[THIN] Re: re - automatically register certificates

  • From: "SteveC" <stevec@xxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Wed, 17 Dec 2003 15:11:21 -0500

Can you outline the whole logon process to TS with the smartcard?

I have done a large amount of certificate work, and have seen
implementations fail because the original cert system developer was sloppy
about how (or where) they actually install the cert.  There are multiple
cert storage locations on a system, and not all are addressable (or
writeable) by non-Administrators.  

My first guess is that the certificate is trying to initially install, or
only install, into the "My" store for the local machine; if the cert is
located in the System "My" (aka "Personal") store, it can be used by other
processes/users on the system.  The side-effect is that non-Administrators
get read-only permission to the store.  The "My" store typically holds
certificates that are trusted for an entire machine, e.g. stuff from Verisign,
Microsoft Root Authority, 

One thing you can do to verify what is happening is logon to the host as the
local Administrator, run mmc.exe, add the Certificates snap-in for
"Computer" and then again for "My user account".  Then drill down through
the treeviews and see if those previously-installed certs are somewhere in
there.  You also might try logging on with a boosted-Administrator user you
mentioned and see what is in their cert store.

If you see certs where you should not see certs, then what probably happened
was a (smartcard?) developer was a member of the Administrators local group
on his/her machine when they set up the software.  It's easy to get things to
compile when you're an Administrator.  ;) Of course that breaks on a TS/MF
system (or even a locked-down desktop) because you don't want everyone to be
an Administrators member.

The certificate stores are *not* simply analogous to Registry keys.  If you
actually find the Registry keys/values that deal with certs and change them,
you will probably break something you did not want to break....  The only
way to work with certificates and their stores is through the CryptoAPI.
Your first option with the CryptoAPI is to assign the job of "certificate
administrator" to someone in your organization, and make them responsible
for exporting the certs/keys from the card into files that will import into
the TS box, then have that person logon as Administrator and import them.
Your second option is to create a small app or subsystem that addresses the
CryptoAPI to import the keys properly at logon time, or pre-adds them to the
TS box silently before the user connects.  Contact me off-list if you want
to get into developing something automated for your organization.

If this is not what is happening at all, I have another idea or 3, but
you'll have to post what the entire logon procedure looks like.
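The store check described above (Certificates snap-in for "Computer" versus "My user account"), as an added example that is not part of the original post. It assumes a current Windows host where the PowerShell `Cert:` drive exposes the same LocalMachine and CurrentUser stores the MMC snap-in shows, and an elevated session so the machine store is fully readable.

```powershell
# Added example, not from the thread: compare the machine-wide and per-user
# "My" (Personal) stores and flag certificates that exist only in the
# machine store, which non-Administrators can read but not write to.

function Get-PersonalStoreReport {
    param(
        # Assumed store paths; the Cert: drive maps them to the CryptoAPI
        # system stores CERT_SYSTEM_STORE_LOCAL_MACHINE / _CURRENT_USER.
        [string[]]$Paths = @('Cert:\LocalMachine\My', 'Cert:\CurrentUser\My')
    )
    foreach ($path in $Paths) {
        if (-not (Test-Path $path)) {
            Write-Warning "store $path not found (is the Cert: provider available?)"
            continue
        }
        Get-ChildItem -Path $path | ForEach-Object {
            [pscustomobject]@{
                Store         = $path
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                HasPrivateKey = $_.HasPrivateKey
                NotAfter      = $_.NotAfter
            }
        }
    }
}

function Get-MachineOnlyCertificates {
    param([object[]]$Report)
    # Thumbprints the current user can see in their own Personal store
    $userThumbs = $Report |
        Where-Object { $_.Store -eq 'Cert:\CurrentUser\My' } |
        Select-Object -ExpandProperty Thumbprint
    # Anything in LocalMachine\My without a CurrentUser\My counterpart is a
    # candidate for "installed while running as Administrator"
    $Report | Where-Object {
        $_.Store -eq 'Cert:\LocalMachine\My' -and ($userThumbs -notcontains $_.Thumbprint)
    }
}

$report = Get-PersonalStoreReport
$report | Format-Table -AutoSize

Get-MachineOnlyCertificates -Report $report | ForEach-Object {
    "machine-store only: $($_.Subject) [$($_.Thumbprint)] key=$($_.HasPrivateKey)"
}
```

Run it once as the local Administrator and once as the boosted-Administrator user mentioned above; a smartcard certificate that appears only in the machine store for the first run is the symptom the post describes.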

---orig

From: "Dannhorn, Michael  IZ/HZA-ICS" <dannhmch@xxxxxxxxxx>


Hi,

We installed a product which needs to work with the user's certificate in its
profile. Certificates are held on SmartCards. Logon via SmartCard works.

The certificate files are located in '%userprofile%\application
data\microsoft\my\...'.

When the user has local administrative rights, certificates are registered
(copied) in the user's profile and our application could work.

Without local administrative rights, certificates would not be registered and
the application fails to work. When we 'register certificates' with the
SmartCard Utility, the certificates are copied locally and the application
could work.
