Custom Credential provider supporting Smart card authentication facing issues in SCardEstablishContext

  • Question

  • Hi,
     
    We have a custom credential provider which supports login based on smart card authentication. We are facing an issue with Fast User Switching where the application functionality breaks on Vista/Win 7/Win2k8. The issue is described below.
     
    Scenario
    1> User1 logs in to the system using the smart card.
    2> User1 clicks "Switch User" and comes to the logon screen.
    3> Here User1 selects his own logged on session and enters the PIN for the smart card.
     
    In the above scenario, we impersonate the logged on user for the particular session. After successful impersonation we call SCardEstablishContext to start the authentication process, but the call to the API fails with error code 0x5 (Access denied). The user has sufficient privileges. The exact same code path is executed for the workstation unlock scenario and the call succeeds.
     
    Other Data
    1> Impersonation cannot be removed as this is required for other features of the product.
    2> If we do not impersonate, the call succeeds as LOGONUI process is running as SYSTEM.
    3> As far as we understand, the unlock scenario is similar to the above switch user scenario and the same code path is executed.
    4> This happens for both admin as well as non-admin users.
    5> Since LOGONUI does not have the SeTcbPrivilege, we cannot use WTSQueryUserToken. We instead enumerate processes running on the interactive user's desktop and copy the user token handle off one of those processes.
    6> The Smart Card service is running as LocalService on the system.
    Any guidance/data that would help us in resolving the issue would be really great.
    Thanks,
    Abhishek Prasad
    Saturday, November 12, 2011 7:34 AM

All replies

  • Hi,
     
    We have a custom credential provider which supports login based on smart card authentication. We are facing an issue with Fast User Switching where the application functionality breaks on Vista/Win 7/Win2k8. The issue is described below.
     
    Scenario
    1> User1 logs in to the system using the smart card.
    2> User1 clicks "Switch User" and comes to the logon screen.
    3> Here User1 selects his own logged on session and enters the PIN for the smart card.
     
    In the above scenario, we impersonate the logged on user for the particular session. After successful impersonation we call SCardEstablishContext to start the authentication process, but the call to the API fails with error code 0x5 (Access denied). The user has sufficient privileges. The exact same code path is executed for the workstation unlock scenario and the call succeeds.
     
    Other Data
    1> Impersonation cannot be removed as this is required for other features of the product.
    2> If we do not impersonate, the call succeeds as LOGONUI process is running as SYSTEM.
    3> As far as we understand, the unlock scenario is similar to the above switch user scenario and the same code path is executed.
    4> This happens for both admin as well as non-admin users.
    5> Since LOGONUI does not have the SeTcbPrivilege, we cannot use WTSQueryUserToken. We instead enumerate processes running on the interactive user's desktop and copy the user token handle from one of those processes.
    6> The Smart Card service is running as LocalService on the system.
    7> I have also tried the steps mentioned at http://blogs.msdn.com/b/alejacma/archive/2011/05/19/scardestablishcontext-fails-with-scard-e-no-service-error.aspx but it did not help.
    Any guidance/data that would help us in resolving the issue would be really great.
    Thanks,
    Abhishek Prasad
    • Merged by Jie Bao, Tuesday, November 15, 2011 3:21 AM (duplicate)
    Monday, November 14, 2011 6:53 AM