smart card device enumeration

I am looking for information on how Windows enumerates smart card devices and how the SC minidrivers are associated with the readers that contain the card.

Sorry if I am asking for the world here, but any information that could head me in the right direction would be very much appreciated.

Nik Twerdochlib
Software Developer

+1.601.607.8309 O
+1.866.522.8678 F

BOMGAR | Enterprise Remote Support™

One of the Fastest-Growing Technology Companies in America | Technology Fast 500™

Are you asking about the reader itself being enumerated? Or the card inserted into the reader? For the latter (the card), there is an upper filter which queries the card, builds a hardware ID for it from the information retrieved, and then enumerates a PDO with that hardware ID. If there is a corresponding match on Windows Update, the appropriate card software (DLLs that plug in to the authentication framework, I would guess) is downloaded and installed (no driver is installed on the card PDO).

d

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

What I am most interested in is this: when you are prompted for a PIN on a system that has two readers, both having cards, how does the OS work back to the correct card/reader? I am seeing a unique issue where we are prompted for the PIN of the correct card, then it appears as if the PIN is being applied to the other card in the system.

This system has a physical reader, and a virtual reader (our driver). I am thinking that our driver might not be setting up the device correctly in this situation. If we use the virtual reader by itself there is no issue.

Nik Twerdochlib


Dear Nicholas Twerdochlib,

To differentiate the smart card slots (in the same reader), you need to define your slot number.
Is your reader based on CCID?
If so, you can add a "USB driver" to communicate with your reader,
and define a slot number for each smart card slot (on CCID, offset byte 5).
And to "communicate", you create a file object to exchange data with the concerned slot.

Now, to differentiate 2 readers:
You need to define a global variable to know the number of readers plugged in.
You increase the value when you plug in a reader, and you decrease it when you unplug it.

(Sorry for my English)

Best regards,

Kamel

@Kamel No need to apologize for a language that is not your native tongue. Although we are not CCID, this is interesting information. Thank you.

Nik Twerdochlib


Hi, Nik. Could you provide some more information on exactly what you're seeing? Which OS version is this happening on? Does this happen for all operations or only certain ones? For example, if you run 'certutil -scinfo', does the PIN you put in get applied to the wrong card? If you are able to provide the 'certutil -scinfo' output, that would also be useful for seeing if I can help track down your issue.

Thanks.
-Jeff

Completely missed your reply. Need to figure out a better method to manage the emails on this list.

I have recently been testing with certutil. I have been addressing issues where it fails, but for the most part it does succeed, even when a "run as other user" selecting a cert on that reader will fail with:

  • Result: Cannot find the certificate and private key for decryption.
  • [value] 8009200B

I will reply with a failure from certutil as soon as I can.

Thanks,

Nik Twerdochlib


This is the output from certutil -scinfo "my reader name". I ran this right after getting the 0x8009200B CAPI2 error (CryptAcquireCertificatePrivateKey) during a "run as other user" operation.

The Microsoft Smart Card Resource Manager is running.
Current reader/card status:
Readers: 1
0: SCM Microsystems Inc. Virtual SmartCard Reader 1
--- Reader: SCM Microsystems Inc. Virtual SmartCard Reader 1
--- Status: SCARD_STATE_PRESENT | SCARD_STATE_INUSE
--- Status: The card is being shared by a process.
--- Card: CSSI CardOS V4.3B
--- ATR:
3b f4 18 00 02 c1 0a 31 fe 58 56 34 63 76 c5 ;...1.XV4cv.

=======================================================
Analyzing card in reader: SCM Microsystems Inc. Virtual SmartCard Reader 1

--------------===========================--------------
================ Certificate 0 ================
— Reader: SCM Microsystems Inc. Virtual SmartCard Reader 1
— Card: CSSI CardOS V4.3B
Provider = Charismathics Smart Security Interface CSP
Key Container = le-SmartcardLogon-9c3ce75b-39da-4ac2-93f8-04af6725801a

Performing AT_SIGNATURE public key matching test…
Public key matching test succeeded
Key Container = le-SmartcardLogon-9c3ce75b-39da-4ac2-93f8-04af6725801a
Provider = Charismathics Smart Security Interface CSP
ProviderType = 1
Flags = 1
KeySpec = 2 – AT_SIGNATURE
Private key verifies

Performing cert chain verification…
Chain validates
Smart Card Logon: Chain validates
dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
Application[0] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_NT_AUTH
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 6 Hours, 50 Minutes, 44 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 6 Hours, 50 Minutes, 44 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=dev-AD-CA, DC=dev, DC=bomgar, DC=local
NotBefore: 5/24/2012 11:29 PM
NotAfter: 5/24/2013 11:29 PM
Subject: CN=VSC01 Test, CN=Users, DC=dev, DC=bomgar, DC=local
Serial: 297698de000000000019
SubjectAltName: Other Name:Principal Name=xxxxx@dev.bomgar.local
Template: SmartcardLogon
7b e1 2d af 35 75 86 53 13 69 3b 55 d0 7a 04 d5 3c f9 d5 b8
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
CRL 55:
Issuer: CN=dev-AD-CA, DC=dev, DC=bomgar, DC=local
e8 a8 98 1b 7d 2c 4a b8 aa 81 f2 ba 7c ad 34 6c f3 89 f6 95
Delta CRL 5a:
Issuer: CN=dev-AD-CA, DC=dev, DC=bomgar, DC=local
27 25 43 98 09 90 cf 71 48 38 78 40 36 86 39 fd b8 ba 28 3f
Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
Application[1] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon

CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=dev-AD-CA, DC=dev, DC=bomgar, DC=local
NotBefore: 3/2/2012 6:07 PM
NotAfter: 3/2/2017 6:17 PM
Subject: CN=dev-AD-CA, DC=dev, DC=bomgar, DC=local
Serial: 70626203288ecb9b41ce2081f5def96a
3d 79 07 42 7e da e0 5c e5 c7 26 e8 84 b7 aa 21 16 bf 5a a8
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

Exclude leaf cert:
11 e1 e3 dd 3b 66 d8 8e d9 37 33 7d 47 07 e4 70 62 3b 3b 86
Full chain:
d8 95 f5 ed 76 1d 50 ba cd 54 35 54 66 74 7b 0a 11 01 a1 d2

Verified Issuance Policies: None
Verified Application Policies:
1.3.6.1.5.5.7.3.2 Client Authentication
1.3.6.1.4.1.311.20.2.2 Smart Card Logon
Displayed AT_SIGNATURE cert for reader: SCM Microsystems Inc. Virtual SmartCard Reader 1

Performing AT_KEYEXCHANGE public key matching test…
Public key matching test succeeded
Key Container = le-SmartcardLogon-9c3ce75b-39da-4ac2-93f8-04af6725801a
Provider = Charismathics Smart Security Interface CSP
ProviderType = 1
Flags = 1
KeySpec = 1 – AT_KEYEXCHANGE
Private key verifies

Performing cert chain verification…
Chain validates
Smart Card Logon: Chain validates
dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
Application[0] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_NT_AUTH
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 6 Hours, 50 Minutes, 49 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 6 Hours, 50 Minutes, 49 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=dev-AD-CA, DC=dev, DC=bomgar, DC=local
NotBefore: 5/24/2012 11:29 PM
NotAfter: 5/24/2013 11:29 PM
Subject: CN=VSC01 Test, CN=Users, DC=dev, DC=bomgar, DC=local
Serial: 297698de000000000019
SubjectAltName: Other Name:Principal Name=xxxxx@dev.bomgar.local
Template: SmartcardLogon
7b e1 2d af 35 75 86 53 13 69 3b 55 d0 7a 04 d5 3c f9 d5 b8
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
CRL 55:
Issuer: CN=dev-AD-CA, DC=dev, DC=bomgar, DC=local
e8 a8 98 1b 7d 2c 4a b8 aa 81 f2 ba 7c ad 34 6c f3 89 f6 95
Delta CRL 5a:
Issuer: CN=dev-AD-CA, DC=dev, DC=bomgar, DC=local
27 25 43 98 09 90 cf 71 48 38 78 40 36 86 39 fd b8 ba 28 3f
Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
Application[1] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon

CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=dev-AD-CA, DC=dev, DC=bomgar, DC=local
NotBefore: 3/2/2012 6:07 PM
NotAfter: 3/2/2017 6:17 PM
Subject: CN=dev-AD-CA, DC=dev, DC=bomgar, DC=local
Serial: 70626203288ecb9b41ce2081f5def96a
3d 79 07 42 7e da e0 5c e5 c7 26 e8 84 b7 aa 21 16 bf 5a a8
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

Exclude leaf cert:
11 e1 e3 dd 3b 66 d8 8e d9 37 33 7d 47 07 e4 70 62 3b 3b 86
Full chain:
d8 95 f5 ed 76 1d 50 ba cd 54 35 54 66 74 7b 0a 11 01 a1 d2

Verified Issuance Policies: None
Verified Application Policies:
1.3.6.1.5.5.7.3.2 Client Authentication
1.3.6.1.4.1.311.20.2.2 Smart Card Logon
Displayed AT_KEYEXCHANGE cert for reader: SCM Microsystems Inc. Virtual SmartCard Reader 1

--------------===========================--------------
================ Certificate 1 ================
— Reader: SCM Microsystems Inc. Virtual SmartCard Reader 1
— Card: CSSI CardOS V4.3B
Provider = Charismathics Smart Security Interface CSP
Key Container = le-SmartcardLogon-f51c5220-2950-4e42-a97b-6ae09936aa6f [Default Container]

Performing AT_SIGNATURE public key matching test…
Public key matching test succeeded
Key Container = le-SmartcardLogon-f51c5220-2950-4e42-a97b-6ae09936aa6f
Provider = Charismathics Smart Security Interface CSP
ProviderType = 1
Flags = 1
KeySpec = 2 – AT_SIGNATURE
Private key verifies

Performing cert chain verification…
Chain validates
Smart Card Logon: Chain validates
dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
Application[0] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_NT_AUTH
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 6 Hours, 50 Minutes, 55 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 6 Hours, 50 Minutes, 55 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=dev-AD-CA, DC=dev, DC=bomgar, DC=local
NotBefore: 5/24/2012 11:29 PM
NotAfter: 5/24/2013 11:29 PM
Subject: CN=Alt.VSC01 Test, CN=Users, DC=dev, DC=bomgar, DC=local
Serial: 2977446900000000001a
SubjectAltName: Other Name:Principal Name=xxxxx@dev.bomgar.local
Template: SmartcardLogon
7c 48 47 82 fd fb b2 3f 7f f6 6a 45 f2 b3 8d 6c d6 5f 7d fc
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
CRL 55:
Issuer: CN=dev-AD-CA, DC=dev, DC=bomgar, DC=local
e8 a8 98 1b 7d 2c 4a b8 aa 81 f2 ba 7c ad 34 6c f3 89 f6 95
Delta CRL 5a:
Issuer: CN=dev-AD-CA, DC=dev, DC=bomgar, DC=local
27 25 43 98 09 90 cf 71 48 38 78 40 36 86 39 fd b8 ba 28 3f
Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
Application[1] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon

CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=dev-AD-CA, DC=dev, DC=bomgar, DC=local
NotBefore: 3/2/2012 6:07 PM
NotAfter: 3/2/2017 6:17 PM
Subject: CN=dev-AD-CA, DC=dev, DC=bomgar, DC=local
Serial: 70626203288ecb9b41ce2081f5def96a
3d 79 07 42 7e da e0 5c e5 c7 26 e8 84 b7 aa 21 16 bf 5a a8
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

Exclude leaf cert:
dd de 26 64 2a 9a 9b 3d b7 fb 97 07 73 2c 75 ce aa 44 23 88
Full chain:
3c 71 34 5e 3b 52 27 7e 65 1f 8a 05 2d 85 65 a4 6b de 9e 61

Verified Issuance Policies: None
Verified Application Policies:
1.3.6.1.5.5.7.3.2 Client Authentication
1.3.6.1.4.1.311.20.2.2 Smart Card Logon
Displayed AT_SIGNATURE cert for reader: SCM Microsystems Inc. Virtual SmartCard Reader 1

Performing AT_KEYEXCHANGE public key matching test…
Public key matching test succeeded
Key Container = le-SmartcardLogon-f51c5220-2950-4e42-a97b-6ae09936aa6f
Provider = Charismathics Smart Security Interface CSP
ProviderType = 1
Flags = 1
KeySpec = 1 – AT_KEYEXCHANGE
Private key verifies

Performing cert chain verification…
Chain validates
Smart Card Logon: Chain validates
dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
Application[0] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_NT_AUTH
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 6 Hours, 51 Minutes

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 6 Hours, 51 Minutes

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=dev-AD-CA, DC=dev, DC=bomgar, DC=local
NotBefore: 5/24/2012 11:29 PM
NotAfter: 5/24/2013 11:29 PM
Subject: CN=Alt.VSC01 Test, CN=Users, DC=dev, DC=bomgar, DC=local
Serial: 2977446900000000001a
SubjectAltName: Other Name:Principal Name=xxxxx@dev.bomgar.local
Template: SmartcardLogon
7c 48 47 82 fd fb b2 3f 7f f6 6a 45 f2 b3 8d 6c d6 5f 7d fc
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
CRL 55:
Issuer: CN=dev-AD-CA, DC=dev, DC=bomgar, DC=local
e8 a8 98 1b 7d 2c 4a b8 aa 81 f2 ba 7c ad 34 6c f3 89 f6 95
Delta CRL 5a:
Issuer: CN=dev-AD-CA, DC=dev, DC=bomgar, DC=local
27 25 43 98 09 90 cf 71 48 38 78 40 36 86 39 fd b8 ba 28 3f
Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
Application[1] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon

CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=dev-AD-CA, DC=dev, DC=bomgar, DC=local
NotBefore: 3/2/2012 6:07 PM
NotAfter: 3/2/2017 6:17 PM
Subject: CN=dev-AD-CA, DC=dev, DC=bomgar, DC=local
Serial: 70626203288ecb9b41ce2081f5def96a
3d 79 07 42 7e da e0 5c e5 c7 26 e8 84 b7 aa 21 16 bf 5a a8
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

Exclude leaf cert:
dd de 26 64 2a 9a 9b 3d b7 fb 97 07 73 2c 75 ce aa 44 23 88
Full chain:
3c 71 34 5e 3b 52 27 7e 65 1f 8a 05 2d 85 65 a4 6b de 9e 61

Verified Issuance Policies: None
Verified Application Policies:
1.3.6.1.5.5.7.3.2 Client Authentication
1.3.6.1.4.1.311.20.2.2 Smart Card Logon
Displayed AT_KEYEXCHANGE cert for reader: SCM Microsystems Inc. Virtual SmartCard Reader 1
SCardGetCardTypeProviderName: The system cannot find the file specified. 0x2 (WIN32: 2)
Cannot retrieve Provider Name for CSSI CardOS V4.3B
--------------===========================--------------

Done.
CertUtil: -SCInfo command completed successfully.

Nik Twerdochlib


I think this definitely falls under what I was discussing with you on the other thread. The “other user” doesn’t have the certificate in their personal store so it cannot find the private key. From the documentation of CryptAcquireCertificatePrivateKey, it says “This function can only be used by the owner of a private key and not by any other user.” This makes sense because the system does believe that the other user does not own that private key due to the certificate not being in their personal store. If you logged in to the other user’s desktop and inserted the card to allow the certificate to propagate, then using the certificate when logged in via “run as other user” should work as expected.

I believe what folks do in this situation is to manually load up the appropriate CSP and enumerate the certificates looking for the correct container, rather than using CryptAcquireCertificatePrivateKey. Here are a couple of relevant threads I found on the web. I hope they're helpful:

http://us.generation-nt.com/answer/error-using-cryptacquirecertificateprivatekey-help-59725482.html

http://ureader.com/msg/1659379.aspx

I’m not sure about the setting of CERT_KEY_PROV_INFO_PROP_ID, which you indicated was a manual workaround for you, but I’ll do some poking around to see if I can find more info about that.

-Jeff

Hi, Nicholas. I’ve confirmed that in-box Windows components will never use Type I container naming (i.e. including a reader name) when setting CERT_KEY_PROV_INFO_PROP_ID since it can possibly change. I do not believe there is a way to force it, either.

Thank you very much for the reply. Right now I have a test app that is reformatting the container name to Type I, and thus far it works... I can't remember if I mentioned that our driver is a virtual reader, thus acquiring the initial context is not very quick.

Another interesting piece of information. If I simulate the exact same setup and test scenario with two physical readers this functions without any error. I am reading the links you provided now.

Nik Twerdochlib


Interesting. We are seeing this issue occur under two middleware packages: Charismathics and Active Identity. Both act as standalone CSPs. This makes me think there is a whole host of new functionality that is not being taken advantage of. Active Identity is used heavily by the US Government, so I suspect update adoption is a long process.

In testing I have also found that the certs in the user's store for the provider do have the PP_SMARTCARD_READER property set, though it does not seem to be used.

Are you familiar with either of these products? I am trying to determine if they integrate with any of the existing OS CSP/KSP functionality. Active Identity does at least utilize minidrivers... so I might have answered my question for that one. CSSI seems to be self-contained. Both products install and register as a CSP.

I guess where I keep coming back to is that, testing this with more than one physical reader, there does not seem to be any issue. However, putting our virtual driver in place of one physical reader, it seems that the container can no longer be located... unless the container name modification is done.

Again, thanks for your input.

Nik Twerdochlib


Unfortunately I don’t have any experience with those products so I’m not sure of their specific behaviors.

-Jeff

Just for closure on this issue: this turned out to be an issue in my driver, due to an interpretation of both the MS docs and the PC/SC spec. Our driver really falls in a grey area since it is virtual (it virtualizes a physical reader). The problem came down to the following:

  1. We made a decision to keep the Vendor Name in our driver the same as the driver we were virtualizing.
  2. We set the IFD Type to a static value that represented our driver.
  3. We set the Reader Type to VENDOR (Unknown) since we are not any of the defined bus types.
  4. We defaulted the Channel ID to 0 since our impression was that it was not used.

This is where the problem was created.

In our failure scenario, from the system's point of view we would have two readers installed, both with the same Vendor Name (not an uncommon issue), both having a different Reader Type (apparently not taken into account), and now both with a Channel ID of 0. This is where we created confusion for the OS. There was no longer a means to delineate one from the other, so the first one always won. This explains why when our driver was loaded first it worked, but if not, it failed. I could have possibly found this problem sooner, but in my error I don't think I tested validating a cert from the physical reader when it was the second device. Perhaps an example of why devs make poor testers :)

I have changed my driver to set a static value for the Vendor Name that represents our company, and we are setting the IFD Type to a value from the physical reader driver just to establish a visual relationship. I am also now setting the Channel ID to the value of the FDO instance just to help ensure it is unique.

I am still trying to confirm which values in the reader capabilities are used to uniquely identify each reader on the system. I am reviewing the open-source pcsc-lite library in hopes of finding this answer, but I guess there is no guarantee it will answer the question for the Windows environment.

Nik Twerdochlib
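The two mechanisms this thread turns on, the reader-qualified container naming Jeff mentions (Type I includes the reader name) and the reader-identity collision Nik describes in his closing message, as an added example in Python that is not code from the thread, from Bomgar, or from Windows. It models the PC/SC SCARD_ATTR_CHANNEL_ID encoding (0xDDDDCCCC: channel type in the high word, channel number in the low word), the four key-container name forms (Type I \\.\<reader>\<container>, Type II \\.\<reader>\, Type III a bare container name, Type IV an empty name), and a toy resource manager that, as an assumption of the model and not a description of the real winscard lookup, buckets readers by (vendor name, channel id) so that a second reader with a colliding identity is shadowed by the first. The physical reader name "SCM Microsystems Inc. SCR3310 0", the container names and the FDO instance number are constructed; the virtual reader name is the one from the certutil output above.

```python
"""Constructed model (added example, not code from the thread or from Windows) of
how a CAPI key-container name selects a reader and how two readers reporting the
same identifying attributes get confused, as described in the thread above."""
from dataclasses import dataclass
from typing import Optional

# Channel types from the PC/SC SCARD_ATTR_CHANNEL_ID encoding 0xDDDDCCCC:
# high word = channel type, low word = channel number.
CHANNEL_TYPE_USB = 0x0020     # CCCC is the USB device number
CHANNEL_TYPE_VENDOR = 0x00F0  # 0xFy: vendor-defined interface, CCCC vendor-defined


def make_channel_id(channel_type: int, number: int) -> int:
    """Pack a PC/SC channel id from its type and number."""
    if not (0 <= channel_type <= 0xFFFF and 0 <= number <= 0xFFFF):
        raise ValueError("channel type and number must each fit in 16 bits")
    return (channel_type << 16) | number


@dataclass(frozen=True)
class ReaderCaps:
    """The reader attributes the thread's author adjusted in his driver."""
    name: str          # reader name as listed by certutil -scinfo
    vendor_name: str   # SCARD_ATTR_VENDOR_NAME
    ifd_type: str      # SCARD_ATTR_VENDOR_IFD_TYPE
    channel_id: int    # SCARD_ATTR_CHANNEL_ID

    def identity(self) -> tuple:
        # Assumption of this model, matching what the author observed: the IFD
        # type is not part of the identity; vendor name and channel id are.
        return (self.vendor_name, self.channel_id)


@dataclass(frozen=True)
class ContainerRef:
    kind: str                  # "I", "II", "III" or "IV"
    reader: Optional[str]
    container: Optional[str]


def parse_container_name(name: str) -> ContainerRef:
    r"""Classify a key-container name: Type I \\.\<reader>\<container>,
    Type II \\.\<reader>\ (default container in that reader), Type III
    <container> (search every reader), Type IV "" (default container of the
    first card found)."""
    prefix = "\\\\.\\"
    if name == "":
        return ContainerRef("IV", None, None)
    if not name.startswith(prefix):
        return ContainerRef("III", None, name)
    reader, sep, container = name[len(prefix):].partition("\\")
    if not sep or not reader:
        raise ValueError(f"malformed reader-qualified name: {name!r}")
    return ContainerRef("II" if container == "" else "I", reader, container or None)


def to_type_i(container: str, reader: str) -> str:
    """Pin a bare (Type III) container name to one reader, the author's workaround."""
    if parse_container_name(container).kind != "III":
        raise ValueError("expected a bare (Type III) container name")
    return f"\\\\.\\{reader}\\{container}"


class ResourceManager:
    """Toy resource manager reproducing the failure mode: readers are bucketed by
    identity(), so a later reader with a colliding identity is never searched."""

    def __init__(self) -> None:
        self._by_name: dict[str, ReaderCaps] = {}
        self._by_identity: dict[tuple, ReaderCaps] = {}
        self._containers: dict[str, list[str]] = {}  # reader -> containers; [0] is default

    def add_reader(self, caps: ReaderCaps, containers: list[str]) -> None:
        self._by_name[caps.name] = caps
        self._by_identity.setdefault(caps.identity(), caps)  # first one wins
        self._containers[caps.name] = list(containers)

    def find_container(self, name: str) -> Optional[str]:
        """Return the reader holding the named container, or None (a CAPI caller
        would then see 'Cannot find the certificate and private key')."""
        ref = parse_container_name(name)
        if ref.kind in ("I", "II"):            # reader named explicitly
            r = self._by_name.get(ref.reader)
            if r is None:
                return None
            have = self._containers[r.name]
            return r.name if have and (ref.kind == "II" or ref.container in have) else None
        for r in self._by_identity.values():   # shadowed readers are missing here
            have = self._containers[r.name]
            if have and (ref.kind == "IV" or ref.container in have):
                return r.name
        return None


def demo() -> dict:
    """Replay the thread's scenario with constructed reader and container names."""
    physical = ReaderCaps("SCM Microsystems Inc. SCR3310 0",    # constructed name
                          "SCM Microsystems Inc.", "SCR3310", 0)
    virtual_bad = ReaderCaps("SCM Microsystems Inc. Virtual SmartCard Reader 1",
                             "SCM Microsystems Inc.", "Virtual", 0)  # same vendor, channel 0
    # Fixed driver: own vendor name, channel id unique per FDO instance (1 here, constructed).
    virtual_fixed = ReaderCaps(virtual_bad.name, "BOMGAR", "SCR3310",
                               make_channel_id(CHANNEL_TYPE_VENDOR, 1))
    on_physical, on_virtual = ["le-Phys-0001"], ["le-Virt-0002"]   # constructed names
    before, after = ResourceManager(), ResourceManager()
    before.add_reader(physical, on_physical); before.add_reader(virtual_bad, on_virtual)
    after.add_reader(physical, on_physical); after.add_reader(virtual_fixed, on_virtual)
    return {
        "type_iii_before_fix": before.find_container("le-Virt-0002"),
        "type_i_before_fix": before.find_container(to_type_i("le-Virt-0002", virtual_bad.name)),
        "type_iii_after_fix": after.find_container("le-Virt-0002"),
    }
```

Calling demo() returns None for the Type III lookup before the fix (the virtual reader, registered second, is shadowed by the physical reader with the same vendor name and channel id), the virtual reader's name for the Type I lookup (pinned by reader name, as the test app in the thread does), and the virtual reader's name for the Type III lookup once the vendor name and channel id differ.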
