Smart card logon and SSL-VPN issue

Posted on 2009-04-29
Last Modified: 2012-05-06
Dear all

I'm having the following weird issue.
When connected to the network, users can log on using their smart card and access all resources without problem.
When logging on to a PC that is disconnected from the network, with their smart card and using SSL-VPN (with Network Connect), the PC gets authenticated, but the user cannot access any resources.  If the user simply uses UserID and password to connect to that PC, there is no problem.
Smart card used: RSA SID800.
RSA Authenticator Utility is installed on all PCs.

Anyone an idea on how to fix this annoying issue?

Kind regards
Question by: systems_mitsui

Expert Comment

ID: 24264416
Not sure what you are using specifically, but here is the guide for MS products - does this match up with how things were set up?

What products are you using for this?

Author Comment

ID: 24268508
Hi Paranormastic

The weird thing is: sometimes it does work.  So I can only assume the environment is set up correctly.

Kind regards.

Expert Comment

ID: 24271051
Could you provide a little more background info, please?

- You already provided this: Smart card used: RSA SID800.
RSA Authenticator Utility is installed on all PCs.

- What VPN solution is being used?  Is it a straight VPN or a web VPN (VPN through a browser session)?

- Are VPN users connecting via company issued laptops or from their home desktops?

- Have you been able to determine if there are any commonalities in the working vs. non-working users?  For example, different departments that may have had different GPO assigned, different hardware, different OS (xp vs. vista, etc.).

- Have the users logged into their workstation with the smartcard directly on the LAN instead of VPN prior to using for VPN?  Was this done on the same laptop, etc. or different?

- Are there any environment considerations - by this I mean are the problems happening if they log in from a hotel, internet cafe, etc. but not from home?

- Does the username format matter when you try logging in using password credentials?  Try: domain\username (UNC), username@domain.local (UPN), and username (basic - no domain specified).  These actually get handled differently by windows sometimes - out of habit we usually type in just the basic or UNC format username, but smartcards using certs tend to submit the UPN - this is not a universal statement, so your results may vary, but this is the generality.

- This is a little complex, but try to stick with me here.  Are there multiple GINA DLLs installed?  It is common for the smartcard to have a GINA, and some VPN software may also have a GINA - these are usually both just stubs.  Also, products like Citrix and Entrust may have full GINA replacements.  Anyway, check this registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
The primary GINA will be entered under the GinaDLL string here.  Assuming this is populated, you will need to look at the file name/path in the value to determine who owns it.  From that, in this same area of the registry, you need to extrapolate (guess) what the vendor calls their proprietary string to chain to the next GINA DLL.  From what I can find, the RSA GINA is bcgina.dll - this should be the value for GinaDLL (including file path).  Typically the vendor will use a similar name for their own GINA child entry, so look for a string called bcgina with another DLL as the value.  Normally the smartcard GINA should come first, then VPN, then a full GINA like Citrix/Entrust (the default is Microsoft's, which will not show up here).  Scan through this whole screen carefully and see what looks like it might be one of these.

- From a quick look, the RSA token you have can be used as a smartcard or as a number-code-based RSA token?  Is there a difference if you connect using one way vs. the other (or is the code-based method the username/password method you mentioned)?

Author Comment

ID: 24294309
Hi Paranormastic

- Company issued laptops.
- Web based VPN
- Users log on to the laptop when it's not connected to the LAN (using cached credentials).
- When the problem occurs it does not matter where the user is.
- Username format does not matter.
- Smart card is used as logon to PC.  Number code is used for access to the VPN.
- As we use XP clients, the default Windows GINA is used.

Accepted Solution

Paranormastic earned 2000 total points
ID: 24477194
Sorry for the wait getting back.  Hopefully you got something going by now or have a ticket opened with RSA.

The one that confuses me a little bit is the GINA answer - did you double check that in the registry to be sure?  Although the XP GINA is technically all that is needed for cert logon, it is not uncommon for smartcards and VPN software to install a GINA stub, although with it being a web VPN that likely takes them out of the picture.  For the smartcards, as long as their middleware is installed you technically should be good; however, sometimes if they do have a GINA it might introduce issues.

Also, some smartcards will 'cheat' at cert logon and use the cert to authenticate to another container on the card which stores the domain/username/password credentials, and use the cert to decrypt that - so essentially you are using a cert to protect your password.  I'm not sure who all does this besides Entrust - but I've seen it occur.  For this type of nonsense a GINA is definitely required.

This last one is a bit long, but bear with me.
Also, I assume users do not share these laptops much?  Do they have multiple logons (local and domain)?  Are they able to log into their workstation with their card or password (i.e. one or the other, as desired, but either works) when they are connected or disconnected from the domain?

For single-user boxes they should be able to use cached credentials indefinitely, but if there are just a few users that share it that can mess things up.  By default, Windows caches the last 10 unique logins - typically 10 users.  So even if user A logs in 100 times, user B is still cached.  Anyone that tells you otherwise (like it's only good for 10 logons, not logon methods) is reading some unresearched article and never tested it personally - I tested the snot out of this issue to determine actual behavior a few years back.

With a shared workstation, however, the number of unique logons can revolve and cause issues.  The same user account has 3 different methods it can log in as (domain\user:pass, user@domain:pass, user:pass:domain) - each of these is considered a unique logon as far as caching goes.  Keep in mind if they use a local account too.  So 4 users can have 12 logon methods - the smartcard will be consistent for whatever it uses (probably user@domain, but not necessarily), but the user may use a different type.  Presuming users aren't overly creative in their logon method, 5 users sharing the same laptop is easily enough to mess with it.

This assumes that the default hasn't changed from 10.  If they log in with password and card (i.e. they alternate between one method and the other) and the registry is set to 1, then it will keep cycling the most recently used.  Not a common thing to have changed, but some hardening scripts will do this just to be annoying - not really a huge security benefit in my mind, but whatever.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\

   ValueName: CachedLogonsCount
   Data Type: REG_SZ
   Values: 0 - 50

details here:
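The two registry checks Paranormastic describes (the GinaDLL chain in the earlier comment, and CachedLogonsCount in the accepted solution) can be done in one pass rather than by eyeballing regedit. The script below is an added example, not code from the thread or from RSA; it assumes it runs locally with read access to HKLM, on a box with PowerShell installed (PowerShell 2.0 was available for XP). The "chained GINA" detection is the same guess the thread makes: any other string value under Winlogon whose data is a .dll is reported as a candidate, since vendor child entries (e.g. a bcgina value) have no standard name.

```powershell
# Added example (not from the original thread). Reads the Winlogon key and reports
# the GINA chain and the cached-logon limit discussed above.
# Assumptions: local run, read access to HKLM; PowerShell 2.0+.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$props    = Get-ItemProperty -Path $winlogon

# 1. Primary GINA. If GinaDLL is absent, Winlogon uses Microsoft's msgina.dll,
#    which (as the thread notes) never shows up in the registry.
$gina = $props.GinaDLL
if ([string]::IsNullOrEmpty($gina)) {
    Write-Output 'GinaDLL : (not set) -> default Microsoft msgina.dll'
} else {
    # A bare file name (no path) is loaded from System32, so resolve it there.
    $path = [Environment]::ExpandEnvironmentVariables($gina)
    if (-not (Split-Path $path -Parent)) {
        $path = Join-Path $env:SystemRoot ('system32\' + $path)
    }
    $exists = Test-Path -LiteralPath $path
    Write-Output ("GinaDLL : {0}  (on disk: {1})" -f $gina, $exists)
    if ($gina -match 'bcgina') {
        Write-Output '          -> RSA GINA (bcgina.dll) is the primary GINA'
    }
}

# 2. Candidate chained GINAs: any other string value under Winlogon that names a DLL.
#    Vendor child entries have no fixed name, so this is a heuristic, as in the thread.
$props.PSObject.Properties |
    Where-Object {
        $_.Name -ne 'GinaDLL' -and
        $_.Name -notlike 'PS*' -and            # skip PowerShell's own PSPath etc.
        $_.Value -is [string] -and
        $_.Value -match '\.dll\s*$'
    } |
    ForEach-Object {
        Write-Output ("Chained GINA candidate : {0} = {1}" -f $_.Name, $_.Value)
    }

# 3. CachedLogonsCount: REG_SZ, valid range 0-50, default 10 when the value is absent.
#    A value of 0 or 1 is the "hardening script" case that breaks alternating
#    smart card / password logons on a disconnected laptop.
$cached = $props.CachedLogonsCount
if ($null -eq $cached) {
    Write-Output 'CachedLogonsCount : (absent) -> default 10'
} else {
    Write-Output ("CachedLogonsCount : {0}" -f $cached)
    $n = 0
    if ([int]::TryParse([string]$cached, [ref]$n)) {
        if ($n -eq 0) {
            Write-Output '  WARNING: 0 = no cached logons; disconnected logon will fail'
        } elseif ($n -le 1) {
            Write-Output '  WARNING: 1 = only the most recent logon type is cached;'
            Write-Output '           switching between card and password evicts the other'
        }
    } else {
        Write-Output '  WARNING: value is not numeric; Windows treats malformed data as invalid'
    }
}
```

Run it on a laptop that shows the problem and on one that does not, and compare the three sections; a bcgina.dll GinaDLL with no chained entry, plus a CachedLogonsCount of 10, is the "clean" configuration the thread expects. Anything else in the GINA chain, or a count of 0 or 1, is the first thing to open a ticket about.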
