Hello,
I encountered the same problem while trying to enroll a Schlumberger smartcard on Microsoft Certificate Services. I unfortunately didn't find any solution on the web, but now that I have found it, let's share it together:
The idea (for the beginners among you, just like me) is that you need to configure and personalize your smart card before enrolling it.
After gaining access to the smartcard using the Schlumberger Cyberflex Access SDK you should:
1. Verify Access Keys:

   1. Click the Key Manager button on the Smart Card Toolkit window toolbar, then select the File System option, or select Tools → Key Manager → File System from the menu bar. The Key Manager dialog box appears.
   2. Click Verify Key. The Verify Key dialog box appears.

Open Platform Cyberflex Access card: The keys you must verify to establish a secure channel are the AUTH, MAC, and KEK keys. You have ten chances to verify these keys correctly.

Cryptoflex card: The transport key is verified using the AUT1 identity. By verifying the transport key, you gain full access rights to the default master file (MF) on a new card. You have three chances to present the transport key correctly.

Each card has a counter that tracks the number of failed verification attempts. If you enter the key incorrectly until the counter reaches its minimum value, the key is blocked. If you enter the key correctly, the counter value is reset to the maximum value.
If you block the key, you can no longer communicate with the card. You cannot unblock a blocked card.
Cyberflex Access Software Development Kit User's Guide
You can use the Verify Key dialog box to prove that you have the transport key or to verify other keys (see “Verifying Keys” on page 91). Follow these steps to verify the transport key on a new Cryptoflex card:
   1. Select AUT1 from the drop-down Identity list, as shown in this example. The key name you selected sets the Verify Key command to attempt to satisfy the AUT access condition.
   2. To insert a key value in the Key box, click Select Key. The Select Key dialog box appears, with a list of defined keys that have been pre-seeded in the Key Manager database.
   3. Examine the list of defined keys and select the transport key for your card. For example, if you are using a Cryptoflex 16K card, select Cryptoflex 16K Transport Key.
   4. Click OK. The Verify Key dialog box now displays the key whose value will be sent with the verification command (in this case, the Cryptoflex 16K Transport Key). The key values appear as asterisks.

      NOTE: You also have the option to manually type the hexadecimal value for the transport key in the Key text box. Because the characters do not display as you type them (values are replaced by asterisks), be very careful if you elect this option. You have only three chances to verify the transport key before the card becomes blocked and unusable.
   5. Click Verify.
2. Configure your smart card from “COVE ADMIN” tool for the Schlumberger SDK Menu:
Insert your card and enter your PIN, you will be provided with the default PIN:
Customizing the smartcards to contain usernames and passwords:
Display the Personalize tab in COVE and make these changes:
Select the check box next to GINA. Specify the number of GINA users who will be included on the card in the Number of User IDs field. If you want to allow encrypted data, check the box for Encrypt Data on Card. Enter a user PIN and unblock PIN and enter the card's transport key and click Personalize.

Now go to the “GINA” tab. Choose how you want the system to behave when the user removes the smart card from the reader: Logout means the user will be logged out but the system will remain available to other users, Lock workstation means the user will be logged out, the workstation will be locked, and a user will have to log in again to regain access, Do nothing means the user will not be logged out and the system will remain available. Choose “Logout” since it is more appropriate for our application. If you want to let the user choose another one of these options after login, check the box next to Allow user to reset.

If you want the system to be accessible only through a smart card GINA login, check the box to “Require smartcard for login”. This prevents the alternative of password logins through “Ctrl+Alt+Del” if the secure login fails for some reason. This setting takes effect when you reboot the host system.

Use the Add User button on the lower part of the GINA tab to specify the user or users who will have GINA logins. When you click the Add User button, the following dialog box appears: Enter the user name and password (twice to confirm) for each user that you plan to include on the card. These entries must conform to Windows NT/2000/XP name and password requirements, and must match the normal login name and password for the user. In the Domain box for each user, choose the domain for the user to log in. The list shows all the domains in the local network that are known to the host system. You can choose a domain that enables the user to log in from any system in the network, you can restrict the user to the domain on the host machine, or you can enter another domain in the editable field.
Now everything should work fine in the Smart Card Certificate Enrollment Station, just don't forget to select Schlumberger Cryptographic Service Provider.
Enjoy it
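
The retry-counter behaviour quoted in the post above, as an added Python example that is not part of the original post or of the Schlumberger SDK: it models the counter and checks a manually typed hexadecimal key before any attempt is spent on the card. The class and function names, the 8-byte key length and the sample key value are assumptions made for illustration.

```python
import hmac

CRYPTOFLEX_TRANSPORT_TRIES = 3    # "three chances" for the transport key (from the post)
CYBERFLEX_ACCESS_TRIES = 10       # "ten chances" for AUTH/MAC/KEK (from the post)
CONSTRUCTED_KEY = bytes.fromhex("0011223344556677")  # constructed sample, not a real key


class KeyBlocked(Exception):
    """The counter reached its minimum value; the key cannot be unblocked."""


class CardKey:
    """Hypothetical model of one card key and its failed-verification counter."""

    def __init__(self, value: bytes, max_tries: int):
        self._value = value
        self.max_tries = max_tries
        self.tries_left = max_tries

    def verify(self, candidate: bytes) -> bool:
        if self.tries_left == 0:
            raise KeyBlocked("key is blocked")
        if hmac.compare_digest(candidate, self._value):
            self.tries_left = self.max_tries   # correct key resets the counter
            return True
        self.tries_left -= 1                   # wrong key consumes one attempt
        return False


def parse_hex_key(text: str, expected_len: int) -> bytes:
    """Validate a typed hex key; malformed input never reaches the card."""
    try:
        key = bytes.fromhex(text.replace(" ", ""))
    except ValueError as exc:
        raise ValueError("key is not valid hexadecimal") from exc
    if len(key) != expected_len:
        raise ValueError(f"expected {expected_len} bytes, got {len(key)}")
    return key


def careful_verify(key: CardKey, typed: str, expected_len: int, reserve: int = 1) -> bool:
    """Send the key only if it is well-formed and more than `reserve` tries remain."""
    candidate = parse_hex_key(typed, expected_len)
    if key.tries_left <= reserve:
        raise RuntimeError(f"only {key.tries_left} attempt(s) left; not sending")
    return key.verify(candidate)
```

A mistyped character or a key of the wrong length is rejected locally, so it does not cost one of the three attempts, and the reserve stops the caller before the last attempt is used.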