Smart Card Logon on Windows Vista

Differences in Vista

Smart card logon under Windows Vista has changed in several key aspects. The primary differences are highlighted below:

· Logon is no longer triggered to smart card insertion. Users are required to press Cntrl+Alt+Del (CAD) to start the logon process

· Valid certificates are enumerated and displayed from all smartcards and presented to the user.

· Keys are no longer restricted to being in the default container and certificates in different smart cards can be chosen

· The CSP is opened in the both the logonUI.exe and lsass.exe. The CSP is never loaded into the winlogon process.

· Multiple TS sessions are supported in a single process. Since Windows Vista is tightly integrated with Terminal Services to provide fast user switching, this fact should not be overlooked.

Certificate enumeration

When a smart card is inserted, the following steps are followed in order:

(Note: Unless otherwise mentioned, all operations are performed silently (CRYPT_SILENT is passed to CryptAcquireContext)

1. The Cryptographic Services Provider for that smart card is queried from the Smart card Resource Manager database.

2. A qualified container name is constructed using the reader name and is passed to the CSP. The format for that name is as follows: \\.\<Reader name>\

3. CryptAcquireContext is called to retrieve a context to the default container. A failure here would cause the smart card be unusable for smart card logon

4. The name of the container is retrieved by requesting the PP_CONTAINER parameter using CryptGetProvParam

5. Using the context acquired in 3 the CSP is queried for the PP_USER_CERTSTORE parameter, which was added in Vista (See Section on new CAPI properties for more information). On success, a certificate store is returned and program flow skips to step 8.

6. If 5. Fails, then the default container context (from 3) is queried for the AT_KEYEXCHANGE key.

7. The certificate is then queried from the key context using KP_CERTIFICATE. The certificate is added to an in memory certificate store.

8. For each certificate in the certificate store (Either from 5 or 7), the following checks are performed. These are the same requirements as in Windows 2003 but they are performed before the user enters their PIN. Many of these can be overridden using group policy settings:

a. The certificate must be valid based on the computer system clock. (Not expired or valid in the future)

b. The certificate must not be in the AT_SIGNATURE part of a container

c. The certificate must have a valid UPN.

d. The certificate must have the Digital Signature Key Usage

e. The certificate must have the smart card logon EKU

Certificates which meet the above are displayed to the user display the certificates Common Name in large text along with the certificates UPN (or email address or subject depending on presence of the extensions).

9. A certificate is then chosen and the PIN is entered.

10. LogonUI.exe packages up the information and sends the information to lsass.exe to process the logon attempt. See the section below for its usage there.

11. If successful, logonUI.exe is torn down causing the context acquired in 3 to be released.

New session management in Windows Vista

In order for smart card applications to work properly under Vista, the correct handling of sessions must be observed. The first user account gets session 1, the second gets session 2. Temporary sessions (used when the user chooses disconnect instead of log off) are also assigned a session number. Sessions last for the length of the user logon. On a reconnect (such as over TS or in a Fast User Switching (FUS) scenarios), the temporary session will be destroyed.

A key distinction is that a disconnected logon session is treated identically to a disconnected remote session. Also sessions can transfer between local and remote without requiring a process restart.

Winscard enforcement of session separation

By default, the smart card readers on the local machine are only available to the current active console. This is handled by restricting access to the smart card resource manager and is enforced by the winscard layer. Consider the following example:

1. User A logs in and is assigned a session of 1.

2. User A launches Application XYZ which monitors for smart card removal.

3. User A then locks the computer and presses the FUS button so others can use the computer.

4. A new session (2) is created which launches logonUI.exe.

5. At this point all smart card contexts acquire in session 1 are invalid due to the session change. Any use of the contexts will result in an error. These contexts should be closed.

6. Application XYZ receives the error SCARD_E_SYSTEM_CANCELLED from their SCardGetStatusChange call. Performs any actions based on this return.

7. Application XYZ then calls SCardAccessStartedEvent () and waits for the smart card resource manager to “start up” again.

8. User A returns to the computer and logs on and is reconnected to session 1.

9. The next two operations occur at the same time

a. All contexts associated with session 2 are invalidated in the same way as those contexts for session 1 where in Number 5.

b. The event from 7 is signaled and Application XYZ can call SCardEstablishContext to communicate with the smart card.

10. User A calls "run as /smartcard" when he is returned to the desktop

Smart card logon in the LSA using Kerberos

The operations performed in smart card logon are very similar to the ones performed in previous versions of Windows. The primary exception is that previously the smart card operations were done via a call back into winlogon. Now with the improved session handling in the Smart Card Resource Manager, CSP contexts are used directly in the LSA.

All CSP calls are made impersonating the caller. This means initial logon will under the system context but operations such as runas /smartcard will be performed under the context of the current user.

The majority of trouble in getting authentications will occur due to the session behavior. Also, the LSA does not reacquire the Context instead relying on the CSP to handle the session change. In the above example, step 8 would have caused a context to be acquired by Kerberos under a session 2 impersonation token (under system context). In Step 10, that same context would be reused but under a different impersonation token (the user token). This could cause trouble with some CSP implementations.

(thanks to Dan Sledz for information)

Comments

  • Anonymous
    July 22, 2007
    Hi Shivaram, Many thanks for this post, which has cleared up (or at least shed a different light on) a few things I have been struggling with during the past couple of weeks! Do you know if there is a way to switch on logging for smart card events in Vista?  I don't seem to be able to find any logging options in the Event Log (Applications and Services Logs / Microsoft / Windows / ...) nor in the auditpol.exe settings... Best regards,  Jan.

  • Anonymous
    August 08, 2007
    Look for Kerberos Tracing info in http://blogs.msdn.com/shivaram/archive/2007/02/26/smart-card-tools-and-debugging.aspx

  • Anonymous
    September 14, 2007
    Thanks Shivaram, but I didn't refer to smart card logon events, for which Kerberos and CAPI2 tracing is indeed very helpful. I really meant smart card events, such as the starting and stopping of the smart card resource manager in a particular session. The information (also in your whitepaper) is very scarce on the topic of how the smart card manager behaves when sessions are switched, despite the remark that session switching should not be overlooked.  I definitely don't want to overlook this (since it's causing a lot of headaches) but I need more information on the do's and don't's. E.g., when using smart card transactions, it's not uncommon to see smart card API calls get blocked when a session change occures, e.g. when the user typed the SAS.  This cannot be solved by using the SCardAccesStartedEvent(), which sometimes still indicates the SRM is up; nor by using SCardIsValidContext() which will block by itself.  The result is a hanging application, until the user withdraws the smart card. Hence, any information on the changes to the smart card environment in Vista would be greatly appreciated... Thanks,  Jan.

  • Anonymous
    September 27, 2007
    COULD PLEAES ARRAGES THAT WHEN I USE MY CARD COULD YOU PLEASE ARRAGES THAT I CAN REMOVE FROM THE CARD   BANK CASH A SUM OF NIL LESS THAN $1000 TO PAY CARD ONLY OR OTHER WAY ECT REVERT TO GLOBAL MATTERS FOR MENTIONED   ASK FOR LBR REVERT TO NOTES. CASH REQUIRED. FORM CAR WHEN WITH DRAWING. ECT CARD USE ECT . WILL PAY $ 150.000 TO COMPLEATE  AND $ 25.00 DOLLOURS WITH DRAW FROM CARD . TO SPEAK TO GLOBAL LBR.

  • Anonymous
    October 29, 2007
    There appears to be a problem with smartcard removal behavior on Vista, since regardless of the configration or type of logon (w/wo smatcard) nothing happens with the card is removed from the reader. Is there a work-around?

  • Anonymous
    November 03, 2007
    Unlike previous versions of Windows, Vista requires the "Smart Card Removal Policy" service be running in order for the GPO settings to actually do anything. So you have to include in your GPO another setting to force the service to run, and set it to automatic as the service is on Manual by default - not very smart MSFT, this should be a core OS feature as it always has been, not a service bolt on!

  • Anonymous
    December 20, 2007
    Very happy to see that you can logon your domain without certificates containing EKU or UPN but I wonder if this feature in Vista requires a change from W2003Server to W2008Server? Best regards, Jonas

  • Anonymous
    January 25, 2008
    I have a computer with the vista program. I need to work from home and be able to get into the citrix program that is used at work. I would just like to get my e-mail for work which I have to go through the citrix to do so. I downlaoad all the iformation for the Adtive client. it's ok to that point but when I try to logon to citrix with the home citrix address it tells me That I am not authorized user. and I need a certicate can you help me.

  • Anonymous
    April 15, 2008
    Shivaram , can you point me to a good guide or source code illuminating how exactly the LogonUser api gets called using  sertificate read from smartcard . i am completely lost. thanx in advance.

  • Anonymous
    April 15, 2008
    First, - Thanks for the good posts! Question: Can a Vista credential provider be launched during a session that is already started? Consider the following scenario. A user logon and then want to sign an email in outlook. To be allowed to sign the email one more user verification is needed before using the certificate (lets say the certificate is retreived from a smart card). How would this extra credential be collected? Should the CSP collect it or could a credential provider be launched again?

  • Anonymous
    May 12, 2008
    Shivaram, I am experiencing a problem with smartcard behavior that I can't find any information on elsewhere.  After I pull my smartcard and the computer locks, most of the time, when I reinsert the card and enter the passphrase, the O/S logs me back on, I then see the user screen for about a second and the O/S locks the screen again, as if I had removed the smartcard. Any thoughts?

  • Anonymous
    May 12, 2008
    Shivaram, I am experiencing a problem with smartcard behavior that I can't find any information on elsewhere.  After I pull my smartcard and the computer locks, most of the time, when I reinsert the card and enter the passphrase, the O/S logs me back on, I then see the user screen for about a second and the O/S locks the screen again, as if I had removed the smartcard. Any thoughts?

  • Anonymous
    June 29, 2008
    I am having problems setting up a scenario in which I can log on to an account configured for smart card logon in Windows Vista.   I think I comply with all the specified requirements pointed out in the paper published by Microsoft that is titled 'Windows Vista Smart Card Infrastructure'(http://www.microsoft.com/downloads/details.aspx?FamilyID=AC201438-3317-44D3-9638-07625FE397B9&displaylang=en). When I try to log on I get an error saying "The system could not log you on. Your credentials could not be verified" and in event viewer I can see the following error:

  • <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  • <System>  <Provider Name="Smart Card Logon" />  <EventID Qualifiers="1">7</EventID>  <Level>2</Level>  <Task>0</Task>  <Keywords>0x80000000000000</Keywords>  <TimeCreated SystemTime="2008-06-29T12:32:12.000Z" />  <EventRecordID>414</EventRecordID>  <Channel>Application</Channel>  <Computer>gloriasLaptop.cyum.es</Computer>  <Security />  </System>
  • <EventData>  <Data>El proveedor no pudo realizar la acción ya que el contexto se adquirió de forma silenciosa.</Data>  <Binary>22000980</Binary>  </EventData>  </Event> The error message in english is: error in the signature using the inserted smart card: the provider couldn't do such operation because the context was acquired in a silent way. Any clues why this is happening? Thanks in advance.
  • Anonymous
    July 30, 2008
    I have a problem with smartcard loggon too. Im using a third party software to Winlogon. Well when I try lo logon thru Smartcard option the Win Vista displays "Reading smartcard" and some seconds later display “No valid certificates found. Check that the card is inserted correctly and fits tighly.” I don't why. In Win XP works perfectly the smartcard logon and the Smart Card Removal Policy too. Any clue?

  • Anonymous
    July 30, 2008
    Hi Moises, I am facing the same problem. Which company card you are using? Are your sofwtare using BaseCSP to enumarate the certificates?

  • Anonymous
    August 04, 2008
    Amit, Im using a safenet smartcard 330 and the third party software is from safenet too. I don't know if the software using BaseCSP, how can I verify that?

  • Anonymous
    August 26, 2008
    Shivaram, thank you for this informative blog.  btw, just 1 question.  if i get the blob directly from the card and i put it in 'MY' certificate store using its PCCERT_CONTEXT handle, is there a way i can get the CA root of this certificate by using its handle? more power. tugak

  • Anonymous
    October 16, 2008
    I'm receiving "An untrusted certificate used for authentication..." when trying to logon with a smartcard to my Vista workstation connected to a 2003 domain.  Any suggestions?

  • Anonymous
    September 03, 2009
    Hi there, With BaseCsp, What is the file format for ksc00, kxc00 certificats? should we return der encoded certificat when CardReadFile request ksc00 file, other format? Thank you for help.

  • Anonymous
    October 04, 2009
    The comment has been removed

  • Anonymous
    October 15, 2009
    The comment has been removed

  • Anonymous
    April 06, 2010
    Hi. When i try to enroll a certificate with Microsoft Enhanced Crptographic Provider v1.0 and it is successfull but if i try to enroll a certificate using Smart Card (Microsoft Base Smart Card Crypto Provider) it is giving error as 0x8010001D ( The Smart card resource manager is not running) but i have checked that the smart card service is running in services. Could you help me to solve this problem?. Thanks in Advance

  • Anonymous
    October 03, 2010
    Dear Moises Zamora When I insert smart card, it demands for PIN in windowsXP but when I provide PIN(either it is correct or I provide wrong one) it says " the system could not log you on. the smart card was removed. But smart card is inserted. how can i successfully login to windows XP successfully? Regards