From: Igor Jovanovski on 20 Apr 2010 08:44

We have a cascading GINA that supports a proprietary SmartCard logon for XP and 2003. Now it also needs to support this SmartCard logon on Terminal Services and Citrix. The problem I am having and don't fully understand is that the SmartCard removal on a re-connected session is not recognized. First let me explain what I know and have observed so far.

Environment:
- Windows 2003 32 bit (SRV) where our GINA is installed
- XP Pro SP3 32 bit (XP1)
- XP Pro SP3 32 bit (XP2)

(the following scenarios are similar for TS and Citrix)

- XP1: start mstsc.exe (NOT mstsc.exe /admin) and connect to SRV via our proprietary SC logon. New session "A" is created. Remove the card and the workstation locks.
- XP2: start mstsc.exe (NOT mstsc.exe /admin) and the temporary session "B" is created. Authenticate again via the proprietary SC logon. Somewhere at this point WlxDisconnectNotify is called on session "A", session "B" ends, and session "A" Winlogon calls WlxReconnectNotify. So far, so good.

Now when I remove the card on XP2 the workstation does not lock, because session "A" does not know that it should monitor the card: session "B", which performed the SmartCard logon, did not "tell" it the SC reader name to monitor (our GINA has its own thread for SC removal monitoring).

I know that there is the function WlxGetConsoleSwitchCredentials, but it never gets called (neither on session "A" nor on session "B"). Is this function only for console sessions (the ones started by mstsc.exe /admin and the ones towards XP)? I tried an RDP console session to the 2003 server but it still does not get called. Could it be that it is only used when doing a remote desktop to an XP system, because there the switch between the console and the non-console session occurs? I have read that WlxQueryConsoleSwitchCredentials should be called from WlxLoggedOutSAS when WLX_SAS_TYPE_AUTHENTICATED gets sent, but I am not getting that SAS type at all (in both sessions).

How can I tell session "A" from session "B" that it is now accessed from another workstation and that there is a new SC reader to monitor for removal? I was hoping for the WLX_CONSOLESWITCH_CREDENTIALS_INFO_V1_0's PrivateData member, but as already mentioned I am not sure under what circumstances it is available. Any light on this issue would be highly appreciated. I.J.
From: Igor Jovanovski on 26 Apr 2010 05:01
I did browse the internet pretty much on this topic these days but could not find this particular issue discussed anywhere, so does anybody have advice on how the communication between the sessions/GINAs can be done?

When I instead use the Microsoft native SmartCard CSP Kerberos logon, the monitoring of the SmartCard is somehow handed over from the temporary session used to log in the user to the session that was created during the very first logon. Then when the user removes the card the session locks or disconnects. So this session has somehow received the information that it was a SmartCard logon, and probably also the reader name, so that it knows which SmartCard reader to monitor.

How can I let the GINA in session "A" know that there was a logon with a SmartCard in temporary session "B", so that session "A" continues monitoring that card? Are WlxDisconnectNotify, WlxReconnectNotify and WlxGetConsoleSwitchCredentials meant for that, or are they only meaningful for console sessions (like an RDP to XP)? IJ