A Windows XP help forum. PCbanter


VPN, Smart Card, Kerberos



 
 
  #1  
Old September 26th 08, 07:54 PM posted to microsoft.public.windowsxp.security_admin
John McNamee
external usenet poster
 
Posts: 3
Default VPN, Smart Card, Kerberos

My corporate VPN requires a Smart Card (USB security token) for remote
access. This works fine. The problem is that this card is only intended for
VPN, and doesn't work for Windows Logon or domain authentication.

If I leave the Smart Card inserted after the VPN starts, the first access to
each remote share takes ~30 seconds, while Windows tries unsuccessfully to
use the card. Eventually it gives up and prompts for a user/password.

If I remove the Smart Card and try to access a share, I get an error 1264:
"The kerberos protocol encountered an error while attempting to utilize the
smartcard subsystem.". The Application event log also gets several "An error
occurred while signing a message using the inserted smart card: Provider
could not perform the action since the context was acquired as silent."
entries.

Is there any way to stop Windows from trying to use the Smart Card to
authenticate network access?

Note: I'm running Windows XP SP3 on a standalone (non-domain member)
system. Any fix needs to be totally on the client. I have no control over
the Smart Card, the VPN server, or the remote server shares.

  #2  
Old September 27th 08, 05:07 AM posted to microsoft.public.windowsxp.security_admin
Allan


"John McNamee" wrote in message
...
My corporate VPN requires a Smart Card (USB security token) for remote
access. This works fine. The problem is that this card is only intended for
VPN, and doesn't work for Windows Logon or domain authentication.

If I leave the Smart Card inserted after the VPN starts, the first access to
each remote share takes ~30 seconds, while Windows tries unsuccessfully to
use the card. Eventually it gives up and prompts for a user/password.

If I remove the Smart Card and try to access a share, I get an error 1264:
"The kerberos protocol encountered an error while attempting to utilize the
smartcard subsystem.". The Application event log also gets several "An error
occurred while signing a message using the inserted smart card: Provider
could not perform the action since the context was acquired as silent."
entries.

Is there any way to stop Windows from trying to use the Smart Card to
authenticate network access?

Note: I'm running Windows XP SP3 on a standalone (non-domain member)
system. Any fix needs to be totally on the client. I have no control over
the Smart Card, the VPN server, or the remote server shares.

You probably need to be an administrator of the remote servers to resolve
this problem.

--
Allan

  #3  
Old September 27th 08, 08:41 AM posted to microsoft.public.windowsxp.security_admin
Anteaus


Try connecting using a command line, for example:

net use x: \\servername\sharename /user:username {password}

This may bypass the smartcard subsystem.

Note that if you make this into a batch file it is inadvisable to include the
password, for obvious reasons.



"John McNamee" wrote:

My corporate VPN requires a Smart Card (USB security token) for remote
access. This works fine. The problem is that this card is only intended for
VPN, and doesn't work for Windows Logon or domain authentication.

If I leave the Smart Card inserted after the VPN starts, the first access to
each remote share takes ~30 seconds, while Windows tries unsuccessfully to
use the card. Eventually it gives up and prompts for a user/password.

If I remove the Smart Card and try to access a share, I get an error 1264:
"The kerberos protocol encountered an error while attempting to utilize the
smartcard subsystem.". The Application event log also gets several "An error
occurred while signing a message using the inserted smart card: Provider
could not perform the action since the context was acquired as silent."
entries.

Is there any way to stop Windows from trying to use the Smart Card to
authenticate network access?

Note: I'm running Windows XP SP3 on a standalone (non-domain member)
system. Any fix needs to be totally on the client. I have no control over
the Smart Card, the VPN server, or the remote server shares.

  #4  
Old September 27th 08, 11:56 AM posted to microsoft.public.windowsxp.security_admin
John McNamee

Thank you for the reply.

This is actually what I've been doing (using IPC$ rather than a specific
share). It's not a bad solution for servers that I use often (those can go
in the batch file), but it's less than ideal for ad-hoc server connections.
I was really hoping there was some way to stop XP from using the Smart Card.


"Anteaus" wrote:

Try connecting using a command line, for example:

net use x: \\servername\sharename /user:username {password}

This may bypass the smartcard subsystem.

Note that if you make this into a batch file it is inadvisable to include the
password, for obvious reasons.
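
The workaround discussed in the posts above (an explicit-credential `net use` to a server's IPC$ share, with no password kept in the batch file), written out as an added example that is not part of any poster's message. The script name, argument order and messages are assumptions; it takes the server as an argument so it also covers ad-hoc connections.

```bat
@echo off
rem Added example, not from the thread: authenticate to a server's IPC$ share
rem with an explicit account before browsing its shares.
rem Usage (hypothetical script name): smbauth.cmd SERVER [DOMAIN\]USER
setlocal

if "%~1"=="" goto usage
if "%~2"=="" goto usage
set "SERVER=%~1"
set "ACCOUNT=%~2"

rem Drop any existing IPC$ connection to this server first. A second
rem connection under a different user name is refused with system error 1219.
rem Output is discarded because "no such connection" is not a failure here.
net use "\\%SERVER%\IPC$" /delete >nul 2>&1

rem The "*" in the password position makes net use prompt for the password,
rem so it is never stored in this file or passed on the command line.
rem /persistent:no keeps the connection from being restored at next logon.
net use "\\%SERVER%\IPC$" * /user:%ACCOUNT% /persistent:no
if errorlevel 1 (
    echo Connection to \\%SERVER% failed.
    exit /b 1
)

echo Authenticated to \\%SERVER% as %ACCOUNT%.
exit /b 0

:usage
echo Usage: %~nx0 SERVER [DOMAIN\]USER
exit /b 2
```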


  #5  
Old September 27th 08, 11:59 AM posted to microsoft.public.windowsxp.security_admin
John McNamee

While I don't control most of the servers I need to connect to, I am an admin
on some of them. A partial solution is better than no solution :-) What can
be done on the server side to fix this?


"Allan" wrote:

You probably need to be an administrator of the remote servers to resolve
this problem.


  #6  
Old September 28th 08, 02:04 AM posted to microsoft.public.windowsxp.security_admin
David H. Lipman

From: "John McNamee"

| Thank you for the reply.

| This is actually what I've been doing (using IPC$ rather than a specific
| share). It's not a bad solution for servers that I use often (those can go
| in the batch file), but it's less than ideal for ad-hoc server connections.
| I was really hoping there was some way to stop XP from using the Smart Card.


I don't have the answer but my guess is LSA and Kerberos authentication and a possible
modification.

The below may be of assistance.

http://technet.microsoft.com/en-us/l.../cc738673.aspx


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


  #7  
Old September 29th 08, 07:32 AM posted to microsoft.public.windowsxp.security_admin
Allan


"John McNamee" wrote in message
news
While I don't control most of the servers I need to connect to, I am an admin
on some of them. A partial solution is better than no solution :-) What can
be done on the server side to fix this?

Sorry, I could not tell you how to fix this from the server side. I would
think that the best solution for users would be an integrated and
standardised approach. I would start at the MSDN smart card reference web
page.
http://msdn.microsoft.com/en-us/libr...42(VS.85).aspx

--
Allan

 




All times are GMT +1.