
TPM-CSP Autoenrollment failing with 0x8010002e SCARD_E_NO_READERS_AVAILABLE

We're attempting to enroll for certificates using a TPM chip on a laptop - it fails when autoenrollment is involved but works when done manually via the MMC.

According to http://msdn.microsoft.com/en-us/library/bb905527.aspx on the Smart Card Resource Manager service:

“By default, the service is configured for manual mode. Smart card reader driver authors must configure the service to start automatically and call a predefined entry point in winscard.dll that will start the service. Using this method ensures that the service is enabled when it is needed but is also disabled for the vast majority of users that do not use smart cards.”

In other words, the Smart Card Resource Manager service is expected to be set to manual and not started on a system that has no smart card reader attached.

For manual enrollment using the MMC and a TPM CSP, you manually specify the storage location (the TPM chip) and the CSP to be used, so no enumeration of attached readers is required.

For autoenrollment, however, the enrollment code enumerates the list of readers and smart cards on the system, and this enumeration fails if the Smart Card Resource Manager service is stopped.

That is, the problem the customer was dealing with here was caused by the combination of the stopped SCRM (Smart Card Resource Manager) service and the TPM CSP registering itself as a smart card CSP.

After starting the SCRM service, autoenrollment worked normally (the alternative would be to obtain a TPM CSP that does not register itself as a smart card CSP).
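A quick diagnostic for the state described above, added here as an example and not part of the original post. It assumes the Windows service name `SCardSvr` for the Smart Card Resource Manager, and the values of the SCARD_E_* codes other than 0x8010002E are taken from winerror.h rather than from this post.

```powershell
# Added example, not from the original post. Assumed names (not on the page):
# the service name "SCardSvr" for the Smart Card Resource Manager, and the
# SCARD_E_* values other than 0x8010002E, which come from winerror.h.

$ScardErrors = @{
    '0x8010001D' = 'SCARD_E_NO_SERVICE: resource manager is not running'
    '0x8010001E' = 'SCARD_E_SERVICE_STOPPED: resource manager was shut down'
    '0x8010002E' = 'SCARD_E_NO_READERS_AVAILABLE: reader enumeration found no readers'
}

# Translate an autoenrollment failure code (hex literal or the signed decimal
# form seen in event logs) to its SCARD_E_* name.
function Get-ScardErrorName {
    param([Parameter(Mandatory)][long]$Code)
    # Mask to 32 bits so a negative Int32 such as -2146434002 maps to 0x8010002E.
    $key = '0x{0:X8}' -f ($Code -band [uint32]::MaxValue)
    if ($ScardErrors.ContainsKey($key)) { return $ScardErrors[$key] }
    return "unknown SCARD status $key"
}

# Report whether the resource manager is in the state the post describes
# (Manual start mode, Stopped) and optionally start it so that reader
# enumeration, and therefore TPM-CSP autoenrollment, can succeed.
function Test-ScardResourceManager {
    param([switch]$Start)
    $svc  = Get-Service -Name SCardSvr -ErrorAction Stop
    $mode = (Get-CimInstance Win32_Service -Filter "Name='SCardSvr'").StartMode

    [pscustomobject]@{
        Service                  = $svc.DisplayName
        Status                   = $svc.Status
        StartMode                = $mode
        TpmCspAutoenrollAtRisk   = ($svc.Status -ne 'Running')
    } | Format-List

    if ($svc.Status -ne 'Running') {
        Write-Warning ('Reader enumeration will fail with {0}' -f (Get-ScardErrorName 0x8010002E))
        if ($Start) {
            Start-Service -Name SCardSvr   # requires an elevated shell
            (Get-Service -Name SCardSvr).WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
            Write-Host 'SCardSvr started; retrigger autoenrollment with: certutil -pulse'
        }
    }
}

Test-ScardResourceManager -Start
```

Run it without `-Start` to only report the service state; `certutil -pulse` retriggers autoenrollment so the fix can be confirmed immediately.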

Key Storage Property Identifiers (Windows)

http://msdn.microsoft.com/en-us/library/windows/desktop/aa376242(v=vs.85).aspx