2);
        } // end of getBalance method

        private void verify(APDU apdu) {
            byte[] buffer = apdu.getBuffer();
            // retrieve the PIN data for validation.
            byte byteRead = (byte) (apdu.setIncomingAndReceive());
            // check pin: the PIN data is read into the APDU buffer at the
            // offset ISO7816.OFFSET_CDATA, and the PIN data length = byteRead.
            // OwnerPIN decrements its try counter on every failed check.
            if (pin.check(buffer, ISO7816.OFFSET_CDATA, byteRead) == false)
                ISOException.throwIt(SW_VERIFICATION_FAILED);
        } // end of verify method
    } // end of class Wallet
    Any help on this would highly appreciated !! :)

    Hi,
    Thanks a lot for the reply. But I am not sure how I can delete the simulator.
    All I want to do is write a PIN on the smart card and verify it. But I am not able to deploy the cap file or initiate the applet.
    Also, for passing the PIN, correct me if I am wrong........ according to what you said and what I have understood,
    if the code is like this:
    public static void install(byte[] bArray, short bOffset, byte bLength) {
    // create a Wallet applet instance
    new Wallet(bArray, bOffset, bLength);
    } // end of install method
    byte aLen = bArray[bOffset]; // applet data length
    // The installation parameters contain the PIN
    // initialization value
    pin.update(bArray, (short)(bOffset+1), aLen);
    Let's say my PIN is: 1234
    then I would pass it here.....
    new Wallet(bArray, 1234, bLength);

  • Smart card and Account Lockout Policies Issue

    I have enabled "Interactive logon: Require smart card" and "Account lockout threshold: 3 invalid logon attempts". The lockout policy works fine with normal passwords. However, when I try to use the smart card and enter the wrong PIN 4 times, the lockout policy does not work.
    Can anyone please help with this issue?

    Hi,
    The validity of the PIN is managed by the smart card itself, not by Windows. Windows just logs you in if the smart card gives the right certificates/keys; the smart card will only do so when it is provided a valid PIN.
    Also note an account should not be locked out to avoid brute forcing the PIN; instead, the smart card should lock.
    http://technet.microsoft.com/en-us/library/cc962052.aspx
    http://technet.microsoft.com/en-us/library/ff404290(v=ws.10).aspx
    MCP/MCSA/MCTS/MCITP
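The APDU exchange behind the Wallet applet posted above and the card-side PIN try counter this lockout question turns on, as an added Python example (constructed here; it is not code from either thread, from the Java Card kit or from Microsoft): it mimics OwnerPIN and the applet's process() dispatch, builds the host-side VERIFY/CREDIT/DEBIT/GET_BALANCE APDUs, walks the install parameters the way the applet constructor does (the PIN is in the applet data, not in the bOffset argument), and shows that after PIN_TRY_LIMIT wrong PINs the card blocks itself, which is why the Windows account lockout threshold never fires. The AID and PIN values are constructed samples.

```python
import hmac

# CLA/INS codes and status words as declared in the Wallet applet above
CLA_WALLET, INS_VERIFY, INS_CREDIT, INS_DEBIT, INS_GET_BALANCE = 0x80, 0x20, 0x30, 0x40, 0x50
SW_OK, SW_VERIFICATION_FAILED, SW_PIN_VERIFICATION_REQUIRED = 0x9000, 0x6300, 0x6301
SW_INVALID_TRANSACTION_AMOUNT, SW_EXCEED_MAXIMUM_BALANCE, SW_NEGATIVE_BALANCE = 0x6A83, 0x6A84, 0x6A85
SW_WRONG_LENGTH, SW_CLA_NOT_SUPPORTED, SW_INS_NOT_SUPPORTED = 0x6700, 0x6E00, 0x6D00
PIN_TRY_LIMIT, MAX_PIN_SIZE, MAX_BALANCE, MAX_TRANSACTION_AMOUNT = 3, 8, 0x7FFF, 127


class OwnerPIN:
    """Stand-in for javacard.framework.OwnerPIN: the retry counter lives on the card."""
    def __init__(self, try_limit: int, max_size: int):
        self.try_limit, self.max_size = try_limit, max_size
        self.tries_remaining, self.value, self.validated = try_limit, b"", False

    def update(self, pin: bytes) -> None:          # pin.update() in the applet constructor
        if len(pin) > self.max_size:
            raise ValueError("PIN longer than MAX_PIN_SIZE")
        self.value, self.tries_remaining, self.validated = bytes(pin), self.try_limit, False

    def check(self, candidate: bytes) -> bool:
        if self.tries_remaining == 0:              # blocked: every attempt fails, even the right PIN
            return False
        if hmac.compare_digest(candidate, self.value):
            self.tries_remaining, self.validated = self.try_limit, True
            return True
        self.tries_remaining -= 1                  # a wrong PIN burns one try; Windows never sees it
        self.validated = False
        return False

    def reset(self) -> None:                       # called on deselect: validation dies with the session
        self.validated = False


class Wallet:
    """Card side: the same command dispatch as the applet's process()."""
    def __init__(self, install_pin: bytes):
        self.pin = OwnerPIN(PIN_TRY_LIMIT, MAX_PIN_SIZE)
        self.pin.update(install_pin)               # install parameters carry the initial PIN
        self.balance = 0

    @staticmethod
    def install(b_array: bytes, b_offset: int = 0) -> "Wallet":
        # walk [aidLen][AID][infoLen][info][appletDataLen][PIN] exactly like the constructor
        b_offset += b_array[b_offset] + 1          # skip AID
        b_offset += b_array[b_offset] + 1          # skip control info
        a_len = b_array[b_offset]                  # applet data length
        return Wallet(b_array[b_offset + 1:b_offset + 1 + a_len])

    def process(self, apdu: bytes) -> tuple:
        cla, ins, lc = apdu[0], apdu[1], apdu[4]
        data = apdu[5:5 + lc]
        if cla == 0x00 and ins == 0xA4:            # ISO SELECT is accepted silently
            return b"", SW_OK
        if cla != CLA_WALLET:
            return b"", SW_CLA_NOT_SUPPORTED
        if ins == INS_VERIFY:
            return b"", SW_OK if self.pin.check(data) else SW_VERIFICATION_FAILED
        if ins == INS_GET_BALANCE:
            return self.balance.to_bytes(2, "big"), SW_OK
        if ins not in (INS_CREDIT, INS_DEBIT):
            return b"", SW_INS_NOT_SUPPORTED
        if not self.pin.validated:                 # CREDIT/DEBIT are gated on a prior VERIFY
            return b"", SW_PIN_VERIFICATION_REQUIRED
        if lc != 1 or len(data) != 1:
            return b"", SW_WRONG_LENGTH
        amount = int.from_bytes(data, "big", signed=True)   # a Java byte is signed
        if amount < 0 or amount > MAX_TRANSACTION_AMOUNT:
            return b"", SW_INVALID_TRANSACTION_AMOUNT
        if ins == INS_CREDIT and self.balance + amount > MAX_BALANCE:
            return b"", SW_EXCEED_MAXIMUM_BALANCE
        if ins == INS_DEBIT and self.balance - amount < 0:
            return b"", SW_NEGATIVE_BALANCE
        self.balance += amount if ins == INS_CREDIT else -amount
        return b"", SW_OK


def build_apdu(ins: int, data: bytes = b"") -> bytes:   # host side: CLA INS P1 P2 Lc [data]
    return bytes([CLA_WALLET, ins, 0x00, 0x00, len(data)]) + data


def install_params(aid: bytes, pin: bytes, info: bytes = b"") -> bytes:
    # host side: the PIN travels in the applet data, not in the bOffset argument
    return bytes([len(aid)]) + aid + bytes([len(info)]) + info + bytes([len(pin)]) + pin


def verify_pin(card: Wallet, pin: str) -> int:    # VERIFY carrying the PIN as ASCII digits
    return card.process(build_apdu(INS_VERIFY, pin.encode("ascii")))[1]


def demo() -> dict:
    # one session, then a guessing run that blocks the card rather than any Windows account
    aid = bytes.fromhex("a000000062030101")        # constructed sample AID, not from the page
    card = Wallet.install(install_params(aid, b"1234"))
    r = {"credit_before_verify": card.process(build_apdu(INS_CREDIT, b"\x50"))[1]}
    r["verify_ok"] = verify_pin(card, "1234")
    r["credit"] = card.process(build_apdu(INS_CREDIT, b"\x50"))[1]
    r["balance"] = int.from_bytes(card.process(build_apdu(INS_GET_BALANCE))[0], "big")
    r["debit_too_much"] = card.process(build_apdu(INS_DEBIT, b"\x64"))[1]
    card.pin.reset()                               # deselect(): card pulled from the reader
    r["debit_after_deselect"] = card.process(build_apdu(INS_DEBIT, b"\x10"))[1]
    r["wrong_attempts"] = [verify_pin(card, "0000") for _ in range(PIN_TRY_LIMIT)]
    r["blocked"] = card.pin.tries_remaining == 0   # select() would now refuse the applet
    r["verify_after_block"] = verify_pin(card, "1234")
    return r
```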

  • Standard Account and Smart Card

    I apparently have a standard account and  whenever I try to make an administrator change it tells me to connect a smart card and I don't know what it is.

    Owenthec,
    A smart card is a card that you can insert into a computer with a smart card reader that will allow you to log on to an account associated with that card. 
    In your case, the account associated with the card is an administrator account.
    If this is a work computer that you’re using, then it appears that your systems administrator has it set so that you cannot make changes.
    For more information, check out
    What is a smart card and how do I use one?
    Hope this helps!
    Mike
    Windows Outreach Team – IT Pro
    Windows for IT Pros on TechNet

  • Security-Kerberos Event ID 9 - Smart Card not working for Login due to CRL download failure

    We have 8 computers that users were able to login with a Smart Card on one day. The next day they couldn't. Everyone else can login with a Smart Card without issue. These users can login with their smart card on other systems without issue. No users can login on the affected computers with a SmartID.
    In all cases, users can login on affected computers with their user ID and password.
    All traces on the domain controllers indicate the smart card PKI cert was validated by OCSP and the Kerberos session ticket was passed back to the client.
    However the client can't download the CRL from the CRL server for validation during login and always reports the CRL server is unavailable.
    Using CertUtil, you can validate manually the DC cert and the CRL will download from CRL server.  You can also hit the HTTP site for the CRL download and manually download the CRL.  All this once logged in using user id and password.
    You can't unlock the computer with a Smart card or login with a smart card.
    Packet trace indicates Kerberos session properly negotiated with workstation and DC. 
    Everything fails once client workstation can't download CRL during login.
    Any suggestions on where to look next?
    We have reloaded Activclient smart card validation software.  Still no effect on issue. 
    Smart card is readable once user is logged in, via Activclient, and Windows recognizes certs on smart card when inserted for login.
    Problem occurs during CRL download only, so login or any type of validation fails.

    Got it.
    So try to do what I suggested: exclude the CRL downloaded on Friday and try to rebuild it.
    Check it here:
    To resolve this issue:
    Delete the domain controller certificate that is no longer valid.
    Request a new certificate.
    To perform these procedures, you must be a member of the Domain Admins group, or you must have been delegated the appropriate authority.
    Delete the domain controller certificate that is no longer valid
    To delete the domain controller certificate that is no longer valid:
    On the domain controller, click Start, and then click Run.
    Type mmc.exe, and then press ENTER.
    If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
    Click File, and then click Add/Remove Snap-in.
    Click Certificates, and then click Add.
    Click Computer account, click Next, and then click Finish.
    Click OK to open the Certificates snap-in.
    Expand Certificates (Local computer), expand Personal, and then click Certificates.
    Right-click the old domain controller certificate, and then click Delete.
    Click Yes, confirming that you want to delete the certificate.
    After the certificate is deleted, follow the procedure in the "Request a new certificate" section.
    Request a new certificate
    To request a new certificate:
    Expand Certificates (Local computer), right-click Personal, and then click Request New Certificate.
    Complete the appropriate information in the Certificate Enrollment Wizard for a domain controller certificate.
    Close the Certificates snap-in.
    Verify
    To perform this procedure, you must be a member of the Domain Admins group, or you must have been delegated the appropriate authority.
    To verify that the Kerberos Key Distribution Center (KDC) certificate is available and working properly:
    Click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
    If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
    At the command prompt, type certutil -dcinfo verify, and then press ENTER.
    If you receive a successful verification, the Kerberos KDC certificate is installed and operating correctly.
    Sergio Figueiredo
    Microsoft Certified Solutions Associate

  • Need advice for an application that restricts access to other applications using a smart card

    Hello everybody,
    I am developing a system that uses a smart card reader attached to a USB port of a PC.
    What the system should provide is:
    When the computer boots up and shows the user login screen, a user, previously registered, can use his smart card to access the system instead of entering his password.
    Once the user is logged in, when he tries to launch an application which has previously been marked as "secured", a dialog box is shown indicating that the user has to present his smart card. If the smart card has access to the application, the application is launched; otherwise an error message is shown to the user and the application is not executed.
    I develop in C++ and C#. I have already created a library (in Visual C++) that manages the smart card reader and provides the card presented to it.
    Now I am developing the application (in C#) that will configure the security (assigning cards to users and applications).
    Concerning this, I have 2 questions regarding each point above:
    Is it possible to create the centralized application that lists all users and allows assigning cards to them? Then, when the user login screen is shown, the system must access that data before logging in, so that it can check which card was presented and what user it corresponds to. I have seen in laptops that have embedded fingerprint readers that a user must log in to his account first and then he can register his fingerprints. In fact, what I need to do is something similar but with a smart card reader instead of a fingerprint reader. So, perhaps, the user must log in to his account first and then he will be able to add his card and store that information somewhere (in the Windows registry maybe).
    How can I launch my application when another application is executed but before its interface is actually shown? This is similar to what antivirus programs do, because they check the executable before it is actually run. What is the best method to address the application? By executable file name? Process name? Or other? If the best is by process name, how can I know the process name without actually running the application?
    Well, that is all that I need to do. Please advise regarding this subject.
    I look forward to hearing from you,
    Best regards,
    Jaime
    Powered by C++

    > what was the guidance?
    > 1. Research other software that does similar things (not just exactly the same) as you need. If you like something in their solutions, copy it :)
    The only software I know that does that is an antivirus, but I am unlucky to find some code in C++ that allows me to intercept the program execution before actually executing it.
    > 2. If a kernel driver would fit in your solution, go for it (google for what is available for free, or find a consultant to write it for you).
    There is a lot of information about kernel drivers, but the question is, is that really the solution?
    > Otherwise, you can just hide the application from user's reach and substitute the executable in shortcuts, etc. to run your program instead.
    Definitely this is not the way to go
    > > What is the best method to address the application? by executable file name? process name? or other?
    > By executable file name, like in the Windows Applocker, I think. Processes do not have names (they are artifact of Task manager and debugging tools, to represent the processes for user somehow). Or, only by the filename part of the full path.
    I agree with that
    > > if the best is by process name, how can I know the process name without actually running the application?
    > When the user runs the application, the driver will detect this and do its magic.
    I have found this page: http://stackoverflow.com/questions/3556048/how-to-detect-win32-process-creation-termination-in-c. They mention WMI, but I will study it tomorrow... it is so late for today :-)
    > Regards,
    > -- pa
    Regards
    Jaime
    Powered by C++
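    The WMI process-creation route mentioned at the end of the thread, as an added example that is not code from either participant: it subscribes to Win32_ProcessStartTrace and logs each new process with its parent. The event carries only the image file name (the point made above that "processes do not have names" beyond the file name), so the example resolves the full path through Win32_Process, which can fail if the process has already exited. It requires an elevated session; the source identifier and log path are my own choices.

```powershell
# Added example, not from the thread. Run elevated; Win32_ProcessStartTrace needs admin rights.
$LogPath = 'C:\Temp\process-start.log'   # constructed path for the example

Register-CimIndicationEvent -ClassName Win32_ProcessStartTrace -SourceIdentifier ProcStartLog -Action {
    $e = $Event.SourceEventArgs.NewEvent

    # The trace event exposes only the executable's file name; look up the full path
    # (and command line) from Win32_Process. The lookup is best-effort: short-lived
    # processes may be gone before the query runs.
    $p = Get-CimInstance Win32_Process -Filter "ProcessId = $($e.ProcessID)" -ErrorAction SilentlyContinue

    $record = [pscustomobject]@{
        Time     = (Get-Date).ToString('s')
        Name     = $e.ProcessName
        Pid      = $e.ProcessID
        Parent   = $e.ParentProcessID
        Session  = $e.SessionID
        Path     = if ($p) { $p.ExecutablePath } else { '<exited before lookup>' }
    }

    # Append one line per process start; the same record could feed an allow/deny list
    $line = '{0} pid={1} parent={2} session={3} name={4} path={5}' -f `
        $record.Time, $record.Pid, $record.Parent, $record.Session, $record.Name, $record.Path
    Add-Content -Path $using:LogPath -Value $line
    Write-Host $line
}

# Stop logging when done:
# Unregister-Event -SourceIdentifier ProcStartLog
```

    Note the timing: the event fires after the process has been created, so this is a monitoring mechanism, not a gate. For actually blocking a "secured" executable until the smart card holder is known, the AppLocker path rule the reply points to is the supported route, because AppLocker evaluates the rule against the user identity that the smart card logon already established, before the image runs.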

  • Smart card logon with third party CA combined with ADFS to Office 365

    Greetings,
    I've been trying to figure out how to implement ADFS to Office 365 in MS cloud in our environment, with little luck. I have a working 2012 domain and we are already using smart card logon on Windows 7/8 workstations. Certificates on smart cards are issued by
    3rd party CA. This far everything is fine and working, necessary root certificates are added to Trusted Root Certification Authorities, UPN suffixes and users' UPNs are set according to UPN on the certificates and users successfully log on to
    workstations with smart cards.
    Now I face the requirement to enable SSO to Office 365 with accounts from our AD. I've been told by our MS partner and Dr. Google that in order to do that user account name (UPN) in AD and in O365 need to match. Now the fact that account UPN in our AD is
    not usable in O365 (because it is set to match 3rd party certificate UPN) and I have not found a way to enable smart card log on without changing UPN in AD.
    Does anyone have experience of such a configuration? Is it possible to use AD federation to O365 at all in our case?
    Best regards, and thanks in advance
    Timo

    On Fri, 25 Apr 2014 09:27:05 +0000, Timo Kallioniemi wrote:
    > Now I face the requirement to enable SSO to Office 365 with accounts from our AD. I've been told by our MS partner and Dr. Google that in order to do that user account name (UPN) in AD and in O365 need to match. Now the fact that account UPN in our AD
    > is not usable in O365 (because it is set to match 3rd party certificate UPN) and I have not found a way to enable smart card log on without changing UPN in AD.
    > Does anyone have experience of such a configuration? Is it possible to use AD federation to O365 at all in our case?
    This is not a general Windows server security issue. You should post your
    question in an O365 support forum.
    http://community.office365.com/en-us/f/default.aspx
    Paul Adare - FIM CM MVP
    Technology is dominated by two types of people: Those who understand
    what they do not manage. Those who manage what they do not understand.
    -- Putt's Law
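    The constraint Timo describes is that the UPN in each smart card certificate's Subject Alternative Name must equal the account's userPrincipalName in AD. The following check, added here as an example and not code from the thread, reads the UPN out of an exported logon certificate and compares it with the AD account. It assumes the ActiveDirectory module (RSAT) is installed and that the card's certificate has been exported to a .cer file; the function names and the sample paths are my own. It does not answer the O365 side of the question, which the thread leaves unresolved.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

function Get-CertificateUpn {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # 2.5.29.17 is subjectAltName. On Windows, Format() renders the UPN otherName entry
    # as "Other Name:Principal Name=user@domain", which is what smart card logon keys on.
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return $null }
    $text = $san.Format($false)
    if ($text -match 'Principal Name=([^,\s]+)') { return $Matches[1] }
    return $null
}

function Test-SmartCardUpn {
    param(
        [Parameter(Mandatory)][string]$CertPath,        # .cer exported from the card
        [Parameter(Mandatory)][string]$SamAccountName   # AD account expected to own the card
    )
    $cert    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $certUpn = Get-CertificateUpn -Cert $cert
    $user    = Get-ADUser -Identity $SamAccountName -Properties UserPrincipalName
    $adUpn   = $user.UserPrincipalName

    [pscustomobject]@{
        Account        = $SamAccountName
        CertificateUpn = $certUpn
        AdUpn          = $adUpn
        Issuer         = $cert.Issuer
        NotAfter       = $cert.NotAfter
        # Case-insensitive comparison, as AD treats the UPN case-insensitively
        Match          = ([bool]$certUpn) -and ($certUpn -ieq $adUpn)
    }
}

# Example usage with constructed values:
# Test-SmartCardUpn -CertPath 'C:\cards\jdoe.cer' -SamAccountName 'jdoe'
```

    A Match of $false with a non-empty CertificateUpn is exactly the situation Timo wants to avoid when changing UPNs for federation: the account would still exist, but smart card logon against it would stop, because the KDC maps the certificate UPN to the account. Running this across a set of exported certificates before any UPN change gives a list of which accounts would be affected.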

  • Smart Card login screen authentication

    Apple don't seem to have updated their documentation on this subject since way back in the Mac OS X Tiger days!
    I would like to have a setup where a user can walk up to a Mac (which is at the login screen), wave an RFID card over a reader connected to that Mac and be able to then login to that Mac. If it is necessary for a PIN/Password to also be entered that might be acceptable. Similarly if the screensaver activates during their login session, waving their RFID card again over the reader should unlock the screensaver.
    An alternative scenario would be a Mac with a guest login account enabled, and then wanting to use the same card reader to authenticate when requested to a proxy server in order to gain network access.
    The cards, to make it clear, would be RFID based, not magstripe or chip-and-pin. There are suitable USB readers like this one
    http://www.ers-online.co.uk/o5651/cardman5021-cl-omnikey-omnikey-5021-cl-contactless-smart-card-reader

    Hi Robert Gauthney,
    Could you offer more information about your issue? I found a scenario similar to your issue; if it meets your environment please refer to the following KB to fix it, and if it does not
    meet your scenario please offer us more information such as the error screenshot or related Windows event information:
    Smart card authentication does not work when you use VDI and RD Gateway for RDC client in Windows 7 or in Windows Server 2008 R2
    http://support.microsoft.com/kb/2548538/EN-US
    I’m glad to be of help to you!
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]
