Smart Card Certs, Run As and Run As Other User

Does anyone know what the flow is like between the two Run As options?

I am debugging a case where selecting a SC Cert for validation of a Run As will succeed, but the same for Run As Other User will fail in a call for CryptAcquireCertificatePrivateKey. This only occurs when I am using my SC Reader driver with more than one reader on a system. My driver is only controlling one of the readers.

Thanks,

Nik Twerdochlib
Software Developer

+1.601.607.8309 O
+1.866.522.8678 F

BOMGAR | Enterprise Remote Support™

One of the Fastest-Growing Technology Companies in America | Technology Fast 500™

This is probably because when you run as another user, that other user doesn’t have the certificate available in their personal certificate store, therefore it’s not possible to locate the private key.

-Jeff

This is a good point I did not consider. What I have managed to do is change the CERT_KEY_PROV_PROP_ID structure for all certs in the current user's store such that the container name is in Type I format, and this does seem to work.

At what point though would that process attempt to read the store of the “other user”? Or is it possible that the flow of this process is such that it tries to use the cert directly off the selected card? Which I am guessing is not true since the above test worked.

I don’t suppose there is a way to force Type I container naming to be used?

I am referring to Type I as \\.\[reader name]\[container name]

Thanks,

Nik Twerdochlib
Software Developer


-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@microsoft.com
Sent: Friday, May 25, 2012 4:00 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Smart Card Certs, Run As and Run As Other User

This is probably because when you run as another user, that other user doesn’t have the certificate available in their personal certificate store, therefore it’s not possible to locate the private key.

-Jeff


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

> same for Run As Other User will fail in a call for CryptAcquireCertificatePrivateKey.

And what will be the error code?


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

Should have included that.

Result: Cannot find the certificate and private key for decryption. (value 8009200B)

If I run a utility I wrote to update the convention of the container name to be Type I (\\.\reader name\container name), then it will work. I don’t want to have to try to address timing issues of getting the certs in the user cert store updated “in time” before the user tries to use the card.

Nik Twerdochlib
Software Developer


-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Maxim S. Shatskih
Sent: Sunday, May 27, 2012 11:00 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Smart Card Certs, Run As and Run As Other User

> same for Run As Other User will fail in a call for CryptAcquireCertificatePrivateKey.

And what will be the error code?


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com


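As an added example (not code from the thread, nor the poster's own utility): the container-name rewrite described above, in C against CryptoAPI, building the Type I name \\.\<reader>\<container> and stamping it into each certificate's CERT_KEY_PROV_INFO_PROP_ID property. The reader name passed in, and the assumption that every cert in the MY store belongs to the card in that one reader, are the caller's; the store-walking half compiles only on Windows.

```c
/* Added example (not from the thread): put a cert's key-provider container name into
 * the "Type I" form \\.\<reader>\<container> so CryptAcquireCertificatePrivateKey
 * resolves the key in a specific reader. The store walk below is Windows-only. */
#include <stdlib.h>
#include <wchar.h>

#define TYPE1_PREFIX L"\\\\.\\"   /* the four characters \\.\ */

/* Returns a malloc'd "\\.\<reader>\<container>"; an empty/NULL container yields the
 * card default "\\.\<reader>\". Returns NULL if the name is already Type I (nothing
 * to do), if the reader name is empty, or on allocation failure. */
wchar_t *make_type1_container_name(const wchar_t *reader, const wchar_t *container)
{
    size_t plen = wcslen(TYPE1_PREFIX);
    if (reader == NULL || reader[0] == L'\0') return NULL;
    if (container == NULL) container = L"";
    if (wcsncmp(container, TYPE1_PREFIX, plen) == 0) return NULL;   /* already Type I */
    wchar_t *out = malloc((plen + wcslen(reader) + wcslen(container) + 2) * sizeof *out);
    if (out == NULL) return NULL;
    wcscpy(out, TYPE1_PREFIX); wcscat(out, reader); wcscat(out, L"\\");
    return wcscat(out, container);
}

#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>   /* link with crypt32.lib */
/* Rewrite CERT_KEY_PROV_INFO_PROP_ID on each cert in the current user's MY store to
 * name the given reader (assumes one card per user). Returns count updated, -1 on error. */
int qualify_my_store_containers(const wchar_t *reader)
{
    HCERTSTORE store = CertOpenSystemStoreW(0, L"MY");
    if (store == NULL) return -1;
    int updated = 0; PCCERT_CONTEXT cert = NULL;
    while ((cert = CertEnumCertificatesInStore(store, cert)) != NULL) {
        DWORD cb = 0;
        if (!CertGetCertificateContextProperty(cert, CERT_KEY_PROV_INFO_PROP_ID, NULL, &cb))
            continue;                        /* no key-provider info on this cert */
        CRYPT_KEY_PROV_INFO *kpi = malloc(cb);
        if (kpi && CertGetCertificateContextProperty(cert, CERT_KEY_PROV_INFO_PROP_ID, kpi, &cb)) {
            wchar_t *name = make_type1_container_name(reader, kpi->pwszContainerName);
            if (name != NULL) {              /* NULL here means already qualified */
                kpi->pwszContainerName = name;   /* CertSet... copies the structure */
                if (CertSetCertificateContextProperty(cert, CERT_KEY_PROV_INFO_PROP_ID, 0, kpi))
                    updated++;
            }
            free(name);
        }
        free(kpi);
    }
    CertCloseStore(store, 0);
    return updated;
}
#endif
```

Running this once for the current user only addresses the store that user's profile owns; a Run As Other User logon still resolves the key through that other user's own store, so the rewrite has to have happened for that account as well.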