8 Replies Latest reply on Oct 12, 2009 2:36 AM by andry42

    Smartcard SSO to Windows XP

      Hello,

      I'm wondering how I can do a smartcard SSO to Windows XP. I checked the option in AD "User has to logon with smartcard", but Windows doesn't show up with the PIN-Logon Window but only with a User+Pwd Logon Window. (Also, I tried to remove and insert the smartcard so Windows would present the PIN-Window, but this did not work either.)

      I read in the Documentation that I had to edit the [Smartcard] Section in the sbgina.ini to make a Smartcard SSO work. I tried a lot of options but nothing worked. Currently I'm using the following options:

      [Smartcard]

      Enabled=On
      Force=Pin

      (All other Settings default)

      In the EE Manager I have the following options checked:

      Attempt automatic Windows Logon
      Must match Windows User Name

      Can someone help me out with the correct settings? Thx
        • 1. RE: Smartcard SSO to Windows XP
          What card are you using, and does your machine accept it for login without EEPC installed?
          • 2. RE: Smartcard SSO to Windows XP
            Hello, I have temporarily disabled Boot Protection on the machine and I can log in with a Smartcard. (Windows doesn't show the PIN-Window directly, only after re-inserting the token.) But yes, with "Windows Only" it works.

            The Smartcard has a "Legic-Advant" Chip and is managed by the Aet SafeSign Middleware.

            I tested another smartcard and without EEPC it works too. With EEPC I just can't get the PIN-Window from the Windows-Logon Mask.
            It seems like EE is blocking that in some way, or it's a bug from Windows??
            • 3. RE: Smartcard SSO to Windows XP
              Are you using this AET card for pre-boot login as well?
              • 4. RE: Smartcard SSO to Windows XP
                Yes of course, using different cards would not make much sense, I think. What I found out now is that I can cancel the Windows Logon and then it's on the "Press CTRL-ALT-DEL" Screen, and if I insert the Smartcard now, Windows presents the PIN-Box and I can log in.

                But SSO doesn't work. EE cannot store these Credentials. Now I'm to set the "CTRL-ALT-DEL" Policy in Active Directory to "enabled"; maybe this is the clue.

                OK, the above setting makes things even worse: now I can't press the "Cancel" Button on the Windows Logon (it's grey now).
                • 5. RE: Smartcard SSO to Windows XP
                  Try turning on all the Windows Logon options
                  • 6. RE: Smartcard SSO to Windows XP
                    OK, I turned on all the Windows Logon options but it doesn't work. Windows always shows up with the normal Username+Password Logon Screen, and the Username is automatically filled in the user box.
                    I always have to use the "Cancel" Button and I have to reinsert the token, then I can enter the PIN and the computer logs in. But EE doesn't store this for SSO.
                    • 7. RE: Smartcard SSO to Windows XP
                      Hello again, I tried it with another Notebook to eliminate smartcard reader and driver issues. But it didn't work either. Are there any other suggestions? Someone surely has Smartcard SSO working in his business...
                      • 8. RE: Smartcard SSO to Windows XP
                        Well, finally Smartcard SSO is working now. BUT it only works if I enter the SSO Credentials manually (PIN). But this is no option, as we don't want to enter every User PIN manually and we don't want to have to know the PIN of the USERS.

                        I also tried to enter the Credentials manually first, then delete them, and then put in the PIN manually at Windows Logon to see if EE would store these credentials, but it can't.

                        Are there any further Requirements or Settings to solve this problem?

                        The Configuration i use:

                        [Smartcard]

                        Enabled=On
                        Force=Pin
                        EnableSso=Yes

                        In EE Manager I use all the Windows Logon options.