TPM-CSP Autoenrollment failing with 0x8010002e SCARD_E_NO_READERS_AVAILABLE

We’re attempting to enroll for certificates using a TPM chip on a laptop – it fails when autoenrollment is involved but works when done manually via the MMC. According to http://msdn.microsoft.com/en-us/library/bb905527.aspx on the Smart Card Resource Manager service: “By default, the service is configured for manual mode. Smart card reader driver authors must configure the…

Why am I seeing LsaSrv 45058 events on my client?

From Julio: I recently installed a new server running Windows 2008 R2 (as a DC) and the related computers running Windows 7 Pro. The computers are joined to the domain. On a computer which is shared by two users (userA and UserB), I see the following event in the Event Viewer while userA was logged…

XP and W2k3 Clients are by default unable to enroll from W2k12 CA servers

RPC packet-level authentication is turned on by default on Windows 2012 CAs. It can also be turned on in W2k8+ but defaults to off there. … From http://technet.microsoft.com/library/hh831373: When a certificate request is received by a certification authority (CA), encryption for the request can be enforced by the CA via the RPC_C_AUTHN_LEVEL_PKT, as described…

The tale of the phantom cached logon entry

We’re logging on with smartcards to our laptops but we’ve recently discovered that you’re also able to perform cached logons onto the laptops using a username/password combination even if you’ve only ever logged on using smartcards! This is by design: smartcard logons generate a secondary logon that creates an additional lscache entry that contains NTLM credentials….*UNLESS*…

How to identify if your ADCS has issued any certificates with public keys <1024 bits (in preparation for KB2661254)

On August 14th October 14th an update will be released that will by default affect chain validation for public keys that are 1023 bits or less – please read http://blogs.technet.com/b/pki/archive/2012/06/12/rsa-keys-under-1024-bits-are-blocked.aspx and http://blogs.technet.com/b/pki/archive/2012/07/13/blocking-rsa-keys-less-than-1024-bits-part-2.aspx for more details and the MSRC blog on http://blogs.technet.com/b/msrc/archive/2012/06/12/certificate-trust-list-update-and-the-june-2012-bulletins.aspx as well as the IE blog on http://blogs.msdn.com/b/ieinternals/archive/2012/06/13/windows-internet-explorer-block-rsa-key-shorter-than-1024-bits.aspx. The following certutil command can be run against a Windows…

The certificate template requires too many RA signatures

After copying the default Smartcard Logon or Smartcard User certificate template on a Windows 2008 R2 CA server, the template may not show up as selectable during Enroll on Behalf Of operations such as EOBO smartcard enrollment. When you click ‘Show all templates’ you may see the following error message for the template: The certificate template requires…

Controlling CSP selection during autoenrollment through the pKIDefaultCSPs attribute

Now that I’ve switched roles within Microsoft I will also be posting occasionally on the Swedish PFE Platforms blog on http://blogs.technet.com/pfesweplat. Posted http://blogs.technet.com/b/pfesweplat/archive/2012/05/08/controlling-csp-selection-during-autoenrollment-through-the-pkidefaultcsps-attribute.aspx there yesterday.

Cheat sheet for Smartcard Redirection on W2k8 R2 RDP servers

Available Updates for Remote Desktop Services (Terminal Services) in Windows Server 2008 R2: http://support.microsoft.com/kb/2601888. Latest BaseCSP.DLL (as of April 2012): You may wait for up to 30 seconds when you use a smart card to unlock a computer that is running Windows 7 or Windows Server 2008 R2: http://support.microsoft.com/kb/2577550. Latest Winscard.dll (as of April 2012): A…

New hotfix for intermittent OCSP revocation failure issues on domain controllers available

A new hotfix for Cryptnet.dll on Windows Server 2008 R2 has been released which covers a scenario that could cause a Domain Controller (or any service doing frequent revocation checking of certificates, such as NPS or ISA Server) to get into a state where revocation checks started failing. The revocation check failures on the DC would then…

Alternative methods to getting a standalone CA to issue smartcard certificates

We want to implement a smartcard solution but we’re not ready for an implementation internally. We considered implementing a standalone CA to avoid making changes to the Configuration partition, but as it isn’t able to issue smartcard certificates we’re now considering a 3rd party solution instead. A standalone CA can actually issue smartcard logon certificates…