Smart Card setup in 10.6.4

Hello,
I am working on an iMac running 10.6.4. I am trying to get a smartcard (Athena ASEKey USB Token) to be recognized by the system. Note: this smartcard is not for local system authentication. It is for authentication through a remote desktop connection to a Windows terminal server. I was able to get it working in 10.5.x without too much difficulty. The procedure for getting it working in 10.5.x was as follows:
1. Modify /etc/authorization as specified in the Apple Smart Card Setup Guide.
(This is available at http://images.apple.com/server/macosx/docs/SmartCard_SetupGuide.pdf)
2. Compile driver with Xcode
3. Copy driver to /usr/libexec/SmartCardServices/drivers/
4. Compile rdesktop 1.6.0 with smart card support
I'm not sure what has changed in 10.6.x to cause this not to work. It appears as though the device is recognized as it appears in the System Profiler under USB when it is plugged in. Any insight will be greatly appreciated. Thank you!
Message was edited by: NetAdmins

I'm trying to get my smart card to work too. I've been looking around the web and it seems to be a matter of luck: either you have a system-hardware combination that works or you don't. People download drivers, installers, library stuff and the card still isn't recognized. In most cases it is only to access home banking; almost all of them require smart cards, or you can only look but not touch.
My VASCO DP905 is listed under USB devices in System Profiler. I installed the SCA packages from opensc as the manufacturer says, but both browsers, Safari and Firefox, say Applet SmartCardX notinitiated (or notloaded in FF).
In Firefox you can install the device "by hand", but it still won't work. In Safari I don't know how to manage this kind of stuff.
It's amazing how hard it is to make such a simple device work, don't you think?

Similar Messages

  • Smart Cards slow with Sun Ray Windows Connector

    I'm successfully using smart cards to log on to Windows 2003. But the problem is that it's very slow!
    If I enter a wrong PIN code, it's fairly quick to respond with an error, but when entering the right one it takes like 13-15 seconds to log on. The smart card slot on the Sun Ray 2 is flashing all that time, so it seems like reading the certificate takes that long?
    Any ideas how to make it quicker?

    I have done the same setup with SunRay 170.
    Approx the same delay is experienced with my setup.
    When I meet my Card Vendor next time around I will ask about
    how many times the CERT is read.
    The Sunray 2 is faster, a lot faster than the Sunray 170, so the delay
    must be the speed that card transactions can be performed.
    //lars

  • Smart card with Thinkvantage Client Security Solutions doesn't work

    Dear all,
    I have the Lenovo Gemalto ExpressCard54 Smart card reader (41N3043). I purchased some .Net smart cards from Gemalto also. I have installed the drivers for both the smart card reader and the smart card minidrivers, as well as the PKCS#11 Drivers from Gemalto.
    However, when I try to set up a smart card using Thinkvantage Client Security, the selection remains greyed out. What is the problem?
    When I try to run the executable css_smartcard.exe, I am told PKCS#11 Module is not installed. How do I install the module as there is no command to choose where the driver path is.
    Essentially I am wondering how to use smart cards on the client security software. The documentation, even the CSS deployment guide, has so little information on this.

    I should add that I am using Windows 7 and my CSS version is 8.3, I can also verify my smart card works for other applications, only thinkvantage CSS 8.3 does not work.

  • How to perform kiosk actions based on smart card data

    Hi
    I have Smart card/Sun Ray users based in two locations, Auckland and Wellington. When the user inserts their Smart card into a Sun Ray DTU they are immediately presented with a login to the company Citrix Metaframe farm (which consists of 3 servers in Auckland and 3 servers in Wellington).... this has been done by using the Sun Ray Kiosk scripts to execute the Solaris Citrix ICA client (with parameters for server name and application).
    What I need to do is the following:
    When an Auckland user is in Wellington, they need to be able to insert their Smart Card into any Sun Ray DTU and be presented with an Auckland Citrix Desktop Session... i.e. I want to direct users, based on their Smart Card data, to a specific Citrix server. Each Smart Card has already been setup with a location (Auckland or Wellington) in the "other info" field.
    I know I need to do some modifications to the kiosk scripts... but what? I know that the solaris 'env' command returns the ID of 'this' DTU... can I use this with the 'ut****' commands to identify the ID of the Smart card that has just been inserted into 'this' DTU? and then can I use this Smart card ID to query for the 'name' and 'other info' fields?
    Hope this makes sense :-)
    Any help appreciated.
    Thanks,
    Kerry.

    Hi,
    As you are using card-based kiosk, this is almost certainly a job for AMGH.
    AMGH looks at the card ID with a PAM service that's already in /etc/pam.conf
    and checks the card ID against a database indexed with the HOME server for that user.
    You need to set this database up as a text file or LDAP service.
    Read the chapter on Advanced MultiGroup Homing in the Admin Guide for SRS4.
    In /opt/SUNWutref/amgh you have the example scripts and shared objects to use as a starting point
    for setting up a working service.
    //Lars

  • Use smart card for 802.1x secured WiFi authentication

    Hi,
    is it possible to use a certificate stored on a USB Security Token for WiFi 802.1x authentication?
    I have set up a test environment with all required components (AD, Enterprise CA, NPS, WPA2-Enterprise capable WiFi Access Point, all required certificates, all Server 2012 R2 / Windows 8.1 Pro) and created a user certificate for WPA2-Enterprise secured WiFi access (802.1x). Everything works fine as long as the user certificate is stored in the local certificate store of the user's client computer: The user can connect to the WiFi network and the NPS logs show that the user has been authenticated correctly and granted access.
    To test this scenario with a Smart Card (Safenet USB Token), I stored that same user certificate on the token (incl. private key). The Safenet software on the client computer automatically makes the certificate stored on the token available in the local certificate store as soon as the token has been plugged in (checked via MMC Certificates snap-in). But the certificate obviously can't be used for the desired WiFi authentication: If I try to connect to the secured WiFi (the same as in scenario 1), the connection fails.
    As I'm using exactly the same certificate in both scenarios, I don't think there's anything wrong with the settings in the certificate, the NPS or any other infrastructure component. The reason for failure in scenario 2 must lie somewhere in either the local client computer configuration or in the Safenet software on the client computer.
    I'm very familiar with all the PKI and authentication stuff, but I'm new to smart cards. Are there differences between different types of smart cards and for what purpose one can use them? (USB tokens, chip cards, virtual tokens, etc.?)
    Has anybody experience in creating a 802.1x secured WiFi access with smart card based user certificates who could advise?
    Thanks + Best Regards
    Matt

    Hi,
    I found some links from the TechNet site which can be helpful in this case
    Network access authentication and certificates
    http://technet.microsoft.com/en-us/library/cc759575(v=ws.10).aspx
    Enable smart card or other certificate authentication
    http://technet.microsoft.com/en-us/library/cc737336(v=ws.10).aspx
    Quote:
    Client certificate requirements
    With EAP-TLS or PEAP-EAP-TLS, the server accepts the client authentication attempt when the certificate meets the following requirements:
    The client certificate is issued by an enterprise CA or mapped to a user or computer account in Active Directory.
    The user or computer certificate on the client chains to a trusted root CA, includes the Client Authentication purpose in EKU extensions (the object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2), and fails neither the checks that are performed by CryptoAPI and specified in the remote access policy nor the Certificate object identifier checks that are specified in IAS remote access policy.
    The 802.1X client does not use registry-based certificates that are either smart card-logon or password-protected certificates.
    For user certificates, the Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN).
    For computer certificates, the Subject Alternative Name (SubjectAltName) extension in the certificate must contain the client's fully qualified domain name (FQDN), which is also called the DNS name.
    Yolanda Zhu
    TechNet Community Support

  • Blackberry Z10 and Smart Card Reader Battery Life

    We have several users with new Z10s using Smart Card Reader 2.  After activation with BAS10, users state the Smart Card Sled battery life has dramatically decreased from the old setup with 9930s on BAS5.  One user states he can have it fully charged at work and it will be dead by the time he gets home.
    I searched around a bit, and haven't found anyone else reporting this issue.  Any ideas what might be causing this?

    Hi my two Z10 don't have this issue, what OS version are you running? The newer version should have fixed the battery issue.

  • Smart Card login screen authentication

    Apple don't seem to have updated their documentation on this subject since way back in the Mac OS X Tiger days!
    I would like to have a setup where a user can walk up to a Mac (which is at the login screen), wave an RFID card over a reader connected to that Mac and be able to then login to that Mac. If it is necessary for a PIN/Password to also be entered that might be acceptable. Similarly if the screensaver activates during their login session, waving their RFID card again over the reader should unlock the screensaver.
    An alternative scenario would be a Mac with a guest login account enabled, and then wanting to use the same card reader to authenticate when requested to a proxy server in order to gain network access.
    The cards to make it clear would be RFID based, not magstripe or chip-and-pin. There are suitable USB readers like this one
    http://www.ers-online.co.uk/o5651/cardman5021-cl-omnikey-omnikey-5021-cl-contactless-smart-card-reader

    Hi Robert Gauthney,
    Could you offer more information about your issue? I found a scenario similar to your issue; if it matches your environment, please refer to the following KB to fix it. If it does not match your scenario, please offer us more information, such as the error screenshot or related Windows event information:
    Smart card authentication does not work when you use VDI and RD Gateway for RDC client in Windows 7 or in Windows Server 2008 R2
    http://support.microsoft.com/kb/2548538/EN-US
    I’m glad to be of help to you!

  • Blackberry Smart Card Reader Problem

    I am trying to setup a Blackberry Smart Card Reader for two factor authentication.  Right now I am trying to set it up with a 8300, once I get that working I will set it up with a 9000 as well.
    I have successfully paired the Smart Card Reader with the 8300.
    I have a smart card from 360 Web Secure, that is supposed to be a ISO 7816 PC/SC T=0.  It has been setup with 360 Web Secure software for windows logon.
    When I try and turn on two-factor authentication on the blackberry (User Authenticator - Enabled), I get the error:
    Unable to initialize the user authenticator, no supported user authenticator is present.
    I'm guessing that my 360 Web Secure card is not actually compatible, as the Registered Card Drivers listed in the smart card settings on the blackberry are: SafeNet 330, PIV, and GSA CAC.  Since I can't find any material as to whether the 360 card is compatible with these formats, it probably isn't.
    I've spent hours searching the net for a card that would work and I have no idea.  There are many places selling all kinds of cards, but they are all blank cards and seem to need a large enterprise software package to be able to program/manage them....
    So, as an individual, where do I get a card that I can use for two-factor authentication with the blackberry smart card reader?

    This smart card is not supported by the BlackBerry. You would have to write drivers for it yourself.
    The only smart cards which are supported right now are the SafeNet 330, the DoD CAC and the PIV for US federal governments. The latter two are actually special versions of the SafeNet 330 with some specific extensions.
    If you want to use smart cards on the BlackBerry you'll therefore need to purchase a SafeNet 330 card along with all the software and hardware to initialize the card on a PC and create/import the certificate.
    Hope that helps.
    Chris

  • Set up a smart card for user logon to windows server 2012 R2

    Good Evening,
    I have Windows Server 2012 R2 Datacenter edition (dreamspark license)
    Is it possible to successfully set up smart card logon to a server? I already have the smart card reader, smart card and the certificate (which is also my digital signature). I know how to set up a DC role (as far as I know, the server has to be in a domain to use smart card logon). I would like to log on to my PC using a smart card and set the certificate I already have to use as a certificate for logon.
    Kind Regards,
    Tomasz

    It would take a few things to do this, and could cause some security issues. In short, I assume the certificate you "already have" came from another environment or a commercial provider. You would need to configure your computer to trust that CA to be an issuer of smart card authentication certificates. That effectively moves a good portion of your computer security control out of your environment. For many environments that is an unacceptable security risk.
    If you don't have an Active Directory running, you will also need to make some accommodations to the standard guides. I don't believe there are any published guides on how to do this with a single server and third-party CAs.
    Here are some references for generic smart card authentications. They are not 100% applicable to your need, so some interpretation is going to be needed.
    http://msdn.microsoft.com/en-us/library/windows/desktop/aa380142(v=vs.85).aspx
    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years.

  • How to create a 802.1X Profile Using Smart Card Certificate

    My company has just implemented a new wireless network that requires users to use a USB Smart Card security device.
    This works fine for Windows, as the OS will allow the end user to configure more advanced authentication/authorization methods (802.1X, etc.) Unfortunately, OS X removed this functionality several versions back; 802.1X and advanced Wi-Fi configurations must now be handled by some sort of profile creation utility. Unfortunately, I've yet to find a utility (iPhone Configuration Utility, Apple Configurator) that will allow the creation of an 802.1X / Wireless Network Configuration that allows the use of a smart card for authentication. They all require that you actually upload the entire key-pair combo(?) in the form of a .p12 file. This is impossible with a smart card; by design you are not allowed to export the private key.
    I'm wondering if there is some way around this? Is it even an option? I know Mac OS will allow me to select "EAP-TLS" when configuring a new wireless network in System Preferences, then even allows me to select my certificate/identity from the Smart Card. Unfortunately, the network I'm trying to connect to doesn't support EAP-TLS/needs some additional configuration options/settings (EAP-TTLS for one).
    Any help/ideas would be greatly appreciated. Thanks!!

    Hello,
    exactly my topic I have been fighting now for months and already gave up.
    My setup is a Lion Server and a Lion WLAN client. My goal is to have the system profile 802.1x WLAN authentication up and running but I just don't get it working. First I tried to create a machine certificate (TLS) but this did not work. Then I tried the option to use Computer Object credentials (TTLS) (Open Directory Computer Object account credentials) to establish network connection before a user logs on but this doesn't work either.
    As said I'm using Lion Server with Open Directory and Lion Server Radius.
    Any help or guide appreciated!
    Robert

  • UAG smart card authentication plus kcdauthentication true

    Hi
    I have already set up smart card certificate authentication to the UAG portal. I'm using the certificate's fields Subject Alternative Name and RFC822 Name to read UPN information. It says 'RFC822 Name=[email protected]'. That information I'm comparing to the AD account's mail attribute. Authentication works OK.
    In Active Directory, samaccount is created from the UPN's first part: firstname.lastname. So far I have been able to use kcdauthentication and create a valid Kerberos ticket which is acceptable for delegation.
    The customer changed their samaccount to a different form. KCD does not work anymore. I've tried to use the regkey:
    HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\von\UrlFilter\KCDUseUPN,1. It does not work.
    I have no idea how to change the inc files so that they do not use samaccount but instead use UPN. UPN matches mail.
    Any ideas ?
    thanks in advance :)
    br -teemu

    Below Article might not give you direct answer.
    But, you may get an excellent idea on how to play around with INC files for your scenario.
    http://social.technet.microsoft.com/wiki/contents/articles/17031.how-to-get-client-certificate-authentication-working-on-a-uag-2010-portal.aspx
    Please let us know, how it goes. :)

  • Smart card authentication for IOS device

    I am just wondering if anyone was able to successfully implement smart card authentication for vty and console sessions. If anyone did, can you please point me to the documentation and the implementation guide? Thanks

    Actually, with the rsa key pair setup in ISO 15+, you can use a smart card to authenticate to cisco switches.  I'm still working out all the details but you would need SecureCRT or Putty-CAC.  SecureCRT allows you to export the public key from a pki cert and then import that into the switch/router.  The disadvantage is you can only use the first cert in the list.  Putty-CAC allows you to select which PKI cert you want to use but I haven't verified you can export the public key from a cert.  If you contact me, I'll email you the info needed to use SecureCRT.

  • Logging into Windows Server 2012 from Remote Desktop requires "Connect with Smart Card"; how do I disable this?

    I am using pretty much the default setup. I cannot figure out how to disable this. I do not want to use smart cards.
    Any ideas?

    Does this mean you're trying to RDP from an XP box, and therefore have the Remote Desktop feature on the server set to "less secure"? Sounds like that's what disables network authentication, prompting the Smart Card request.
    If you simply click to login as a different user, you can login without a smart card, to include the same user as was being prompted for the card.
    I expect if you choose the Remote Desktop feature requires network authentication on the server, the smart card requirement goes away, but you'll need to login from Win7 or newer clients. Not sure where Vista falls, probably okay too.

  • Disabling normal login and only using smart card login?

    I've managed to set up login using BELPIC (Belgian Identity Card (smart card)). However, I can still log in using username/password. Is it possible to restrict the system to only using smart card login? (maybe via tweaking the authorize file?)
    Thanks

    The problem isn't with the provider part of the code - it has to do with security privileges. Java code running from the command line has full access to the file-system. Servlets running inside a container do not.
    In order to access cryptographic keystores, the JVM must allow the servlet code to access local files (and through them, the device drivers to the crypto token). Servlet code running inside a web/application server container is, by design, restricted in its ability to access local files on the servlet container machine (other than configuration files and application code under the servlet context root).
    In order to continue with my project, I had to temporarily provide the servlet full access to the machine's file-system in the java.policy file for your JVM, along the lines of the following:
    // No codeBase is given, so this grant applies to all code loaded by the JVM.
    grant {
        permission java.security.SecurityPermission "authProvider.SunPKCS11-NSS", "getSignerPrivateKey";
    };
    I hope to go back and restrict this access so that only the specific security grants are available to the servlet to access the private key (the above is too lenient).
    You will need to do something similar to your JVM's java.policy to allow the servlet to access the private key. Substitute the "authProvider.SunPKCS11-NSS" with the driver for your own token.

  • Problem with CertificateRequest when using a smart card

    Hello,
    I have used the ssl debug statement to determine that the ssl server is sending a CertificateRequest and a list of CAs. The smart card is opened via a password and I think X509KeyManagerImpl compares the Issuer of the smart card certificates with the server sent CAs. However, since the issuer is an intermediate CA and only the root CA is in this list, the smartcard certificates are rejected. I CAN'T have the intermediate CA placed in the ssl server list.
    Using SSLConnect (KeyManager, X509TrustManager, null). The KeyManager is using NSS and the TrustManager is using opensc-pkcs11 via SunPKCS11. The OS is Linux, kernel 2.6.35.10-74.fc14.i686.
    The intermediate CA is in the local cert store.
    The application being used is DavMail.
    Am I correct in stating that the smart card certificates are checked against the server sent CAs?
    Does anyone know how to get Java to use the local cert store to find the intermediate CA and then verify it against the Root CA in the server sent list?

    Placed in wrong forum. Moved it to Security Java Secure Socket Extension (JSSE)
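
If the client key manager is filtering aliases by the CA names in the CertificateRequest, as the question above supposes, a wrapper can retry the lookup with a null issuer list, which the X509KeyManager API defines as "any issuer". This is an added example, not code from the thread or from DavMail; the class name IssuerAgnosticKeyManager and the helper contextFor are hypothetical.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509KeyManager;

/** Hypothetical wrapper: delegates everything, but retries client alias lookup without the server's CA list. */
public final class IssuerAgnosticKeyManager extends X509ExtendedKeyManager {
    private final X509KeyManager delegate;

    public IssuerAgnosticKeyManager(X509KeyManager delegate) {
        this.delegate = delegate;
    }

    @Override
    public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
        // First honour the CA names sent in the CertificateRequest.
        String alias = delegate.chooseClientAlias(keyType, issuers, socket);
        // No match: ask again with issuers == null, meaning "any issuer".
        return alias != null ? alias : delegate.chooseClientAlias(keyType, null, socket);
    }

    @Override
    public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine) {
        if (delegate instanceof X509ExtendedKeyManager) {
            X509ExtendedKeyManager ext = (X509ExtendedKeyManager) delegate;
            String alias = ext.chooseEngineClientAlias(keyType, issuers, engine);
            return alias != null ? alias : ext.chooseEngineClientAlias(keyType, null, engine);
        }
        return chooseClientAlias(keyType, issuers, null);
    }

    @Override
    public String[] getClientAliases(String keyType, Principal[] issuers) {
        String[] aliases = delegate.getClientAliases(keyType, issuers);
        return aliases != null ? aliases : delegate.getClientAliases(keyType, null);
    }

    // Server-side selection and key material access are passed through unchanged.
    @Override
    public String[] getServerAliases(String keyType, Principal[] issuers) {
        return delegate.getServerAliases(keyType, issuers);
    }

    @Override
    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        return delegate.chooseServerAlias(keyType, issuers, socket);
    }

    @Override
    public X509Certificate[] getCertificateChain(String alias) {
        return delegate.getCertificateChain(alias);
    }

    @Override
    public PrivateKey getPrivateKey(String alias) {
        return delegate.getPrivateKey(alias);
    }

    /** Builds an SSLContext whose X509 key managers are wrapped; tokenStore is an already loaded key store. */
    public static SSLContext contextFor(KeyStore tokenStore, char[] pin) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(tokenStore, pin);
        KeyManager[] kms = kmf.getKeyManagers();
        for (int i = 0; i < kms.length; i++) {
            if (kms[i] instanceof X509KeyManager) {
                kms[i] = new IssuerAgnosticKeyManager((X509KeyManager) kms[i]);
            }
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, null, null); // null trust managers: use the JVM default trust store
        return ctx;
    }
}
```

The wrapper changes only which alias the client offers; the server still validates the presented chain against its own trust anchors. If the token entry holds only the leaf certificate, the server must be able to find the intermediate itself to build the path.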
