Smart Card Tools and debugging
CertUtil (tool available on Windows Vista and in the Windows Server 2003 Admin Pack)
Listing Certificates available on the card:
Command to list the certificates available on the smart card: certutil -scinfo
Entering the PIN is not required for this operation. Pressing Escape at each PIN dialog works, since the objective is only to read the public certificates on the card.
Deleting Certificates on the card:
To delete a certificate on the card, you actually delete the container corresponding to that certificate; each certificate is enclosed in a container. The following command deletes a container (the last argument is the container name):
certutil -delkey -csp "Microsoft Base Smart Card Crypto Provider" "38f813f2-ec3b-4e96-ba19-38b830923be9"
Kerberos debugging and trace
The Kerberos Authentication in Windows portal (https://www.microsoft.com/kerberos) is a good place to start. There are two troubleshooting docs:
- Troubleshooting Kerberos Errors (https://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx)
- Troubleshooting Kerberos Delegation (https://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerbdel.mspx)
Smart Card Service (SCardSvr.exe on XP; hosted in SVCHost on Vista)
To restart the SCardSvr service, run the following commands from a Windows command prompt:
C:\> net stop SCardSvr
C:\> net start SCardSvr
To find out whether the Smart Card Service is running (the STATE field tells whether the service is running or stopped):
C:\>sc queryex scardsvr
SERVICE_NAME: scardsvr
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 1320
FLAGS :
C:\>
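An added example (not from the original post) that wraps the checks above in PowerShell: it tests for elevation before touching the service, since net stop/net start and Start-Service need an administrator prompt, reports the same STATE that sc queryex shows, restarts SCardSvr, and runs certutil -scinfo. The function names are hypothetical, and the line labels used to filter certutil output are an assumption about its typical format.

```powershell
# Added example (not from the original post). Assumes Windows PowerShell on a
# machine with certutil.exe present; the label regex used to filter certutil
# output is an assumption about its typical line labels.

function Test-IsElevated {
    # Stopping or starting a service needs an elevated (administrator) prompt;
    # without it, "net start SCardSvr" fails with "System error 5 ... Access is denied".
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-SmartCardServiceState {
    # Same information as the STATE field of "sc queryex scardsvr", as a string:
    # Running, Stopped, StartPending, ... or NotInstalled.
    $svc = Get-Service -Name 'SCardSvr' -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'NotInstalled' }
    return $svc.Status.ToString()
}

function Restart-SmartCardService {
    # Equivalent of "net stop SCardSvr" followed by "net start SCardSvr",
    # with the elevation check done up front and a bounded wait for RUNNING.
    if (-not (Test-IsElevated)) {
        throw 'Restarting SCardSvr requires an elevated prompt (run as administrator).'
    }
    $svc = Get-Service -Name 'SCardSvr' -ErrorAction Stop
    if ($svc.Status -eq 'Running') {
        Stop-Service -Name 'SCardSvr' -Force -ErrorAction Stop
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))
    }
    Start-Service -Name 'SCardSvr' -ErrorAction Stop
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
    return (Get-Service -Name 'SCardSvr').Status.ToString()
}

function Get-SmartCardInfoSummary {
    # Runs "certutil -scinfo" (no PIN needed for the public certificates; cancel
    # any PIN dialog) and keeps only the reader/card/certificate lines.
    # The label list below is an assumption about certutil's output format.
    $output = & certutil.exe -scinfo 2>&1 | ForEach-Object { $_.ToString() }
    return $output | Where-Object { $_ -match '^\s*(Reader|Card|Provider|Subject|Issuer|Serial Number|NotBefore|NotAfter|Template)' }
}

# Usage: report the state, restart only if needed, then list what is on the card.
"SCardSvr state: $(Get-SmartCardServiceState)"
if ((Get-SmartCardServiceState) -ne 'Running') { Restart-SmartCardService }
Get-SmartCardInfoSummary
```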
CAPI2 Diagnostics
CAPI2 Diagnostics is a feature in Microsoft® Windows® Vista and Microsoft® Windows® Server code name “Longhorn” which helps administrators with troubleshooting PKI problems. CAPI2 Diagnostics logs events in the Windows Event Log containing detailed information about certificate chain validation, certificate store operations and signature verification. This makes it easier to identify the root cause of problems and reduces the time required for diagnosis.
For more information on CAPI2 Diagnostics, refer to this whitepaper on "Trouble Shooting PKI problems on Windows Vista"
Comments
Anonymous
March 01, 2007
hi expert :-) I am trying to create a mini-driver for a virtual smart card (with the purpose of later on writing a real one). I implemented most of the cardmod.h stuff, added the card to the registry and created a manifest which resides along with the dll in windows\system32 (this is a Vista machine). Still, certutil can't find any smart card readers... any ideas what I am doing wrong? thanks - Yoav.
Anonymous
June 12, 2007
To locate readers, you need to write a Smart Card reader Driver API (winscard.h)
Anonymous
January 23, 2008
hello all! I'm developing a new card module for a smart card and I wonder if somebody could be so kind as to tell me the different function calls that are invoked in the following scenarios:
- enrollment
- signature creation
- asymmetric decryption
This information can be found in "the Smart Card Service Provider Cookbook" for the old architecture (XP and W2000) (http://msdn2.microsoft.com/en-us/library/ms953432.aspx). Is there anywhere some similar cookbook for the new architecture?
Anonymous
February 16, 2008
I bought IDVault. I have the smart card service running (verified using your instructions); however, when I try to insert the ID Vault it tells me the smart card service is not running. Any idea how to debug this? bruce@gotexitstrategy.com
Anonymous
January 03, 2009
Hi all, I was running a diagnostic on my laptop running Vista. It said that the Smart Card Resource Manager had been abnormally stopped. I tried running the command "net start SCardSvr" and got the error "System error 5 has occurred. Access is denied." Anyone have any clues? Thanks, Alex
Anonymous
February 03, 2009
I'm using our smartcards now with Cisco SSL VPN and going to have our users just authenticate with username credentials, but we'd like to block smartcards so that they can ONLY be used with VPN and not authenticate to Active Directory if they try to use the smart card to log in to their machine... any ideas? Thanks a million. Ian ian_fleming007@yahoo.com
Anonymous
September 29, 2009
To restart the smart card service I tried the above-mentioned commands but it's not working.... please help
Anonymous
November 09, 2009
I have developed a new logon module, called by Microsoft WinLogon, which will verify the fingerprint data stored in the smart card against a live sample captured from a fingerprint scanner. If verification is OK, it then uses the userid and password stored in the smart card to log on to the domain. I want to know whether the default Microsoft smart card service allows me to do the verification first before reading the userid and password from the smart card. Can anyone out there help me? Thanks, Chris.