Could this be a timeout issue? The key HKLM\Software\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider has a TransactionTimeoutMilliseconds = 0x5DC, or 1.5 seconds. Not sure how this is used...
On 5/26/2011 10:02 AM, HOURY William wrote:
> The kb909520 was already installed and I'm not using a roaming profile :(....
>
> I have recompiled the minidriver and activated the debug logs in case it
> brings some interesting info. I put them attached.
>
> Thanks for your help.
>
> William
>
> -----Original message-----
> From: Douglas E. Engert [mailto:deeng...@anl.gov]
> Sent: Thursday, 26 May 2011 16:34
> To: HOURY William
> Cc: opensc-devel@lists.opensc-project.org
> Subject: Re: [opensc-devel] First Smartcard logon issue on XP SP3 with OpenSC 12.1
>
>
>
> On 5/26/2011 3:07 AM, HOURY William wrote:
>>
>> Is this a login to AD, or just to the XP machine locally?
>> ==> This is a login to AD
>>
>> It may have to do with the CA certificates. Did you add the CA cert
>> to the machine beforehand?
>> ==> the machine is part of the domain, yes the CA cert is in the IE store
>>
>> You say it is the first login after the card was "personalized". If you use
>> a working card on a machine that has never seen that card, does it work?
>> i.e. is this a card first-time issue or an issue using a working card on a
>> new system?
>> ==> It is an issue using a working card on a new system
>>
>> You say you have to reboot. If you don't, I assume it does not work
>> until you do.
>> ==> correct
>>
>> If you get a failure, but before rebooting, can you login using a password
>> and look at the cert store using certutil or Control Panel->Internet
>> Options->Content->Certificates
>> and see if the cert for the card is listed under Personal?
>> ==> Yes the cert is there (valid & trusted)
>>
>> If you were to use certutil or Control Panel->Internet
>> Options->Content->Certificates
>> and delete the certificate out of the Personal list (certutil calls this "My"),
>> can you login? What if you do the same, then reboot?
>> ==> if I remove the cert & logoff, I still cannot logon
>> If I remove the cert & reboot, I can logon
>
> What it sounds like is that the GINA opens the cert store and does not find the
> cert. When the other process reads the cert from the card, it adds the cert to
> the store, but the GINA's cached version does not see it. So when the GINA is
> given control again the cert is not there. Only after reboot does the store get
> back in sync.
>
> This may or may not fix the problem, but see if it is on your system:
> http://support.microsoft.com/kb/909520
>
> The user's personal store is in the user's profile; are you using roaming
> profiles?
>
> See these, as there are some issues.
> http://technet.microsoft.com/en-us/library/cc700806.aspx
> http://technet.microsoft.com/en-us/library/cc700823.aspx
> http://technet.microsoft.com/en-us/library/cc700848.aspx
>
> I don't have a good XP test system; it has too much other smart card software
> installed.
>
>>
>>
>> Is this only an XP problem? Do you have Vista or W7 to try this on?
>> ==> I don't have the issue with a 2008 Server; I don't have a Vista or W7
>>
>> Thanks
>>
>> William
>>
>> -----Original message-----
>> From: opensc-devel-boun...@lists.opensc-project.org
>> [mailto:opensc-devel-boun...@lists.opensc-project.org] On behalf of Douglas
>> E. Engert
>> Sent: Wednesday, 25 May 2011 18:00
>> To: opensc-devel@lists.opensc-project.org
>> Subject: Re: [opensc-devel] First Smartcard logon issue on XP SP3 with OpenSC 12.1
>>
>>
>>
>> On 5/25/2011 4:30 AM, HOURY William wrote:
>>> Hi all,
>>>
>>> I'm experiencing a strange issue when trying to perform a smartcard logon
>>> for the 1st time (just after the card perso) on an XP SP3 with OpenSC 12.1
>>> and an Athena ASEPCOS Smartcard logon card.
>>>
>>> Scenario:
>>> - The card is personalized on another PC
>>> - The XP SP3 PC is started and is at the GINA level, OpenSC 12.1 is well
>>>   installed and the minidriver well configured
>>> - When trying to logon with the just personalized card, I always get a
>>>   "signature not valid" error in the event log
>>> - If I reboot the PC, I can perform my smartcard logon without any issue,
>>>   and it will never fail again.
>>
>> Is this a login to AD, or just to the XP machine locally?
>>
>> I suspect that it has something to do with the cert store, the first time
>> a card is used on a particular machine.
>>
>> It may have to do with the CA certificates. Did you add the CA cert
>> to the machine beforehand?
>>
>> You say it is the first login after the card was "personalized". If you
>> use a working card on a machine that has never seen that card,
>> does it work? i.e. is this a card first-time issue or an issue using
>> a working card on a new system?
>>
>> You say you have to reboot. If you don't, I assume it does not work
>> until you do.
>>
>> If you get a failure, but before rebooting, can you login using a password
>> and look at the cert store using certutil or Control Panel->Internet
>> Options->Content->Certificates
>> and see if the cert for the card is listed under Personal?
>> If not, then reboot, login with password and look again?
>>
>> If you were to use certutil or Control Panel->Internet
>> Options->Content->Certificates
>> and delete the certificate out of the Personal list (certutil calls this "My"),
>> can you login? What if you do the same, then reboot?
>>
>> Is this only an XP problem? Do you have Vista or W7 to try this on?
>>
>>>
>>> I put attached 2 logs: one (opensc-debug-XPSP3-logonKO.log) when the
>>> smartcard logon is failing just after the card perso; and another one
>>> (opensc-debug-XPSP3-logonOK.log) when the smartcard logon works well just
>>> after the reboot of the PC.
>>>
>>> I can provide more info if needed.
>>>
>>> Thanks for your help,
>>>
>>> William
>>> ________________________________
>>>
>>> This e-mail and the documents attached are confidential and intended solely
>>> for the addressee; it may also be privileged. If you receive this e-mail in
>>> error, please notify the sender immediately and destroy it. As its
>>> integrity cannot be secured on the Internet, the Atos Origin group
>>> liability cannot be triggered for the message content. Although the sender
>>> endeavours to maintain a computer virus-free network, the sender does not
>>> warrant that this transmission is virus-free and will not be liable for any
>>> damages resulting from any virus transmitted.
>>>
>>>
>>>
>>> _______________________________________________
>>> opensc-devel mailing list
>>> opensc-devel@lists.opensc-project.org
>>> http://www.opensc-project.org/mailman/listinfo/opensc-devel
>>
>

-- 
Douglas E. Engert <deeng...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
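A script that performs the two checks raised in this thread, reading the TransactionTimeoutMilliseconds value under the Base Smart Card Crypto Provider key and verifying whether a Smart Card Logon certificate is present in the user's Personal ("My") store with a chain that currently validates. This is an added example, not code from the thread or from OpenSC; it assumes PowerShell with the Cert: drive, the registry key quoted in the message above, and the Smart Card Logon EKU OID 1.3.6.1.4.1.311.20.2.2.

```powershell
# Added example (not from the thread). Assumes PowerShell with the Cert: drive
# and the registry key quoted in the message; run as the user whose logon fails.
$providerKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider'
$smartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon EKU OID

function Get-SmartCardTransactionTimeout {
    # Returns TransactionTimeoutMilliseconds (0x5DC = 1500 ms in the message) or $null if unset.
    $item = Get-ItemProperty -Path $providerKey -ErrorAction SilentlyContinue
    if ($item -and $item.PSObject.Properties['TransactionTimeoutMilliseconds']) {
        return [int]$item.TransactionTimeoutMilliseconds
    }
    return $null
}

function Test-HasSmartCardLogonEku($cert) {
    # True when the certificate carries the Smart Card Logon EKU.
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $smartCardLogonEku) { return $true }
            }
        }
    }
    return $false
}

function Test-SmartCardLogonCert {
    # The manual check from the thread, scripted: is a logon cert in the user's
    # Personal ("My") store, and does it chain to a trusted CA right now?
    $certs = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object { Test-HasSmartCardLogonEku $_ })
    if ($certs.Count -eq 0) {
        Write-Host 'No Smart Card Logon certificate in CurrentUser\My (the state seen before the reboot).'
        return $false
    }
    $allValid = $true
    foreach ($c in $certs) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $built = $chain.Build($c)
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        Write-Host ('{0}  thumbprint={1}  chainOK={2}  status={3}' -f $c.Subject, $c.Thumbprint, $built, $status)
        if (-not $built) { $allValid = $false }
    }
    return $allValid
}

$timeout = Get-SmartCardTransactionTimeout
if ($timeout -ne $null) { Write-Host "TransactionTimeoutMilliseconds = $timeout ms" }
else { Write-Host 'TransactionTimeoutMilliseconds is not set' }
$null = Test-SmartCardLogonCert
```

Run it once after the failed logon (before rebooting) and once after the reboot; a difference in the store contents or chain status between the two runs matches the cache-out-of-sync explanation given above.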