When trying to remote desktop into a 2012R2 server with a smart card, you may run across one of these messages:
[virtual smartcard]
"The security device could not be used. Additional details may be available in the system event log. Please report this error to your administrator."
[physical card]
"This smart card could not be used. Additional details may be available in the system event log. Please report this error to your administrator."
I ran into this sporadically on a range of machines after a 2012R2 rollout. In the event logs on the affected systems there were a variety of smart card logon event ID 5 messages:
1) An error occurred while retrieving a digital certificate from the inserted smart card. The handle is invalid.
2) An error occurred while decrypting a message: The handle is invalid.
3) An error occurred while retrieving some provider parameter: The handle is invalid.
All of them had "The handle is invalid" as part of the error. After opening a case with Microsoft and doing some low-level tracing of the logons, they found a timeout in the smart card crypto provider. The default for this is 1.5 seconds. After adjusting it to 5 or more seconds, the errors went away.
This is configured at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider\TransactionTimeoutMilliseconds as a DWORD. A reboot is required for it to take effect. The value can be used on other OSes as well.
I did continue to have problems with at least one machine after this; however, the errors were different and quite varied. This system was on a bad network link with highly variable response times and 10% packet loss. On this same type of link, 2008R2 was more reliable for smart card logons than 2012R2. So it's always good to have a password logon as a backup to smart card logon over slow links.
Don't make the stupid mistake I did... The setting didn't exist for me, so I created it from scratch and didn't see a default value. I was thinking 5 seconds, so I set the value to 5. In actuality, 5 milliseconds is 0.005 seconds. If it doesn't work in 1.5 seconds, 5 milliseconds has a snowball's chance in hell. The value should be 5000, or, in my case, 10000 just to be sure (10 seconds).
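As an added example (not from the original post), here is the fix above as a PowerShell script. It first lists the event ID 5 entries containing "The handle is invalid" from the System log, then creates the TransactionTimeoutMilliseconds DWORD under the smart card provider key, refusing any value below 1000 so the seconds-for-milliseconds slip cannot be written in the first place. The function names are my own, it assumes an elevated session, and the event ID 5 entries are assumed to be in the System log as the error dialog suggests.

```powershell
# Added example, not part of the original post. Run from an elevated PowerShell
# session on the affected host; a reboot is still required afterwards.

$ProviderKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider'
$ValueName   = 'TransactionTimeoutMilliseconds'

# Pull the event ID 5 "handle is invalid" messages described in the post so you
# can confirm the symptom before and after the change (System log assumed).
function Get-SmartCardHandleErrors {
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 5 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*handle is invalid*' } |
        Select-Object TimeCreated, ProviderName, Message
}

# Show what is currently configured; $null means the value does not exist and the
# provider is using its built-in default (1.5 seconds per the post).
function Get-SmartCardTransactionTimeout {
    $item = Get-ItemProperty -Path $ProviderKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

# Write the timeout as a DWORD. The range check is the guard against the mistake
# in the post: the unit is milliseconds, so anything under 1000 (one second) is
# almost certainly a value entered in seconds and is rejected outright.
function Set-SmartCardTransactionTimeout {
    param(
        [Parameter(Mandatory)]
        [ValidateRange(1000, 60000)]
        [int]$Milliseconds
    )

    if (-not (Test-Path $ProviderKey)) {
        # Key is normally present once the provider is installed; create it if not.
        New-Item -Path $ProviderKey -Force | Out-Null
    }

    $before = Get-SmartCardTransactionTimeout
    # New-ItemProperty -Force overwrites an existing value and fixes the type to DWORD.
    New-ItemProperty -Path $ProviderKey -Name $ValueName -Value $Milliseconds -PropertyType DWord -Force | Out-Null
    $after = Get-SmartCardTransactionTimeout

    [pscustomobject]@{
        Key            = $ProviderKey
        Value          = $ValueName
        BeforeMs       = $before
        AfterMs        = $after
        AfterSeconds   = $after / 1000
        RebootRequired = $true
    }
}

# Usage: confirm the symptom, then set 10 seconds (10000 ms) as the post ends up doing.
Get-SmartCardHandleErrors | Format-Table -AutoSize -Wrap
Set-SmartCardTransactionTimeout -Milliseconds 10000
```

Calling `Set-SmartCardTransactionTimeout -Milliseconds 5` fails parameter validation instead of silently writing a 5 ms timeout, which is the whole point of the range check; the output object echoes the new value in seconds so a reviewer can sanity-check it before rebooting.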