When choosing to use smartcard-based authentication with CardSpace, how does the transmission of the certificate between the smartcard reader and the STS take place?
The Information Card specifies the thumbprint of the certificate to look for, but what is the exact technical background? Does it just search your computer's certificate store and all smartcard drives for that certificate, and then send it to the STS?
I would like to know more about it, since nothing specific seems to be documented about this feature.

Smartcard based authentication with CardSpace
Bowen294671
The bad news is, and hopefully I'm wrong here, that this feature of the CardSpace UI reading certificates off of a smartcard is not currently implemented. I am told it is something everyone is asking for (myself included) and should be in a future release.
-fs
http://www.FrancisShanahan.com
Saravanan.Chinnusamy
Hello Francis.
I'm not sure I understand what you mean by "CardSpace UI reading certificates off of a smartcard".
CardSpace is happily able to make use of private keys contained in a smartcard. It makes a very good second authentication factor for backing managed cards: once you select the corresponding card, the CardSpace UI will prompt you to insert the card in the reader and it will then fire any CSP-codified operations (including PIN entry). Once the private key in the smartcard is unlocked, it will use it for securing the Request for Security Token to the STS. Works like a charm :-)
HTH,
Vittorio
Thomas Tomiczek
Veugelenw: if the "smartcard middleware" has the UI in a CSP, then CardSpace will show it accordingly. I've done demos in which managed cards backed by smartcards prompted me for the PIN with the user experience provided by the CSP itself. That is exactly the same UI that I get when I use the smartcard without having CardSpace in the picture.
On the STS being remote: that should not make any difference in terms of certificate usage. The STS does not need to read your certificate from your store, but rather it needs to check that you show ownership of the corresponding private key by securing your RST message for the STS. In other words you insert the smartcard in the reader and you enter the PIN for unlocking the private key, then you use that private key for securing the message; THEN you send the message. The certificate won't leave your machine regardless of the STS location. This is all transparent; CardSpace (and WCF) takes care of the details. That said: the STS needs to make sense of your message, or in other words it needs to authenticate you: this makes it possible that it will need to know that a certain certificate is yours, and that may imply that the STS will need your certificate in its store. That is completely unrelated to the smartcard access, since the smartcard is usually the place where you keep the PRIVATE key while the certificate can be public (hence it can still be on the smartcard but does not need to be).
HTH,
V.
Njofra
I have reconfigured everything from scratch: same issue.
I get the popup from the smartcard UI to enter my PIN and after a little progressing of CardSpace I get the "internal error".
Is there a way I can go deeper into debugging THIS, since it seems like the error is due to CardSpace?
qrli
When interpreting the code it looks to me that the following code is responsible for the smartcard part of the SimpleSTS. So it is using a "customBinding" with the "X509Binding" configuration. I have been looking in the MSDN help for more info, but couldn't find anything about it...
<service behaviorConfiguration="SampleSecurityTokenServiceBehavior"
         name="Microsoft.ServiceModel.Samples.SecurityTokenService.CertificateAuthSTS">
  <endpoint address="sts" binding="customBinding" bindingConfiguration="X509Binding" contract="Microsoft.ServiceModel.Samples.SecurityTokenService.IWSTrustContract"></endpoint>
</service>
<customBinding>
  <binding name='X509Binding'>
    <security authenticationMode="MutualCertificate"/>
    <httpTransport />
  </binding>
</customBinding>
Handra
I started from the SimpleSTS RC1 sample ... Here is what is defined in the app.config. The binding configurations are all still the defaults, as the sample was provided.
Where do I find the WSDL? I don't know what this is, so if I am using it, it is still the same as in the SimpleSTS sample...
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <appSettings>
    <!-- The Identity Provider -->
    <add key="issuer" value="www.testserver.com" />
    <!-- The Thumbprint of the certificate to sign the RSTR -->
    <add key="certificateThumbprint" value="6247277bce536617a00f813d137c3cda9208f872" />
    <!-- The Base address of the WS-Trust endpoint -->
    <add key="baseAddress" value="http://www.testserver.com:7000/sample/trust" />
    <!-- The Base address of the MEX endpoint -->
    <add key="baseMexAddress" value="https://www.testserver.com:7001/sample/trust" />
  </appSettings>
  <system.serviceModel>
    <services>
      <service behaviorConfiguration="SampleSecurityTokenServiceBehavior" name="Microsoft.ServiceModel.Samples.SecurityTokenService.CertificateAuthSTS">
        <endpoint address="sts" binding="customBinding" bindingConfiguration="X509Binding" contract="Microsoft.ServiceModel.Samples.SecurityTokenService.IWSTrustContract"></endpoint>
      </service>
      <service behaviorConfiguration="SampleSecurityTokenServiceBehavior" name="Microsoft.ServiceModel.Samples.SecurityTokenService.SelfIssuedSamlAuthSTS">
        <endpoint address="sts" binding="wsFederationHttpBinding" bindingConfiguration="SelfIssuedSamlBinding" contract="Microsoft.ServiceModel.Samples.SecurityTokenService.IWSTrustContract"></endpoint>
      </service>
      <service behaviorConfiguration="SampleSecurityTokenServiceBehavior" name="Microsoft.ServiceModel.Samples.SecurityTokenService.UserNameAuthSTS">
        <endpoint address="sts" binding="customBinding" bindingConfiguration="UserNameBinding" contract="Microsoft.ServiceModel.Samples.SecurityTokenService.IWSTrustContract"></endpoint>
      </service>
    </services>
    <bindings>
      <customBinding>
        <binding name='X509Binding'>
          <security authenticationMode="MutualCertificate"/>
          <httpTransport />
        </binding>
        <binding name='UserNameBinding'>
          <security authenticationMode='UserNameForCertificate' keyEntropyMode='ServerEntropy'/>
          <httpTransport />
        </binding>
      </customBinding>
      <wsFederationHttpBinding>
        <binding name='SelfIssuedSamlBinding'>
          <security mode='Message'>
            <message algorithmSuite='Basic192' issuedKeyType='AsymmetricKey'>
              <issuer address='http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self' />
              <claimTypeRequirements>
                <clear />
                <add claimType='http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier' />
              </claimTypeRequirements>
            </message>
          </security>
        </binding>
      </wsFederationHttpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior name="SampleSecurityTokenServiceBehavior">
          <serviceMetadata />
          <serviceCredentials>
            <!-- This paragraph was commented -->
            <serviceCertificate findValue="www.testserver.com" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
            <issuedTokenAuthentication allowUntrustedRsaIssuers="true"/>
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
j.Mcguire
Vittorio and Shanahan, thanks a lot for your input!
Shanahan: You are right, the smartcard certificates are copied locally when inserting the card. However, when I want to make use of them, the smartcard middleware software that is installed will prompt me to enter a PIN code... Since the CardSpace GUI does not allow other GUI interaction I don't think I am able to use this option.
Your second remark is also correct: the cryptographic service provider installed with the smartcard software plugs into the CAPICOM framework. When I try to read the smartcard certificates when running my STS service locally (on the same computer as the one where I insert the smartcard), everything is OK.
However, I want to run a third-party STS service. So the STS has to read the smartcard certificates from a remote cryptographic service provider.
customization
Hey Francis,
I see where you're coming from. You are right, in V1 the cards can only be in the local user store and cannot be read from external storage. For the certificates it is another matter: CardSpace relies on the associated CSP, so as long as the CSP takes care of retrieving it and supplying it correctly, the cryptographic material can reside wherever.
About an example of using a token: just any managed card based example will do; what you have to make sure of is that you generate a managed card associated with your smartcard. Try the steps in this post. Remember that you should use a smartcard that you already used successfully on the system (i.e. the CSP is correctly installed, etc.).
HTH,
Vittorio
EwenTweedie
I still get exactly the same error after upgrading to the full version of .NET Framework 3.0:
- I select the managed card that refers to the smartcard certificate
- I get the dialog box to enter the PIN code of the smartcard
- I get a dialog box "CardSpace internal error".
Does anyone have some advice?
lukef01
The manufacturer of the smartcard reader typically provides their own CSP or cryptographic service provider which "plugs into" the CAPICOM framework on the machine.
In the Gemplus case, when you insert a smartcard into the smartcard reader, the certificates from the card are temporarily installed on the machine in the user's personal store. In some cases the certs are automatically uninstalled when the card is removed.
In CAPICOM there's also a SMARTCARD store which resides on the card. So you can read from either the machine or smartcard stores.
The same goes for USB tokens. I presume the Cardspace selector just uses the CAPICOM infrastructure and whatever CSPs are on the machine.
I hope this info helps.
-Francis Shanahan
http://www.FrancisShanahan.com
basmala
Hey Vittorio.
Thanks a lot for all your input. Following your guidance, I created managed cards and ran the Simple STS sample. I managed to get the popup dialog to enter the PIN code of my smartcard in CardSpace.
After entering the correct PIN, I get an "internal error" message in CardSpace though.
The eventlog dumps this error:
An error occurred when communicating with the Windows CardSpace service. Exception of type 'Microsoft.InfoCards.CommunicationException' was thrown.
Inner Exception: Not implemented
Additional Information:
Microsoft.InfoCards.CommunicationException: Exception of type 'Microsoft.InfoCards.CommunicationException' was thrown. ---> System.ComponentModel.Win32Exception: Not implemented
at Microsoft.InfoCards.NativeMcppMethods.RpcCryptoDispatchRequest(IntPtr hIdl, String contextKey, String requestName, Byte[] buffer, Int32 index, Int32 length)
at Microsoft.InfoCards.RpcCryptoRequest.Process()
--- End of inner exception stack trace ---
Any idea what could be the cause of this problem? Should I change something in the Simple STS code to get it working?
Ananda Ganesh
Can you provide a few more details:
Thanks,
Rakesh
theycallhimtom
Hello Veugelenw.
A good rule of thumb for understanding CardSpace interactions is to keep in mind that pretty much everything is based on open standards.
Hence, the certificate is not sent directly to the STS: rather, it is used as described in WS-Trust. That is to say, its corresponding private key is used for securing an RST (request for security token) message. For the gory details on the subject check out http://channel9.msdn.com/ShowPost.aspx?PostID=241455
HTH
Vittorio
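The flow Vittorio describes in his two replies above (the private key signs the RST, and the STS only needs the public certificate in its own store) as an added illustration in Go; this is not code from the thread, from CardSpace or from WCF. A generated key pair and self-signed certificate stand in for the smartcard, the RST is constructed bytes rather than a real SOAP message, and the signature is a raw PKCS#1 v1.5 signature instead of the WS-Security signing the real exchange uses; the thumbprint lookup mirrors the certificateThumbprint setting in the app.config posted earlier.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"math/big"
	"time"
)

// NewCard builds a key pair and a self-signed certificate standing in for an enrolled
// smartcard (constructed test material). The private key plays the part of the key that
// stays on the card; only the DER certificate is handed out.
func NewCard() (*rsa.PrivateKey, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return key, der, err
}

// SignRST is the client step: once the PIN has unlocked the key, the serialized RST is signed with it.
func SignRST(key *rsa.PrivateKey, rst []byte) ([]byte, error) {
	h := sha256.Sum256(rst)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
}

// Thumbprint is SHA-1 over the DER certificate, the form the WCF/CardSpace config files use.
func Thumbprint(der []byte) string {
	sum := sha1.Sum(der)
	return hex.EncodeToString(sum[:])
}

// VerifyRST is the STS step: look the sender's certificate up by thumbprint in the STS's own store
// and check the signature over the RST. Only the public certificate is needed here, never the card.
func VerifyRST(store map[string]*x509.Certificate, thumb string, rst, sig []byte) bool {
	cert, ok := store[thumb]
	if !ok {
		return false
	}
	pub, isRSA := cert.PublicKey.(*rsa.PublicKey)
	h := sha256.Sum256(rst)
	return isRSA && rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}
```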
Escape
I've gone back and re-read some emails and I think I'm getting confused between certificates residing on a USB token being read by the CardSpace UI and actual CardSpace CARDS residing on the USB token.
Do you have any samples of a certificate private key being read from a token?