If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. |
|
|
Thread Tools | Display Modes |
#1
|
|||
|
|||
VPN, Smart Card, Kerberos
My corporate VPN requires a Smart Card (USB security token) for remote
access. This works fine. The problem is that this card is only intended for VPN, and doesn't work for Windows Logon or domain authentication. If I leave the Smart Card inserted after the VPN starts, the first access to each remote share takes ~30 seconds, while Windows tries unsuccessfully to use the card. Eventually it gives up and prompts for a user/password. If I remove the Smart Card and try to access a share, I get an error 1264: "The kerberos protocol encountered an error while attempting to utilize the smartcard subsystem.". The Application event log also gets several "An error occurred while signing a message using the inserted smart card: Provider could not perform the action since the context was acquired as silent." entries. Is there any way to stop Windows from trying to use the Smart Card to authenticate network access? Note: I'm running Windows XP SP3 on a standalone (non-domain member) system. Any fix needs to be totally on the client. I have no control over the Smart Card, the VPN server, or the remote server shares. |
Ads |
#2
|
|||
|
|||
VPN, Smart Card, Kerberos
"John McNamee" wrote in message ... My corporate VPN requires a Smart Card (USB security token) for remote access. This works fine. The problem is that this card is only intended for VPN, and doesn't work for Windows Logon or domain authentication. If I leave the Smart Card inserted after the VPN starts, the first access to each remote share takes ~30 seconds, while Windows tries unsuccessfully to use the card. Eventually it gives up and prompts for a user/password. If I remove the Smart Card and try to access a share, I get an error 1264: "The kerberos protocol encountered an error while attempting to utilize the smartcard subsystem.". The Application event log also gets several "An error occurred while signing a message using the inserted smart card: Provider could not perform the action since the context was acquired as silent." entries. Is there any way to stop Windows from trying to use the Smart Card to authenticate network access? Note: I'm running Windows XP SP3 on a standalone (non-domain member) system. Any fix needs to be totally on the client. I have no control over the Smart Card, the VPN server, or the remote server shares. You probably need to be an administrator of the remote servers to resolve this problem. -- Allan |
#3
|
|||
|
|||
VPN, Smart Card, Kerberos
Try connecting using a commandline, for example: net use x: \\servername\sharename /user:username {password} This may bypass the smartcard susbsystem. Note that if you make this into a batchfile it is inadvisable to include the password, for obvious reasons. "John McNamee" wrote: My corporate VPN requires a Smart Card (USB security token) for remote access. This works fine. The problem is that this card is only intended for VPN, and doesn't work for Windows Logon or domain authentication. If I leave the Smart Card inserted after the VPN starts, the first access to each remote share takes ~30 seconds, while Windows tries unsuccessfully to use the card. Eventually it gives up and prompts for a user/password. If I remove the Smart Card and try to access a share, I get an error 1264: "The kerberos protocol encountered an error while attempting to utilize the smartcard subsystem.". The Application event log also gets several "An error occurred while signing a message using the inserted smart card: Provider could not perform the action since the context was acquired as silent." entries. Is there any way to stop Windows from trying to use the Smart Card to authenticate network access? Note: I'm running Windows XP SP3 on a standalone (non-domain member) system. Any fix needs to be totally on the client. I have no control over the Smart Card, the VPN server, or the remote server shares. |
#4
|
|||
|
|||
VPN, Smart Card, Kerberos
Thank you for the reply.
This is actually what I've been doing (using IPC$ rather than a specific share). It's not a bad solution for servers that I use often (those can go in the batch file), but it's less than ideal for ad-hoc server connections. I was really hoping there was some way to stop XP from using the Smart Card. "Anteaus" wrote: Try connecting using a commandline, for example: net use x: \\servername\sharename /user:username {password} This may bypass the smartcard susbsystem. Note that if you make this into a batchfile it is inadvisable to include the password, for obvious reasons. |
#5
|
|||
|
|||
VPN, Smart Card, Kerberos
While I don't control most of the servers I need to connect to, I am an admin
on some of them. A partial solution is better than no solution :-) What can be done on the server side to fix this? "Allan" wrote: You probably need to be an administrator of the remote servers to resolve this problem. |
#6
|
|||
|
|||
VPN, Smart Card, Kerberos
From: "John McNamee"
| Thank you for the reply. | This is actually what I've been doing (using IPC$ rather than a specific | share). It's not a bad solution for servers that I use often (those can go | in the batch file), but it's less than ideal for ad-hoc server connections. | I was really hoping there was some way to stop XP from using the Smart Card. I don't have the answer but my guess is LSA and Kerberos authentication and a possible modification. The below may be of assistance. http://technet.microsoft.com/en-us/l.../cc738673.aspx -- Dave http://www.claymania.com/removal-trojan-adware.html Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp |
#7
|
|||
|
|||
VPN, Smart Card, Kerberos
"John McNamee" wrote in message news While I don't control most of the servers I need to connect to, I am an admin on some of them. A partial solution is better than no solution :-) What can be done on the server side to fix this? Sorry, I could not tell you how to fix this from the server side. I would think that the best solution for users would be an integrated and standardised approach. I would start at the MSDN smart card reference web page. http://msdn.microsoft.com/en-us/libr...42(VS.85).aspx -- Allan |
Thread Tools | |
Display Modes | |
|
|