Discussion:
CLM Offline unblock
Tim Humphrey
2008-10-29 19:24:24 UTC
We are setting up a pilot CLM 2007 FP1 environment. We have obtained a
Microsoft Base CSP compliant Smart Card. We have successfully configured a
Smart Card profile with the appropriate CA template. We have defined all of
the CLM roles with the appropriate accounts/groups. We have deployed the
Microsoft Base CSP, Smartcard mini-driver, and the CLM client to an XP and
Vista SP1 workstation. We have configured an Unblock and Offline Unblock
policy on our Smart Card profile.

All that to say we can login with a CLM-issued smart card successfully on
XP. We are unable to perform an offline unblock on XP. We are having
problems getting Vista to write to the smart card. It keeps indicating that
"Not a valid Base CSP smart card" when we try to deploy a certificate to the
card through CLM. If we take the Smart Card we deployed to the XP machine
and stick it in the reader on the Vista machine it says there are no
certificates found on the smart card.

What should happen when a blocked card gets put into a system for logon at
the Ctrl+Alt+Del prompt? Is there anything other than configuring the
Offline Unblock policy on the CLM profile we are using for the smart card
that needs to be done? Should the UI on client machine pop up a dialog box
for the Challenge response?

We are using the limited information Microsoft TechNet Library for CLM
(Configuring Profile Templates and Installing and Configuring Certificate
Lifecycle Manager 2007 Client ). There just doesn't seem to be any
information out there on how to configure this and verify that it is
working.

I appreciate any help anyone can provide in directing me to answers to these
questions.

Tim
Paul Adare
2008-10-29 21:33:16 UTC
Post by Tim Humphrey
We are setting up a pilot CLM 2007 FP1 environment. We have obtained a
Microsoft Base CSP compliant Smart Card. We have successfully configured a
Smart Card profile with the appropriate CA template. We have defined all of
the CLM roles with the appropriate accounts/groups. We have deployed the
Microsoft Base CSP, Smartcard mini-driver, and the CLM client to an XP and
Vista SP1 workstation. We have configured an Unblock and Offline Unblock
policy on our Smart Card profile.
All that to say we can login with a CLM-issued smart card successfully on
XP. We are unable to perform an offline unblock on XP.
Offline unblock is only supported on Vista and above. If you need offline
unblock on XP you're going to have to write your own GINA extension.
Post by Tim Humphrey
We are having
problems getting Vista to write to the smart card. It keeps indicating that
"Not a valid Base CSP smart card" when we try to deploy a certificate to the
card through CLM. If we take the Smart Card we deployed to the XP machine
and stick it in the reader on the Vista machine it says there are no
certificates found on the smart card.
What card, what reader? What happens if you run certutil -scinfo at a
command prompt on the Vista box with the card in the reader?
Post by Tim Humphrey
What should happen when a blocked card gets put into a system for logon at
the Ctrl+Alt+Del prompt? Is there anything other than configuring the
Offline Unblock policy on the CLM profile we are using for the smart card
that needs to be done? Should the UI on client machine pop up a dialog box
for the Challenge response?
As above, nothing is going to happen on an XP system. For Vista, there are
two group policy settings, one you must enable, the second is optional. The
mandatory one is:

Computer Configuration\Administrative Templates\Windows Components\Smart
Card\Allow Integrated Unblock screen to be displayed at the time of logon

The optional one is:

Computer Configuration\Administrative Templates\Windows Components\Smart
Card\Display string when smart card is blocked.
--
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
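Added by the editor, not part of Paul's reply: a short PowerShell check that reads back the two group policy settings he names (via the registry values they write, which is my own reading of the SmartCardCredentialProvider ADMX and an assumption, not something the thread states) and then runs the `certutil -scinfo` command he asks for, so the policy state and the card/reader state can be captured in one pass on the Vista box.

```powershell
# Added verification script (not from the thread). Reports whether the two
# Vista group policy settings under
#   Computer Configuration\Administrative Templates\Windows Components\Smart Card
# have been applied on this machine, then runs certutil -scinfo so the
# card/reader state can be read alongside the policy state.
# ASSUMPTION: the registry key and value names below are my reading of
# SmartCardCredentialProvider.admx; verify against the ADMX on your system.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider'

function Get-PolicyValue {
    param([string]$Name)
    if (-not (Test-Path $policyKey)) { return $null }
    $item = Get-ItemProperty -Path $policyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Mandatory setting: "Allow Integrated Unblock screen to be displayed at the time of logon"
$allowUnblock = Get-PolicyValue -Name 'AllowIntegratedUnblock'
# Optional setting: "Display string when smart card is blocked"
$promptString = Get-PolicyValue -Name 'IntegratedUnblockPromptString'

if ($allowUnblock -eq 1) {
    Write-Host 'Integrated unblock policy: ENABLED (unblock screen offered at logon for a blocked card)'
} else {
    Write-Host 'Integrated unblock policy: NOT SET or DISABLED (no challenge/response dialog at logon)'
}

if ($promptString) {
    Write-Host "Custom blocked-card string: '$promptString'"
} else {
    Write-Host 'Custom blocked-card string: not configured (default text will be shown)'
}

# certutil -scinfo lists readers, card status and any certificates the
# Base CSP can read; "no certificates found" or a CSP error here points at
# the card/minidriver rather than at CLM or the policy.
Write-Host ''
Write-Host '--- certutil -scinfo ---'
certutil -scinfo
```

Run it in an elevated PowerShell session with the card in the reader; if the policy reports NOT SET right after the GPO was edited, `gpupdate /force` and a reboot are the usual reasons, since the setting is read by the credential provider at logon.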
Jorge de Almeida Pinto [MVP - DS]
2008-10-29 22:43:17 UTC
Windows XP does not contain an option at the logon screen to offline unblock
as Vista does. In Vista that option needs to be enabled first in a GPO
setting.
For Windows XP however, there is a way to offline unblock, but it is for
sure not as pretty as in Vista. For XP you could do the following:
Log on as a LOCAL account on the XP machine which has been locked down all
over the place. The only thing that locked down account should be able to do
is execute a tool called PINTOOL (included in the Base CSP). With that tool
you are able to do the challenge/response thing and enter a new PIN.

Like I said, not as pretty as in Vista!
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
Post by Tim Humphrey
We are setting up a pilot CLM 2007 FP1 environment. We have obtained a
Microsoft Base CSP compliant Smart Card. We have successfully configured
a Smart Card profile with the appropriate CA template. We have defined
all of the CLM roles with the appropriate accounts/groups. We have
deployed the Microsoft Base CSP, Smartcard mini-driver, and the CLM client
to an XP and Vista SP1 workstation. We have configured an Unblock and
Offline Unblock policy on our Smart Card profile.
All that to say we can login with a CLM-issued smart card successfully on
XP. We are unable to perform an offline unblock on XP. We are having
problems getting Vista to write to the smart card. It keeps indicating
that "Not a valid Base CSP smart card" when we try to deploy a certificate
to the card through CLM. If we take the Smart Card we deployed to the XP
machine and stick it in the reader on the Vista machine it says there are
no certificates found on the smart card.
What should happen when a blocked card gets put into a system for logon at
the Ctrl+Alt+Del prompt? Is there anything other than configuring the
Offline Unblock policy on the CLM profile we are using for the smart card
that needs to be done? Should the UI on client machine pop up a dialog
box for the Challenge response?
We are using the limited information Microsoft TechNet Library for CLM
(Configuring Profile Templates and Installing and Configuring Certificate
Lifecycle Manager 2007 Client ). There just doesn't seem to be any
information out there on how to configure this and verify that it is
working.
I appreciate any help anyone can provide in directing me to answers to
these questions.
Tim