On 6/19/2012 8:30 AM, Brian Thomas wrote:
> Hello Everybody,
>
> My company is developing a laptop running Windows XP SP3 which will be
> joined to a Windows Server Enterprise 2008 RC2 domain controller in the
> field. A minidriver has been implemented to provide an interface to the
> Athena ASE smartcard formatted with the PKCS#15 profile.

Is this the OpenSC minidriver? Is it signed?

> For our laptop
> recovery image, we basically take the original Windows XP CD, perform
> some minor customization, then seal it using SysPrep. When the new
> image is installed on the laptop, the user is presented with the Windows
> XP First Run Wizard. The user can successfully join the domain at this
> point using an administrator account with password authentication. The
> problem occurs at first login--when the system boots, users cannot
> authenticate to the system using their smart cards. The following error
> is presented: "Your credentials cannot be verified". If during the
> creation of the recovery image--sysprep is not used to seal the image;
> the domain can be joined and smart card authentication does work. Has
> anybody ever encountered any issue such as this or know what could
> possibly be causing this issue?

Since no one has answered your question, I will just make some comments.
I have no experience with SysPrep, but use OpenSC on Windows.

It sounds like sysprep is removing something, which could be the
minidriver, if it is not signed. It could also be removing the
registry entries used by the minidriver.

Some things to try after login using a password with the user or admin.
Then with the card plugged in:

(1) See if the "Internet Options" can read the user's certificates
    on the card.

(2) Then in a cmd window try:

      runas /smartcard /user:user@domain cmd.exe

    or

      runas /smartcard /user:user@domain /netonly cmd.exe

    to see if smart card login works at all.

If during your tests, you are testing before the image is created,
with a card, then after a new image is created you are testing with
the same card, it could be that the user's certificate or CA certificates
have been saved in the cert store in the image. SysPrep would most likely
clean these out and remove any local users when you do a seal.

It could also be your minidriver is not handling login correctly,
as it needs to read certificates off the card before the user logs in.

>
> Thanks,
>
> Brian Thomas
> _______________________________________________
> opensc-devel mailing list
> opensc-devel@lists.opensc-project.org
> http://www.opensc-project.org/mailman/listinfo/opensc-devel
>
>

--
Douglas E. Engert <deeng...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
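
One way to test the two possibilities raised in the reply above (minidriver DLL removed or unsigned, or its registry entries removed by the seal), as an added example that is not part of the original message or of OpenSC. It assumes PowerShell is installed on the image and that the minidriver is registered under the standard Base CSP key `Calais\SmartCards`, with the DLL name in the `80000001` value.

```powershell
# Added example (not from the thread). Run on a working image and on the
# sysprep-sealed image, then compare the two outputs.
# Assumption: the minidriver is registered under the standard Calais key.
$calais = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards'

if (-not (Test-Path $calais)) {
    Write-Output "Registry key missing: $calais"
    return
}

Get-ChildItem $calais | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath
    $dll   = $props.'80000001'   # value holding the minidriver DLL name

    # The value may be a bare file name (loaded from System32) or a full path.
    $path = $null
    if ($dll) {
        if ([System.IO.Path]::IsPathRooted($dll)) { $path = $dll }
        else { $path = Join-Path (Join-Path $env:SystemRoot 'System32') $dll }
    }

    # ATR bytes as hex, so the entry can be matched to the card in use.
    $atr = ''
    if ($props.ATR) {
        $atr = ($props.ATR | ForEach-Object { '{0:X2}' -f $_ }) -join ''
    }

    $present = $false
    $sig     = 'n/a'
    if ($path -and (Test-Path $path)) {
        $present = $true
        # Reports the embedded Authenticode signature; a DLL signed only via
        # a catalog file may show NotSigned on older PowerShell versions.
        $sig = (Get-AuthenticodeSignature -FilePath $path).Status
    }

    New-Object PSObject -Property @{
        Card           = $_.PSChildName
        CryptoProvider = $props.'Crypto Provider'
        ATR            = $atr
        MinidriverDll  = $path
        DllPresent     = $present
        Signature      = $sig
    }
} | Format-List
```

A card entry that appears on the working image but is absent, or shows `DllPresent : False`, on the sealed image points at the seal step rather than at the domain or the card.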