Smart card client certificate doesn't get registered in Personal store on Win 2003 x64 server

I'm accessing a smart card from C# through the Windows Certificate Store. This works well on many systems. On one system, however, it doesn't: the smart card certificate is not added to the Personal certificates.
We need it to be in the certificate store in order to access it from C#, like this:
    // Open the current user's Personal ("My") store read-only and look the card's
    // certificate up by issuer name; the smart card certificate must be present here.
    X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
    store.Open(OpenFlags.ReadOnly);
    X509Certificate2Collection certs = store.Certificates.Find(
        X509FindType.FindByIssuerName, issuerName, false);
Details of the system:
OS: Windows Server 2003 R2 x64 SP2
The used CSP is SafeSign Identity Client v3.0.11.
The system is accessed through a Citrix ICA connection, Citrix Presentation Server 4.5.
What works:
Accessing the card through a diagnostic tool provided by the smart card reader (an OMNIKEY 3121)
Viewing the personal certificates in Internet Explorer 7 (Tools > Internet Options > Content > Certificates)
Basically everything else we tried with the card, except for...
What doesn't work:
The personal certificates are not copied to the Personal Certificate Store (which can be checked with certmgr.msc)
My guess is that forwarding the smart card through Citrix works OK, because we can access it in almost all ways, but the CSP doesn't do its work correctly. Getting support for the CSP is not easy, however, hence this question. And what I find strange is that the certificate is accessible through IE7, which shows that they are available in some kind of Windows store.
Any ideas on where to look further are welcome. Is there maybe a different way to access the smart card certificates like IE does?

The cause for this issue turned out to be an incompatibility of the SafeSign Identity Client with 64-bit Windows. Official support will be added in a later version, I've been told fall 2009.

Related

WebAuthn only shows option for USB Security Dongle in Windows 10 - no option for Fingerprint/PIN/Password

I'm testing WebAuthn (https://webauthn.me) with the intent to implement it in a web portal. However, I need Windows users to be able to use Fingerprint sign in, not just USB Security Key.
When testing from Windows 10/Chrome (latest) I only get the option to use USB Security Key, even though the laptop has a built-in fingerprint reader that is connected to Windows Hello (I can sign into Windows with the fingerprint reader). Also PIN and Password are enabled in Windows Hello.
I do not have a USB Security Key device, and have never had one setup with this computer.
However, when I test WebAuthn.me and click the Register button, I am prompted with the options "External security key or built-in sensor" and "Add a new Android phone". When I select the option "External security key or built-in sensor", Windows pops up a modal box asking me to set up my security key:
However, there is no option to use a fingerprint, PIN, or password instead.
Since the fingerprint reader and PIN/Password are integrated into Windows Hello, and actively working, why won't it let me choose any of those options instead of the physical USB Security Key? Is there a parameter in the WebAuthn request that I'm missing or possibly a registry change that needs to be made?
Note that WebAuthn.me works as expected on Android Chrome (option to use Lock Screen as the login method allows fingerprint, code, etc, to be used).
Thanks for any explanation of why Windows would hide the Fingerprint/PIN/Password options and only allow USB Security Key when Windows Hello already knows about the fingerprint reader, PIN and Password as legitimate ways to authenticate the user.
Windows Hello requires RS256 (alg: -257) to be added to the pubKeyCredParams array. Try using https://webauthn.me/debugger which enables this by default.
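To illustrate the answer above, here is an added example (not code from the original post or from webauthn.me) that builds a registration request offering RS256 (-257) next to ES256 (-7), and a check that a request actually lists it before it goes to navigator.credentials.create(). It also asks for a platform authenticator with user verification, which goes beyond the answer but is the standard way to request Windows Hello; rpId, user and challenge values are constructed sample data.

```javascript
// COSE algorithm identifiers used in pubKeyCredParams.
const ES256 = -7;
const RS256 = -257; // the one Windows Hello needs

// Build PublicKeyCredentialCreationOptions for navigator.credentials.create().
// In a real relying party the challenge comes from the server, not the client.
function buildCreationOptions({ rpId, rpName, userId, userName, challenge }) {
  return {
    rp: { id: rpId, name: rpName },
    user: {
      id: new TextEncoder().encode(userId), // user.id must be a BufferSource
      name: userName,
      displayName: userName,
    },
    challenge, // Uint8Array, at least 16 random bytes in production
    // Order expresses preference; an authenticator that supports none of
    // these is not offered, which is how an ES256-only list hides Windows Hello.
    pubKeyCredParams: [
      { type: 'public-key', alg: ES256 },
      { type: 'public-key', alg: RS256 },
    ],
    authenticatorSelection: {
      // 'platform' asks for the built-in authenticator (Windows Hello) rather
      // than a roaming USB key; 'required' enforces a PIN or biometric check.
      authenticatorAttachment: 'platform',
      userVerification: 'required',
    },
    attestation: 'none',
    timeout: 60000,
  };
}

// Algorithms a request offers, in preference order.
function offeredAlgorithms(options) {
  return options.pubKeyCredParams.map((p) => p.alg);
}

// True when the request can be satisfied by Windows Hello (RS256 present).
function supportsWindowsHello(options) {
  return offeredAlgorithms(options).includes(RS256);
}

// Same request restricted to ES256, for comparison: Windows Hello is not offered.
function es256OnlyOptions(options) {
  return { ...options, pubKeyCredParams: [{ type: 'public-key', alg: ES256 }] };
}
```

In the browser, pass the result as `navigator.credentials.create({ publicKey: buildCreationOptions(...) })`.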

Webdav for Xpages and Domino only works giving anonymous full access rights

I have installed webdav for Domino and made the required changes in the webdavconfig.nsf.
If I give Designer rights to anonymous users, I can access and update the Word documents in the database through Internet Explorer and MS Word, but if I change them back to no rights, I can't. Of course I want to edit them with my own credentials.
What am I doing wrong?
OS: Windows 10
URLs that work anonymously (????? are hidden):
webdavs://dev.?????.nl/webdav/domino/eod.docx
https://dev.?????.nl/development/webdab.nsf
https://dev.?????.nl/webdav/domino/
Any help would be appreciated!
I wrote that application.
You are in the tricky land of authentication. Domino supports Basic, form-based, cookie-based (LTPA), SPNEGO and SAML. The latter 3 need configuration work.
What happens when you use WebDAV is that it is no longer your browser, but a local library (belonging to Explorer or Office), that talks to Domino.
You can "manually" try that using File - Open and paste the URL to the document (the one with https://, not webdavs://).
The only thing that happens with a webdavs:// URL: a little helper checks, based on the extension in the registry, what app is needed (Word, Excel, OpenOffice) and then calls that app with the https:// URL as parameter, like starting e.g. Excel from the command line:
    excel.exe https://someserver/path/spreadshit.xls
By default Windows now uses NTLM or Kerberos authentication, neither of which is supported by Domino (there used to be a proxy translating NTLM to LTPA by a 3rd party). So no credential reaches Domino. Hence you need anonymous access rights.
For older versions of Windows I described what you need to do to get Basic Auth going.
I never came around to checking what setting you would need on Windows 8 or 10 to allow Basic Auth there. Also, in theory, SAML or SPNEGO SSO might do the trick.
If you have a Mac or Linux, you could check them first.
So the challenge isn't with the WebDAV plugin as such, but in finding a common authentication ground between the OS and Domino. Hope that clarifies it a little.
Let us know how it goes!

How to certify Firefox OS 1.4 app?

I am developing a Firefox OS 1.4 app. It is just a basic app; all it does is fetch a file from the SD card.
But the problem is that only a certified app can have this authority. And I am planning to make more such apps in the future. So the problem is that every time, my app will not run because it is not a certified app.
Now I googled a lot to find out how to certify a Firefox OS 1.4 app. While searching on this site I found only one question similar to mine.
According to the first answer I have mainfest.webapp including "type": "certified". And then I zipped all files (not the folder). I have the following files:
mainfest.webapp
index.html
MyJavaScript.js
But I do not know what the webapps.json file is and how to add "appstatus": 3 to it.
I have ordered a real Firefox OS 1.4 phone from Flipkart (it has not yet come) and I want to run my apps on my real Firefox OS 1.4 phone. All I want to do is certify my app so that it can be authorized to do secure tasks. Please help me and tell me the way I can certify my Firefox OS 1.4 apps.
A certified app is generally an internal app and it comes along with the device. Third-party developers cannot create or distribute such apps. I think you are trying to develop a privileged app. A privileged app can access the SD card upon user prompt. Mention the app type as privileged in the manifest file and submit the app to the Firefox OS Marketplace for code review if you wish to distribute it through the Marketplace.
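As an added example (not from the original post), here is what the answer's advice looks like in a manifest: a privileged app manifest that declares the SD-card permission, plus a small check that reports why a manifest like the one in the question would not work for a third-party build. App name, path and developer are constructed sample values; `device-storage:sdcard` is the Firefox OS permission name for SD-card access, and privileged apps must declare each permission with an `access` level and a `description`.

```javascript
// The contents of manifest.webapp for a third-party app that reads the SD card.
// Sample values are constructed for this example.
function privilegedManifest() {
  return {
    name: 'SD Card Reader',
    description: 'Reads a file from the SD card',
    launch_path: '/index.html',
    type: 'privileged', // not 'certified': that type is reserved for built-in apps
    permissions: {
      'device-storage:sdcard': {
        access: 'readonly', // readonly is enough for fetching a file
        description: 'Needed to read the file from the SD card',
      },
    },
    developer: { name: 'Example Developer' },
  };
}

// Returns the problems that would keep a third-party build of this manifest
// from running with SD-card access; an empty list means it looks right.
function manifestProblems(manifest) {
  const problems = [];
  if (manifest.type === 'certified') {
    problems.push('type "certified" is reserved for apps shipped with the device');
  } else if (manifest.type !== 'privileged') {
    problems.push('type must be "privileged" to use device-storage permissions');
  }
  const perm = manifest.permissions && manifest.permissions['device-storage:sdcard'];
  if (!perm) {
    problems.push('missing permission device-storage:sdcard');
  } else if (!perm.access || !perm.description) {
    problems.push('device-storage:sdcard needs both "access" and "description"');
  }
  return problems;
}
```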

Bypass choose a digital certificate and present user with pin prompt

I am working with a C#.NET application right now where I have smart card authentication working properly, by allowing users to pick their digital certificate and enter their PIN. However, I want to do away with allowing the user to pick their certificate and have one of their certificates picked for them automatically (every user has the same certificates). This would make it so that when a user tries to enter the site, they are simply presented with a PIN prompt. Any ideas on how to go about doing this? All the users I work with use Internet Explorer 7 and have workstations with ActivIdentity and Tumbleweed.
Write a Java applet to do the job on the client side using a PKCS#11 wrapper or, if you can restrict your users to IE, create and use an ActiveX control. I have already done both. For ActiveX you have to have it digitally signed to declare it as a safe ActiveX control.
It is not a straightforward task, but I found the Java applet easier to implement. The downside is that the JRE (Java Runtime Environment) should already be installed on the client side and play nice with the browser. The user also has to grant permission to the applet to connect to his smart card on first run.

Data not showing up in SharePoint list as well as in drop-downs

Hi,
I have a problem at my production site. The client reported that he is not seeing data in SharePoint lists, and the drop-downs which have years in pages of the site appear empty, with one user A on machine X running Windows 7. But the data comes up and the drop-downs are populated when accessed from machine Y with the same user A.
I don't know what the problem really is. On the development site this issue is not reproduced.
Please help,
thanks in advance
From your question, I gather the data does exist and the same user can see the information from one computer but not another.
A couple things spring to mind. (I am presuming usage of Internet Explorer since SharePoint 2007 has some rather weird rendering issues with other browsers. Correct me if this is an incorrect assumption.)
First, Windows 7 has later versions of IE which can refuse to send network credentials to a server it doesn't think is part of the intranet (corporate network). What makes this especially frustrating is that IE will prompt for network credentials (a result of the challenge from the website) but will not transmit those credentials. Examine the IIS logs to see if this is the case. The requests will be void of credentials using IE but will be present using Firefox (and presumably any other web browser). The fix for this is usually as simple as adding the domain into the Local Intranet zone in Internet Options.
If this is not the case, can you confirm the user is using the same credentials? Is this integrated authentication using Active Directory or forms authentication?
Are there any differences between the two computers with regards to how they reach the SharePoint site? (Such as one is VPN, the other is directly connected)? Or are they essentially equal but with different browser/OS configurations?
Are the lists standard out-of-the-box lists or have they been customized with SharePoint Designer or any other means? Are you injecting JavaScript via a Content Editor Web Part which might not be executing correctly?
It would be very helpful to know browser versions used, OS versions used, differences in connectivity to the resource from each machine, type of authentication used, and any other thing you can think to list.
I wish you luck in tracking this down!
Windows 7 or XP has nothing to do with it here; probably it has to do with the browser which he is using to browse the site. Ask him to check the Internet Explorer settings and verify that he has enabled execution of JavaScript and other related things.