Certificate requirements for smart card logon
Certificate requirements for Windows XP and earlier
The smart card certificate has specific format requirements when it is used with Windows XP and earlier platforms.
Table 10 Pre-Windows Vista certificate requirements
Component | Requirement |
CRL Distribution Point (CDP) location | The location must be populated, online, and available. For example: [1]CRL Distribution Point
Distribution Point Name:
Full Name:
URL=http://server1.contoso.com/CertEnroll/caname.crl |
Key usage | Digital signature |
Basic constraints | [Subject Type=End Entity, Path Length Constraint=None] (Optional) |
Enhanced Key Usage | · Client Authentication (1.3.6.1.5.5.7.3.2) · (The client authentication object identifier is required only if a certificate is used for SSL authentication.) · Smart Card Logon (1.3.6.1.4.1.311.20.2.2) |
Subject Alternative Name | Other Name: Principal Name= (UPN). For example: UPN = user1@contoso.com The UPN OtherName OID is "1.3.6.1.4.1.311.20.2.3". The UPN OtherName value must be ASN1-encoded UTF8 string |
Subject | Distinguished name of user. This field is a mandatory extension, but the population of this field is optional. |
There are two predefined types of private keys. These keys are Signature Only (AT_SIGNATURE) and Key Exchange (AT_KEYEXCHANGE). Smartcard logon certificates must have a Key Exchange (AT_KEYEXCHANGE) private key type in order for smartcard logon to function correctly.
Certificate requirements for Windows Vista
Table 11 Windows Vista certificate requirements
Component | Requirement |
CRL | Not required |
UPN | Not required |
Key usage | Digital signature |
Enhanced Key Usage | Smart card logon object identifier not required. See Table 7. |
Subject Alternative Name | E-mail ID is not required for smart card logon. See Table 7. |
Key exchange (AT_KEYEXCHANGE field) | Not required for smart card logon certificates. |
You can enable any certificate to be visible for the smart card credential provider. If an EKU is present, then it must contain the smart card logon EKU. Certificates with no EKU can be used for logon.
How does smart card logon work in Windows?
Although Microsoft Windows 2000 and later versions included support for smart cards, the types of certificates that smart cards could contain were limited. The limitations were:
· Each certificate needed to have a User Principal Name (UPN) and needed to contain the smart card logon object identifier (also known as OID) in the EKU attribute field. If the EKU is present, then it must have smart card logon OID present. There is a group policy setting to make EKU optional.
· Each certificate had to be stored in the AT_KEYEXCHANGE portion of the default CAPI container.
 Note
|
Non-Default CAPI containers are not supported. |
· Certificates are required to have a digital signature key usage value. This requirement continues for Windows Vista.
To improve support for smart card deployments, changes to Windows were made to enable support for a range of certificates that do not have the previous limitations.
Smart card-based logon in Windows Vista
Smart card logon on Windows Vista has changed in several key aspects. The primary differences are highlighted below:
· Logon is no longer triggered on smart card insertion. Users are normally required to press CTRL+ALT+DEL to start the logon process.
· Valid certificates are enumerated and displayed from all smart cards and presented to the user. The smart card must be inserted before the user can enter the PIN.
· Keys are no longer restricted to being in the default container, and certificates in different smart cards can be chosen.
· The CSP is accessed (as discussed in Smart Card Logon Flow in Windows Vista) in lsass.exe. The CSP is never loaded into the Winlogon process.
· Multiple Terminal Services sessions are supported in a single process. Because Windows Vista is integrated with Terminal Services to provide Fast User Switching, you should not overlook this fact.
· ECC-based certificates are not supported for smart card logon in Windows. ECC-based PKINIT is still being standardized as a part of IETF (http://www.ietf.org/html.charters/krb-wg-charter.html).
Certificate enumeration
When a smart card is inserted, the following steps are performed:
Note |
Unless otherwise mentioned, all operations are performed silently (CRYPT_SILENT is passed to CryptAcquireContext). |
1. The smart card resource manager database queries for the smart card's CSP.
2. A qualified container name is constructed using the reader name obtained and is passed to the CSP. The format for that name is as follows: \\.\<Reader name>\
3. CryptAcquireContext is called to retrieve a context to the default container. A failure here would cause the smart card to be unusable for smart card logon.
4. The name of the container is retrieved by requesting the PP_CONTAINER parameter using CryptGetProvParam.
5. Using the context acquired in Step 3, the CSP is queried for the PP_USER_CERTSTORE parameter, which was added in Windows Vista. (See Smart card subsystem architecture for more information.) If the operation is successful, a certificate store is returned, and the program flow skips to Step 8.
6. If the operation in Step 5 fails, then the default container context from Step 3 is queried for the AT_KEYEXCHANGE key.
7. The certificate is then queried from the key context using KP_CERTIFICATE. The certificate is added to an in-memory certificate store.
8. For each certificate in the certificate store from either Step 5 or Step 7, the following checks are performed:
a. The certificate must be valid based on the computer system clock (not expired or valid in the future).
b. The certificate must not be in the AT_SIGNATURE part of a container.
c. The certificate must have a valid UPN.
d. The certificate must have the Digital Signature Key Usage.
e. The certificate must have the smart card logon EKU.
These requirements are the same requirements as in Windows 2003, but they are performed before the user enters the PIN. You can override many of them by using Group Policy settings.
Any certificate that meets these requirements is displayed to the user along with the certificate's UPN (or e-mail address or subject, depending on the presence of the certificate extensions).
9. A certificate is then chosen, and the PIN is entered.
10. LogonUI.exe packages the information and sends it to lsass.exe to process the logon attempt.
11. If successful, logonUI.exe is torn down. This causes the context acquired in Step 3 to be released.
Smart card logon flow in Windows Vista
Most problems during authentication will occur because of session behavior. Also, the LSA does not reacquire the context; it relies instead on the CSP to handle the session change.
enables support of client certificates that do not contain a UPN in the subjectAltName (SAN) field of the certificate and supports a much wider variety of certificates, including multiple certificates.
However, these changes are not enabled by default, except for multiple certificates support. (Some certificates are excluded.) Administrators need to set the registry keys on clients (for example, with Group Policy) to enable the functionality.
clients by default would filter the client's certificates in the smart card by using the client authentication EKU. The credential provider also has a policy, AllowSignatureOnlyKeys (corresponding to the AT_SIGNATURE key value in CAPI), to determine if it needs to filter the client certificates based on a requirement that the logon certificate be able to do encryption by allowing the user to display and select signing-only certificates. These policy settings have a direct bearing on the filtering and resulting display of certificates on the logon UI.
Figure 16 illustrates how smart card logon works in Windows Vista.
Figure 16 Smart card logon flow
Flow sequence:
1. WinLogon requests the logon UI credential information.
2. Asynchronously, smart card resource manager starts. The smart card credential provider:
a. Gets credential information, a list of known credentials or none, or that Windows detected a smart card reader.
b. Gets a list of smart card readers (uses WinSCard API) and the list of smart cards inserted in each of them.
c. Enumerates each card to check if a logon certificate (signing) controlled by Group Policy is present. If the certificate is present, the smart card credential provider copies it into a temporary secure cache on the terminal.
d. Notifies the logon UI that it has new credentials.
3. The logon UI requests the new credentials from the smart card credential provider. As a response, the smart card credential provider provides to the logon UI each logon certificate for which a corresponding logon tile is displayed. The user selects a smart card-based logon certificate tile, and Windows displays a PIN dialog box.
4. The user enters the PIN and clicks Go. The smart card credential provider encrypts the PIN.
5. The credential provider that resides in the LogonUI process (system) collects the PIN. As part of packaging credentials in the smart card credential provider, the data is packaged in a KERB_CERTIFICATE_LOGON structure (defined in CredentialProviders.h). The main contents of the KERB_CERTIFICATE_LOGON structure are smart card PIN, cspdata (contains reader name, container name, etc), User Name and Domain Name. User Name is required if the logon domain is not in the same forest, because it enables a certificate to be mapped to multiple user accounts.
6. The credential provider now wraps the data (such as encrypted PIN, container name, reader name, and card Key Spec) and is sent back to LogonUI.
7. LogonUI presents the data to LSA with Winlogon for LSALogonUser.
8. LSA calls Kerberos Authentication Package (Kerberos SSP) to create a Kerberos Authentication Service Request (KRB_AS_REQ) containing a pre-authenticator (as specified in RFC 4556: Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) (http://go.microsoft.com/fwlink/?LinkId=93352)).
If the authentication is performed using a certificate with a key usage of digital signature, then the pre-authentication data consists of the user’s public certificate, and the certificate is digitally signed with the corresponding private key.
If the authentication is with a certificate with a key usage of key encipherment, then the pre-authentication data consists of the user’s public certificate, and the certificate is encrypted with the corresponding private key.
9. To sign the request digitally (as per RFC 4556), a call is made to the corresponding CSP for a private key operation. Because the private key in this case is stored in a smart card, the smart card sub-system is called, and the necessary operation is completed. The result is sent back to the Kerberos SSP.
10. The Kerberos SSP sends an authentication request (as per RFC 4556) to the Key Distribution Center (KDC) service that runs on a domain controller, to request a Ticket Granting Ticket (TGT).
11. The KDC finds the user’s account object in the active directory, as detailed in Client Certificate Mappings, and uses the user’s certificate to verify the signature.
12. The KDC validates the user’s certificate (time, path, and revocation status) to ensure that the certificate is from a trusted source. The KDC uses CryptoAPI (CAPI2) to build a certification path from the user’s certificate to a Root CA certificate that resides in the root store on the domain controller. The KDC then uses CryptoAPI (CAPI2) to verify the digital signature on the authenticator that was included as signed data in the pre-authentication data fields. The domain controller verifies the signature and uses the public key from the user’s certificate to prove that the request originated from the owner of the private key that corresponds to the public key. The KDC also verifies that the issuer is trusted and appears in the NTAUTH certificate store.
13. The KDC service retrieves user account information from Active Directory. The KDC constructs a TGT based on the user account information that it retrieves from Active Directory. The TGT includes the user's security identifier (SID), the SIDs for universal and global domain groups to which the user belongs, and (in a multi-domain environment) the SIDs for any universal groups of which the user is a member. The TGT’s authorization data fields include the list of SIDs.
14. The domain controller returns the TGT to the client as part of the KRB_AS_REP response.
Note |
The KRB_AS_REP packet consists of: Privilege attribute certificate (PAC) User’s security identifier (SID) SIDs of any groups of which the user is a member A request for Ticket Granting Service (TGS) Pre-authentication data |
15. The response is as per RFC 4556. TGT is encrypted with the master key of the KDC, and the session key is encrypted with a temporary key. This temporary key is derived based on RFC 4556. Using CAPI2 APIs, the temporary key is decrypted. As part of the decryption process, if the private key for the same happens to be on a smart card, then the call is made back to the smart card subsystem using the specified Cryptographic Service Provider to extract the certificate corresponding to the user’s public key. (Programmatic calls include CryptAcquireContext, CryptSetProvParam with the PIN, CryptgetUserKey, CryptGetKeyParam for the certificate.). After the temporary key is obtained, the \ Kerberos SSP decrypts the session key.
16. The client validates the reply from the KDC (time, path and revocation status). It first verifies the KDC’s signature by the construction of a certification path from the KDC’s certificate to a trusted root CA, and then it uses the KDC’s public key to verify the reply signature.
17. Now that a TGT has been obtained, the client obtains a Service Ticket to the local computer in order to log on to the computer.
18. On success, LSA stores the tickets and returns success to the LSALogonUser. On this success message, user profile, Group Policy, and other actions are performed.
19. Once the user profile is loaded, CertPropSvc picks up this event, reads the certificates from the card (including the root certificates), and then populates them into the user’s certificate store (MYSTORE).
20. CSP to smart card resource manager communication happens on LRPC Channel.
21. On successful authentication, certificates will be propagated to the user’s store (MYSTORE) asynchronously by the Certificate Propagation Service (CertPropSvc).
22. When the card is removed, certificates in the temporary secure cache store are removed. The Certificates are no longer available for logon, but they will remain the user’s certificate store (MYSTORE).
Note |
A SID is a security identifier that is created for each user or group, at the time a user account or a group account is created within either the local security accounts database on Windows NT or higher computers, or within Active Directory. The SID never changes, even if the user or group account is renamed. |
For more information about Kerberos, see How the Kerberos Version 5 Authentication Protocol Works (http://go.microsoft.com/fwlink/?LinkID=27175).
By default, the KDC verifies that the client's certificate contains the smartcard client authentication EKU szOID_KP_SMARTCARD_LOGON. However, there is a policy that allows the KDC not to require the SC-LOGON EKU (SCLogonEKUNotRequired – See Table 7). SC-LOGON EKU is not required for account mappings that are based on the public key.
KDC certificate
Active Directory Certificate Services provides three kinds of certificate templates:
· Domain controller
· Domain controller authentication
· Kerberos authentication (new in Windows Server® 2008)
Depending on the configuration of the domain controller, one of these types of certificate is sent as a part of the AS_REP packet. For more information on certificate templates, see Active Directory Certificate Server Enhancements in Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkId=83212).
Client certificate mappings
Certificate mapping is based on the UPN that is contained in the subjectAltName (SAN) field of the certificate. Client certificates that do not contain the subjectAltName extension in the certificate are also supported.
SSL/TLS can map certificates that do not have SAN, and the mapping is done using the AltSecID attributes on client accounts. The X509 AltSecID used by SSL/TLS client authentication is of the form "X509:<I>"<Issuer Name>"<S>"<Subject Name>. Here the <Issuer Name> and <Subject Name> are taken from the client certificate, with '\r' and '\n' replaced with ','.
Figure 17 CRL distribution points
Figure 18 UPN in Subject Alternative Name field
Figure 19 Subject and Issue fields
This account mapping is to be supported by the KDC. The KDC also supports six other mapping methods. The following figure shows a flow of user account mapping logic used by KDC.
Figure 20 High-level flow of certificate processing for logon
The certificate object is parsed to look for certain contents to perform user account mapping. When a user name is also provided with the certificate, then the user name is used to locate the account object. This operation is the fastest, because string matching occurs. When only the certificate object is provided, then a series of operations are performed to locate the user to map the user to an account object. When no domain information is available for authentication, the local domain is used by default. If any other domain is to be used for lookup, then a domain name hint should be provided to perform the mapping and binding. Mapping based on generic attributes is not possible, because there is no generic API to retrieve attributes from a certificate.
Currently, the first method that locates an account successfully wins, and the search stops. But if two mapping methods map the same certificate to different user accounts when the client does not supply the client name via the mapping hints, then it is a configuration error.
For more information on mapping certificates to user accounts, see Deploying a Public Key Infrastructure (http://go.microsoft.com/fwlink/?LinkId=93737).
Figure 21 illustrates the process of mapping user accounts for logon in the directory by looking at various entries in the certificate. NT_AUTH policy is best described in CertVerifyCertificateChainPolicy (http://go.microsoft.com/fwlink/?LinkId=93738) under CERT_CHAIN_POLICY_NT_AUTH.
Figure 21 Certificate processing logic
Smart card logon of a single user with one certificate into multiple accounts
A single user certificate can be mapped to multiple accounts. For example, a user might be able to log on to his user account and also to log on as a domain administrator. The mapping is done using the constructed AltSecID based on attributes from client accounts. See Client Certificate Mappings on how this mapping is evaluated.
Note |
Because each account has a different user name, we recommend that you enable the X509Hints Group Policy Object to provide the user information for whom he/she will want to login as. |
The following lists the conditions for logon, based on the certificate contents:
1. If no UPN is present in the certificate:
a. Logon can happen in the local forest or in another forest if a single user with one certificate needs to logon to different accounts.
b. A hint must be supplied if mapping is not unique (more than one user mapped to the same certificate).
2. If a UPN is present in the certificate:
a. The certificate cannot be mapped to multiple users in the same forest.
b. The certificate can be mapped to multiple users in different forests. In order to logon user in other forests, an X509 hint must be supplied to the user.
Smart card logon of multiple users into a single account
A group of users might log on to a single account (for example, an administrator account). For that account, user certificates are mapped so that they are enabled for logon.
Several distinct certificates can also be mapped to a single account (for this to work properly, the certificate cannot have UPNs).
For example, if Certificate1 has CN=CNName1, Certificate2 has CN=User1, and Certificate3 has CN=User2, then the AltSecID of these certificates can be mapped to a single account by using the Active Directory Users and Computers Name Mapping.
Smart card logon across forests
In order for account mapping to work across forests, especially in cases where not enough information is available on the certificate, the user might enter a hint (in the form of a user name such as Domain\User or a fully qualified UPN such as User@DNSNameOfDomain.com).
Note |
For the hint field to appear during smartcard logon, the X509HintsNeeded registry key must be set on the client to enable display of an additional hints field to the logon UI with the PIN field (see Table 7). |
OCSP support for PKINIT
Online Certificate Status Protocol (OCSP), defined in RFC 2560, enables applications to obtain timely information about a certificate's revocation status. Because OCSP responses are small and well bounded, constrained clients might want to use OCSP to check the validity of the certificates for Kerberos KDC, in order to avoid transmission of large certificate revocation lists (CRLs) and save bandwidth on constrained networks.
Microsoft’s KDC will always try to get the OCSP responses and use them when available. There is no policy that can be used to turn that off. CAPI2 APIs for OCSP caches OCSP responses and the status of the responses. KDC only supports OCSP response for signer certificate.
Windows clients will always try to request the OCSP responses and use them in the reply, when they are available. There is no policy that can be used to turn that off.
Certificate revocation support
Table 12 itemizes the keys and the corresponding values to turn off CRL checking (on the wire) at the KDC or client. Both settings are required.
Table 12 CRL checking registry keys
Key | Description |
HKLM\SYSTEM\CCS\Services\Kdc\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors | Type = DWORD Value = 1 |
HKLM\SYSTEM\CCS\Control\LSA\Kerberos\Parameters\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors | Type = DWORD Value = 1 |
Smart card root certificate requirements for use with domain join
There are some specific conditions that the smart card certificate must meet in order for smart card-based domain join to work.
· Smart card certificate must contain a Subject field that contains the DNS domain name in the DN. If it does not, then resolution to appropriate domain will fail, and TS and domain join with smartcard will fail.
OR
· Smart card certificate must contain a UPN where the domain part of the UPN must resolve to the actual domain. For example, UPN "username@engineering.corp.contoso.com" would work, but "username@engineering.contoso.com" would not work, because the Kerberos client would not be able to find the appropriate domain.
The workaround is to supply a hint (enabled via GPO setting X509HintsNeeded as specified in Table 7) in the credentials user interface for domain join.
If the client computer is not joined to the domain (or if it is joined to a different domain), then the client will be able to resolve the server domain only by looking at the DN on the certificate (not the UPN). For this scenario to work, the certificate needs a full Subject (including “DC=…”) for domain name resolution.
To deploy root certificates on smart card for the currently joined domain, you can use the following command:
certutil –scroots
Terminal Services and Smart Cards
In Vista, smart card redirection logic and WinSCard have been combined to support multiple redirected sessions into a single process.
Smart card support with Terminal Services is required to enable many scenarios. These include:
· Ability to RAS in a Fast User Switching (or remote by using terminal services) environment. A user is not able to establish a redirected smartcard-based RAS connection. That is, the connect attempt will not be successful in fast user switching or from a Terminal Services session.
· EFS will not be able to locate the user’s smart card reader from the LSA process in Fast User Switching or in a Terminal Services session. As a result, EFS will be unable to decrypt user files.
Terminal server redirection
In a Terminal Server scenario, a user is using a remote server for running services. But the smart card is local to the system the user is using. In a smart card logon scenario, the remote server’s smart card service (SCardSvr.exe or SVCHost.exe) will appropriately talk (or redirect) to the smart card reader connected to the remote system from which the user is trying to log on.
Figure 22 Terminal server redirection
Notes about the redirection model:
1. The scenario being described is a remote logon session on a Terminal Server computer. In the remote session (labeled as “Client Session”), the user runs net use /smart card.
2. The arrows represent the flow of the PIN that the user types from the command prompt process, cmd.exe, to the user’s smart card in a reader plugged into the Terminal Services client computer.
3. The authentication work is performed by the LSA in session 0.
4. The Crypto API work is performed in the LSA (lsass.exe). This is possible because rdpdr.sys will allow per-session, rather than per-process, context.
5. The WinScard and SCRedir components, which were tightly coupled yet separate modules before Vista, are now rolled into one module. The ScHelper library is a Crypto API wrapper that is specific to Kerberos.
6. Redirection decision is made on a per smart card context basis, based on the session of the thread doing the SCardEstablishContext call.
7. Changes to WinSCard.dll implementation have been made in Vista to allow for smart card redirection.
Terminal server single sign-on experience
As a part of Common Criteria (CC) compliance, the MSTSC client must be configurable to use Credentials Manager to acquire and save the user’s password or smart card PIN. CC requires that applications not have direct access to the user’s password or PIN.
CC requires specifically that the password/PIN never leave the LSA in the clear. Applied to a distributed scenario, it should allow the password/PIN to travel between one trusted LSA and another, as long as it is not in the clear during transit.
In the Windows Vista Terminal Services SSO solution, when using a smart card users will need to sign in for every new Terminal Services session (no SSO support). However, the user is not prompted for a PIN more than once in order to establish a Terminal Services session. For example, after the user double clicks on a Microsoft Word document icon that resides on a remote computer, the user will be prompted to enter a PIN. This PIN will be passed using a secure channel that the credential SSP has established. The PIN is routed back to the Terminal Services client over the secure channel and passed to Winlogon, and the user does not see any additional UI (no additional prompts for the PIN, unless the PIN is incorrect or there are smart card-related failures).
Terminal services and smart card logon
The purpose of this feature is to enable users to log on with a smart card by entering a PIN on the terminal services client side and passing it to the server in a manner similar to authentication based on user name and password.
Smart card logon with terminal services was first introduced in Windows XP. It is not available in any earlier releases. In Windows XP, the user could log on using only one certificate from the default container.
Note |
If a Windows Vista terminal services client is used and a Windows 2003 Server is used, then only a single certificate on a smart card in the default container is supported. To avail Windows Vista support for multiple certificates and domain hints features, use only Windows Vista and Windows Server 2008 computers. |
In addition to enabling the necessary group policies, policies specific to terminal services need to be enabled for smart card-based logon.
To enable smart card logon to a terminal services server, the KDC certificate must be present on the terminal services client local computer. If the computer is not in the same domain or workgroup, then the following command line tool can be used to deploy the certificate.
Format:
certutil –dspublish NTAuthCA "DSCDPContainer"
The DSCDPContainer CN is usually the CA computer name.
Example:
certutil –dspublish NTAuthCA <CertFile> “CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=engineering,DC=contoso,DC=com”
Terminal Services and smart card logon across domains
Scenario: RAS into enterprise
To enable this scenario, the root certificate for the domain must be provisioned on the smart card. To provision this on the smart card from a domain-joined computer, run the following at the command line:
certutil –scroots update
For terminal services across domains, KDC certificate of the terminal services server computer must also be present in the client computer's NTAUTH store. To add the store, run the following at the command line:
certutil –addstore –enterprise NTAUTH <CertFile>
Where <CertFile> is the root certificate of the KDC certificate issuer.
Note |
If you use the credential SSP on Windows Vista to log on with a smart card from a non-domain-joined computer, the smart card must contain the root certification of the domain controller. A PKI secure channel cannot be established without the root certification of the domain controller. |
Cross domain terminal services logon will work only if the UPN in the certificate uses the following form: <Something>@<DomainDNSName>
UPN in the certificate must include a real domain which can resolve. Otherwise, Kerberos has no idea where to go. Enabling, GPO X509 domain hints is a way around this. For more information about this setting, see Table 7.
Terminal services and smart card logon Group Policy settings
Windows enforces the settings for smart card logon with terminal services after it enforces the credential SSP and local security policy (set with secpol.msc).
Table 13 Terminal services and smart card logon Group Policy settings
Policy | Setting |
Smart card logon is the only supported logon method | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CredentialsDelegation · Value name: AllowFreshCredentials · Value type: Binary · Value setting: 1 |
User also has a corresponding password-enabled account | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CredentialsDelegation · Value name: AllowFreshCredentialsWhenNTLMOnly · Value type: Binary · Value setting: 1 |
If you are using terminal services with smart card logon, you cannot delegate default and saved credentials. The following corresponding Group Policy settings are ignored under HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CredentialsDelegation:
· AllowDefCredentials
· AllowDefCredentialsWhenNTLMOnly
· AllowSavedCredentials
· AllowSavedCredentialsWhenNTLMOnly
Fast User Switching
This is for the active session only.
Debugging and Developer Information
Developers can use tools and services in Windows Vista, to help identify certificate problems.
CertUtil
Listing certificates available on the smart card
Command to list certificates that are available on the smart card: certutil –scinfo
Entering a PIN is not required for this operation. Hitting Escape at each PIN dialog will work, because the objective is to read the public certificates on the card.
Deleting certificates on the smart card
When you delete a certificate on the card, you are actually deleting a container that corresponds to that certificate. Each certificate is enclosed in a container. For example, to delete a container, you can use the following command:
Certutil –delkey –csp “Microsoft Base Smart Card Crypto Provider” “38f813f2-ec3b-4e96-ba19-38b830923be9”
To deploy a domain root certificate on a smart card, see Smart Card Root Certificate Requirements for User with a Domain Join.
To publish certificates to the NTAUTH store, see Terminal Services and Smart Card Logon.
Kerberos debugging and tracing
You can use the following resources to begin troubleshooting Kerberos:
· Troubleshooting Kerberos Errors (http://go.microsoft.com/fwlink/?LinkId=93730).
· Troubleshooting Kerberos Delegation (http://go.microsoft.com/fwlink/?LinkId=93731).
· The Trace Log tool in the Windows 2000 Resource Kit (http://go.microsoft.com/fwlink/?LinkId=93732) is a utility that you can use to debug Kerberos authentication failures.
To begin tracing, you can use tracelog.exe. Different components use different control GUIDs.
NTLM
To enable tracing for NTLM authentication, run the following at the command line:
tracelog.exe -kd -rt -start ntlm -guid #5BBB6C18-AA45-49b1-A15F-085F7ED0AA90 -f .\ntlm.etl -flags 0x15003 -ft 1
To stop tracing for NTLM authentication, run the following at the command line:
tracelog -stop ntlm
Kerberos
To enable tracing for Kerberos authentication, run the following at the command line:
tracelog.exe -kd -rt -start kerb -guid #6B510852-3583-4e2d-AFFE-A67F9F223438 -f .\kerb.etl -flags 0x43 -ft 1
To stop tracing for Kerberos authentication, run the following at the command line:
tracelog.exe -stop kerb
KDC
To enable tracing for the KDC, run the following at the command line:
tracelog.exe -kd -rt -start kdc -guid #1BBA8B19-7F31-43c0-9643-6E911F79A06B -f .\kdc.etl -flags 0x803 -ft 1
To stop tracing for the KDC, run the following at the command line:
tracelog.exe -stop kdc
Note |
To stop tracing remotely, run the following at the command line: logman.exe -s <ComputerName> The default location for logman.exe is %systemroot%system32\. Use the -s option to supply a computer name. |
Configure tracing with the registry
You can also configure tracing by editing registry values.
Table 14 Kerberos tracing registry settings
Method | Registry key setting |
NTLM | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 · Value name: NtLmInfoLevel · Value type: DWORD · Value data: c0015003 |
Kerberos | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters · Value name: KerbDebugLevel · Value type: DWORD · Value data: c0000043 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos · Value name: LogToFile · Value type: DWORD · Value data: 00000001 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters · Value name: LogToFile · Value type: DWORD · Value data: 00000001 |
KDC | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc · Value name: KdcDebugLevel · Value type: DWORD · Value data: c0000803 |
If you used tracelog.exe, look for the log file kerb.etl/kdc.etl/ntlm.etl in your current directory. Otherwise, if you used the registry files shown in Table 13, look for the generated trace log files at the following locations:
· NTLM: %systemroot%\tracing\msv1_0
· Kerberos: %systemroot%\tracing\kerberos
· KDC: %systemroot%\tracing\kdcsvc
To decode event trace files, you can use Tracefmt (tracefmt.exe). Tracefmt is a command-line tool that formats and displays trace messages from an event trace log file (.etl) or a real-time trace session. Tracefmt can display the messages in the Command Prompt window or save them in a text file. It is located in the \tools\tracing subdirectory of the Microsoft Windows Driver Kit (WDK). For more information about Tracefmt, see Tracefmt at MSDN (http://go.microsoft.com/fwlink/?LinkId=93734).
Smart card service
To check if the smart card service is running
1. Press CTRL+ALT+DEL, and then click Start Task Manager.
2. In the Windows Task Manager dialog box, click the Services tab.
3. Click the Name column to sort the list alphabetically, and then type s.
4. In the Name column, look for SCardSvr, and then look under the Status column to see if the service is running or stopped.
To restart the smart card service
1. Click the Start button, type cmd, right-click cmd.exe, and then click Run as administrator.
2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
3. At the command prompt, type net stop SCardSvr
4. At the command prompt, type net start SCardSvr
You can use the following command at the command prompt to check whether the service is running:
sc queryex scardsvr
The following is example output from running this command:
Copy Code
SERVICE_NAME: scardsvr
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 1320
FLAGS :
C:\>
Smart card readers
To check whether the smart card reader is connected and working properly
1. Click the Start button, right-click Computer, and then click Properties.
2. Under Tasks, click Device Manager.
3. In Device Manager, expand Smart card readers, select the smart card reader about which you want information, and then click Properties.
Note |
If the smart card reader is not listed in Device Manager, in the Action menu, click Scan for hardware changes. |
CAPI2 Diagnostics
CAPI2 Diagnostics is a feature in Windows Vista and Windows Server 2008 that helps administrators in troubleshooting PKI problems. CAPI2 Diagnostics logs events in the Windows event log that contains detailed information about certificate chain validation, certificate store operations, and signature verification. This information makes it easier to identify the root causes of problems and reduces the time required for diagnosis.
For more information on CAPI2 Diagnostics, see Troubleshooting PKI Problems on Windows Vista (http://go.microsoft.com/fwlink/?LinkId=89570).