Технический справочник по смарт-карте Smart Card Technical Reference

Применимо к: Windows 10, Windows Server 2016 Applies To: Windows 10, Windows Server 2016

Технический справочник по смарт-картам описывает инфраструктуру смарт-карт Windows для физических смарт-карт и работу компонентов, связанных с смарт-картами, в Windows. The Smart Card Technical Reference describes the Windows smart card infrastructure for physical smart cards and how smart card-related components work in Windows. В этом документе также содержатся сведения о средствах, которые ИТ-разработчики и администраторы могут использовать для устранения неполадок, отладки и развертывания проверки подлинности на основе смарт-карт на предприятии. This document also contains information about tools that information technology (IT) developers and administrators can use to troubleshoot, debug, and deploy smart card-based strong authentication in the enterprise.

Аудитория Audience

В этом документе объясняется, как работает инфраструктура смарт-карт Windows. This document explains how the Windows smart card infrastructure works. Чтобы понять эту информацию, необходимо иметь базовые знания об инфраструктуре открытых ключей (PKI) и понятиях смарт-карт. To understand this information, you should have basic knowledge of public key infrastructure (PKI) and smart card concepts. Этот документ предназначен для: This document is intended for:

Корпоративные ИТ-разработчики, менеджеры и сотрудники, плановые развертывание или использование смарт-карт в организации. Enterprise IT developers, managers, and staff who are planning to deploy or are using smart cards in their organization.

Поставщики смарт-карт, которые записывают мини-диски смарт-карт или поставщики учетных данных. Smart card vendors who write smart card minidrivers or credential providers.

Что такое смарт-карты? What are smart cards?

Смарт-карты — это устойчивые к взлому переносимые устройства хранения, которые могут повысить безопасность таких задач, как проверка подлинности клиентов, подписание кода, защита электронной почты и вход с помощью учетной записи домена Windows. Smart cards are tamper-resistant portable storage devices that can enhance the security of tasks such as authenticating clients, signing code, securing e-mail, and signing in with a Windows domain account.

Смарт-карты предоставляют: Smart cards provide:

Защищенное от взлома хранилище для защиты закрытых ключей и других форм личной информации. Tamper-resistant storage for protecting private keys and other forms of personal information.

Изоляция критически важных для безопасности вычислений, которые включают проверку подлинности, цифровые подписи и обмен ключами с других частей компьютера. Isolation of security-critical computations that involve authentication, digital signatures, and key exchange from other parts of the computer. Эти вычисления выполняются на смарт-карте. These computations are performed on the smart card.

Переносимость учетных данных и другой частной информации между компьютерами на работе, дома или в пути. Portability of credentials and other private information between computers at work, home, or on the road.

Смарт-карты можно использовать только для входов в учетные записи домена, а не локальные учетные записи. Smart cards can be used to sign in to domain accounts only, not local accounts. При использовании пароля для интерактивного доступа к учетной записи домена Windows использует для проверки подлинности протокол Kerberos версии 5 (v5). When you use a password to sign in interactively to a domain account, Windows uses the Kerberos version 5 (v5) protocol for authentication. Если вы используете смарт-карту, операционная система использует проверку подлинности Kerberos v5 с сертификатами X.509 v3. If you use a smart card, the operating system uses Kerberos v5 authentication with X.509 v3 certificates.

Виртуальные смарт-карты были представлены в Windows Server 2012 и Windows 8, чтобы снизить потребность в физической смарт-карте, устройстве чтения смарт-карт и связанном администрировании этого оборудования. Virtual smart cards were introduced in Windows Server 2012 and Windows 8 to alleviate the need for a physical smart card, the smart card reader, and the associated administration of that hardware. Сведения о технологии виртуальных смарт-карт см. в обзоре виртуальных смарт-карт. For information about virtual smart card technology, see Virtual Smart Card Overview.

В этом техническом справочнике In this technical reference

Эта справка содержит следующие разделы. This reference contains the following topics.

ACS USB Smart Card Reader Drivers v.4.3.1.0 Windows XP / Vista 7 / 8 / 10 32-64 bits

Подробнее о пакете драйверов:

ACS USB Smart Card Reader Drivers. Характеристики драйвера

Драйвер версии 4.3.1.0 для считывателей смарткарт от компании Advanced Card Systems Ltd. Предназначен для установки на Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10 32-64 бита.

Для автоматической установки необходимо распаковать архив и запустит файл — Setup.exe .

• CTM Fw110
• CTM Fw110 Virtual
• CTM64 Fw112
• CTM64 Fw112 Virtual
• ACR122U/T
• ACR122U-SAM
• ACR128 Bus
• ACR128 Icc
• ACR128 Pcc
• ACR128 Sam
• ACR1281U-C1 Bus
• ACR1281U-C1 Icc
• ACR1281U-C1 Pcc
• ACR1281U-C1 Sam
• ACR1281U-C7 Pcc
• ACR1281U-C7 Sam
• qPBOC PICC
• qPBOC Dual Pcc
• qPBOC Dual Icc
• BSI Dual
• BSI Dual Icc
• ACR1281U-C4
• ACR1281 2SAM Bus
• ACR1281 2SAM SamA
• ACR1281 2SAM Pcc
• ACR1281 2SAM SamB
• new qPBOC
• ACR1281U-K PICC Reader
• ACR1281U-K Dual Reader Bus
• ACR1281U-K Dual Reader Icc
• ACR1281U-K Dual Reader Pcc
• ACR1281U-K 1S Bus
• ACR1281U-K 1S Icc
• ACR1281U-K 1S Pcc
• ACR1281U-K 1S Sam
• ACR1281U-K 4S Bus
• ACR1281U-K 4S Icc
• ACR1281U-K 4S Pcc
• ACR1281U-K 4S Sam
• ACR1283L PICC
• ACR1283L 4SAM Bus
• ACR1283L 4SAM Pcc
• ACR1283L 4SAM Sam
• ACR1283L Bootloader
• ACR1222U-C3 Bus
• ACR1222U-C3 Icc
• ACR1222U-C3 Pcc
• ACR1222U-C3 Sam
• ACR1222U-C6 Bus
• ACR1222U-C6 Icc
• ACR1222U-C6 Pcc
• ACR1222U-C1 Bus
• ACR1222U-C1 Pcc
• ACR1222U-C1 Sam
• ACR1222L Bus
• ACR1222L Pcc
• ACR1222L Sam
• ACR1261U-C1 Bus
• ACR1261U-C1 Icc
• ACR1261U-C1 Pcc
• ACR1261U-C1 Sam
• ACR1251U-A1 Pcc
• ACR1251U-A1 Sam
• ACR1251U-A2
• ACR1251U-C PICC
• ACR1251U-C SAM
• ACR1251U-C PICC
• ACR1251U-K PICC
• ACR1251U-K ICC
• ACR1252U-A1 PICC
• ACR1252U-A1 SAM
• ACR1252U-A2
• ACR1252U Bootloader
• ACR123-PICC+3SAM Bus
• ACR123-PICC+3SAM Picc
• ACR123-PICC+3SAM Sam
• ACR123-PICC
• ACR123-Bootloader
• ACR33XX — 4SAM Bus
• ACR33XX — 4SAM Icc
• ACR33XX — 4SAM Sam
• ACR33 — A1 Bus
• ACR33 — A1 Icc
• ACR33 — A1 Sam
• ACR33 — A2 Bus
• ACR33 — A2 Icc
• ACR33 — A2 Sam
• ACR33 — A3 Bus
• ACR33 — A3 Icc
• ACR33 — A3 Sam
• ACR38 FW110
• ACR38USAM
• ACR3801
• ACR100I
• ACR101
• ACR102
• AET62 w/o SAM
• AET62 w SAM
• AET65 w/o SAM
• AET65 w SAM
• ACR83
• APG8201
• ACR39U
• ACR3901
• ACR89 Bus Standard
• ACR89 ICC Standard
• ACR89 SAM Standard
• ACR89 FNC Standard
• ACR89 Bus CL
• ACR89 PICC CL
• ACR89 ICC CL
• ACR89 SAM CL
• ACR89 FNC CL
• ACR89 Bus FPA
• ACR89 ICC FPA
• ACR89 SAM FPA
• ACR89 FNC FPA
• ACR88 PID_2010
• ACR88 PID_2011 Bus
• ACR88 PID_2011 Icc
• ACR88 PID_2011 Sam
• ACR88 PID_2011 Fnc
• ACR30
• AET63
• ACR1256A1
• ACR32-A1
• ACR1251U-C1 Bus
• ACR1251U-C1 Icc
• ACR1251U-C1 Pcc
• ACR1251U-C1 Sam
• CryptoMate (T1)
• CryptoMate (T1) Virtual
• CryptoMate (T2)
• CryptoMate (T2) Virtual
• ACR1255U-J1
• ACR1251U-Z2
• ACR1261U-A
• ACR1311
• Imprivita Pcc
• Imprivita Sam
• ACR39-A3
• ACR1251/ACR1281 Bootloader
• ACR3901 Bootloader
• AMR220-C Bus
• AMR220-C Icc
• AMR220-C Pcc
• APG8201B2
• APG8201B2RO

Внимание! Перед установкой драйвера ACS USB Smart Card Reader Drivers рекомендутся удалить её старую версию. Удаление драйвера особенно необходимо — при замене оборудования или перед установкой новых версий драйверов для видеокарт. Узнать об этом подробнее можно в разделе FAQ.

Скриншот файлов архива

Скриншоты с установкой ACS USB Smart Card Reader Drivers

Файлы для скачивания (информация)

Рейтинг: 4.0/5 ( Проголосовало: 6 чел.)

Smart Card Troubleshooting

Applies To: Windows 10, Windows Server 2016

This article explains tools and services that smart card developers can use to help identify certificate issues with the smart card deployment.

Debugging and tracing smart card issues requires a variety of tools and approaches. The following sections provide guidance about tools and approaches you can use.

Certutil

For a complete description of Certutil including examples that show how to use it, see Certutil [W2012].

List certificates available on the smart card

To list certificates that are available on the smart card, type certutil -scinfo .

Entering a PIN is not required for this operation. You can press ESC if you are prompted for a PIN.

Delete certificates on the smart card

Each certificate is enclosed in a container. When you delete a certificate on the smart card, you’re deleting the container for the certificate.

To find the container value, type certutil -scinfo .

To delete a container, type certutil -delkey -csp «Microsoft Base Smart Card Crypto Provider» » «.

Debugging and tracing using WPP

WPP simplifies tracing the operation of the trace provider. It provides a mechanism for the trace provider to log real-time binary messages. Logged messages can be converted to a human-readable trace of the operation. For more information, see Diagnostics with WPP — The NDIS blog.

Enable the trace

Using WPP, use one of the following commands to enable tracing:

tracelog.exe -kd -rt -start -guid # -f .\ .etl -flags -ft 1

logman start -ets -p <> — -ft 1 -rt -o .\ .etl -mode 0x00080000

You can use the parameters in the following table.

Friendly name	GUID	Flags
scardsvr	13038e47-ffec-425d-bc69-5707708075fe	0xffff
winscard	3fce7c5f-fb3b-4bce-a9d8-55cc0ce1cf01	0xffff
basecsp	133a980d-035d-4e2d-b250-94577ad8fced	0x7
scksp	133a980d-035d-4e2d-b250-94577ad8fced	0x7
msclmd	fb36caf4-582b-4604-8841-9263574c4f2c	0x7
credprov	dba0e0e0-505a-4ab6-aa3f-22f6f743b480	0xffff
certprop	30eae751-411f-414c-988b-a8bfa8913f49	0xffff
scfilter	eed7f3c9-62ba-400e-a001-658869df9a91	0xffff
wudfusbccid	a3c09ba3-2f62-4be5-a50f-8278a646ac9d	0xffff

To enable tracing for the SCardSvr service:

tracelog.exeВ -kdВ -rtВ -startВ scardsvrВ -guidВ #13038e47-ffec-425d-bc69-5707708075feВ -fВ .\scardsvr.etlВ -flagsВ 0xffffВ -ftВ 1

logmanВ startВ scardsvrВ -etsВ -pВ <13038e47-ffec-425d-bc69-5707708075fe>В 0xffffВ -ftВ 1В -rtВ -oВ .\scardsvr.etlВ -modeВ 0x00080000

To enable tracing for scfilter.sys:

• tracelog.exeВ -kdВ -rtВ -startВ scfilterВ -guidВ #eed7f3c9-62ba-400e-a001-658869df9a91В -fВ .\scfilter.etlВ -flagsВ 0xffffВ -ftВ 1

Stop the trace

Using WPP, use one of the following commands to stop the tracing:

tracelog.exe -stop

logman -stop -ets

Examples

To stop a trace:

tracelog.exe -stop scardsvr

logman -stop scardsvr -ets

Kerberos protocol, KDC, and NTLM debugging and tracing

You can use these resources to troubleshoot these protocols and the KDC:

Windows Driver Kit (WDK) and Debugging Tools for Windows (WinDbg).В В You can use the trace log tool in this SDK to debug Kerberos authentication failures.

To begin tracing, you can use Tracelog . Different components use different control GUIDs as explained in these examples. For more information, see Tracelog .

To enable tracing for NTLM authentication, run the following command on the command line:

• tracelog.exe -kd -rt -start ntlm -guid #5BBB6C18-AA45-49b1-A15F-085F7ED0AA90 -f .\ntlm.etl -flags 0x15003 -ft 1

To stop tracing for NTLM authentication, run this command:

• tracelog -stop ntlm

Kerberos authentication

To enable tracing for Kerberos authentication, run this command:

• tracelog.exe -kd -rt -start kerb -guid #6B510852-3583-4e2d-AFFE-A67F9F223438 -f .\kerb.etl -flags 0x43 -ft 1

To stop tracing for Kerberos authentication, run this command:

• tracelog.exe -stop kerb

To enable tracing for the KDC, run the following command on the command line:

• tracelog.exe -kd -rt -start kdc -guid #1BBA8B19-7F31-43c0-9643-6E911F79A06B -f .\kdc.etl -flags 0x803 -ft 1

To stop tracing for the KDC, run the following command on the command line:

• tracelog.exe -stop kdc

To stop tracing from a remote computer, run this command: logman.exe -s .

The default location for logman.exe is %systemroot%system32\. Use the -s option to supply a computer name.

Configure tracing with the registry

You can also configure tracing by editing the Kerberos registry values shown in the following table.

Element	Registry Key Setting
NTLM	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 Value name: NtLmInfoLevel Value type: DWORD Value data: c0015003
Kerberos	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos Value name: LogToFile Value type: DWORD Value data: 00000001 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters Value name: KerbDebugLevel Value type: DWORD Value data: c0000043 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters Value name: LogToFile Value type: DWORD Value data: 00000001
KDC	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc Value name: KdcDebugLevel Value type: DWORD Value data: c0000803

If you used Tracelog , look for the following log file in your current directory: kerb.etl/kdc.etl/ntlm.etl.

If you used the registry key settings shown in the previous table, look for the trace log files in the following locations:

To decode event trace files, you can use Tracefmt (tracefmt.exe). Tracefmt is a command-line tool that formats and displays trace messages from an event trace log file (.etl) or a real-time trace session. Tracefmt can display the messages in the Command Prompt window or save them in a text file. It is located in the \tools\tracing subdirectory of the Windows Driver Kit (WDK). For more information, see Tracefmt .

Smart Card service

The smart card resource manager service runs in the context of a local service. It’s implemented as a shared service of the services host (svchost) process.

To check if Smart Card service is running

Press CTRL+ALT+DEL, and then select Start Task Manager.

In the Windows Task Manager dialog box, select the Services tab.

Select the Name column to sort the list alphabetically, and then type s.

In the Name column, look for SCardSvr, and then look under the Status column to see if the service is running or stopped.

To restart Smart Card service

Run as administrator at the command prompt.

If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then select Yes.

At the command prompt, type net stop SCardSvr .

At the command prompt, type net start SCardSvr .

You can use the following command at the command prompt to check whether the service is running: sc queryex scardsvr .

The following code sample is an example output from this command:

Smart card readers

As with any device connected to a computer, Device Manager can be used to view properties and begin the debug process.

To check if smart card reader is working

Navigate to Computer.

Right-click Computer, and then select Properties.

Under Tasks, select Device Manager.

In Device Manager, expand Smart card readers, select the name of the smart card reader you want to check, and then select Properties.

If the smart card reader is not listed in Device Manager, in the Action menu, select Scan for hardware changes.

CryptoAPI 2.0 Diagnostics

CryptoAPI 2.0 Diagnostics is available in Windows versions that support CryptoAPI 2.0 and can help you troubleshoot public key infrastructure (PKI) issues.

CryptoAPI 2.0 Diagnostics logs events in the Windows event log. The logs contain detailed information about certificate chain validation, certificate store operations, and signature verification. This information makes it easier to identify the causes of issues and reduces the time required for diagnosis.

For more information about CryptoAPI 2.0 Diagnostics, see Troubleshooting an Enterprise PKI.