Hi Douglas,

I tried this fix but it does not work :(
I will also test the one from Viktor and will send new logs.

Thanks!

William

-----Original Message-----
From: Douglas E. Engert [mailto:deeng...@anl.gov]
Sent: Friday, May 27, 2011 21:52
To: HOURY William
Cc: opensc-devel@lists.opensc-project.org
Subject: Re: [opensc-devel] First Smartcard logon issue on XP SP3 with OpenSC 12.1

Try the attached fix. I tried it in XP with a 16 byte serial and it works,
it should work with a shorter serial number too, and fill in the trailing nulls
with 08090c0d...

Note it also has the low level debugging turned on.

On 5/27/2011 7:30 AM, HOURY William wrote:
> I tried to play with this value but it still fails...
>
> If I put a too big value like 50sec, it will hang and I will not even get an
> error message...
>
> Thks
>
> William
>
> -----Original Message-----
> From: Douglas E. Engert [mailto:deeng...@anl.gov]
> Sent: Thursday, May 26, 2011 21:35
> To: HOURY William
> Cc: opensc-devel@lists.opensc-project.org
> Subject: Re: [opensc-devel] First Smartcard logon issue on XP SP3 with OpenSC 12.1
>
> Could this be a timeout issue?
> The HKLM\Software\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider
> has a TransactionTimeoutMilliseconds = 0x5DC or 1.5 seconds
> Not sure how this is used...
>
> On 5/26/2011 10:02 AM, HOURY William wrote:
>> The kb909520 was already installed and I'm not using roaming profile :(....
>>
>> I have recompiled the minidriver and activated the debugs logs in case it
>> brings some interesting info. I put them attached.
>>
>> Thanks for your help.
>>
>> William
>>
>> -----Original Message-----
>> From: Douglas E. Engert [mailto:deeng...@anl.gov]
>> Sent: Thursday, May 26, 2011 16:34
>> To: HOURY William
>> Cc: opensc-devel@lists.opensc-project.org
>> Subject: Re: [opensc-devel] First Smartcard logon issue on XP SP3 with OpenSC 12.1
>>
>>
>>
>> On 5/26/2011 3:07 AM, HOURY William wrote:
>>>
>>> Is this a login to AD, or just to the XP machine locally?
>>> ==> This is a login to AD
>>>
>>> It may have to do with the CA certificates. Did you add the CA cert
>>> to the machine beforehand?
>>> ==> the machine is part of the domain, yes the CA cert is in the IE store
>>>
>>> You say it is the first login after the card was "personalized". If you use
>>> a working card on a machine that has never seen that card, does it work?
>>> i.e. is this a card first time issue or an issue using a working card on a
>>> new system?
>>> ==> It is an issue using a working card on a new system
>>>
>>> You say you have to reboot. If you don't I assume it does not work
>>> until you do.
>>> ==> correct
>>>
>>> If you get a failure, but before rebooting, can you login using a password
>>> and look at the certstore using certutil or
>>> Control Panel->Internet Options->Content->Certificates
>>> and see if the cert for the card is listed under personal?
>>> ==> Yes the cert is there (valid & trusted)
>>>
>>> If you were to use the certutil or
>>> Control Panel->Internet Options->Content->Certificates
>>> and delete the certificate out of the Personal list (certutil calls this "My")
>>> can you login? What if you do the same, then reboot?
>>> ==> if I remove the cert & logoff, I still cannot logon
>>> If I remove the cert & reboot, I can logon
>>
>> What it sounds like, is the GINA opens the cert store and does not find the cert.
>> When the other process reads the cert from the card, it adds the cert to the store
>> but the GINA's cache version does not see it. So when the GINA is given control again
>> the cert is not there. Only after reboot does the store get back in sync.
>>
>> This may or may not fix the problem, but see if it is on your system:
>> http://support.microsoft.com/kb/909520
>>
>> The user's personal store is in the user's profile, are you using roaming profiles?
>>
>> See these, as there are some issues.
>> http://technet.microsoft.com/en-us/library/cc700806.aspx
>> http://technet.microsoft.com/en-us/library/cc700823.aspx
>> http://technet.microsoft.com/en-us/library/cc700848.aspx
>>
>> I don't have a good XP test system, it has too many other smart card
>> software installed.
>>
>>>
>>>
>>> Is this only an XP problem? Do you have Vista or W7 to try this on?
>>> ==> I don't have the issue with a 2008 Server; I don't have a Vista or W7
>>>
>>> Thanks
>>>
>>> William
>>>
>>> -----Original Message-----
>>> From: opensc-devel-boun...@lists.opensc-project.org [mailto:opensc-devel-boun...@lists.opensc-project.org] On Behalf Of Douglas E. Engert
>>> Sent: Wednesday, May 25, 2011 18:00
>>> To: opensc-devel@lists.opensc-project.org
>>> Subject: Re: [opensc-devel] First Smartcard logon issue on XP SP3 with OpenSC 12.1
>>>
>>>
>>>
>>> On 5/25/2011 4:30 AM, HOURY William wrote:
>>>> Hi all,
>>>>
>>>> I'm experiencing a strange issue when trying to perform a smartcard logon
>>>> for the 1st time (just after the card perso) on an XP SP3 with OpenSC 12.1
>>>> and an Athena ASEPCOS Smartcard logon card.
>>>>
>>>> Scenario:
>>>> - The card is personalized on another PC
>>>> - The XP SP3 PC is started and is at the Gina level, OpenSC 12.1 is well
>>>>   installed and the minidriver well configured
>>>> - When trying to logon with the just personalized card, I always get a
>>>>   "signature not valid" error in the event log
>>>> - If I reboot the PC, I can perform my smartcard logon without any issue,
>>>>   and it will never fail again.
>>>
>>> Is this a login to AD, or just to the XP machine locally?
>>>
>>> I suspect that it has something to do with the cert store, the first time
>>> a card is used on a particular machine.
>>>
>>> It may have to do with the CA certificates. Did you add the CA cert
>>> to the machine beforehand?
>>>
>>> You say it is the first login after the card was "personalized". If you
>>> use a working card on a machine that has never seen that card,
>>> does it work? i.e. is this a card first time issue or an issue using
>>> a working card on a new system?
>>>
>>> You say you have to reboot. If you don't I assume it does not work
>>> until you do.
>>>
>>> If you get a failure, but before rebooting, can you login using a password
>>> and look at the certstore using certutil or
>>> Control Panel->Internet Options->Content->Certificates
>>> and see if the cert for the card is listed under personal?
>>> If not, then reboot, login with password and look again?
>>>
>>> If you were to use the certutil or
>>> Control Panel->Internet Options->Content->Certificates
>>> and delete the certificate out of the Personal list (certutil calls this "My")
>>> can you login? What if you do the same, then reboot?
>>>
>>> Is this only an XP problem? Do you have Vista or W7 to try this on?
>>>
>>>>
>>>> I put attached 2 logs: one (opensc-debug-XPSP3-logonKO.log) when the
>>>> smartcard logon is failing just after the card perso; and another one
>>>> (opensc-debug-XPSP3-logonOK.log) when the smartcard logon works well just
>>>> after the reboot of the PC.
>>>>
>>>> I can provide more info if needed.
>>>>
>>>> Thanks for your help,
>>>>
>>>> William
>>>> ________________________________
>>>>
>>>> This e-mail and the documents attached are confidential and intended
>>>> solely for the addressee; it may also be privileged. If you receive this
>>>> e-mail in error, please notify the sender immediately and destroy it. As
>>>> its integrity cannot be secured on the Internet, the Atos Origin group
>>>> liability cannot be triggered for the message content. Although the sender
>>>> endeavours to maintain a computer virus-free network, the sender does not
>>>> warrant that this transmission is virus-free and will not be liable for
>>>> any damages resulting from any virus transmitted.
>>>>
>>>> _______________________________________________
>>>> opensc-devel mailing list
>>>> opensc-devel@lists.opensc-project.org
>>>> http://www.opensc-project.org/mailman/listinfo/opensc-devel
>>>
>>
>

--
Douglas E. Engert <deeng...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444