On 26/05/2011 20:14, Douglas E. Engert wrote:
>
> On 5/26/2011 10:02 AM, HOURY William wrote:
>> The kb909520 was already installed and I'm not using roaming profile :(....
> OK. I installed OpenSC-12.1 on my XP box, made sure the certificate was not
> registered
> rebooted, and was able to login using a PIV card to AD. (But I don't think
> this has anything to do with the different cards.) The cert does show up
> in the cert store as expected. So I am not seeing your problem. No roaming
> profiles either.
>
>> I have recompiled the minidriver and activated the debug logs in case it
>> brings some interesting info. I put them attached.
>>
> That should be helpful. As expected the code path is different.
> In the OK case, these never change, as a single context can be used.
> pCardData->hSCardCtx:0xCD010002 hScard:0xEA010001
>
> In the KO case, after reading the serial number,
> at line 137 a CardDeleteContext is done,
> and the OpenSC context is released. (I assume this means because it did
> not find the cert in the cert store.)
>
> But at line 144, the same process and thread does a CardReadFile
> and a new OpenSC context has to be done. The cardcf returned is then
> all zero, indicating we may have missed something here.
>
> But it goes on, and does 2 sign operations against the card, then
> at line 291 CardDeauthenticateuser and appears to be done.
>
> With your log file, was it set to be writable by everyone?
> If not we could be missing some data in the log.
>
> Maybe someone else in OpenSC can see something?

I'm also actually looking into these logs and it seems strange that after
releasing the context it starts to read the cardcf. In any case the 'zero'
cardcf can be disturbing for BaseCSP. Actually the cardcf is emulated by
rand() or get_challenge(). Probably it would be better to implement the
'hard' cardcf and to read it every time from the card. The same, probably,
for the other minidriver/CSP specific files. As far as I know the cards of
different producers have the minidriver dedicated files that are not covered
by PKCS#15 descriptors. We can do it also like this or implement it like the
public 'DATA' objects.

Kind regards,
Viktor.

>> Thanks for your help.
>>
>> William
>>
>> -----Original Message-----
>> From: Douglas E. Engert [mailto:deeng...@anl.gov]
>> Sent: Thursday 26 May 2011 16:34
>> To: HOURY William
>> Cc: opensc-devel@lists.opensc-project.org
>> Subject: Re: [opensc-devel] First Smartcard logon issue on XP SP3 with OpenSC
>> 12.1
>>
>>
>>
>> On 5/26/2011 3:07 AM, HOURY William wrote:
>>> Is this a login to AD, or just to the XP machine locally?
>>> ==> This is a login to AD
>>>
>>> It may have to do with the CA certificates. Did you add the CA cert
>>> to the machine before hand?
>>> ==> the machine is part of the domain, yes the CA cert is in the IE store
>>>
>>> You say it is the first login after the card was "personalized". If you use
>>> a working card on a machine that has never seen that card, does it work?
>>> i.e. is this a card first time issue or an issue using a working card on a
>>> new system?
>>> ==> It is an issue using a working card on a new system
>>>
>>> You say you have to reboot. If you don't I assume it does not work
>>> until you do.
>>> ==> correct
>>>
>>> If you get a failure, but before rebooting, can you login using a password
>>> and look at the certstore using certutil or Control Panel->Internet
>>> Options->Content->Certificates
>>> and see if the cert for the card is listed under personal?
>>> ==> Yes the cert is there (valid & trusted)
>>>
>>> If you were to use the certutil or Control Panel->Internet
>>> Options->Content->Certificates
>>> and delete the certificate out of the Personal list (certutil calls
>>> this "My")
>>> can you login? What if you do the same, then reboot?
>>> ==> if I remove the cert & logoff, I still cannot logon
>>> If I remove the cert & reboot, I can logon
>> What it sounds like, is the GINA opens the cert store and does not find the
>> cert.
>> When the other process reads the cert from the card, it adds the cert to the
>> store
>> but the GINA's cached version does not see it. So when the GINA is given
>> control again
>> the cert is not there. Only after reboot does the store get back in sync.
>>
>> This may or may not fix the problem, but see if it is on your system:
>> http://support.microsoft.com/kb/909520
>>
>> The user's personal store is in the user's profile, are you using roaming
>> profiles?
>>
>> See these, as there are some issues.
>> http://technet.microsoft.com/en-us/library/cc700806.aspx
>> http://technet.microsoft.com/en-us/library/cc700823.aspx
>> http://technet.microsoft.com/en-us/library/cc700848.aspx
>>
>> I don't have a good XP test system, it has too much other smart card
>> software installed.
>>
>>>
>>> Is this only an XP problem? Do you have Vista or W7 to try this on?
>>> ==> I don't have the issue with a 2008 Server; I don't have a Vista or W7
>>>
>>> Thanks
>>>
>>> William
>>>
>>> -----Original Message-----
>>> From: opensc-devel-boun...@lists.opensc-project.org
>>> [mailto:opensc-devel-boun...@lists.opensc-project.org] On behalf of
>>> Douglas E. Engert
>>> Sent: Wednesday 25 May 2011 18:00
>>> To: opensc-devel@lists.opensc-project.org
>>> Subject: Re: [opensc-devel] First Smartcard logon issue on XP SP3 with
>>> OpenSC 12.1
>>>
>>>
>>>
>>> On 5/25/2011 4:30 AM, HOURY William wrote:
>>>> Hi all,
>>>>
>>>> I'm experiencing a strange issue when trying to perform a smartcard logon
>>>> for the 1st time (just after the card perso) on an XP SP3 with OpenSC 12.1
>>>> and an Athena ASEPCOS Smartcard logon card.
>>>>
>>>> Scenario:
>>>> - The card is personalized on another PC
>>>> - The XP SP3 PC is started and is at the Gina level, OpenSC 12.1 is well
>>>> installed and the minidriver well configured
>>>> - When trying to logon with the just personalized card, I always get a
>>>> "signature not valid" error in the event log
>>>> - If I reboot the PC, I can perform my smartcard logon without any issue,
>>>> and it will never fail again.
>>> Is this a login to AD, or just to the XP machine locally?
>>>
>>> I suspect that it has something to do with the cert store, the first time
>>> a card is used on a particular machine.
>>>
>>> It may have to do with the CA certificates. Did you add the CA cert
>>> to the machine before hand?
>>>
>>> You say it is the first login after the card was "personalized". If you
>>> use a working card on a machine that has never seen that card,
>>> does it work? i.e. is this a card first time issue or an issue using
>>> a working card on a new system?
>>>
>>> You say you have to reboot. If you don't I assume it does not work
>>> until you do.
>>>
>>> If you get a failure, but before rebooting, can you login using a password
>>> and look at the certstore using certutil or Control Panel->Internet
>>> Options->Content->Certificates
>>> and see if the cert for the card is listed under personal?
>>> If not, then reboot, login with password and look again?
>>>
>>> If you were to use the certutil or Control Panel->Internet
>>> Options->Content->Certificates
>>> and delete the certificate out of the Personal list (certutil calls
>>> this "My")
>>> can you login? What if you do the same, then reboot?
>>>
>>> Is this only an XP problem? Do you have Vista or W7 to try this on?
>>>
>>>> I put attached 2 logs: one (opensc-debug-XPSP3-logonKO.log) when the
>>>> smartcard logon is failing just after the card perso; and another one
>>>> (opensc-debug-XPSP3-logonOK.log) when the smartcard logon works well just
>>>> after the reboot of the PC.
>>>>
>>>> I can provide more info if needed.
>>>>
>>>> Thanks for your help,
>>>>
>>>> William
>>>> ________________________________
>>>>
>>>>
>>>> This e-mail and the documents attached are confidential and intended
>>>> solely for the addressee; it may also be privileged. If you receive this
>>>> e-mail in error, please notify the sender immediately and destroy it. As
>>>> its integrity cannot be secured on the Internet, the Atos Origin group
>>>> liability cannot be triggered for the message content. Although the sender
>>>> endeavours to maintain a computer virus-free network, the sender does not
>>>> warrant that this transmission is virus-free and will not be liable for
>>>> any damages resulting from any virus transmitted.
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> opensc-devel mailing list
>>>> opensc-devel@lists.opensc-project.org
>>>> http://www.opensc-project.org/mailman/listinfo/opensc-devel

-- 
Viktor Tarasov <viktor.tara...@opentrust.com>
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
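The cardcf that Douglas sees returned "all zero" in the KO log, and the "soft" (rand()/get_challenge()) versus "hard" (persisted on the card, re-read on every CardReadFile) implementations Viktor contrasts, are easier to reason about with the file's layout in front of you. The following is an added example and not OpenSC's minidriver code: it encodes and decodes the 6-byte cardcf as laid out in the Windows smart card minidriver specification (CARD_CACHE_FILE_FORMAT in cardmod.h: bVersion, bPinsFreshness, wContainersFreshness, wFilesFreshness, version byte 1, WORDs little-endian), shows why per-context random counters invalidate the host cache on every new context, and models the "hard" alternative with a hypothetical in-memory card image (card_t, card_read_cardcf, card_bump_cardcf are illustration names, not minidriver API). What the Base CSP actually does when handed an all-zero cardcf is not established in the thread; the decoder here simply rejects it because the version byte is wrong.

```c
#include <stdbool.h>
#include <stdint.h>

/* On-card layout of the 6-byte cardcf file (CARD_CACHE_FILE_FORMAT in the
 * minidriver spec): version, PIN freshness, then two little-endian WORD
 * counters for container and file freshness. Version is 1 in cardmod.h. */
#define CARDCF_SIZE    6
#define CARDCF_VERSION 1

typedef struct {
    uint8_t  version;
    uint8_t  pins_freshness;
    uint16_t containers_freshness;
    uint16_t files_freshness;
} cardcf_t;

void cardcf_encode(const cardcf_t *cf, uint8_t out[CARDCF_SIZE])
{
    out[0] = cf->version;
    out[1] = cf->pins_freshness;
    out[2] = (uint8_t)(cf->containers_freshness & 0xff);
    out[3] = (uint8_t)(cf->containers_freshness >> 8);
    out[4] = (uint8_t)(cf->files_freshness & 0xff);
    out[5] = (uint8_t)(cf->files_freshness >> 8);
}

/* Returns false when the blob does not carry the expected version byte,
 * which is exactly what the all-zero cardcf from the KO log looks like. */
bool cardcf_decode(const uint8_t in[CARDCF_SIZE], cardcf_t *cf)
{
    if (in[0] != CARDCF_VERSION)
        return false;
    cf->version              = in[0];
    cf->pins_freshness       = in[1];
    cf->containers_freshness = (uint16_t)(in[2] | ((uint16_t)in[3] << 8));
    cf->files_freshness      = (uint16_t)(in[4] | ((uint16_t)in[5] << 8));
    return true;
}

/* Host-side comparison between the cardcf the CSP cached earlier and the
 * one it just read: any difference means cached containers/files must be
 * thrown away and fetched from the card again. */
bool cardcf_cache_valid(const cardcf_t *cached, const cardcf_t *on_card)
{
    return cached->version == on_card->version &&
           cached->pins_freshness == on_card->pins_freshness &&
           cached->containers_freshness == on_card->containers_freshness &&
           cached->files_freshness == on_card->files_freshness;
}

/* "Soft" cardcf: counters derived from a per-context random value, the
 * rand()/get_challenge() emulation the thread describes. The 4-byte
 * challenge is passed in so the result is reproducible here (a real driver
 * would obtain it from the card). Two contexts give two unrelated values,
 * so the host cache is invalidated every time a new context is created. */
void cardcf_soft(const uint8_t challenge[4], cardcf_t *cf)
{
    cf->version              = CARDCF_VERSION;
    cf->pins_freshness       = 0;
    cf->containers_freshness = (uint16_t)(challenge[0] | ((uint16_t)challenge[1] << 8));
    cf->files_freshness      = (uint16_t)(challenge[2] | ((uint16_t)challenge[3] << 8));
}

/* "Hard" cardcf: a persistent copy that lives on the card and is re-read on
 * every CardReadFile. The card is a hypothetical in-memory image. */
typedef struct {
    uint8_t cardcf_ef[CARDCF_SIZE];  /* stands in for the on-card EF */
} card_t;

void card_init(card_t *card)
{
    cardcf_t cf = { CARDCF_VERSION, 0, 0, 0 };
    cardcf_encode(&cf, card->cardcf_ef);
}

/* What a CardReadFile of "cardcf" does in the hard model: read the EF. */
bool card_read_cardcf(const card_t *card, cardcf_t *cf)
{
    return cardcf_decode(card->cardcf_ef, cf);
}

/* Called after a write that changed container or file state on the card;
 * only the counters that changed are bumped, so unrelated caches survive. */
bool card_bump_cardcf(card_t *card, bool containers_changed, bool files_changed)
{
    cardcf_t cf;
    if (!cardcf_decode(card->cardcf_ef, &cf))
        return false;
    if (containers_changed)
        cf.containers_freshness++;
    if (files_changed)
        cf.files_freshness++;
    cardcf_encode(&cf, card->cardcf_ef);
    return true;
}
```

With the hard model two reads from different contexts return the same counters, so the host cache stays valid until something on the card actually changes; with the soft model every new OpenSC context hands the CSP a different cardcf, which is the behaviour the thread's KO log makes suspicious.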