Smart card door locks ?

Hi
Does anybody know about a door lock system using smart cards (or magnetic stripe cards) which may be programmed with Java?
Most vendors only sell their door lock with software, useless in my case as I want to program the smart card myself via internet using normal card readers.
Thanks
Marc

The scenario is, you have a door that requires an authentication. Behind the door is a workstation that is attached to a server/db.
A user scans or inserts their smart card and the firmware in the reader will prompt the user for their authentication. This can be a biometric or a PIN. The authentication is used for the card's access NOT the door. Once the authentication is successful, the proper identification will be retrieved from the card, probably an ID certificate. The workstation will query the server/db with that ID certificate to see if the person is authorized to this area, and unlock the door. ( I've omitted a few steps to simplify the example )
I say this because there's nothing to gain deploying that solution in Java. There's no multiple platform issues, and the companies doing it are so financially strapped, that C/C++ on Windows/DOS is easier and cheaper. Also most of the clients want a cheap solution and are running Windows/DOS as well.
I'm not saying you can't do it in Java, just you won't find many or any clients running the middleware on different platform workstations.

Similar Messages

  • Logon with Virtual Smart Card Breaks Run As Administrator

    I've been testing the Virtual Smart Card (VSC) capability on a Surface Pro 2 and Dell Latitude E7240.
    This may be by design however, I have noticed that if I login using the VSC I am unable to use "Run As Administrator" functionality - for example:
    Command Prompt from Start Screen
    Task Manager
    I'm prompted for a username / password or the VSC PIN.
    In my environment the Administrative user does not have a VSC, so it is a username/password. When using Run As Administrator I'm therefore always entering a username and password.
    Once the credentials are entered the prompt goes away but the application never runs.
    If I lock/unlock the session and login using username/password for the non-admin user, instead of the VSC and PIN, I am able to elevate using Run As.
    I have noticed that I can use the workaround as specified in this article:
    http://support.microsoft.com/kb/2013976
    To work around this issue, start the application using the Run as different user right-click context menu option and select the smart card reader of choice.
    Click Start, select Programs, and locate the shortcut item in the Programs menu or the application folder for the application you want to run
    Hold down the SHIFT key while you right-click the shortcut item, and select Run as different user.
    Enter the username, password and the domain name or choose a smart card logon.
    Seems a little odd... maybe I am missing something. If anyone can assist that would be great.
    Thanks, Chris
    MCTS 70-640 | MCTS 70-642 | Prince2 Practitioner| ITIL Foundation v3 | http://www.cb-net.co.uk

    Hi Chris,
    I also have this issue. I think it is a known issue for Windows.
    I did some more research in web and found what I was looking for.
    RUNAS /SMARTCARD Only Supports a Single Smart Card Reader
    http://support.microsoft.com/kb/2013976
    How Smart Card Logon Works in Windows
    http://technet.microsoft.com/en-us/library/ff404285(v=WS.10).aspx
    Guidelines for enabling smart card logon with third-party certification authorities
    http://support.microsoft.com/kb/281245
    Thanks

  • Unlocked Virtual Smart Card using the PUK and Adminkey

    At my company we use virtual smart cards with WIN8.1, and some users have been blocked by the VSC after failed attempts. The question is whether there is a tool that allows unlocking the virtual smart card using the PUK or Adminkey password. The error that occurs for me is the following:
    "The security device cannot process the PIN. The PIN has been blocked temporarily because too many incorrect PINs have been entered, Try again later. If this message reoccurs, contact your administrator to reset the lockout period for this security device"

    Hi dtencio,
    It's unreasonable to use PUK or Admin key instead of PIN, because the VSC uses two-factor authentication and this guarantees the PC's security.
    To get more information, here is link for reference:
    Evaluate Virtual Smart Card Security
    http://technet.microsoft.com/en-us/library/dn579257.aspx
    When PIN is blocked or the TPM is in a lockout state, we recommend you to contact with your administrator to reset user PIN or reset lockout of TPM.
    If you are tired of the frequent blocked or locked out issue, we recommend you to contact with your administrator to change the lockout time in policy.
    Best regards 

  • Windows 8.1 default logon prompt for smart card instead of username/password

    Hello,
    We are currently in our pre-deployment test phase for Windows 8.1 and are trying to knock out the high visibility problems that we notice.  One of the issues we've noticed:
    When logging into Windows, the default prompt is for a username/password. All of our users are using smart cards, so they have to click "sign-in options", click the smart card icon, and then enter their PIN. How would I change the startup screen to default to smart card?
    Also, when locking the screen by removing the card it again prompts for the username/password when unlocking the screen. So the users again have to click on "sign-in options" and select the smart card, otherwise they risk locking out their account by entering the PIN in the username/password field.
    When locking the screen via ctrl-alt-del or windows-L, unlocking does default to the smart card, so I know it can be done!
    thanks,
    -Nick

    Hi,
    I'm afraid we couldn't change the Sign-in Options order, I checked GP and Registry, there is no way to do it.
    However, there is another way: just enable "Require smart card" in GP. After this policy is enabled, all users will have to use smart cards to log on to the network. This means that the organization must have a reliable public key infrastructure (PKI) in place, and provide smart cards and smart card readers for all users.
    Location: GPO_name\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
    Roger Lu
    TechNet Community Support

  • Connect a smart Card

    After connecting my computer to Microsoft for updates it has locked me out of administrative access. When wanting to install software it keeps on saying connect a smart card. I have tried to go to Start - Run and typed gpedit.msc, and it says access denied, you do not have permission to perform this operation, Group Policy error. Please help on how I can resolve this problem. I can't even do any other setting changes on my machine. I am using Windows 8.1 Pro with Media Center on an Asus 64-bit.

    Hi,
    Have you any other Administrator account?
    If yes, please log on with that account to disable the Smart Card Logon.
    Start --> Run --> type gpedit.msc and press Enter.
    Navigate to:
    Computer Configuration\Administrative Templates\Windows Components\Smart Card
    Right-click Turn on Smart Card Plug and Play service and click Edit to disable.
    If no, please logon with the built-in administrator to do that if it's enabled.
    Otherwise, there is no other method except reinstallation.
    Karen Hu
    TechNet Community Support

  • Signed Applet to Access Smart Card Reader

    I am trying to develop an applet that will access a smart card on the client's side. The applet will need to load the PKCS#11 library(.dll) from the client side.
    What is the most secure way to implement this design?
    1 solution I am think of is to use Java Web Start which will download the applet onto the client desktop. Is this the right way?
    Is there a solution where the applet can run in the browser and access the smart card without downloading the applet?
    Thanks.

    This is a duplicate of this and is probably better dealt with in the WebStart forum. I'm locking this thread.

  • Smart card and Account Lockout Policies Issue

    I have enabled "Interactive logon: Require smart card" and "Account Lockout threshold: 3 invalid logon attempts". The lockout policy works fine with normal passwords. However, when I try to use the smart card and enter a wrong PIN 4 times, the lockout policy does not work.
    Can anyone please help with this issue?

    Hi,
    The validity of the PIN is managed by the smartcard itself, not by Windows. Windows just logs in if the smartcard gives the right certificates/keys. The smartcard will only do so when it is provided a valid PIN.
    Also note an account should not be locked out to avoid brute forcing the PIN. Instead, the smartcard should lock.
    http://technet.microsoft.com/en-us/library/cc962052.aspx
    http://technet.microsoft.com/en-us/library/ff404290(v=ws.10).aspx
    MCP/MCSA/MCTS/MCITP

  • Problem with CertificateRequest when using a smart card

    Hello,
    I have used the ssl debug statement to determine that the ssl server is sending a CertificateRequest and a list of CAs. The smart card is opened via a password and I think X509KeyManagerImpl compares the Issuer of the smart card certificates with the server sent CAs. However since the issuer is an intermediate CA and only the root CA is in this list, the smartcard certificates are rejected. I CAN'T have the intermediate CA placed in the ssl server list.
    Using SSLConnect (KeyManager, X509TrustManager, null). The KeyManager is using NSS and the TrustManager is using opensc-pkcs11 via SunPKCS11. The OS is Linux, kernel 2.6.35.10-74.fc14.i686.
    The intermediate CA is in the local cert store.
    The application being used is DavMail.
    Am I correct in stating that the smart card certificates are checked against the server sent CAs?
    Does anyone know how to get Java to use the local cert store to find the intermediate CA and then verify it against the Root CA in the server sent list?

    Placed in wrong forum. Moved it to Security Java Secure Socket Extension (JSSE)

  • RDS Gateway + Smart Card Error [ The specified user name does not exist.]

    I have the following Windows Server 2008 R2 servers:
    addsdc.contoso.com, AD DS Domain Controller for contoso.com
    adcsca.contoso.com, AD CS Enterprise CA, CDPs/AIAs published externally.
    fileserver.contoso.com, RDS Session Host for Administration enabled
    rdsgateway.contoso.com, RDS Gateway enabled
    tmgserver.contoso.com, 'Publishing' rdsgateway.contoso.com but with pass-through authentication
    And the following Windows 7 PCs:
    internalclient.contoso.com
    externalclient.fabrikam.com
    There's no trust between the domains, the external client is completely separate on the internet but the CA certificate for contoso.com has been installed in the trusted Root CA store. All servers have certificates for secure RDP.
    I enrolled for a custom 'Smart Card Authentication' certificate with Client Authentication and Smart Card Logon EKUs from the CA, stored on my new Gemalto smart card using the Microsoft Base Smart Card CSP.
    From internalclient.contoso.com, I can RDP to fileserver.contoso.com
    using the smart card just fine with no certificate errors.
    From externalclient.fabrikam.com, I can RDP to fileserver.contoso.com
    via rdsgateway.contoso.com using a username and password just fine with no certificate errors.
    From externalclient.fabrikam.com, I can RDP to fileserver.contoso.com
    via rdsgateway.contoso.com using the smart card to authenticate to the gateway, and a username and password to authenticate to the end server, just fine.
    BUT from when using a smart card to authenticate to the end server via the gateway, it fails with:
         The specified user name does not exist. Verify the username and try logging in again. If the problem continues, contact your system administrator or technical support. 
    When I move the client into the internal network and try the connection again (still via the RDS Gateway), it works fine - the only thing I can think of is being outside the network and not being able to contact the AD DS DC for Kerberos is causing the issue - but I'm pretty sure this is a supported scenario?
    The smart card works fine internally, the subject of the certificate is the user's common name (John Smith) and the only SAN is [email protected] which matches the UPN of the user account as it was auto-enrolled.
    Does anyone have any ideas?

    I had a similar issue where I am using a smart card through a Remote Desktop Gateway. I had to disable Network Level Authentication (NLA) on the destination Remote Desktop Server. If anyone has another way around this, I'd appreciate hearing it. I'd prefer to use NLA.

  • I updated my 4s to ios7, and had to restore it (stupidly forgot my passcode and disabled it), and now it wont activate, for 2 days... I can't activate it through iTunes because the sim card is locked. What do I do?

    I need help reactivating my 4s!
    I updated the software to ios7, couldn't remember my passcode (never used it before, and ios7 turned it on) and ended up disabling my phone. Erased it remotely via Find my iPhone, and now that I'm trying to restore it, it wont activate. It's been this way for 2 days now. I get the "activation server is unavailable" error. I realize Apple is struggling with their servers during this software update and launch of the new iPhone 5, but really, 2 days now?? 
    I am currently living abroad, and am using a sim card that must be unlocked. So when I plug it into iTunes, it will not activate because the sim card is locked.
    Help!! Is there anything I can do?

    Try disconnecting your iPhone temporarily and then reconnecting it after a while.

  • How to include the user as a recipient of the email generated when a smart card certificate is issued by an Enrollment Agent on behalf of a user.

    How can I add the requester name in the To: field of the email generated when a Smart Card certificate is issued on his behalf.
    I want to address the possibility of someone (Enrollment Agent) issuing a Smart Card certificate on behalf of a user, assign a PIN and use it without the user's knowledge.
    There doesn't seem to be a way in the registry to define a variable to be used in a manner similar to the TitleArg & TitleFormat way of using %1.
    Jamal Saket OSFI Canada

    Hi,
    Thank you for your question.  
    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience. 
    Thank you for your understanding and support.
    TechNet Subscriber Support

  • How to use Smart Card API's (OCF) in Web Application

    Hi friends,
    For our new smart card based project, I have a few queries:
    1. Can we choose a web based application for smart card based projects?
    2. How will a servlet communicate with the opencard CTListener class?
    3. On card insertion and removal, how will the event be reflected in the servlet?
    4. For that is it needed to design the client UI by using Swing?
    5. Without Swing will servlet give all solution for smart card connection and events?
    Rgrds,
    dhaya.

    I am also looking for smart card Authentication using web. Any info really appreciated

  • How to load the .cap file in a Smart Card?

    Dear All,
    Hello..!!
    I am using JCDK 2.2 and have used Eclipse JCDK.
    I have written a simple read/write applet and created a .cap file using Eclipse's Converter Java Card tool.
    What is the next step to be done?
    I have a smart card device and have installed its drivers.
    When do the APDU commands come into picture?
    Expecting help.
    Thanks a lot.
    Regards,
    Suril

    Suril Sarvaiya wrote:
    Hi Shane....
    Thnx a lot....
    I have downloaded GP-Shell 1.4.4
    When I open its application and write any command and press enter, the app window closes immediately.
    Can you please help me on this?
    One more thing Shane......
    I'm writing a java class using javax.smartcardio
    I have installed drivers of Omnikey 3021
    but the TerminalFactory is not detecting it?
    Any idea on that?
    Thanks again...
    Regards,
    Suril

    Hi all,
    Has Mr. thread starter solved his problem?
    I'm taking advantage of this thread to post my question. I'm working with a new environment and I have a problem loading a cap file into my smartcard.
    Specification comes first :-)
    - My smartcard is said to be JC2.2.1 and GP2.1.1 compatible
    - My code (for testing) is written in Java under eclipse Helios service 2 with JavaCard plugin (for JC2.2.2)
    I compile my code with JDK 1.3 (for compatible version) and using the JC plugin to generate cap file (along with exp and jca).
    My problem is exactly the same as one that was posted in this forum about 2 years ago but is not answered :-)
    [Problem Loading Application to Card |http://forums.oracle.com/forums/thread.jspa?threadID=1749334&tstart=420]
    + I successfully authenticate with smartcard
    + APDU command Install for Load is executed successfully
    + BUT the APDU command LOAD file fails with returned status word is 6424
    For details, I post here my javacard applet code and APDU command executed with my tool:
    package mksAuthSys;

    import javacard.framework.APDU;
    import javacard.framework.Applet;
    import javacard.framework.ISO7816;
    import javacard.framework.ISOException;
    import javacard.framework.OwnerPIN;

    public class Jcardlet extends Applet {
        // Initial PIN value, hard-coded for testing
        private final static byte[] myPIN = { (byte) 0x01, (byte) 0x02, (byte) 0x03, (byte) 0x04 };
        final static byte Jcardlet_CLA = (byte) 0xB0;
        final static byte VERIFY = (byte) 0x20;
        final static byte PIN_TRY_LIMIT = (byte) 0x03;
        final static byte MAX_PIN_SIZE = (byte) 0x08;
        final static short SW_VERIFICATION_FAILED = 0x6300;
        OwnerPIN pin;

        private Jcardlet() {
            pin = new OwnerPIN(PIN_TRY_LIMIT, MAX_PIN_SIZE);
            pin.update(myPIN, (byte) 0, (byte) 4);
            // register() is called once, from install(); registering the same
            // instance a second time throws a SystemException
        }

        public static void install(byte bArray[], short bOffset, byte bLength)
                throws ISOException {
            new Jcardlet().register();
        }

        public boolean select() {
            // Refuse selection once the PIN is blocked
            if (pin.getTriesRemaining() == 0) return false;
            return true;
        }

        public void deselect() {
            // Clear the validated flag when the applet is deselected
            pin.reset();
        }

        //@Override
        public void process(APDU apdu) throws ISOException {
            byte[] buffer = apdu.getBuffer();
            // Nothing to do for the SELECT command itself
            if ((buffer[ISO7816.OFFSET_CLA] == 0) &&
                    (buffer[ISO7816.OFFSET_INS] == (byte) (0xA4))) return;
            if (buffer[ISO7816.OFFSET_CLA] != Jcardlet_CLA)
                ISOException.throwIt(ISO7816.SW_CLA_NOT_SUPPORTED);
            switch (buffer[ISO7816.OFFSET_INS]) {
                case VERIFY:
                    verify(apdu);
                    return;
                default:
                    ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
            }
        }

        private void verify(APDU apdu) {
            byte[] buffer = apdu.getBuffer();
            // retrieve the PIN data for validation.
            byte byteRead = (byte) (apdu.setIncomingAndReceive());
            // check pin
            // the PIN data is read into the APDU buffer
            // at the offset ISO7816.OFFSET_CDATA
            // the PIN data length = byteRead
            if (pin.check(buffer, ISO7816.OFFSET_CDATA, byteRead) == false)
                ISOException.throwIt(SW_VERIFICATION_FAILED);
        }
    }
    And my APDU command:
    Loading "D:\mksAuthSys.cap" ...
    T - 80F28000024F00
    C - 08A000000003000000079E9000
    ISD AID : A000000003000000
    T - 80E602001508F23412345610000008A00000000300000000000000
    C - 009000
    T - 80E80000C8C482018B010012DECAFFED010204000108F23412345610000002001F0012001F000C001500420012009D0011001C0000009F00020001000402010004001502030107A0000000620101000107A000000062000103000C0108F234123456100001002306001200800301000104040000003DFFFF0030004507009D000510188C0003188F00013D0610088C00028700AD007B000403078B0005188B00067A02308F00073D8C00088B00067A0110AD008B00096104037804780110AD008B000A7A0221198B000B2D1A0300
    C - 6424
    Stopped loading due to unexpected status words.
    Urgently look forward to hearing from you.
    Thanks a bunch in advance
    Best Regards,
    JDL
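
The trace in JDL's post can be taken apart offline. The following is an added example, not code from the post or from any tool named in it; the function and key names are illustrative. It decodes the three GlobalPlatform commands, cross-checks the load file AID in INSTALL [for load] against the package AID in the CAP header carried by LOAD block 0, and classifies the status word by SW1 only.

```python
# Added example. Hex strings are copied from the "T -" (command) and "C -"
# (response) lines of the post; function and key names are illustrative.
TRACE = [
    ("80F28000024F00", "08A000000003000000079E9000"),
    ("80E602001508F23412345610000008A00000000300000000000000", "009000"),
    ("80E80000C8C482018B010012DECAFFED010204000108F234123456100000"
     "02001F0012001F000C001500420012009D0011001C0000009F000200010004020100"
     "04001502030107A0000000620101000107A0000000620001"
     "03000C0108F234123456100001002306001200800301000104040000003DFFFF00300045"
     "07009D000510188C0003188F00013D0610088C00028700AD007B000403078B0005"
     "188B00067A02308F00073D8C00088B00067A0110AD008B00096104037804780110"
     "AD008B000A7A0221198B000B2D1A0300", "6424"),
]
GP_INS = {0xF2: "GET STATUS", 0xE6: "INSTALL", 0xE8: "LOAD"}
# SW1 classes from ISO 7816-4; SW2 (0x24 here) is card-specific, left undecoded.
SW1_CLASS = {0x90: "normal processing",
             0x64: "execution error, non-volatile memory unchanged",
             0x65: "execution error, non-volatile memory changed"}

def parse_command(hex_apdu):
    """Split a short command APDU into header, Lc-delimited data, optional Le."""
    raw = bytes.fromhex(hex_apdu)
    if len(raw) < 5:
        raise ValueError("shorter than CLA INS P1 P2 Lc")
    cla, ins, p1, p2, lc = raw[:5]
    data, rest = raw[5:5 + lc], raw[5 + lc:]
    if len(data) != lc or len(rest) > 1:
        raise ValueError("Lc does not match the bytes that follow")
    return {"ins": ins, "p1": p1, "p2": p2, "data": data,
            "le": rest[0] if rest else None}

def status_word(hex_response):
    return int.from_bytes(bytes.fromhex(hex_response)[-2:], "big")

def parse_install_for_load(data):
    """INSTALL [for load] data field: five length-prefixed values, in order."""
    fields, pos = {}, 0
    for name in ("load_file_aid", "sd_aid", "hash", "params", "token"):
        if pos >= len(data):
            raise ValueError("INSTALL [for load] data is truncated")
        fields[name] = data[pos + 1:pos + 1 + data[pos]]
        pos += 1 + data[pos]
    if pos != len(data):
        raise ValueError("length fields do not add up to Lc")
    return fields

def parse_first_load_block(data):
    """LOAD block 0: tag C4, BER length, then the CAP Header component."""
    if len(data) < 4 or data[0] != 0xC4:
        raise ValueError("block 0 does not start with tag C4")
    n = data[1] & 0x7F if data[1] & 0x80 else 0
    body_len = int.from_bytes(data[2:2 + n], "big") if n else data[1]
    hdr = data[2 + n:]
    if len(hdr) < 13 or hdr[0] != 0x01 or hdr[3:7] != bytes.fromhex("DECAFFED"):
        raise ValueError("CAP Header component not found")
    return {"total_bytes": 2 + n + body_len, "cap_version": (hdr[8], hdr[7]),
            "package_aid": hdr[13:13 + hdr[12]]}

def analyse(trace):
    """Decode each exchange, stop at the first non-9000 status, cross-check."""
    rep = {"steps": []}
    for cmd_hex, resp_hex in trace:
        cmd, sw = parse_command(cmd_hex), status_word(resp_hex)
        name = GP_INS.get(cmd["ins"], "INS %02X" % cmd["ins"])
        rep["steps"].append((name, "%04X" % sw))
        if cmd["ins"] == 0xE6 and cmd["p1"] == 0x02:
            rep["install"] = parse_install_for_load(cmd["data"])
        elif cmd["ins"] == 0xE8 and cmd["p2"] == 0x00:
            load = rep["load"] = parse_first_load_block(cmd["data"])
            rep["more_blocks"] = not cmd["p1"] & 0x80
            rep["blocks_needed"] = -(-load["total_bytes"] // len(cmd["data"]))
        if sw != 0x9000:
            rep["failed_at"] = name
            rep["sw_class"] = SW1_CLASS.get(sw >> 8, "unclassified")
            break
    if "install" in rep and "load" in rep:
        rep["aid_matches"] = (rep["install"]["load_file_aid"]
                              == rep["load"]["package_aid"])
    return rep
```

For the trace above, `analyse(TRACE)` reports matching AIDs, CAP format version 2.1 and two blocks needed, with the failure on block 0; the meaning of SW2 0x24 has to come from the card vendor's documentation.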

  • Remote desktop and smart cards

    I frequently work from home using my mac to access my windows based desktop at the office. I use the microsoft remote desktop v. 1.0.3. for MAC. Now that my agency is moving to smart card identification requirements for access I need to be able to use the smart card at home to sign onto the office desktop.
    The RDC for MAC does not have an option for smart card readers (as opposed to the RDC for windows version). Is there alternative software that would be simple to install on my MAC (I am not an IT sophisticate) that will give me smart card access?

    Microsoft Remote Desktop Connection (RDC) for Mac and Apple Remote Desktop (ARD) are two completely different tools with marginally similar capabilities. Unfortunately, as you've already discovered, neither offers Smart Card capabilities to allow you to authenticate to your Windows computer at work.
    If your Mac is an Intel Mac then you could probably run Windows using Parallels or Boot Camp on your home computer and use the Windows RDC client to make your connection. I don't suggest trying to use VirtualPC if you have a PowerPC Mac simply because your Smart Card reader will most likely be USB and VirtualPC has a bad track record with USB devices.
    Hope this helps!
    bill
      Mac OS X (10.4.10)   1 GHz Powerbook G4

  • MS Remote Desktop and smart card reader

    I have installed MS Remote Desktop Conn. on my iMac and connected a smart card reader via the USB. Although my reader energizes when the computer is on, the computer doesn't seem to recognize the reader. When I insert a CAC card into the reader and try to log in remotely, I continue to get a "username/password" box instead of the CAC PIN number. Do I need to install some kind of smart card driver or does Apple already have it? I'm at a loss as to how to fix this.

    I was able to get rdesktop 1.6.0 to install on my Mac and I was able to get CAC log-in to work.
    However, the installation is a little tricky. I downloaded rdesktop 1.6.0 from this link:
    <<http://www.rdesktop.org>>
    My instructions for installation:
    1. Make sure Xcode Tools is installed on your computer. It should be on your OS X install disk.
    2. Find out where your X11 libraries are located:
    -From the Finder menu, select "Go" >> "Go to Folder..."
    -Type (without the quotes) "/usr/X11", and click "Go"
    You should see a bunch of folders. Make sure the "include" and "lib" folders are there. Otherwise you need to find out where the X11 "include" and "lib" folders are located on your computer.
    3. Download rdesktop and place the (unarchived) rdesktop-1.6.0 folder on your Desktop
    4. Open the X11 application (should be in your Utilities folder)
    5. In the X11 window type the following (without the quotes):
    "cd Desktop/rdesktop-1.6.0 && ./configure --enable-smartcard --x-includes=/usr/X11/include --x-libraries=/usr/X11/lib && make && sudo make install"
    6. Hit enter. When prompted, enter your administrator password and hit enter.
    rdesktop should now be installed in the following folder:
    /usr/local/bin
    So, to launch rdesktop with smartcard log in enabled, open the X11 application (or Terminal application) and type the following (without the quotes, and replace your.server.address with the server address):
    "cd /usr/local/bin && ./rdesktop -r scard your.server.address"
    Hit enter and it should launch a new X11 window that will try to access the remote server where you should be prompted for your PIN.
    To explore more options with rdesktop, open X11 and type the following (without quotes):
    "cd /usr/local/bin && ./rdesktop"
    Hit enter and you should get a list of options available to rdesktop.
