Igor Jovanovski
We have a cascading GINA that supports a proprietary SmartCard logon
for XP and 2003. Now it also needs to support this SmartCard logon on
Terminal Services and Citrix.
The problem I am having and don't fully understand is that the
SmartCard removal on a re-connected session is not recognized. First
let me explain what I know and observed so far:
Environment:
Windows 2003 32 bit (SRV) where our GINA is installed
XP Pro SP3 32 bit (XP1)
XP Pro SP3 32 bit (XP2)
(the following described scenarios are similar for TS and Citrix)
- XP1:
start mstsc.exe (NOT mstsc.exe /admin) and connect to SRV via our
proprietary SC logon.
New Session "A" is created.
Remove the card and the workstation locks.
- XP2:
start mstsc.exe (NOT mstsc.exe /admin) and the temporary session "B"
is created.
Authenticate again via the proprietary SC logon.
Somewhere at this point WlxDisconnectNotify is called on session "A",
session "B" ends, and session "A" Winlogon calls WlxReconnectNotify.
So far, so good. Now when I remove the card on XP2 the workstation
does not lock, because session "A" does not know that it should
monitor the card: session "B", which performed that SmartCard
logon, did not "tell" it the SC reader name to monitor (our GINA has
its own thread for SC removal monitoring).
I know that there is the function WlxGetConsoleSwitchCredentials, but
it never gets called (neither on session "A" nor on session "B").
Is this function only for console sessions (the ones started by
mstsc.exe /admin and the ones towards XP)? I tried an RDP console
session to the 2003 server, but it still does not get called. Could it
be that it is only used when doing a remote desktop to an XP system,
because there the switch between the console and the non-console
session occurs?
I have read that WlxQueryConsoleSwitchCredentials should be called
from WlxLoggedOutSAS when WLX_SAS_TYPE_AUTHENTICATED gets sent, but I
am not getting that SAS type at all (both sessions).
How can I tell session "A" from session "B" that it is now accessed
from another workstation and there is a new SC reader to monitor for
removal? I was hoping for the
WLX_CONSOLESWITCH_CREDENTIALS_INFO_V1_0's PrivateData member, but as
already mentioned I am not sure under what circumstances this is
available.
Any light on this issue would be highly appreciated.
I.J.