Hi Sim,

It seems to fail in C_Initialize, so potentially it does not see a reader or something. To further debug, you might turn on logging in the PKCS#11 module. Do this by putting a pkcs11rc file into the Identity Alliance\Middleware directory (or maybe just Identity Alliance). Turn logging to LOW. This will generate a C:\PKCS11.log

We have not yet tested on Metaframe, but this is on our soon-to-be-done list. For login through Metaframe, there may be issues with how we are doing the fully qualified container names, but we have a handle on what needs to be done to fix that .....

Citrix logins working from Solaris (SunRays)
<-- it is possible ...... you will need to use the PC/SC shim and there might be some changes you need to make to the return of SCardStatus ?.?.?.....

When you get a PKCS11.log, feel free to send it direct to me, and I'll try to help ....

Thanks,
Dave





On Mar 8, 2005, at 10:22 PM, sim rid wrote:

Hiya,

Finally back working on this project again .. lol been busy...

Thanks Dave .. that debug line worked fine.

My scenario is still the same in the previous email except my Citrix server is now on Windows2003 rather than Windows2000. I can perform normal Windows domain smartcard logins with muscle cards but they won't work over Citrix Metaframe.

I perform a username/password login via Citrix. Once in a session I can execute MuscleTools-IDA.exe and successfully access my local muscle-card and view contents.

If I try to execute RegCerts.exe I get this debug output on the server:

03/09 12:57:29 PKCS11Module size is: 11
03/09 12:57:29 PKCS11Module value is: IDAP11.dll
03/09 12:57:29 Dllmain: DLL_PROCESS_ATTACH
03/09 12:57:29 +CPAcquireContext() - called
03/09 12:57:29 Build: $Id: csp.cpp,v 1.9 2004/09/24 15:12:47 corcoran Exp $
03/09 12:57:29 Executable: "E:\Program Files\Identity Alliance\Middleware\Binaries\RegCerts.exe" (E:\WINDOWS\system32\IDACSP.dll)
03/09 12:57:29 Container: "(null)" Flags: (0x0)
03/09 12:57:29 Initializing CSP
03/09 12:57:30 C_Initialize: 0x32
03/09 12:57:30 C_Initialize() failed: 0x32 (50)
03/09 12:57:30 Exception: 0x0 at .\csp.cpp:94 in CPAcquireContext() "PKCS#11 initialization failed"
03/09 12:57:30 -CPAcquireContext() - finished: FALSE (0x80090020)
03/09 12:57:30 Dllmain: DLL_PROCESS_DETACH


It should be noted, however, that if I perform a "Remote Desktop Connection", using the built-in windows tool, instead of a Citrix client, then RegCerts.exe seems to work just fine.

I get a similar error when attempting smartcard login via citrix. The difference being that the executable listed in the debug is WinLogin.exe


If I get all this working I will attempt to get Citrix logins working from Solaris (SunRays). .. If it's possible :)



Cheers Sim




From: David Corcoran <[EMAIL PROTECTED]>
To: "sim rid" <[EMAIL PROTECTED]>
Subject: Re: [Muscle] Identity Alliance CSP and citrix smartcard login
Date: Thu, 6 Jan 2005 09:50:14 -0500

Hi,

Usually a log file is created in C:\CSPDebug.log. Perhaps it is not turned on. You may need to go into the registry and set Logging to 1 in our CSP.


HKLM\Software\Microsoft\Cryptography\Calais\Defaults\Provider\Identity Alliance CSP

Dave

On Jan 5, 2005, at 11:00 PM, sim rid wrote:

Hi all,

I am testing the Identity Alliance CSP with citrix and have run into a problem with smartcard windows login, via citrix.

My setup:
Server:
    Windows 2000
    Microsoft certificate services.
    Citrix MetaFrame Server. Version XP 1.0 Feature Release 3
    Identity Alliance CSP installed.

Client:
    Windows XP SP1
    Citrix MetaFrame Program neighbourhood client. Version 8.100.29670
    Identity Alliance CSP installed.

Smartcard:
    Oberthur Cosmopolic V4 loaded with latest MuscleCard Applet.

What works:

1) Used Microsoft Cert Services to generate a keypair(1024) and cert on the card using smartcard user template and the Identity Alliance CSP.
2) Used card to perform a smartcard login locally on the AD (Windows 2000).
3) Used card to perform a remote domain login from client pc (Windows XP)
4) Setup Citrix client and performed a username/password login, via citrix to the AD/Metaframe server.
5) Used scconfig command to allow MuscleTools-IDA.exe to have access to the local smartcard reader and card inside a citrix session. Via the remote citrix session I could successfully execute MuscleTools-IDA, connect to the local token and list the contents.



What failed:

1) Using the Citrix client attempted to perform a windows smartcard login.
- Windows login screen appeared as normal: "Insert card or press Ctrl-Alt-Delete to begin"
- Inserted muscle card and was prompted for PIN.
- Typed in correct PIN.
- ERROR: "Your credentials could not be read from the smart card. Verify the card is valid, and that it seated properly in the reader"
- Typed in incorrect PIN. Same error.




Any ideas here would be much appreciated.
Also is there some way of getting debug info from the CSP?



Thanks
sim



_______________________________________________
Muscle mailing list
[email protected]
http://lists.drizzle.com/mailman/listinfo/muscle


---------------------------------------------------------------------- -- ------------
David Corcoran [EMAIL PROTECTED]
Identity Alliance http://www.identityalliance.com


Smart Cards, Biometrics, Training, Identity Management
---------------------------------------------------------------------- -- -------------
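
For reading the CSPDebug.log output quoted in this thread, an added example (not part of the original emails and not Identity Alliance code): it pairs each CSP entry point that finished FALSE with the PKCS#11 calls that failed inside it, and names the return codes using the standard PKCS#11 (CKR_*) and CryptoAPI (NTE_*) constants. The function names and the constructed sample are assumptions; the line formats are taken from the log above.

```python
import ntpath
import re

# Constructed sample: a subset of the CSPDebug.log lines quoted in the thread.
SAMPLE_LOG = r'''03/09 12:57:29 +CPAcquireContext() - called
03/09 12:57:29 Executable: "E:\Program Files\Identity Alliance\Middleware\Binaries\RegCerts.exe" (E:\WINDOWS\system32\IDACSP.dll)
03/09 12:57:29 Container: "(null)" Flags: (0x0)
03/09 12:57:30 C_Initialize() failed: 0x32 (50)
03/09 12:57:30 -CPAcquireContext() - finished: FALSE (0x80090020)
'''

# Standard PKCS#11 and Windows CryptoAPI return codes (subset only).
CKR = {0x00: "CKR_OK", 0x05: "CKR_GENERAL_ERROR", 0x06: "CKR_FUNCTION_FAILED",
       0x30: "CKR_DEVICE_ERROR", 0x32: "CKR_DEVICE_REMOVED",
       0xE0: "CKR_TOKEN_NOT_PRESENT"}
NTE = {0x80090016: "NTE_BAD_KEYSET", 0x8009001D: "NTE_PROVIDER_DLL_FAIL",
       0x80090020: "NTE_FAIL"}

STAMPED = re.compile(r"^\d\d/\d\d (\d\d:\d\d:\d\d) (.*)$")
P11_FAIL = re.compile(r"(C_\w+)\(\) failed: 0x([0-9A-Fa-f]+)")
CSP_EXIT = re.compile(r"-(CP\w+)\(\) - finished: (TRUE|FALSE) \(0x([0-9A-Fa-f]+)\)")
EXE = re.compile(r'Executable: "([^"]+)"')

def code_name(table, code):
    return table.get(code, "unknown (0x%X)" % code)

def failed_calls(log_text):
    """Return one record per CSP entry point that finished FALSE."""
    records, exe, p11 = [], None, []
    for line in log_text.splitlines():
        m = STAMPED.match(line.strip())
        if not m:
            continue
        when, msg = m.groups()
        if msg.startswith("+CP"):            # new CSP call: reset per-call state
            exe, p11 = None, []
        elif (e := EXE.match(msg)):          # process that loaded the CSP DLL
            exe = ntpath.basename(e.group(1))
        elif (f := P11_FAIL.match(msg)):     # PKCS#11 failure inside this call
            p11.append((f.group(1), code_name(CKR, int(f.group(2), 16))))
        elif (x := CSP_EXIT.match(msg)) and x.group(2) == "FALSE":
            records.append({"time": when, "process": exe, "csp_call": x.group(1),
                            "csp_error": code_name(NTE, int(x.group(3), 16)),
                            "pkcs11_failures": p11})
    return records

if __name__ == "__main__":
    for record in failed_calls(SAMPLE_LOG):
        print(record)
```

On the sample, the generic NTE_FAIL from CPAcquireContext is traced to C_Initialize returning CKR_DEVICE_REMOVED, which fits the suggestion in the reply that the module does not see a reader inside the Citrix session.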


