VPN, Smart Card, Kerberos

Thread starter: John McNamee
My corporate VPN requires a Smart Card (USB security token) for remote
access. This works fine. The problem is that this card is only intended for
VPN, and doesn't work for Windows Logon or domain authentication.

If I leave the Smart Card inserted after the VPN starts, the first access to
each remote share takes ~30 seconds, while Windows tries unsuccessfully to
use the card. Eventually it gives up and prompts for a user/password.

If I remove the Smart Card and try to access a share, I get an error 1264:
"The kerberos protocol encountered an error while attempting to utilize the
smartcard subsystem.". The Application event log also gets several "An error
occurred while signing a message using the inserted smart card: Provider
could not perform the action since the context was acquired as silent."
entries.

Is there any way to stop Windows from trying to use the Smart Card to
authenticate network access?

Note: I'm running Windows XP SP3 on a standalone (non-domain member)
system. Any fix needs to be totally on the client. I have no control over
the Smart Card, the VPN server, or the remote server shares.
 
You probably need to be an administrator of the remote servers to resolve
this problem.
 
Try connecting using a command line, for example:

net use x: \\servername\sharename /user:username {password}

This may bypass the smartcard subsystem.

Note that if you make this into a batch file it is inadvisable to include the
password, for obvious reasons.
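One way to turn that suggestion into a reusable script without storing the password, as an added example that is not part of the thread: the server name is passed as an argument, and the trailing `*` makes `net use` prompt for the password interactively. The script name `connect.cmd` is assumed.

```batch
@echo off
rem Added example (not from the thread): connect to IPC$ on a server given
rem on the command line, prompting for the password so it never sits in the file.
rem Usage: connect.cmd servername [username]
setlocal
if "%~1"=="" (
    echo Usage: %~nx0 servername [username]
    exit /b 1
)
set "SERVER=%~1"
set "USER_TO_USE=%~2"
if "%USER_TO_USE%"=="" set "USER_TO_USE=%USERNAME%"

rem Drop any stale session to this server first; otherwise net use reports
rem error 1219 (multiple connections) when a different credential is tried.
net use \\%SERVER%\IPC$ /delete >nul 2>&1

rem The trailing * makes net use prompt for the password instead of taking
rem it from the command line or this file.
net use \\%SERVER%\IPC$ /user:%USER_TO_USE% *
if errorlevel 1 (
    echo Connection to \\%SERVER% failed.
    exit /b 1
)
echo Session to \\%SERVER% established; its shares can now be opened.
endlocal
```

Because the session is authenticated with the supplied username and password, later access to shares on that server reuses it instead of going through the smart card prompt.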
 
Thank you for the reply.

This is actually what I've been doing (using IPC$ rather than a specific
share). It's not a bad solution for servers that I use often (those can go
in the batch file), but it's less than ideal for ad-hoc server connections.
I was really hoping there was some way to stop XP from using the Smart Card.
 
I don't have the answer but my guess is LSA and Kerberos authentication and a possible
modification.

The below may be of assistance.

http://technet.microsoft.com/en-us/library/cc738673.aspx
 
John McNamee said:
While I don't control most of the servers I need to connect to, I am an admin
on some of them. A partial solution is better than no solution :-) What can
be done on the server side to fix this?
Sorry, I could not tell you how to fix this from the server side. I would
think that the best solution for users would be an integrated and
standardised approach. I would start at the MSDN smart card reference web
page.
http://msdn.microsoft.com/en-us/library/aa380142(VS.85).aspx
 