FIM CM and Virtual Smart Card Problem

  • Question

  • Hi

    I’m using FIM CM 2010 R2 v4.1.3646.0 to manage a fleet of .NET (MS Base SC Crypto Provider) smart cards.

    I’m now looking to manage some virtual smart cards but get an error when testing enrolment using my existing profile template. Enrolment PC is Windows 8.1 x64 Ent running 32bit IE11 and 32bit FIM CM client.

    I’ve provisioned a vsc with default admin password and FIM CM seems to be able to initialise it successfully during enrolment, however the certificate request isn’t attempted with the CA and the FIM console reports the following error…

    Failed to enroll a certificate on the smartcard using template "My Smart Card Logon". The most likely cause is that there is a mismatch between the card type you have and the type of card supported by this template. Please try to enroll using a different template.

    The only difference between the “My Smart Card Logon” certificate template and another template which works when making a manual certificate request via the mmc is the presence of the requirement for an enrolment agent signature as required by FIM.

    Does anyone have any idea what might be causing the problem?

    Thanks


    Douks

    Friday, August 21, 2015 7:36 AM

Answers

  • Eureka!

    I had a suspicion this was user PIN related so tried creating another vsc with the same default user PIN as a .Net card, i.e. 0000. The vsc create request failed with the same error I was seeing during an enrol attempt in FIM CM…

    C:\Windows\system32>tpmvscmgr create /name MyVSC1 /pin prompt /adminkey prompt /generate
    Enter PIN:
    ****
    Confirm PIN:
    ****
    Enter Admin Key:
    ************************************************
    Confirm Admin Key:
    ************************************************
    Creating TPM Smart Card...
    Initializing the Virtual Smart Card component...
    Creating the Virtual Smart Card component...
    Ensure that your PIN/PUK meets the length or complexity requirements of your organization.
            (0x80100004) One or more of the supplied parameters could not be properly interpreted.

    Then it dawned on me that my FIM CM profile template is set to randomise the user PIN during the enrolment because we initiate an unblock request for the user to reset their PIN initially.

    The profile template was configured for a user PIN length of 6 characters. I’ve changed this to 8 and now it’s working as expected!

    I hope this might help someone else if they have similar problems.


    Douks

    • Marked as answer by Douks Friday, August 21, 2015 9:45 AM
    Friday, August 21, 2015 9:44 AM
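The failure described in the answer is a policy mismatch: the FIM CM profile template generates a random user PIN of a configured length, and the TPM virtual smart card rejects it when that length is below the card's own PIN policy minimum (8 characters by default), surfacing as 0x80100004, which is SCARD_E_INVALID_PARAMETER. The following PowerShell pre-flight is an added example and is not code from the thread or from Microsoft's tooling; it assumes `tpmvscmgr.exe` is on PATH, uses the default VSC minimum PIN length of 8 and the 48-hex-digit admin key format quoted in the thread, and the function names are my own. The `/pinpolicy minlen` switch is a documented tpmvscmgr option, but the exact syntax used here is an assumption and should be checked against `tpmvscmgr /?` on the enrolment PC.

```powershell
# Added example, not from the original thread. Assumes tpmvscmgr.exe (Windows 8+)
# is on PATH. Defaults assumed: VSC minimum PIN length 8, admin key 48 hex digits.
Set-StrictMode -Version Latest

# $true when a candidate user PIN meets the card's minimum length. This is the
# check the FIM CM template (6 chars) failed against the VSC default (8).
function Test-VscPin {
    param([Parameter(Mandatory)][string]$Pin, [int]$MinLength = 8)
    return $Pin.Length -ge $MinLength
}

# $true for an admin key in the form the card expects: 48 hex digits (24 bytes).
# The .NET card default from the thread is 48 zeros.
function Test-VscAdminKey {
    param([Parameter(Mandatory)][string]$AdminKey)
    return $AdminKey -match '^[0-9A-Fa-f]{48}$'
}

# Whether a FIM CM profile template PIN length is compatible with the card policy.
function Test-ProfileTemplatePinLength {
    param([Parameter(Mandatory)][int]$TemplatePinLength, [int]$VscMinPinLength = 8)
    return $TemplatePinLength -ge $VscMinPinLength
}

# Maps tpmvscmgr output to a short diagnosis. Only the code seen in the thread
# is mapped; anything else is handed back unchanged for the operator to read.
function Get-VscCreateDiagnosis {
    param([string[]]$OutputLines)
    $text = ($OutputLines | ForEach-Object { "$_" }) -join "`n"
    if ($text -match '0x80100004') {
        return 'SCARD_E_INVALID_PARAMETER: PIN or admin key rejected by card policy. ' +
               'Check PIN length against the VSC minimum and the admin key format (48 hex digits).'
    }
    return $text
}

# Creates a TPM virtual smart card after validating the inputs. With the default
# 'prompt' values no pre-check is possible and tpmvscmgr asks interactively, as
# in the thread. Literal values are visible to other local processes via the
# command line, so use them only on a lab machine.
function New-CheckedTpmVsc {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$Pin = 'prompt',
        [string]$AdminKey = 'prompt',
        [int]$MinPinLength = 8
    )
    if ($Pin -ne 'prompt' -and -not (Test-VscPin -Pin $Pin -MinLength $MinPinLength)) {
        throw "PIN shorter than $MinPinLength characters would be rejected with 0x80100004"
    }
    if ($AdminKey -ne 'prompt' -and -not (Test-VscAdminKey -AdminKey $AdminKey)) {
        throw 'Admin key must be exactly 48 hex digits'
    }
    # /pinpolicy minlen pins the card's own minimum to the same value used for the
    # pre-check, so the card and the FIM CM profile template cannot drift apart.
    $output = & tpmvscmgr.exe create /name $Name /pin $Pin /adminkey $AdminKey `
                  /generate /pinpolicy minlen $MinPinLength 2>&1
    return Get-VscCreateDiagnosis -OutputLines $output
}

# Lab usage: reproduces the thread's finding without touching the TPM.
Test-ProfileTemplatePinLength -TemplatePinLength 6   # $false, the failing template
Test-ProfileTemplatePinLength -TemplatePinLength 8   # $true, the fix Douks applied
Test-VscAdminKey -AdminKey ('0' * 48)                # $true, the .NET card default
```

Run `Test-ProfileTemplatePinLength` against the PIN length configured in the profile template before enrolling a virtual smart card with it; if it returns `$false`, either raise the template length (as done in the answer) or create the card with a matching `/pinpolicy minlen`, keeping in mind that lowering the card minimum weakens the PIN and should be a deliberate choice rather than a workaround.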

All replies

  • I’ve made some progress

    When looking at the request history I can see FIM CM reports the card cannot be accessed because the PIN is incorrect. I assume this is actually the admin key. I used the default admin key when creating the vsc which according to Technet should be 10203040506070801020304050607080102030405060708.

    The .NET smart cards have a default admin key of all 0’s (48 digits).

    I created another vsc and specified all 0’s for the admin key and FIM CM can now initialise the card OK but the request still fails after diversifying admin key with the following error…

    One or more of the supplied parameters could not be properly interpreted.

    I’m looking into this error now - any info would be appreciated.

    Thanks


    Douks

    Friday, August 21, 2015 8:31 AM