SmartCard removal monitoring in GINA under Terminal Services / Citrix

  • Thread starter Thread starter Igor Jovanovski
  • Start date Start date
I

Igor Jovanovski

We have a cascading GINA that supports a proprietery SmartCard logon
for XP and 2003. Now it needs also to support this SmartCard logon on
Terminal Services and Citrix.
The problem I am having and don't fully understand is that the
SmartCard removal on a re-connected session is not recognized. First
let me explain what I know and observed so far:
Environment:
Windows 2003 32 bit (SRV) where our GINA is installed
XP Pro SP3 32 bit (XP1)
XP Pro SP3 32 bit (XP2)
(the follwoing described scenarios are similar for TS and Citrix)
- XP1:
start mstsc.exe (NOT mstsc.exe /admin) and connect to SRV via our
proprietery SC logon.
New Session "A" is created.
Remove the card and the Workstation locks.
- XP2:
start mstsc.exe (NOT mstsc.exe /admin) and the temporary session "B"
is created.
Authenticate again via the proprietery SC logon.
Somewhere at this point WlxDisconnectNotify is called on session "A",
session "B" ends, and session "A" Winlogon calls WlxReconnectNotify.

so far, so good. Now when I remove the card on XP2 the workstation
does not locks because Session "A" does not know that it should
monitor the card because session "B" that performed that SmartCard
logon did not "tell" it the SC reader name to monitor (our GINA has
its own thread for SC removal monitoring).
I know that there is the function WlxGetConsoleSwitchCredentials but
it never gets called (neither on session "A" nor on session "B").
Is this function only for console-sessions (the ones started by
mstsc.exe /admin and the ones towards XP)? I tried a RDP console
session to the 2003 server but it still does not gets called. Could it
be that it is only used when doing a remote desktop to an XP system
because there the switch between the console and the non-console
session occurs?
I have read that WlxQueryConsoleSwitchCredentials should be called
from WlxLoggedOutSAS when WLX_SAS_TYPE_AUTHENTICATED gets sent, but I
am not getting that SAS type at all (both sessions).
How can I tell session "A" from session "B" that it is now accessed
from another workstation and there is a new SC reader to monitor for
removal? I was hopeing for the
WLX_CONSOLESWITCH_CREDENTIALS_INFO_V1_0's PrivateData member but as
already mentioned I am not sure under what circumstances is this
available.

Any light on this issue would be highly appriciated.
I.J.
 
I did browse the internet pretty much on this topic these days but
could not find this particular issue discussed anywhere,
so anybody having an advice how the communication between the sessions/
GINa-s can be done?

When I instead use the Microsoft native SmartCard CSP Kerberos logon
the monitoring of the Smartcard is somehow handed over from the
temporary session used to login the user to the session that was
created during the very first logon. Then when the user removes the
card the session locks or disconnects. So this session has somehow
received the information that it was a Smartcard logon and probably
also the reader name so that it knows which smartcardreader to
monitor.

How can I let the GINA in the session "A" know that there was a logon
with SmartCard in temporary session "B" so that session "A" continues
monitoring that card?

Are the WlxDisconnectNotify, WlxReconnectNotify and
WlxGetConsoleSwitchCredentials ment for that, or they are only
meaningfull for console sessions (like an RDP to XP)?

IJ
 
Back
Top