On 5/26/2011 10:02 AM, HOURY William wrote: > The kb909520 was already installed and i'm not using roaming profile :(....
OK. I installed OpenSC-12.1 on my XP box, made sure the certificate was not registered rebooted, and was able to login using a PIV card to AD. (But I don't think this has anything to do with the different cards.) The cert does show up in the cert store as expected. So I am not seeing your problem. No roaming profiles either. > > I have recompiled the minidriver and activated the debugs logs in case it > brings some interesting info. I put them attached. > That should be helpful. As expected the code path is different. In the OK case, these never change, as a single context can be used. pCardData->hSCardCtx:0xCD010002 hScard:0xEA010001 In the KO case, after reading the serial number, at line 137 a CardDeleteContext is done, and the Opens SC context is released. (I assume this means because it did not find the cert in the cert store.) But at line 144, the same process and thread does a CardReadFile and a new OpenSC context has to be done. The cardcf returned is then all zero, indicating we may have missed something here. But it goes on, and does 2 sign operations against the card, then at line 291 CardDeauthenticateuser and appears to be done. With your log file, was it set to be writable by everyone? If not we could be missing some data in the log. Maybe someone else in OpenSC can see something? > Thanks for your help. > > William > > -----Message d'origine----- > De : Douglas E. Engert [mailto:deeng...@anl.gov] > Envoyé : jeudi 26 mai 2011 16:34 > À : HOURY William > Cc : opensc-devel@lists.opensc-project.org > Objet : Re: [opensc-devel] First Smartcard logon issue on XP SP3 with OpenSC > 12.1 > > > > On 5/26/2011 3:07 AM, HOURY William wrote: >> >> Is this a login to AD, or just to the XP machine locally? >> ==> This is a login to AD >> >> It may have to do with the CA certificates. Did you add the CA cert >> to the machine before hand? >> ==> the machine is part of the domain, yes the CA cert is in the IE store >> >> You say it is the first login after the card was "personalized". If you use >> a working card on a machine that has never seen that card, does it work? >> i.e. is this a card first time issue or an issue using a working card on a >> new system? >> ==> It is an issue using a working card on a new system >> >> You say you have to reboot. If you don't I assume it does not work >> until you do. >> ==> correct >> >> If you get a failure, but before rebooting, can you login using a password >> and look at the certstore using certutil or Control Panel->Internet >> Options->Content->Certificates >> and see if the cert for the card is listed under personal? >> ==> Yes the cert is there (valid& trusted) >> >> If you were to use the certutil or Control Panel->Internet >> Options->Content->Certificates >> and delete the certificate out of the Personal list (certutil calls this"My") >> can you login? What if you do the same, then reboot? >> ==> if I remove the cert& logoff, I still cannot logon >> If I remove the cert& reboot, I can logon > > What it sounds like, is the GINA opens the cert store and does not find the > cert. > When the other process reads the cert from the card, it adds the cert to the > store > but the GINA's cache version does not see it. So when the GINA is give > control again > the cert is not there. Only after reboot does the store get back in sync. > > This may or may not fix the problem, but see if it is on your system: > http://support.microsoft.com/kb/909520 > > The user's personal store is in the user's profile, are you using roaming > profiles? > > See these, as there are some issues. > http://technet.microsoft.com/en-us/library/cc700806.aspx > http://technet.microsoft.com/en-us/library/cc700823.aspx > http://technet.microsoft.com/en-us/library/cc700848.aspx > > I don't have a good XP test system, it has too many other smart card software > installed. > >> >> >> Is this only an XP problem? Do you have Vista or W7 to try this on? >> ==> I don't have the issue with a 2008 Server; I don't have a vista or W7 >> >> Thanks >> >> William >> >> -----Message d'origine----- >> De : opensc-devel-boun...@lists.opensc-project.org >> [mailto:opensc-devel-boun...@lists.opensc-project.org] De la part de Douglas >> E. Engert >> Envoyé : mercredi 25 mai 2011 18:00 >> À : opensc-devel@lists.opensc-project.org >> Objet : Re: [opensc-devel] First Smartcard logon issue on XP SP3 with OpenSC >> 12.1 >> >> >> >> On 5/25/2011 4:30 AM, HOURY William wrote: >>> Hi all, >>> >>> I'm experiencing a strange issue when trying to perform a smartcard logon >>> for the 1st time (just after the card perso) on a XP SP3 with OpenSC 12.1 >>> and an Athena ASEPCOS Smartcard logon card. >>> >>> Scenario: >>> - The card is personalized on another PC >>> - The XP SP3 PC is started and is at the Gina level, OpenSC 12.1 is well >>> installed and the minidriver well configured >>> - When trying to logon with the just personalized card, I always get a >>> "signature not valid" error in the event log >>> - If I reboot the PC, I can perform my smartcard logon without any issue, >>> and it will never fail again. >> >> Is this a login to AD, or just to the XP machine locally? >> >> I suspect that it has something to do with the cert store, the first time >> a card is used on a particular machine. >> >> It may have to do with the CA certificates. Did you add the CA cert >> to the machine before hand? >> >> You say it is the first login after the card was "personalized". If you >> use a working card on a machine that has never seen that card, >> does it work? i.e. is this a card first time issue or an issue using >> a working card on a new system? >> >> You say you have to reboot. If you don't I assume it does not work >> until you do. >> >> If you get a failure, but before rebooting, can you login using a password >> and look at the certstore using certutil or Control Panel->Internet >> Options->Content->Certificates >> and see if the cert for the card is listed under personal? >> If not, then reboot, login with password and look again? >> >> If you were to use the certutil or Control Panel->Internet >> Options->Content->Certificates >> and delete the certificate out of the Personal list (certutil calls this"My") >> can you login? What if you do the same, then reboot? >> >> Is this only an XP problem? Do you have Vista or W7 to try this on? >> >>> >>> I put attached 2 logs: one (opensc-debug-XPSP3-logonKO.log) when the >>> smartcard logon is failing just after the card perso; and another one >>> (opensc-debug-XPSP3-logonOK.log) when the smartcard logon works well just >>> after the reboot of the PC. >>> >>> I can provide more info if needed. >>> >>> Thanks for your help, >>> >>> William >>> ________________________________ >>> >>> >>> Ce message et les pièces jointes sont confidentiels et réservés à l'usage >>> exclusif de ses destinataires. Il peut également être protégé par le secret >>> professionnel. Si vous recevez ce message par erreur, merci d'en avertir >>> immédiatement l'expéditeur et de le détruire. L'intégrité du message ne >>> pouvant être assurée sur Internet, la responsabilité du groupe Atos Origin >>> ne pourra être recherchée quant au contenu de ce message. Bien que les >>> meilleurs efforts soient faits pour maintenir cette transmission exempte de >>> tout virus, l'expéditeur ne donne aucune garantie à cet égard et sa >>> responsabilité ne saurait être recherchée pour tout dommage résultant d'un >>> virus transmis. >>> >>> This e-mail and the documents attached are confidential and intended solely >>> for the addressee; it may also be privileged. If you receive this e-mail in >>> error, please notify the sender immediately and destroy it. As its >>> integrity cannot be secured on the Internet, the Atos Origin group >>> liability cannot be triggered for the message content. Although the sender >>> endeavours to maintain a computer virus-free network, the sender does not >>> warrant that this transmission is virus-free and will not be liable for any >>> damages resulting from any virus transmitted. >>> >>> >>> >>> _______________________________________________ >>> opensc-devel mailing list >>> opensc-devel@lists.opensc-project.org >>> http://www.opensc-project.org/mailman/listinfo/opensc-devel >> > -- Douglas E. Engert <deeng...@anl.gov> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 _______________________________________________ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
