Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
Re: Problems with Win2K Smartcard Logon using third-party CA
From: Eric Perlin (ericperlWINDOWS.MICROSOFT.COM)
Date: Mon Mar 24 2003 - 19:02:19 CST
One of the replies from the KDC is first decrypted by the card.
The result (a signed PKCS message) is then verified.
That leaves you with 2 points of failure:
1/ decryption is not returning what it is supposed to (encryption
performed with MS CSP on KDC).
2/ (win2k only because it is done by MS CSP on XP and later)
verification of the signed message by your CSP fails.
I don't believe this is a trust issue. It looks like a crypto interop
Hope that helps
Eric Perlin [MS]
From: Ian MacDonald [mailto:ianmacdBISMAC.COM]
Sent: Monday, March 24, 2003 3:25 PM
Subject: Re: Problems with Win2K Smartcard Logon using third-party CA
Here is the message I get in the application event log:
Event Type: Information
Event Source: Smart Card Logon
Event Category: None
Event ID: 8
Time: 1:13:45 PM
An error occurred while verifying a signed message using the inserted
card: Invalid Signature.
0000: 06 00 09 80 ...€
I have done some basic interop testing of our Smartcard CSP which at
point implements all its crypto functionality in terms of the
MS_ENHANCED_PROV software CSP. In effect our CSP is currently a wrapper
around the MS_ENHANCED_PROV CSP. When we use a cert generated by the MS
Smartcard Enrollment Control and signed by the MS CA with our CSP,
Smartcard Logon works fine. The problem occurs when we try to use a
signed by our third-party CA with this same CSP. This would, I think,
reasonably rule out a problem with our CSP.
Running certutil -verify indicates that the CDP and CRL seem to be fine.
Running dsstore -checksc also indicates that there are no problems.
I've added the root cert of our CA to the Group Policy object of my
domain. I've imported the root cert of our CA into the NTAuth store
ldifde. I then refreshed the Group Policy with secedit.
The only clue I can see that indicates a problem is that my CSP log
the Smartcard logon sequence abruptly terminating after signing a hash.
On Mon, 24 Mar 2003 13:51:02 -0800, Eric Perlin
>No. there is no requirement that both certs come from the same CA.
>Please post the entire eventlog entry for the error you are getting
>(copy/paste button in eventvwr).
>Also I assume that you have done interop testing with your CSP (i.e.
>sign/encrypt/decrypt with your CSP and corresponding inverse operations
>with a software CSP).
>Eric Perlin [MS]
>From: Ian MacDonald [mailto:ianmacdBISMAC.COM]
>Sent: Friday, March 21, 2003 10:33 PM
>Subject: Re: Problems with Win2K Smartcard Logon using third-party CA
>Thanks for the response Eric (and in microsoft.public.win2000.security)
>I wasn't sure how often you check the NNTP group so I initially posted
>So does this mean that since I have both the MS CA in place as well as
>using a third-party CA for the smartcard certs, I don't need to worry
>about DC certs? That is to say, there's no requirement that the DC
>and the smartcard certs be signed by the same CA?
>Any idea as to why I would be getting an "Invalid Signature" message
>the Smart Card Logon source in the event log? As far as I can tell,
>certs from the third-party CA work fine for everything else I've tried.
>-- Ian MacDonald
>On Fri, 21 Mar 2003 12:01:29 -0800, Eric Perlin
>>The DC cert is verified on the client.
>>DCs automatically enroll to enterprise CAs...
>>Eric Perlin [MS]
>>From: Ian MacDonald [mailto:ianmacdBISMAC.COM]
>>Sent: Friday, March 21, 2003 10:28 AM
>>Subject: Problems with Win2K Smartcard Logon using third-party CA
>>I'm having a bit of a problem trying to get Smartcard Logon to work in
>>with a third-party CA.
>>We are using our own in-house developed smartcard reader, CSP and CA.
>>Everything works find if we use a certificate from the Microsoft CA
>>also have installed. However when we try to use our third-party
>>we get the "Your credentials could not be verified" message. The
>>contains an "Invalid Signature" error message from the Smart Card
>>If I use the certutil tool, I can verify the third-party certificate
>>problems. I can also use the certificate with its keys to sign/verify
>>encrypt/decrypt data without problems using the CryptoAPI functions.
>>also verified the certificate chain and revocation status successfully
>>the CryptoAPI functions.
>>I've followed all the instructions in the KB Q281245 and Q295663
>>except for one (explained below). I've verified that the certificates
>>the same extension attributes as those from the Microsoft CA
>>the Q281256 article.
>>The only step I skipped in Q281245 was to not get a Domain Controller
>>certificate using our third-party CA. Since I've already installed
>>using the Microsoft CA plus the fact that Smartcard logons are working
>>using MS CA signed certificates, I reasoned that third-party signed
>>for the DC was unnecessary. Was this is a mistake? Do Smartcard
>>with third-party CA certs not work if you don't also have third-party
>>DC certs as well?
>>If it's of any help, our CSP log reports that the authentication
>>abruptly stops with an unexpected CryptReleaseContext after step #32
>>"Windows 2000 interactive logon" scenario documented in the Smartcard
>>Cookbook. There are no errors reported by our CSP. I can post the
>>Anybody have any ideas?
>>-- Ian MacDonald