Smart Card on Elevated Permissions

Similar Messages

• Automatic Smart Card Certificate Renewal

  We have a problem where our Smart Card certificates are starting to expire but the automatic renewal process is failing.
  Is it actually possible to auto renew Smart Card certs without requiring any user input (other than the PIN)?
  There are two errors in the event log -
  Event ID:      16
  Description:
  Certificate enrollment for <domain>\<username> failed to renew a SmartcardLogon certificate with request ID N/A from <ca server name> (Provider could not perform the action since the context was acquired as silent. 0x80090022 (-2146893790)).
  Event ID:      6
  Automatic certificate enrollment for <domain>\<username> failed (0x80090022) Provider could not perform the action since the context was acquired as silent.
  The certificate template is configured with all the correct permissions (Read,Enroll,AutoEnroll) and group policy is configured with the auto enrolment settings. 
  Thanks in advance.

  This may be caused by a incorrect certificate template configuration. In the Request Handling tab (IIRC), there are several radio buttons where you specify whether enrollment may ask for user input during enrollment or not. You need to allow user input
  during enrollment for smart card templates.
  My weblog: en-us.sysadmins.lv
  PowerShell PKI Module: pspki.codeplex.com
  PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
  Check out new: SSL Certificate Verifier
  Check out new:
  PowerShell FCIV tool.

• Smart card authentication

  I need to figure out how to allow users to authenticate to webi with a smart card. I'm using BOE XIr2 with Tomcat on Linux, and I have documentation for using Tomcat with smart cards, but I don't see anything in Business Objects documentation or the forums about smart cards, or linking a particular user's certificate from the card to a defined user account with a set of Business Objects permissions. Any suggestions?
  /me goes back to reading the Enterprise Deployment and Configuration guide
  -- Josh

  A smart card is typically integrated with AD. You should be able to set up AD auth or vintela SSO. I've released a new doc you can search for vintela enterprises in the SMP portal. Also the XI 3.x admin guides show how to configure kerberos.
  Regards,
  Tim

• SCCM 2012 SP1 Remote Control Smart Card Support?

  Hi,
  We're currently running SCCM 2012 SP1.  We have implemented mandatory smart card login on our Win 7 workstations using GPO.  Is it correct to say that SCCM's Remote Control Viewer does not support passing of smart card credentials through the session? 
  Our testing thus far would indicate that it does not.  This is problematic for our help desk that often uses the Remote Viewer to connect to end user machines and then elevate rights to perform admin level tasks.  So far the only way we have developed
  to work around it is to run a script that temporarily changes the GPO to remove the smart card enforcement requirement.  Is there a better way to address this issue?
  Thanks
  Josh

  Just to add to Wally's comments, there's actually no way this will ever happen without significant investments and development time (if it's possible at all) and it's really not anything that the ConfigMgr product group could implement as it has to with
  authentication which is handled by the OS. Passing smart card credentials across the network is inherently flawed and poses a huge security risk. When this was discussed internally at Microsoft, the security teams there said they could easily hack any mechanism
  that tried to do this and compromise the credentials.
  The recommendation from Microsoft is to use local admin accounts on workstations for elevation. This goes for *any* type of remote control (including remote desktop btw) because the same security weakness exists regardless of the remote tool being used.
  Jason | http://blog.configmgrftw.com

• Jabber for Windows 10.5.1 not working without elevated permissions

  Customer starts Jabber for Windows 10.5.1 and gets a pop-up about CiscoJabber.exe, wbxcOIEx.exe, and wbxcOIEx64 and to contact WebEx support.  It appears these components are talking to Outlook.  Show connection status under Outlook we see a mapi connection error with a code 0x80080005 that goes back to permissions error.
  Users are not local administrators running Windows 7.  Jabber was packaged using LanDesk and deployed to PC and installed with admin rights.
  Workaround was to grant elevated permissions to Jabber folder that had CiscoJabber.exe, wbxcOIEx.exe, and wbxcOIEx64.
  see attached screenshot.
  TAC Case 632162203 sent issue to BU for escalation, meanwhile customer elevated that folder permissions

  @ richard Beck   good answer your answer is right 

• Problem with CertificateRequest when using a smart card

  Hello,
  I have used the ssl debug statement to determine that ssl server is sending a CertificateRequest and a list of CAs. The smart card is opened via a password and I think X509KeyManagerImpl compares the Issuer of the smart card certificates with the server sent CAs. However since the issuer is an intermediate CA and only the root CA is in this list, the smartcard certificates are rejected. I CAN'T have the intermediate CA place in the ssl server list.
  Using SSLConnect (KeyManager, X509TrustManager, null). The KeyManager is using NSS and the TrustManager is using opensc-pkcs11 via SunPKCS11. The OS is Linux, kernel 2.6.35.10-74.fc14.i686.
  The intermediate CA is in the local cert store.
  The application being used is DavMail.
  Am I correct in stating that the the smart card certificates are checked against the server sent CAs?
  Does anyone know how to get Java to use he local cert store to find the intermediate CA and then verify it against the Root CA in the server sent list?

  Placed in wrong forum. Moved it to Security Java Secure Socket Extension (JSSE)

• RDS Gateway + Smart Card Error [ The specified user name does not exist.]

  I have the following Windows Server 2008 R2 servers:
  addsdc.contoso.com, AD DS Domain Controller for contoso.com
  adcsca.contoso.com, AD CS Enterprise CA, CDPs/AIAs published externally.
  fileserver.contoso.com, RDS Session Host for Administration enabled
  rdsgateway.contoso.com, RDS Gateway enabled
  tmgserver.contoso.com, 'Publishing' rdsgateway.contoso.com but with pass-through authentication
  And the following Windows 7 PCs:
  internalclient.contoso.com
  externalclient.fabrikam.com
  There's no trust between the domains, the external client is completely separate on the internet but the CA certificate for contoso.com has been installed in the trusted Root CA store. All servers have certificates for secure RDP.
  I enrolled for a custom 'Smart Card Authentication' certificate with Client Authentication and Smart Card Logon EKUs from the CA, stored on my new Gemalto smart card using the Microsoft Base Smart Card CSP.
  From internalclient.contoso.com, I can RDP to fileserver.contoso.com
  using the smart card just fine with no certificate errors.
  From externalclient.fabrikam.com, I can RDP to fileserver.contoso.com
  via rdsgateway.contoso.com using a username and password just fine with no certificate errors.
  From externalclient.fabrikam.com, I can RDP to fileserver.contoso.com
  via rdsgateway.contoso.com using the smart card to authenticate to the gateway, and a username and password to authenticate to the end server, just fine.
  BUT from when using a smart card to authenticate to the end server via the gateway, it fails with:
       The specified user name does not exist. Verify the username and try logging in again. If the problem continues, contact your system administrator or technical support. 
  When I move the client into the internal network and try the connection again (still via the RDS Gateway), it works fine - the only thing I can think of is being outside the network and not being able to contact the AD DS DC for Kerberos is causing the issue
  - but I'm pretty sure this is a supported scenario?
  The smart card works fine internally, the subject of the certificate is the user's common name (John Smith) and the only SAN is
  [email protected] which matches the UPN of the user account as it was auto-enrolled.
  Does anyone have any ideas?

  I had a similar issue where I am using a smart card through a Remote Desktop Gateway. I had to disable Network Level Authentication (NLA) on the destination Remote Desktop Server. If anyone has another way around this, I'd appreciate hearing it. I'd prefer
  to use NLA.

• How to include the user as a recipient of the email generated when a smart card certificate is issued by an Enrollment Agent on behalf of a user.

  How can I add the requester name in the To: field of the email generated when a Smart Card certificate is issued on his behalf.
  I want to address the possibility of someone (Enrollment Agent) issuing a Smart Card certificate on behalf of a user, assign a PIN and use it without the user's knowledge.
  There doesn't seem to be a way in the registry to define a variable to be used in a manner similar to the TitleArg & TitleFormat way of using %1.
  Jamal Saket OSFI Canada

  Hi,
  Thank you for your question.  
  I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience. 
  Thank you for your understanding and support.
  TechNet Subscriber Support
  If you are
  TechNet Subscription
  user and have any feedback on our support quality, please send your feedback
  here.
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• How to use Smart Card API's (OCF) in Web Application

  Hi frnds,
  For our new smart card based project, i have few queries,
  1. Can we choose web based application for smart card based projects?
  2. How servlet will communicate with opencard CTListener class?
  3. While the card insertion and remove how the event will be reflet the servlet?
  4. For that is it needed to design the client UI by using Swing?
  5. Without Swing will servlet give all solution for smart card connection and events?
  Rgrds,
  dhaya.

  I am also looking for smart card Authentication using web. Any info really appreciated

• How to load the .cap file in a Smart Card?

  Dear All,
  Hello..!!
  I am using JCDK 2.2 and have used Eclipse JCDK.
  I have written a simple read/write applet and created a .cap file using Eclipse's Converter Java Card tool.
  What is the next step to be done?
  I have a smart card device and have installed its drivers.
  When do the APDU commands come into picture?
  Expecting help.
  Thanks a lot.
  Regards,
  Suril

  Suril Sarvaiya wrote:
  Hi Shane....
  Thnx a lot....
  I have downloaded GP-Shell 1.4.4
  When I open its application and write any command and press enter ; the app window closes immendiately.
  Can you please help me on this?
  One more thing Shane......
  I'm writig a java class using javax.smartcardio
  I have installed drivers of Omnikey 3021
  but the TerminalFactory is not detecting it?
  Any idea on that?
  Thanks again...
  Regards,
  SurilHi all,
  Is Mr. thread starter has solved his problem?
  I profit this thread to post my question. I'm working with new environment and I have problem loading cap file into my smartcard.
  specification come first :-)
  - My smartcard is said to be JC2.2.1 and GP2.1.1 compatible
  - My code (for testing) is written in Java under eclipse Helios service 2 with JavaCard plugin (for JC2.2.2)
  I compile my code with JDK 1.3 (for compatible version) and using the JC plugin to generate cap file (along with exp and jca).
  My problem is exactly the same as one that was posted in this forum about 2 years ago but is not answered :-)
  [Problem Loading Application to Card |http://forums.oracle.com/forums/thread.jspa?threadID=1749334&tstart=420]
  + I successfully authenticate with smartcard
  + APDU command Install for Load is executed successfully
  + BUT the APDU command LOAD file fails with returned status word is 6424
  For details, I post here my javacard applet code and APDU command executed with my tool:
  package mksAuthSys;
  import javacard.framework.APDU;
  import javacard.framework.Applet;
  import javacard.framework.ISO7816;
  import javacard.framework.ISOException;
  import javacard.framework.OwnerPIN;
  public class Jcardlet extends Applet {
       private final static byte[] myPIN = { (byte) 0x01, (byte) 0x02, (byte) 0x03, (byte) 0x04};
       final static byte Jcardlet_CLA =(byte)0xB0;
       final static byte VERIFY = (byte) 0x20;
       final static byte PIN_TRY_LIMIT =(byte)0x03;
       final static byte MAX_PIN_SIZE =(byte)0x08;
       final static short SW_VERIFICATION_FAILED = 0x6300;
       OwnerPIN pin;
       private Jcardlet() {
            pin = new OwnerPIN(PIN_TRY_LIMIT, MAX_PIN_SIZE);
            pin.update(myPIN, (byte) 0, (byte) 4 );
           register();
       public static void install(byte bArray[], short bOffset, byte bLength)
                 throws ISOException {
            new Jcardlet().register();
       public boolean select() {
            if ( pin.getTriesRemaining() == 0 ) return false;
           return true;     
       public void deselect(){
            pin.reset();
       //@Override
       public void process(APDU apdu) throws ISOException {
            // TODO Auto-generated method stub
            byte[] buffer = apdu.getBuffer();
            if ((buffer[ISO7816.OFFSET_CLA] == 0) &&
                    (buffer[ISO7816.OFFSET_INS] == (byte)(0xA4))) return;          
            if (buffer[ISO7816.OFFSET_CLA] != Jcardlet_CLA)
                  ISOException.throwIt(ISO7816.SW_CLA_NOT_SUPPORTED);          
            switch (buffer[ISO7816.OFFSET_INS]) {
             case VERIFY: verify(apdu);
               return;
             default: ISOException.throwIt (ISO7816.SW_INS_NOT_SUPPORTED);
       private void verify(APDU apdu) {
            // TODO Auto-generated method stub
           byte[] buffer = apdu.getBuffer();
           // retrieve the PIN data for validation.
           byte byteRead = (byte)(apdu.setIncomingAndReceive());
           // check pin
           // the PIN data is read into the APDU buffer
           // at the offset ISO7816.OFFSET_CDATA
           // the PIN data length = byteRead
           if ( pin.check(buffer, ISO7816.OFFSET_CDATA,byteRead) == false )
             ISOException.throwIt(SW_VERIFICATION_FAILED);          
  }And my APDU command:
  Loading "D:\mksAuthSys.cap" ...
  T - 80F28000024F00
  C - 08A000000003000000079E9000
  ISD AID : A000000003000000
  T - 80E602001508F23412345610000008A00000000300000000000000
  C - 009000
  T - 80E80000C8C482018B010012DECAFFED010204000108F23412345610000002001F0012001F000C001500420012009D0011001C0000009F00020001000402010004001502030107A0000000620101000107A000000062000103000C0108F234123456100001002306001200800301000104040000003DFFFF0030004507009D000510188C0003188F00013D0610088C00028700AD007B000403078B0005188B00067A02308F00073D8C00088B00067A0110AD008B00096104037804780110AD008B000A7A0221198B000B2D1A0300
  C - 6424
  Stopped loading due to unexpected status words.Urgently look forward to hearing from you.
  Thanks a bunch in advance
  Best Regards,
  JDL

• Remote desktop and smart cards

  I frequently work from home using my mac to access my windows based desktop at the office. I use the microsoft remote desktop v. 1.0.3. for MAC. Now that my agency is moving to smart card identification requirements for access I need to be able to use the smart card at home to sign onto the office desktop.
  The RDC for MAC does not have an option for smart card readers (as opposed to the RDC for windows version). Is there alternative software that would be simple to install on my MAC (I am not an IT sophisticate) that will give me smart card access?

  Microsoft Remote Desktop Connection (RDC) for Mac and Apple Remote Desktop (ARD) are two completely different tools with marginally similar capabilities. Unfortunately, as you've already discovered, neither offers Smart Card capabilities to allow you to authenticate to your Windows computer at work.
  If your Mac is an Intel Mac then you could probably run Windows using Parallels or Boot Camp on your home computer and use the Windows RDC client to make your connection. I don't suggest trying to use VirtualPC if you have a PowerPC Mac simply because your Smart Card reader will most likely be USB and VirtualPC has a bad track record with USB devices.
  Hope this helps!
  bill
    Mac OS X (10.4.10)   1 GHz Powerbook G4

• MS Remote Desktop and smart card reader

  I have installed MS Remote Desktop Conn. on my iMac and connected a smart card reader via the USB. Although my reader energizes when the computer is on, the computer doesn't seem to recognize the reader. When I insert a CAC card into the reader and try to log in remotely, I continue to get a "username/password" box instead of the CAC PIN number. Do I need to install some kind of smart card driver or does Apple already have it? I'm at a loss as to how to fix this.

  I was able to get rdesktop 1.6.0 to install on my Mac and I was able to get CAC log-in to work.
  However, the installation is a little tricky. I downloaded rdesktop 1.6.0 from this link:
  <<http://www.rdesktop.org>>
  My instructions for installation:
  1. Make sure Xcode Tools is installed on your computer. It should be on your OS X install disk.
  2. Find out where your X11 libraries are located:
  -From the Finder menu, selct "Go" >> "Go to Folder..."
  -Type (without the quotes) "/usr/X11", and click "Go"
  You should see a bunch of folders. Make sure the "include" and "lib" folders are there. Otherwise you need to find out where the X11 "include" and "lib" folders are located on your computer.
  3. Download rdesktop and place the (unarchived) rdesktop-1.6.0 folder on your Desktop
  4. Open the X11 application (should be in your Utilities folder)
  5. In the X11 window type the following (without the quotes):
  "cd Desktop/rdesktop-1.6.0 && ./configure --enable-smartcard -x-includes=/usr/X11/include -x-libraries=/usr/X11/lib && make && sudo make install"
  4. Hit enter. When prompted, enter your administrator password and hit enter.
  rdesktop should now be installed in the following folder:
  /usr/local/bin
  So, to launch rdesktop with smartcard log in enabled, open the X11 application (or Terminal application) and type the following (without the quotes, and replace your.server.address with the server address):
  "cd /usr/local/bin && ./rdesktop -r scard your.server.address"
  Hit enter and it should launch a new X11 window that will try to access the remote server where you should be prompted for your PIN.
  To explore more options with rdesktop, open X11 and type the following (without quotes):
  "cd /usr/local/bin && ./rdesktop"
  Hit enter and you should get a list of options available to rdesktop.

• Remote desktop and smart card

  Hi.
  I need to use a smart card while working with remote desktop.
  My office pc runs win XP and have a smart card connected. I can not use that card when working remotly, its not found. Like its disconnected.
  I also have a smart card connected to my Mac at home. The smart card works fine when the VPN connection ask for my code.
  The problem is that it does not get forwarded. I have tried to use MS Remote Desktop for mac and CoRD.
  But none of them supports the smart card.
  It works fine with parallels/win7 on my mac, I can then use my smart card.
  How ever I would like to not use the win/ on my mac.
  Do anybody have a soulution to this? Are there any Remote desktop applications that support forwarding of smart card for Mac OS?
  Thanx for any tips

  You can install rdesktop with Smart Card support.
  It is fairly easy if you use something like MacPorts, Fink, or Homebrew.
  I know MacPorts has a port for it that I used in the past.

• Error encountered while signing. Windows cryptographic service provider reported an error. Object not found. Error code:2148073489. Windows 7, Adobe Reader XI, Symantec PKI, Smart Card and CAC. I have seen other threads for this error but none have a reso

  Error encountered while signing. Windows cryptographic service provider reported an error. Object not found. Error code:2148073489. Windows 7, Adobe Reader XI, Symantec PKI, Smart Card and CAC. I have seen other threads for this error but none have a resolution. Any help would be appreciated.
  Sorry for the long title, first time poster here.

  This thread is pretty old, are you still having this issue?

• Error while Accessing Smart Card using Open Card Frame Work

  HI
  Using Open Card Frame work I am trying to access GemAlto provided Smart Card (java card). I downloaded the Open Card Frame work from “http://www.openscdp.org/ocf/download.html”.
  I am executing a basic program to access the data stored in smart card.
  public static void main(String[] args)
                      System.out.println("reading smartcard file...");
                      try {
                      SmartCard.start();
                      CardRequest cr = (FileAccessCardService.class);
                      System.out.println("calling waitforCard");
                      SmartCard sc = SmartCard.waitForCard(cr); //Error comes after this line
                      System.out.println("After waitForCard called");
                      FileAccessCardService facs = (FileAccessCardService)
                      sc.getCardService(FileAccessCardService.class, true);
                      CardFile root = new CardFile(facs);
                      CardFile file = new CardFile(root, ":c009");
                      byte[] data = facs.read(file.getPath(), 0,
                      file.getLength() );
                      sc.close();
                      String entry = new String(data);
                      entry = entry.trim();
                      System.out.println(entry);
                      } catch (Exception e) {
                           e.printStackTrace(System.err);
                      System.exit(0);
  The content of the opencard.properties are :
            OpenCard.services = opencard.opt.util.PassThruCardServiceFactory
  OpenCard.terminals = com.ibm.opencard.terminal.pcsc10.Pcsc10CardTerminalFactory
  OpenCard.trace = opencard:5 com.ibm:4 opencard.opt.database:6
  After the line “ SmartCard sc = SmartCard.waitForCard(cr);”
  the program is expecting a card to be inserted but while inserting Smartcard the following error message come :
            calling waitforCard
            [ERROR    ] com.ibm.opencard.terminal.pcsc10.OCFPCSC1.OCFPCSC1.SCardConnect
  --- message
  --- thread Thread[Thread-0,5,main]
  --- source com.ibm.opencard.terminal.pcsc10.OCFPCSC1@2e7263
  [ERROR    ] com.ibm.opencard.terminal.pcsc10.OCFPCSC1.OCFPCSC1.SCardConnect
  --- message Protocol = 0
  --- thread Thread[Thread-0,5,main
  --- source com.ibm.opencard.terminal.pcsc10.OCFPCSC1@2e7263
  Basically the error is coming from the SCardConnect function of OCFPCSC1.cpp file.
  Please reply to my mail id if any body has any idea how to resolve this issue.
  MAIL-ID : [email protected]
  With Regards
  Swarup
  Finacle Archie
  Infosys Technologies Limited,Bhubaneswar,India

  Sounds like an issue that has to do with JavaScript Origin policy. You'll have to use Domain Relaxing for this. Read all about it here:
  http://help.sap.com/saphelp_nw04/helpdata/en/59/87b54064c2742ae10000000a155106/frameset.htm
  here:
  http://help.sap.com/saphelp_nw04/helpdata/en/5e/473d4124b08739e10000000a1550b0/frameset.htm
  and here:
  http://help.sap.com/saphelp_nw04/helpdata/en/cb/f8751d8c6b254dac189f4029c76112/frameset.htm