Re: Problems with Win2K Smartcard Logon using third-party CA

From: Ian MacDonald (ianmacdBISMAC.COM)
Date: Tue Mar 25 2003 - 18:11:53 CST


Thanks Eric,

I finally figured out what was going wrong. It was a stupid mistake on my
part. (I was getting the feeling it had to be.) When generating the
keypair for the smartcard during enrollment, I was creating a signature
keypair and not a keyexchange keypair. All of my tests outside of
Smartcard Logon were performed only with the signature keypair and thus
were working. I just now realized that Smartcard Logon only uses the
keyexchange keypair which in my case would normally be absent (since I
wasn't generating one). However, for some reason and at some time earlier,
I manually created a bogus keyexchange keypair which had never been cleaned
out of my test container. This bogus keyexchange keypair was causing all
the problems. Once I corrected my enrollment process to generate a proper
keyexchange keypair, Smartcard Logon started working.

Sorry for the confusion earlier, I was running my tests on a single machine
which is a standalone DC. My tests involved performing a local Smartcard
Logon to this DC. The Smartcard Logon client and server were the same host.

Thanks again for your help,

-- Ian

On Tue, 25 Mar 2003 13:09:20 -0800, Eric Perlin
<ericperlWINDOWS.MICROSOFT.COM> wrote:

>I am getting confused.
>Do you get the eventlog entry below on the client or on the DC?
>
>I thought it was on the client but then it doesn't match the sequence
>(the code that logs this error on the client doesn't seem to be
>executed).
>If it is on the server, then it's the signature at step 30 that's wrong
>(i.e. the DC can't verify it).
>
>Eric Perlin [MS]
>
>-----Original Message-----
>From: Ian MacDonald [mailto:ianmacdBISMAC.COM]
>Sent: Monday, March 24, 2003 10:33 PM
>To: SmartCardSDKDISCUSS.MICROSOFT.COM
>Subject: Re: Problems with Win2K Smartcard Logon using third-party CA
>
>
>After step #32 where the second of two hash objects is destroyed, my
>CSP receives two unexpected CPReleaseContext calls whereupon the long
>sequence aborts. Calling GetLastError() at this point sometimes returns
>0 and other times returns 0x80090006 (Invalid Signature). In either
>case, I receive the "Invalid Signature" event in the application log.
>None of the CryptAPI calls that my CSP makes are failing with any
>errors.
>
>Thanks,
>
>-- Ian
>
>> -----Original Message-----
>> From: SmartCardSDK
>> [mailto:SmartCardSDKDISCUSS.MICROSOFT.COM] On Behalf Of Eric Perlin
>> Sent: Monday, March 24, 2003 7:05 PM
>> To: SmartCardSDKDISCUSS.MICROSOFT.COM
>> Subject: Re: [SmartCardSDK] Problems with Win2K Smartcard
>> Logon using third-party CA
>>
>>
>> The error message you are seeing comes from one function only
>> on the client so I am pretty sure about the step that fails.
>> Where does your call sequence differ from the one in the
>> cookbook (i.e. which step)?
>>
>> Eric Perlin [MS]
>>
>> -----Original Message-----
>> From: Ian MacDonald [mailto:ianmacdBISMAC.COM]
>> Sent: Monday, March 24, 2003 5:52 PM
>> To: SmartCardSDKDISCUSS.MICROSOFT.COM
>> Subject: Re: Problems with Win2K Smartcard Logon using third-party CA
>>
>>
>> Given that the same CSP is used in the working scenario (with
>> the MS CA signed cert) as in the non-working case (with the
>> third-party CA signed cert), where could I look to effect a
>> solution? To me it doesn't look like our CSP could/should do
>> anything different since I'm currently just forwarding the
>> calls to the MS CSP.
>>
>> After comparing our CSP log with the "Interactive Win2K
>> Logon" scenario described in the Smartcard Cook Book and
>> given the new info you provided: it appears that something is going
>> wrong before the signed PKCS message you mentioned is processed. Our
>> logon sequence is failing very early on after signing the second of two
>> MD5 hashes. The first hash is from 4 bytes of data, the second hash is
>> from 127 bytes. There have been no keys imported into the CSP nor any
>> data decrypted or verified at this point.
>>
>> Unfortunately the logon sequence described in the Smartcard
>> Cook Book scenario does not provide any context for the data
>> the CSP is operating on so it doesn't help me to determine
>> where things might be going wrong.
>>
>> Thanks again for your help,
>>
>> -- Ian
>>
>> On Mon, 24 Mar 2003 17:02:19 -0800, Eric Perlin
>> <ericperlWINDOWS.MICROSOFT.COM> wrote:
>>
>> >One of the replies from the KDC is first decrypted by the card. The
>> >result (a signed PKCS message) is then verified.
>> >
>> >That leaves you with 2 points of failure:
>> >1/ decryption is not returning what it is supposed to (encryption
>> >performed with MS CSP on KDC).
>> >2/ (win2k only because it is done by MS CSP on XP and later)
>> >verification of the signed message by your CSP fails.
>> >
>> >I don't believe this is a trust issue. It looks like a crypto interop
>> >problem.
>> >
>> >Hope that helps
>> >Eric Perlin [MS]
>> >
>> >-----Original Message-----
>> >From: Ian MacDonald [mailto:ianmacdBISMAC.COM]
>> >Sent: Monday, March 24, 2003 3:25 PM
>> >To: SmartCardSDKDISCUSS.MICROSOFT.COM
>> >Subject: Re: Problems with Win2K Smartcard Logon using third-party CA
>> >
>> >
>> >Hi Eric,
>> >
>> >Here is the message I get in the application event log:
>> >
>> >Event Type: Information
>> >Event Source: Smart Card Logon
>> >Event Category: None
>> >Event ID: 8
>> >Date: 3/24/2003
>> >Time: 1:13:45 PM
>> >User: N/A
>> >Computer: KYBER
>> >Description:
>> >An error occurred while verifying a signed message using the inserted
>> >smart card: Invalid Signature.
>> >
>> >Data:
>> >0000: 06 00 09 80 ...
>> >
>> >I have done some basic interop testing of our Smartcard CSP which at
>> >this point implements all its crypto functionality in terms of the
>> >MS_ENHANCED_PROV software CSP. In effect our CSP is currently a wrapper
>> >around the MS_ENHANCED_PROV CSP. When we use a cert generated by the MS
>> >Smartcard Enrollment Control and signed by the MS CA with our CSP,
>> >Smartcard Logon works fine. The problem occurs when we try to use a
>> >cert signed by our third-party CA with this same CSP. This would, I
>> >think, reasonably rule out a problem with our CSP.
>> >
>> >Running certutil -verify indicates that the CDP and CRL seem to be fine.
>> >Running dsstore -checksc also indicates that there are no problems.
>> >
>> >I've added the root cert of our CA to the Group Policy object of my
>> >domain. I've imported the root cert of our CA into the NTAuth store
>> >using ldifde. I then refreshed the Group Policy with secedit.
>> >
>> >The only clue I can see that indicates a problem is that my CSP log
>> >shows the Smartcard logon sequence abruptly terminating after signing a
>> >hash.
>> >
>> >Thanks again,
>> >
>> >-- Ian
>> >
>> >
>> >On Mon, 24 Mar 2003 13:51:02 -0800, Eric Perlin
>> ><ericperlWINDOWS.MICROSOFT.COM> wrote:
>> >
>> >>No. there is no requirement that both certs come from the same CA.
>> >>Please post the entire eventlog entry for the error you are getting
>> >>(copy/paste button in eventvwr).
>> >>
>> >>Also I assume that you have done interop testing with your CSP (i.e.
>> >>sign/encrypt/decrypt with your CSP and corresponding inverse operations
>> >>with a software CSP).
>> >>
>> >>Eric Perlin [MS]
>> >>
>> >>-----Original Message-----
>> >>From: Ian MacDonald [mailto:ianmacdBISMAC.COM]
>> >>Sent: Friday, March 21, 2003 10:33 PM
>> >>To: SmartCardSDKDISCUSS.MICROSOFT.COM
>> >>Subject: Re: Problems with Win2K Smartcard Logon using third-party CA
>> >>
>> >>
>> >>Thanks for the response Eric (and in microsoft.public.win2000.security)
>> >>
>> >>I wasn't sure how often you check the NNTP group so I initially posted
>> >>in both places.
>> >>
>> >>So does this mean that since I have both the MS CA in place as well as
>> >>using a third-party CA for the smartcard certs, I don't need to worry
>> >>about DC certs? That is to say, there's no requirement that the DC
>> >>certs and the smartcard certs be signed by the same CA?
>> >>
>> >>Any idea as to why I would be getting an "Invalid Signature" message
>> >>from the Smart Card Logon source in the event log? As far as I can
>> >>tell, the certs from the third-party CA work fine for everything else
>> >>I've tried.
>> >>
>> >>Thanks,
>> >>
>> >>-- Ian MacDonald
>> >>
>> >>On Fri, 21 Mar 2003 12:01:29 -0800, Eric Perlin
>> >><ericperlWINDOWS.MICROSOFT.COM> wrote:
>> >>
>> >>>The DC cert is verified on the client.
>> >>>DCs automatically enroll to enterprise CAs...
>> >>>
>> >>>Eric Perlin [MS]
>> >>>
>> >>>-----Original Message-----
>> >>>From: Ian MacDonald [mailto:ianmacdBISMAC.COM]
>> >>>Sent: Friday, March 21, 2003 10:28 AM
>> >>>To: SmartCardSDKDISCUSS.MICROSOFT.COM
>> >>>Subject: Problems with Win2K Smartcard Logon using third-party CA
>> >>>
>> >>>
>> >>>I'm having a bit of a problem trying to get Smartcard Logon to work
>> >>>in Win2K with a third-party CA.
>> >>>
>> >>>We are using our own in-house developed smartcard reader, CSP and CA.
>> >>>
>> >>>Everything works fine if we use a certificate from the Microsoft CA
>> >>>which we also have installed. However when we try to use our
>> >>>third-party certificate we get the "Your credentials could not be
>> >>>verified" message. The event log contains an "Invalid Signature"
>> >>>error message from the Smart Card Logon source.
>> >>>
>> >>>If I use the certutil tool, I can verify the third-party certificate
>> >>>without problems. I can also use the certificate with its keys to
>> >>>sign/verify and encrypt/decrypt data without problems using the
>> >>>CryptoAPI functions. I've also verified the certificate chain and
>> >>>revocation status successfully using the CryptoAPI functions.
>> >>>
>> >>>I've followed all the instructions in the KB Q281245 and Q295663
>> >>>articles except for one (explained below). I've verified that the
>> >>>certificates have the same extension attributes as those from the
>> >>>Microsoft CA documented in the Q281256 article.
>> >>>
>> >>>The only step I skipped in Q281245 was to not get a Domain Controller
>> >>>certificate using our third-party CA. Since I've already installed and
>> >>>am using the Microsoft CA plus the fact that Smartcard logons are
>> >>>working when using MS CA signed certificates, I reasoned that
>> >>>third-party signed certs for the DC was unnecessary. Was this a
>> >>>mistake? Do Smartcard logons with third-party CA certs not work if you
>> >>>don't also have third-party signed DC certs as well?
>> >>>
>> >>>If it's of any help, our CSP log reports that the authentication
>> >>>process abruptly stops with an unexpected CryptReleaseContext after
>> >>>step #32 of the "Windows 2000 interactive logon" scenario documented
>> >>>in the Smartcard CSP Cookbook. There are no errors reported by our
>> >>>CSP. I can post the log if needed.
>> >>>
>> >>>Anybody have any ideas?
>> >>>
>> >>>Thanks,
>> >>>
>> >>>-- Ian MacDonald
>>
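The fix Ian describes at the top of the thread is that Smartcard Logon uses the key exchange (AT_KEYEXCHANGE) keypair, so a card enrolled with only a signature (AT_SIGNATURE) keypair fails with "Invalid Signature". As an added example that is not from the thread or either author, the following Windows PowerShell check reports, for every certificate in the current user's personal store that carries the Smart Card Logon EKU, which container type holds its private key; it assumes a legacy CAPI (CSP) key as in the thread, Windows PowerShell 5.1, and the store path Cert:\CurrentUser\My.

```powershell
# Added example (not from the thread): for each Smart Card Logon certificate in the
# user's personal store, report whether its private key is an AT_KEYEXCHANGE
# (Exchange) or AT_SIGNATURE (Signature) key. Assumes a legacy CAPI (CSP) key;
# a CNG key exposes no CspKeyContainerInfo and is reported as 'n/a'.
# Note: touching the private key of a smart card certificate may prompt for the PIN.

$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'   # msSmartcardLogin EKU (well-known OID)

function Get-SmartCardLogonKeySpec {
    param([string]$StorePath = 'Cert:\CurrentUser\My')   # assumed store path

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Keep only certificates whose EKU extension lists Smart Card Logon.
        $ekuExts = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $hasLogonEku = $false
        foreach ($ext in $ekuExts) {
            if ($ext.EnhancedKeyUsages | Where-Object { $_.Value -eq $SmartCardLogonEku }) { $hasLogonEku = $true }
        }
        if (-not $hasLogonEku) { continue }

        $keySpec = 'n/a'; $container = 'n/a'; $provider = 'n/a'; $hardware = $null
        $key = $null
        if ($cert.HasPrivateKey) { try { $key = $cert.PrivateKey } catch { $key = $null } }
        if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $info      = $key.CspKeyContainerInfo
            $keySpec   = $info.KeyNumber          # Exchange = AT_KEYEXCHANGE, Signature = AT_SIGNATURE
            $container = $info.KeyContainerName
            $provider  = $info.ProviderName
            $hardware  = $info.HardwareDevice     # $true when the CSP reports a hardware (card) key
        }

        [pscustomobject]@{
            Subject     = $cert.Subject
            Thumbprint  = $cert.Thumbprint
            Provider    = $provider
            Container   = $container
            OnCard      = $hardware
            KeySpec     = $keySpec
            # Per the thread, only an Exchange key is used by Win2K Smartcard Logon.
            LogonUsable = ($keySpec -eq [System.Security.Cryptography.KeyNumber]::Exchange)
        }
    }
}

Get-SmartCardLogonKeySpec | Format-Table -AutoSize
```

A row showing KeySpec Signature (or a stale Exchange container left over from testing, as in Ian's case) is the condition to fix at enrollment time before expecting the logon to succeed.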