Custom smartcard and remote desktop client error ERROR_SMARTCARD_SUBSYSTEM_FAILURE

  • Question

  • I have developed a custom read-only virtual smartcard. The solution includes both a reader and a minidriver.

    The smartcard passes a lot of tests. These include, but are not limited to:
    1. Certutil.exe -scinfo
    2. Cmck.exe from Windows Hardware Certification Kit
    3. LsaLogonUser API with KERB_SMART_CARD_LOGON
    4. Smartcard logon onto a remote computer using non-NLA (legacy) mode

    The problem is that it does not work with remote desktop client (mstsc.exe) in NLA mode.

    When launched, the RDP client enumerates readers and smartcards, then displays the logon UI prompt and asks for the smartcard PIN. After the PIN is provided and the credential tile is submitted, the expected communication with the reader and minidriver starts to happen from both mstsc.exe and lsass.exe. However, no calls to CardSignData or CardRSADecrypt are made, and the client finally fails with the message "The Kerberos protocol encountered an error while attempting to utilize the smartcard subsystem", which corresponds to ERROR_SMARTCARD_SUBSYSTEM_FAILURE.

    I have pretty verbose logging in my code, and what puzzles me a lot is that neither the reader nor the minidriver returns errors during this run. The Windows event log does not provide any hints either.

    Technet suggests [1] using WPP tracing on several system components, but it does not seem to be useful, as MS does not provide the corresponding TMF files to decode the binary logging files. I may be mistaken here, as I have little experience in this area.

    Have you had similar problems, or do you perhaps have an idea of what could be done to understand the cause of the error?

    [1] https://technet.microsoft.com/en-us/library/ff404296%28v=ws.10%29.aspx

    Tuesday, July 14, 2015 9:45 AM