systems_mitsui
Smart card logon and SSL-VPN issue

Dear all

I'm having the following weird issue.
When connected to the network, users can log on using their smart card and access all resources without problem.
When logging on to a PC, disconnected from the network, with their smart card and using SSL-VPN (with Network Connect), the PC gets authenticated, but the user cannot access any resources.  If the user simply uses UserID and password to connect to that PC, there is no problem.
Smart card used: RSA SID800.
RSA Authenticator Utility is installed on all PCs.

Anyone an idea on how to fix this annoying issue?

Kind regards
Paranormastic

Not sure what you are using specifically, but here is the guide for MS products - does this match up with how things were set up?
http://technet.microsoft.com/en-us/library/cc875840.aspx

What products are you using for this?
systems_mitsui

ASKER

Hi Paranormastic

The weird thing is: sometimes it does work.  So I can only assume the environment is set up correctly.

Kind regards.

Paranormastic

Could you provide a little more background info, please?

- You already provided this: Smart card used: RSA SID800.
RSA Authenticator Utility is installed on all PCs.

- What VPN solution is being used?  Is it a straight VPN or a web VPN (VPN through a browser session)?

- Are VPN users connecting via company issued laptops or from their home desktops?

- Have you been able to determine if there are any commonalities in the working vs. non-working users?  For example, different departments that may have had different GPO assigned, different hardware, different OS (xp vs. vista, etc.).

- Have the users logged into their workstation with the smartcard directly on the LAN instead of VPN prior to using for VPN?  Was this done on the same laptop, etc. or different?

- Are there any environment considerations - by this I mean are the problems happening if they log in from a hotel, internet cafe, etc. but not from home?

- Does the username format matter when you try logging in using password credentials?  Try: domain\username (UNC), username@domain.local (UPN), and username (basic - no domain specified).  These actually get handled differently by windows sometimes - out of habit we usually type in just the basic or UNC format username, but smartcards using certs tend to submit the UPN - this is not a universal statement, so your results may vary, but this is the generality.

- This is a little complex, but try to stick with me here.  Are there multiple GINA DLLs installed?  It is common for the smartcard to have a GINA, and some VPN software may also have a GINA - these are usually both just stubs.  Also, products like Citrix and Entrust may have full GINA replacements.  Anyways, check this registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
The primary GINA will be entered under the GinaDLL string here.  Assuming this is populated, you will need to figure out from the file name/path of the value who owns this value.  From that, in this same area of the registry, you need to extrapolate (guess) what the vendor calls their proprietary string to chain to the next GINA DLL.  From what I can find, the RSA GINA is bcgina.dll - this should be the value for GinaDLL (including file path).  Typically the vendor will use a similar name for their own GINA child entry, so look for a string called bcgina with another DLL for the value.  Normally the smartcard GINA should come first, then VPN, then a full GINA like Citrix/Entrust (default is Microsoft's, which will not show up here).  Scan through this whole screen carefully and see what looks like it might be one of these.

- From a quick look, the RSA token you have can be used as a smartcard or as a number-code based RSA token?  Is there a difference if you connect using one way vs. the other (or is the code based method the username/password method you mentioned)?
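The GINA-chain check above is easy to get wrong by hand when several vendors have touched the Winlogon key. The script below is an added example (not code from this thread, RSA, or any VPN vendor) that applies the rule Paranormastic describes mechanically: read GinaDLL, take the DLL's base name, look for a value of that name, and follow it until the chain ends, loops, or gets suspiciously long. It parses the text printed by `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"` so it runs anywhere; the sample output embedded here is constructed, and everything in it other than GinaDLL and bcgina.dll (the ExampleVPN path, vpngina.dll, fullgina.dll) is a hypothetical placeholder. On a real XP box you would paste in the actual `reg query` output instead.

```python
"""Follow the GINA chain recorded under the Winlogon registry key.

Added example for the thread above, not vendor code. Input is the text that
`reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"`
prints; both the space-padded and tab-separated variants of that output are
accepted. The sample below is constructed, not captured from a real machine.
"""
import ntpath
import re

# Constructed `reg query` output. bcgina.dll is the RSA stub GINA named in
# the thread; the VPN and "full" GINA entries that follow are hypothetical
# placeholders standing in for whatever a real vendor installs.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    DefaultDomainName    REG_SZ    CORP
    GinaDLL    REG_SZ    C:\Program Files\RSA Security\bcgina.dll
    bcgina    REG_SZ    C:\Program Files\ExampleVPN\vpngina.dll
    vpngina    REG_SZ    C:\WINDOWS\system32\fullgina.dll
    Shell    REG_SZ    explorer.exe
"""

# One registry value per line: <name> <REG_type> <data>
VALUE_LINE = re.compile(r"^\s*(\S+)\s+(REG_\w+)\s+(.*?)\s*$")


def parse_reg_query(text):
    """Return {value_name: data} for every REG_* value line in the output."""
    values = {}
    for line in text.splitlines():
        if line.strip().startswith("HKEY_"):
            continue  # key path header, not a value
        m = VALUE_LINE.match(line)
        if m:
            values[m.group(1)] = m.group(3)
    return values


def walk_gina_chain(values, max_depth=8):
    """Follow GinaDLL -> <dll base name> -> next DLL -> ... as the post describes.

    Returns (chain, status). status is one of:
      'default'    - no GinaDLL value, so Microsoft's msgina.dll is in use
      'terminated' - the last DLL has no child entry; chain is complete
      'loop'       - a DLL base name repeats; Winlogon would never finish
      'truncated'  - more than max_depth hops; almost certainly misconfigured
    Registry value names are case-insensitive, so lookups are too.
    """
    lower = {name.lower(): data for name, data in values.items()}
    chain = []
    current = lower.get("ginadll")
    if current is None:
        return chain, "default"
    seen = set()
    while current is not None:
        base = ntpath.splitext(ntpath.basename(current))[0].lower()
        if base in seen:
            return chain, "loop"
        seen.add(base)
        chain.append(current)
        if len(chain) >= max_depth:
            return chain, "truncated"
        # The vendor's child entry is assumed to be named after its own DLL,
        # e.g. bcgina.dll -> value "bcgina"; that convention is a guess, as
        # the post says, so a missing child simply ends the chain.
        current = lower.get(base)
    return chain, "terminated"


def describe(text):
    """Human-readable summary of the chain found in one reg query dump."""
    chain, status = walk_gina_chain(parse_reg_query(text))
    lines = [f"GINA chain status: {status}"]
    for hop, dll in enumerate(chain, start=1):
        lines.append(f"  {hop}. {dll}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(SAMPLE_REG_QUERY))
```

The ordering the post recommends (smartcard stub first, VPN stub next, full replacement last) can be checked by eye from the printed hops; a `loop` or `truncated` result means Winlogon is pointed at a chain that will never reach a real GINA, which is worth fixing before chasing the VPN side.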
systems_mitsui

ASKER

Hi Paranormastic

- Company issued laptops.
- Web based VPN
- Users log on to the laptop when it's not connected to the LAN (using cached credentials).
- When the problem occurs it does not matter where the user is.
- Username format does not matter.
- Smart card is used as logon to PC.  Number code is used for access to the VPN.
- As we use XP clients, the default Windows GINA is used.
ASKER CERTIFIED SOLUTION
Paranormastic