Smart card logon and SSL-VPN issue

Posted on 2009-04-29
Last Modified: 2012-05-06
Dear all

I'm having the following weird issue.
When connected to the network, users can log on using their smart card and access all resources without problem.
When logging on to a PC, disconnected from the network, with their smart card and using SSL-VPN (with Network Connect), the PC gets authenticated, but the user cannot access any resources.  If the user simply uses UserID and password to connect to that PC, there is no problem.
Smart card used: RSA SID800.
RSA Authenticator Utility is installed on all PCs.

Does anyone have an idea how to fix this annoying issue?

Kind regards
Question by: systems_mitsui

    Expert Comment

    Not sure what you are using specifically, but here is the guide for MS products - does this match up with how things were set up?

    What products are you using for this?

    Author Comment

    Hi Paranormastic

    The weird thing is: sometimes it does work, so I can only assume the environment is set up correctly.

    Kind regards.

    Expert Comment

    Could you provide a little more background info, please?

    - You already provided this: Smart card used: RSA SID800.
    RSA Authenticator Utility is installed on all PCs.

    - What VPN solution is being used?  Is it a straight VPN or a web VPN (VPN through a browser session)?

    - Are VPN users connecting via company issued laptops or from their home desktops?

    - Have you been able to determine if there are any commonalities in the working vs. non-working users?  For example, different departments that may have had different GPO assigned, different hardware, different OS (xp vs. vista, etc.).

    - Have the users logged into their workstation with the smartcard directly on the LAN instead of VPN prior to using for VPN?  Was this done on the same laptop, etc. or different?

    - Are there any environment considerations - by this I mean are the problems happening if they log in from a hotel, internet cafe, etc. but not from home?

    - Does the username format matter when you try logging in using password credentials?  Try: domain\username (UNC), username@domain.local (UPN), and username (basic - no domain specified).  These actually get handled differently by Windows sometimes - out of habit we usually type in just the basic or UNC format username, but smartcards using certs tend to submit the UPN - this is not a universal statement, so your results may vary, but this is the generality.

    - This is a little complex, but try to stick with me here.  Are there multiple GINA DLLs installed?  It is common for the smartcard to have a GINA, and some VPN softwares may also have a GINA - these are usually both just stubs.  Also, products like Citrix and Entrust may have full GINA replacements.  Anyways, check this registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    The primary GINA will be entered under the GinaDLL string here.  Assuming this is populated, you will need to figure out from the file name/path of the value who owns it.  From that, in this same area of the registry, you need to extrapolate (guess) what the vendor calls their proprietary string to chain to the next GINA DLL.  From what I can find, the RSA GINA is bcgina.dll - this should be the value for GinaDLL (including file path).  Typically the vendor will use a similar name for their own GINA child entry, so look for a string called bcgina with another DLL for the value.  Normally the smartcard GINA should come first, then VPN, then a full GINA like Citrix/Entrust (default is Microsoft's, which will not show up here).  Scan through this whole screen carefully and see what looks like it might be one of these.

    - From a quick look, the RSA token you have can be used as a smartcard or number code based rsa token?  Is there a difference if you connect using one way vs. the other (or is the code based method the username/password method you mentioned)?

    Author Comment

    Hi Paranormastic

    - Company issued laptops.
    - Web based VPN
    - Users log on to the laptop when it's not connected to the LAN (using cached credentials).
    - When the problem occurs it does not matter where the user is.
    - Username format does not matter.
    - Smart card is used as logon to PC.  Number code is used for access to the VPN.
    - As we use XP clients, the default Windows GINA is used.

    Accepted Solution

    Sorry for the wait getting back.  Hopefully you got something going by now or have a ticket opened with RSA.

    The one that confuses me a little bit is the GINA answer - did you double check that in the registry to be sure?  Although the XP Gina is technically all that is needed for cert logon, it is not uncommon for smartcards and vpn software to install a gina stub, although with it being a web vpn that likely takes them out of the picture.  For the smartcards, as long as their middleware is installed you technically should be good, however sometimes if they do have a gina it might introduce issues.

    Also, some smartcards will 'cheat' at cert logon and use the cert to authenticate to another container on the card which stores the domain/username/password credentials and use the cert to decrypt that - so essentially you are using a cert to protect your password.  I'm not sure who all does this besides Entrust - but I've seen it occur.  For this type of nonsense a GINA is definitely required.

    This last one is a bit long, but bear with me.
    Also, I assume users do not share these laptops much?  Do they have multiple logons (local and domain)?  Are they able to log into their workstation with their card or password (i.e. one or the other, as desired, but either works) when they are connected or disconnected from the domain?

    For single user boxes they should be able to use cached credentials indefinitely, but if there are just a few users that share it that can mess things up.  By default, Windows caches the last 10 unique logins - typically 10 users.  So even if user A logs in 100 times, user B is still cached.  Anyone that tells you otherwise (like it's only good for only 10 logons, not logon methods) is reading some unresearched article and never tested it personally - I tested the snot out of this issue to determine actual behavior a few years back.

    With a shared workstation, however, the number of unique logons can revolve and cause issues.  The same user account has 3 different methods it can log in as (domain\user:pass, user@domain:pass, user:pass:domain) - each of these is considered a unique logon as far as caching goes.  Keep in mind if they use a local account too.  So 4 users can have 12 logon methods - the smartcard will be consistent for whatever it uses (probably user@domain, but not necessarily), but the user may use a different type.  Presuming users aren't overly creative in their logon method, 5 users sharing the same laptop is easily enough to mess with it.

    This assumes that the default hasn't changed from 10.  If they log in with password and card (i.e. they alternate between one method and the other) and the registry is set to 1 then it will keep cycling the most recently used.  Not a common thing to have changed, but some hardening scripts will do this just to be annoying - not really a huge security benefit in my mind, but whatever.

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\

       ValueName: CachedLogonsCount
       Data Type: REG_SZ
       Values: 0 - 50

    details here:
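An added example, not from the thread or from RSA: a small Python audit that parses a `reg export` of the Winlogon key, follows the GINA chain using the "child value named after the previous DLL" heuristic described above, and applies the answer's rule that each (user, logon-format) pair uses one CachedLogonsCount slot. The .reg text is constructed; the bcgina.dll path and the "bcgina" chaining value are hypothetical.

```python
"""Audit a Winlogon .reg export for GINA chaining and cached-logon capacity.

Added example (not from the original thread). It parses a constructed
`reg export` of the Winlogon key and applies the answer's rule of thumb:
each (user, logon-format) pair consumes one CachedLogonsCount slot.
"""
import re

# Constructed sample export of the Winlogon key; the bcgina.dll path and
# the "bcgina" chaining string are hypothetical values in the vendor's style.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"GinaDLL"="C:\\Program Files\\RSA\\bcgina.dll"
"bcgina"="C:\\WINDOWS\\system32\\msgina.dll"
"CachedLogonsCount"="10"
"DefaultDomainName"="CORP"
'''

def parse_reg_values(reg_text):
    """Return {name: value} for the REG_SZ values in a .reg export, unescaped."""
    values = {}
    for m in re.finditer(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$', reg_text, re.M):
        values[m.group(1)] = m.group(2).replace('\\\\', '\\').replace('\\"', '"')
    return values

def gina_chain(values):
    """Follow GinaDLL, then any value named after the previous DLL's file stem
    (bcgina.dll -> "bcgina"), until the name is missing or the chain loops."""
    chain, name = [], "GinaDLL"
    while name in values and values[name] not in chain:
        dll = values[name]
        chain.append(dll)
        name = dll.split("\\")[-1].rsplit(".", 1)[0]
    return chain

def cache_exhausted(values, users, formats_per_user=3, local_accounts=0):
    """True when the unique (user, format) logons exceed CachedLogonsCount.
    Windows' default of 10 is assumed when the value is absent."""
    limit = int(values.get("CachedLogonsCount", "10"))
    needed = users * formats_per_user + local_accounts
    return needed > limit

if __name__ == "__main__":
    vals = parse_reg_values(SAMPLE_REG)
    print("GINA chain:", " -> ".join(gina_chain(vals)))
    for n in (1, 3, 4):
        print(f"{n} users sharing this laptop, cache exhausted: {cache_exhausted(vals, n)}")
```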
