I have a problem with smart card logon on a Metaframe 3.0 server.
The same problem also occurs if I try to use Remote Desktop Connection
from the windows client. So, I think it is not strictly related to
Citrix.
I'm using GemSafe 16K cards, and my reader is a GemPlus GemPC 430
(USB).
I installed on the Metaframe server (which is a Win 2003 server,
standard edition) the GemSafe Logon software, which includes the CSP
for the kind of smart card that I'm using.
I installed a user logon certificate on the smart card, following the
standard procedure described by Microsoft (Article ID 257480), and I
could make a local logon on the server with the smart card.
Then, I tried to make a remote login from ICA clients 8.0 running on:
- Windows 2000 Professional (with drivers for the smart card reader
installed)
- Linux (with pcsc-lite package installed, and drivers for the smart
card reader)
In both cases, the smart card seems to be correctly detected by the
server, because the login interface asks me for the PIN when I insert
the card into the reader.
But, after the PIN insertion, the logon stops with an error,
indicating to look at the server Event Log for details.
In the Event Log there is this entry:
- Source: Smart Card Logon
- ID: 5
- Description: An error occurred while retrieving a digital
certificate from the inserted smart card. An internal error occurred.
Do you have any hints to solve it?
Thank you
--
Pier
--
Svyatoslav Pidgorny, MVP, MCSE
-= F1 is the key =-
"anonymous" <anon...@discussions.microsoft.com> wrote in message
news:549CC059-5589-4BD5...@microsoft.com...
I'm not familiar with GemSafe software yet, but I have two questions:
1. Have you installed GemSafe on the client PC and can you do smart card
logon to the domain from it?
2. For remote desktop connectivity, I only need the same CSP on the client and
server - and nothing more. Is GemSafe Logon more than just the CSP? If it
replaces GINA, for example, there could be problems.
--
Svyatoslav Pidgorny, MVP, MCSE
-= F1 is the key =-
"Pier Paolo Glave" <gl...@inwind.it> wrote in message
news:f038c9d7.05022...@posting.google.com...
> 1. Have you installed GemSafe on the client PC and can you do smart card
> logon to the domain from it?
Yes, GemSafe is installed on the client as well (at least on the
Windows client - on the Linux client this is not applicable).
I actually was not able to do smart card logon to the domain from the
Windows client, but I got a different error: something like "The root
authority certificate is not trusted". I believe this is a different
problem, and that is however better than the "remote" case, in which I
think that the smart card is not even accessed (because the same error
occurs if I type the wrong PIN, in the remote case).
> 2. For remote desktop connectivity, I only need same CSP on the client and
> server - and nothing more. Is GemSafe Logon more tham just the CSP? If it
> replaces GINA, for example, there could be problems.
In effect, GemSafe Logon includes a GINA, but I'm not using it: I
actually use only the CSP and the PIN programming utilities.
But I found out that my release of GemSafe Logon, which is 2.0, is
based on a release of GemSafe Libraries (4.1) which is declared as
"not Citrix compliant" and "not Terminal Services compliant". Maybe
this can be the problem?
Thank you
Bye
--
Pier
Well, I can't actually provide a link on the web, since I just
received by mail the "readme" file for the newest version of GemSafe
Libraries.
Here it is, anyway.
Bye
--
Pier
GemSafe™ Libraries 4.2.0-015 : Gold Release

This document describes the limitations of GemSafe™ Libraries 4.2.0 and major improvements that have been made since the launch of its initial 4.1.i version.
Please read this document carefully for the most recent updates.

Improvements Since launch of GemSafe™ Libraries 4.1.i
-----------------------------------------------------
- Import / export certificate
- Remote unblock PIN (Help Desk tool not provided)
- Citrix compliant
- Terminal Services compliant
- Support GemXpresso GemSafe-IS smart card (Identrus keys only)
- Support GemXpresso GemSafe smart card with user PIN (for non Identrus keys) and Identrus PIN (for Identrus keys)
- VASCO reader support (driver not included)
- Support Windows XP SP2
- Japanese language supported

Limitations:
------------
Caution: Some non-standard installation path names are not supported and will disable the installation procedure.
• The configuration file (.gsl) is not compliant between the different GemSafe™ Libraries releases (Id 320)
• Uninstalling the reader drivers is not recommended
• GemSafe™ ToolBox does not support low Color Quality settings (i.e., less than 256 colors) for the display. (Id 134)
• The GemSafe™ ToolBox requires the use of the mouse (Id 135)
• In some situations, the function "erase all" does not erase every object on the card, and the amount of card memory space is less than expected. Likely proprietary objects occupy the used memory space. (Id 430)
• The configuration of the Unblock PIN remotely window (help desk information and phone number) is done in the HelpDesk.ini, which is found in the root of the default installation directory.
• The Weak PIN list on the Pin Policy tool is limited to 50 entries with PIN lengths of 16, and 100 entries with PIN lengths of 8. (Id 603)
• GemSafe™ Libraries supports a public or private Elementary File with a maximum size of 16384 bytes. (Id 601)
• There are limitations with the PKCS#11 signature mechanisms CKM_MD5_RSA_PKCS and CKM_SHA1_RSA_PKCS. The use of CKM_RSA_PKCS is recommended. (Id 604)
• Installation / Uninstallation limitations
- If during installation the CD is removed, the installation process will stop. You should therefore contact the Gemplus Hot line (Id 187)
- Installing the Administrator package and an End-user package on the same PC will not provide any additional features than those already offered with the installation of the Administrator package only. This kind of mixed configuration is not supported by GemSafe™ Libraries.
- After copying and pasting the contents of the EULA licence to a text editor the installation screen window will be empty but you can continue the installation as normal. (Id 124)
- If you have an issue installing GemSafe™ Libraries over top of a former GemSafe™ Libraries, please manually remove the old GemSafe™ Libraries before installing. (Id 446)
• Limitations using Windows 9x, Me & NT4 Operating Systems:
- During installation, the following InstallShield message occurs: "Files in Use". Click Ignore and continue the installation as normal. (Id 167)
- In the SmartDiag utility the error message "scardsvr.exe file is missing" may appear. If you receive this message you should execute the RegTool again after its first use in a new installation. (Id 170)
- After the installation of GemSafe™ Libraries, we recommend that you restart the program twice to allow the Registration Tool to detect the smart card. (Id 260)
- Smart cards personalized with the T=1 protocol are not supported on the 9x and NT4 operating systems. (Id 580)
• Limitations using VPN software
- Sometimes the PIN dialog box is displayed behind another application; use the ALT + TAB key to select this dialog box.
• "Registration Tool" limitations
- The reader must be connected before launching the RegTool (Id 297)
- With the smart card, if the user tries to use the "Force user to change his PIN" feature and the user PIN is blocked, the RegTool displays the Change PIN dialog box, even though the card is blocked. Click on the "Cancel" button. Use the ToolBox to unblock the PIN. (Id 272)
- If the Regtool is launched and active, erasing a certificate with the Certificate Tool will not be registered in the Regtool and the certificate icon is still present. In order to refresh the view, extract and re-insert your smart card. (Id 432)
• GemPCKey reader limitation
- We recommend that you insert the GemPCKey reader to start your PC
- We do not recommend you use the GemPCKey reader with Kerberos login when another card is already inserted. (Id 363)
• Limitations using Internet Explorer and Netscape
- If you export a certificate from a smart card, and the certificate has an associated key pair, the export process will fail using these programmes. Use the export function of the Certificate tool instead. (Id 412)

Behavior:
---------
• Kerberos Login behavior (under Windows 2000 and XP)
Depending on your Windows OS, entering the wrong PIN code during Kerberos Login (without the correct certificate on the smart card) could change the behavior of the PIN ratification counter. Furthermore, although the PIN code is systematically requested to launch a Kerberos login, it is not systematically presented to the smart card. WinLogon makes the preliminary verifications on the card, so that if a problem is detected, the Kerberos login will fail before the PIN is presented. (Id 110)
Note: When the incorrect PIN has been entered an ad hoc "Wrong PIN code" message is displayed.
• If the user PIN on your smart card is not initialized, the error "Your credentials could not be read" appears when trying Kerberos login. Use the manual Kerberos login procedure and change your user PIN with the GemSafe™ ToolBox software. (Id 165)
• The behavior of the CSP (Cryptographic System Provider) is different to GemSafe™ version 3.2.x during a certificate request. The CSP does not display any progress information during the request. This information should be provided by the API, which calls the CSP. (Id 214)
• Localization
- The words "Admin", "User" and "Identrus" are not localized, i.e. not translated. These are present in the list box of the PIN section in the PIN Management tool. In order to translate these words, you must modify the section on the policyname.ini file. (Id 505)
• Chip and card serial number
- By default, the PKCS#11 function C_GetTokenInfo returns the Card Serial Number instead of the Chip Serial Number. The administrator can configure GemSafe™ Libraries to return the Chip Serial Number. Please contact Gemplus for support. (Id 597)
--
Svyatoslav Pidgorny, MVP, MCSE
-= F1 is the key =-
"Pier Paolo Glave" <gl...@inwind.it> wrote in message
news:f038c9d7.05022...@posting.google.com...
> "S. Pidgorny <MVP>" <slav...@yahoo.com> wrote in message
> > Well, I guess, you have answered your own question. If the version of the
> > libraries is not Citrix-compatible, you better use one that is. However, I
> > find it strange: the CSP is abstracted from the logon screen, and there
> > shouldn't be compatibility issues, really. Can you provide the link to
> > Gemsafe doco that states Citrix incompatibility?
> >
>
> [quoted copy of Pier's earlier message and the GemSafe Libraries 4.2.0 readme, reproduced above]
I tried again, but this time I got a different error when logging from
ICA:
"The system could not log you on. The requested key container does not
exist on the smart card."
The same error occurs either if I type the right PIN or the wrong one.
What does it mean?
Thank you
Bye
--
Pier
"S. Pidgorny <MVP>" <slav...@yahoo.com> wrote in message news:<u#2oSfXHF...@TK2MSFTNGP14.phx.gbl>...
The statement below regarding USB tokens is incorrect. I have tested
Terminal Services with G&D Starkey USB token (using AET SafeSign CSP) and it
worked without any problems in all testing scenarios, including hot plugging
and using runas from within open terminal session.
Perhaps the problem takes place with iKey tokens but certainly doesn't apply
to all USB tokens.
Regards
Slav
Install the same version on the client and the server.
Reboot after installation.
Retry.
--
Svyatoslav Pidgorny, MVP, MCSE
-= F1 is the key =-
"Pier Paolo Glave" <gl...@inwind.it> wrote in message
news:f038c9d7.05030...@posting.google.com...
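Slav's last reply amounts to making sure the client and the Terminal Server / Citrix host carry the same CSP build for the same card. The script below is an added example, not code from the thread or from Gemplus: it assumes a Windows host with PowerShell, reads the standard Calais smart card registrations and the CSP provider entries they point at, and writes a per-machine report so the two outputs can be diffed (32-bit CSPs on a 64-bit host register under WOW6432Node, which this script does not read).

```powershell
# Added example (not from the thread or from Gemplus): inventory the
# card-to-CSP mappings that Winlogon and the RDP/ICA smart card redirection
# rely on, so the client and the Terminal Server host can be compared.
# Assumes Windows with PowerShell; run it on each machine and diff the CSVs.
function Get-SmartCardCspInventory {
    $calais    = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards'
    $providers = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider'

    foreach ($card in (Get-ChildItem -Path $calais -ErrorAction SilentlyContinue)) {
        $props   = Get-ItemProperty -Path $card.PSPath
        $cspName = $props.'Crypto Provider'      # CSP bound to this card's ATR
        $atr     = ''
        if ($props.ATR) {
            $atr = ($props.ATR | ForEach-Object { $_.ToString('X2') }) -join ''
        }

        # Resolve the DLL named in the provider registration; a bare file
        # name is relative to System32.
        $dll = $null
        if ($cspName) {
            $provKey = Join-Path -Path $providers -ChildPath $cspName
            $image   = (Get-ItemProperty -Path $provKey -ErrorAction SilentlyContinue).'Image Path'
            if ($image) {
                $dll = [Environment]::ExpandEnvironmentVariables($image)
                if (-not [IO.Path]::IsPathRooted($dll)) {
                    $dll = Join-Path -Path "$env:SystemRoot\System32" -ChildPath $dll
                }
            }
        }
        $version = 'MISSING'
        if ($dll -and (Test-Path -Path $dll)) {
            $version = (Get-Item -Path $dll).VersionInfo.FileVersion
        }

        [pscustomobject]@{
            Card    = $card.PSChildName
            ATR     = $atr
            CSP     = $cspName
            Dll     = $dll
            Version = $version   # a mismatch between the two machines is the first thing to fix
        }
    }
}

$report = Get-SmartCardCspInventory
$report | Format-Table -AutoSize
$report | Export-Csv -Path "$env:COMPUTERNAME-smartcard-csp.csv" -NoTypeInformation
```

A card whose ATR row is present on the server but absent on the client (or points at a different CSP version) is the mismatch the thread's advice is meant to rule out.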