Solved

2003 enterprise CA smart card enrolment error

Posted on 2009-05-13
9
1,070 Views
Last Modified: 2012-05-06
Hello,
Trying to enroll smart cards on behalf of another usrers and I am stuck.

Whenever I am trying to issue smartcard on behalf of another user I got error prompt:
1. "please insert the user's smart card" with info below

2. An unexpected error occurred. Error: Please insert the user's smart card.

No errors in event viewer on either workstation not CA, No certificate request reaches CA.
Has anyone had that problem before and could point me in the right direction please?

Using:
 Gemplus gemSAFE Card CSP,
 Microsoft Base Smart Card Crypto Provider installed on client and CA
 Windows 2003 Enterprise Edition
AD integrated Issuing CA function
Cart type: GemPlus v2 smart card (its definitely not v3 by gemlto)
User has rights to read/enroll on certificate templates.
-Card reader drivers installed, can access certificate on smart card using GemSAFE tools, Gemplus SmartDiag v2.0 returns Passed the reader and the card it contains are OK
0
Comment
Question by:Rafal_Mitura
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
9 Comments
 
LVL 31

Expert Comment

by:Paranormastic
ID: 24376932
What OS is running on the enrollment station?  If vista, see if you can do it on XP instead - its less of a headache getting the certsrv page to work in xp or 2003 than vista.

Have you tried with card already inserted and also without the card inserted (insert card when prompted)?  With card already in, you can try leaving it logged out of the card and also after logging into the card via the gemplus utilities.
0
 

Author Comment

by:Rafal_Mitura
ID: 24382906
enrollment agent satiation is XP SP3 with enrollment agent (user not computer)
used to put card when it prompts for it (after selecting smart card user), I also checked it with
yes I tried your suggestions with no luck so far.

0
 
LVL 31

Expert Comment

by:Paranormastic
ID: 24399151
I would suggest reinitializing the card using the vendor software then trying again, or trying another batch of cards if available.

Also, if you have not done a cold boot, I would suggest doing that as well - when powered off, try reseating the reader.

If you have multiple readers, try using only one instead and if that doesn't work try the other.

Otherwise, I would suggest contacting gemalto and seeing if they have product updates that you can get that might help out.  They may also be able to help diagnosing by instructing you how to enable logging for their middleware and assist in reading the logs to determine the specific cause.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 31

Assisted Solution

by:Paranormastic
Paranormastic earned 125 total points
ID: 24399165
If you have another workstation you can use for enrollment station, try using that to help narrow down possibilities.

If you haven't rebooted the CA in awhile, maybe it might be time for that as well.  Can also try cycling cert services and/or IIS w3 services.
0
 
LVL 63

Assisted Solution

by:btan
btan earned 125 total points
ID: 24401963
This seems like the smartcard CSP is not working properly. You may want to look at below:
a) Debugging version for CSP so that it can cough out debug log for their analysis

b) Do you have test harness that can check access to smartcard with PIN authentication, if not can it do window domain login using the gemalto smartcard

c) In device mgr, how many smartcard readers are installed? You may want to disable the rest of the reader leaving one reader for testing - sometimes the CSP do not enumerate properly (assuming card presence event though it is not there hence not going to other reader), especially for those called token (it is reader and card in single h/w)

d) Can try out certreq and cerutil commandline that are handy for testing as well as serving your need. Check out the links below:
- Use certreq.exe with a smartcard enrollment agent: http://blogs.msdn.com/spatdsg/archive/2005/02/12/371595.aspx
- More on Certreq: http://technet.microsoft.com/en-us/library/cc736326(WS.10).aspx
- Certutil comes handy to get input parameters you need for certreq

Hope it helps
0
 

Author Comment

by:Rafal_Mitura
ID: 24409885
thanks for suggestions,
there is just 1 smart card reader in device manager

so far:
1. I restarted workstation/CA after every single change I made
2. tried it on 2 different card readers
3. contacted gemalto and waiting for their respond.

in the meantime will:
-try different PC as enrollment agent (possibly with xp SP2)
-have play with certutil/certreq
-produce csp debug log

regards,
0
 
LVL 31

Expert Comment

by:Paranormastic
ID: 24476752
How are things going on this issue?
0
 

Accepted Solution

by:
Rafal_Mitura earned 0 total points
ID: 24659149
hello,
little update:
I had gemalto involved and our global IT dept. I find out that gemplus smart cards I was trying to use are locked down. Organization who provided them for us this time locked them down so only their CA can write certificates on the cards.
Historical (few years back) we got hold of non locked batch unfortunately very few left and over the time chip is getting corrupted.
Thanks for your help.
0
 
LVL 31

Expert Comment

by:Paranormastic
ID: 24668240
Wow - you should ask for a refund and just get the cards straight from gemalto.  Subvendors of smartcards do too many crazy things too often and you end up with half a product (software or card) if you're lucky.  Who wants a CA specific card for smartcard logon?  Maybe if you had a tool to declare your own CA... even that I would be annoyed by in most cases.
0

Featured Post

Business Impact of IT Communications

What are the business impacts of how well businesses communicate during an IT incident? Targeting, speed, and transparency all matter. Find out more in this infographic.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
IPSec Site to Site VPN Topology 6 92
Resource timeout across a VPN 9 65
Scanning to Computer 26 68
Mac OS X forensic tools - freeware RAM dump tool? 4 41
Like many others, when I created a Windows 2008 RRAS VPN server, I connected via PPTP, and still do, but there are problems that can arise from solely using PPTP.  One particular problem was that the CFO of the company used a Virgin Broadband Wirele…
The foremost challenge encountered by an investigator at the very beginning of a forensics investigation is, accessing a file/data to read/view its contents. Owing to the fact, a platform is necessary for both; opening as well as examining any file.…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question