Fingerprint Reader on Windows 2003 server

J Dubba

Has anyone had any luck getting the Microsoft fingerprint reader to
install on W2K3 server? I've extracted the files from the setup msi
file and the hardware/drivers seem to install just fine, but the
DigitalPersona Password Manager software will not install at all, with
the msi exiting with the fatal error "Windows XP Required". I've
tried opening the msi package with msiexec running in XP compatibility
mode, changing the windows version information in
HKLM/Software/Microsoft/Windows NT/CurrentVersion/, editing the msi
package file with orca, all with no success. Any ideas, suggestions
or other information would be appreciated.

--jw
 
Lee

Yes, I have had luck getting the Microsoft Fingerprint Reader's
DigitalPersona Password Manager software to install on Windows 2003
Server. I edited the Setup.msi file, stripping out the Windows version
check. I will e-mail you a copy if you like.

, Lee
 
Pete X

This is a question for Mr. Brannigan: why is this msi file setup to
fail the install on Windows Server 2003 when the hardware will
evidently function? If it can be modified as indicated here why the
restriction? Is this a political or technological restriction?

I would like to buy this hardware for my server environments. I am
aware of and comfortable with the recommendation that it is a
"convenience" only.

-px
 
Mike Brannigan [MSFT]

Pete X said:
> This is a question for Mr. Brannigan: why is this msi file setup to
> fail the install on Windows Server 2003 when the hardware will
> evidently function? If it can be modified as indicated here why the
> restriction? Is this a political or technological restriction?
>
> I would like to buy this hardware for my server environments. I am
> aware of and comfortable with the recommendation that it is a
> "convenience" only.

Pete,

The fingerprint reader is a consumer-focused device to allow for faster
"fast user switching" as well as for easy web site access etc.
If you require strong two part authentication then a smart card solution for
your server environment would be the preferable option.

--

Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups
 
Guest

Really? I would have thought that biometric devices would be something that
would be considered a part of a strong two factor authentication scheme.
Granted most of that is desktop focused and not server focused, but a growing
number of Enterprises are starting to use devices like a fingerprint reader
as a part of their authentication scheme (ie: enterprise desktop focused
rather than consumer focused).

Or did I misread that and your point is that the requirement to install a
client on the server to support the device is not a desirable situation?

Phil
 
Mike Brannigan [MSFT]

Phillip Renouf said:
> Really? I would have thought that biometric devices would be something that
> would be considered a part of a strong two factor authentication scheme.
> Granted most of that is desktop focused and not server focused, but a growing
> number of Enterprises are starting to use devices like a fingerprint reader
> as a part of their authentication scheme (ie: enterprise desktop focused
> rather than consumer focused).
>
> Or did I misread that and your point is that the requirement to install a
> client on the server to support the device is not a desirable situation?

Biometric devices are indeed part of a strong authentication policy.
The current Microsoft Fingerprint reader is presently not supported on our
Server platforms as such a device. A smartcard which represents 2 factor
authentication may well be a better solution at this time. (there are a
number of ways to defeat a fingerprint reader that are not attack surfaces
to the requirement for the smartcard and the pin)

--

Regards,

Mike
 
Guest

Mike Brannigan said:
> Biometric devices are indeed part of a strong authentication policy.
> The current Microsoft Fingerprint reader is presently not supported on our
> Server platforms as such a device. A smartcard which represents 2 factor
> authentication may well be a better solution at this time. (there are a
> number of ways to defeat a fingerprint reader that are not attack surfaces
> to the requirement for the smartcard and the pin)

Interesting. Do you have any points to a document about that? We're looking
at various authentication methods right now and one of them is fingerprint
readers (for desktops, not servers) so I'd definitely be interested in that
information if you know where I can go to read a bit more.

Thanks Mike.

Phil
 
Mike Brannigan [MSFT]

Phillip Renouf said:
> Interesting. Do you have any points to a document about that? We're looking
> at various authentication methods right now and one of them is fingerprint
> readers (for desktops, not servers) so I'd definitely be interested in that
> information if you know where I can go to read a bit more.
>
> Thanks Mike.

As regards bypassing a fingerprint reader, the common trick is sometimes
known as the gummy bear approach - where a soft material (such as the
aforementioned "gummy bear") is used to take an imprint of a fingerprint and
then used to replay that to the reader ("gummy bear", "silly putty", "play
doh", etc.). Other approaches are more common scenes of crime techniques
using various powders to lift fingerprints from various surfaces (glasses,
table tops, etc.) and then using those to replay to the reader. Some more
advanced readers include a thermal sensor to ensure that a warm object is
presented - again these can be worked around quite simply (a few seconds in
a microwave or a hot cup of coffee for a gummy bear will work in some
instances).
A smart card requires the physical token AND the PIN - which potentially may
be harder to acquire both than a fingerprint of an authorized user.
Just look at many secure installations - few that I am aware of would use
just a fingerprint reader as opposed to a 2 factor method such as
smartcards or a combination of all of them.


--

Regards,

Mike
 
Guest

Interesting. I'll make sure to look into some of that in more detail as we're
doing our testing/research. In our case we wouldn't be relying solely on the
Fingerprint readers, we would be using them in conjunction with another form
of authentication as well (SecurID, password, something along those lines).

Thanks for the information.
Phil
 
jeffrey

Hi,

I know this is an old post, but recently I have read from Sony, they have
several new types of fingerprint readers that are more secure. One of the
features they have is scanning the fingerprint and having a password
entered. Also the new readers are not optical readers but more electro
conductive, requiring a live finger to use on the reader.

Jeff
 
pete x

Lee C.:

Could you email a copy of your install files to me also? It would be a
big help.

I understand the Microsoft concern that Mr. Brannigan brought up,
although I do feel that this hardware would be useful for many 2003
Server customers and that Microsoft should provide a capable
installation procedure for Server 2003 customers with an appropriate
warning in the documentation. It is interesting that this software
will function out-of-the-box with Windows XP Professional. In my
experience, non-IT workers' machines are physically less secure than IT
workers' machines, such as servers. And I would therefore expect
Windows XP Pro machines to be physically less secure than Windows 2003
Server machines. This seems to violate the spirit of the Microsoft
"security tenet" regarding the Microsoft Fingerprint Reader.

I also know that many other Fingerprint Readers have worked fine for
years over USB connections using pre-XP systems of the various flavors
so I would ask any technical Microsoft personnel or anyone for that
matter to detail why this particular reader has extraordinary operating
system software requirements only available with XP.

In any case, the real test here is to see if it can function with
installation file changes on Win2K. I do not have InstallShield to do
this test unfortunately. Again, if anyone tests this device under
pre-XP please post your results here, good or bad. I am not trying to
insinuate what would be a premature opinion on this matter, but it is
worth some objective investigation.

Thanks.


px
 
Henry Webb

I know this thread is old and possibly stale, but could you pls tell us what
table in the MSI the OS check is located and which line(s) you removed to
make this work? I'm using the ORCA tool from the Server 2003 SDK to edit the
msi...

Thanks,

--Big Al
 
news.nwlink.com

I got the Manager to install on Windows 2003 server... however, I still need
to press CTRL-ALT-DELETE and enter my password to get into the Server. The
only part that works perfect is everything once I'm logged in.

Is there a way to not have to ever type a password with Windows 2003 Server
using the Finger Print Reader? Be it for pay software, etc.

Thanks,
Danny
 
Big Al

How did you get the manager to load? I'm fighting with that right now and any
input is appreciated!

--Big Al
 
Lee said:
> Yes, I have had luck getting the Microsoft Fingerprint Reader's
> DigitalPersona Password Manager software to install on Windows 2003
> Server. I edited the Setup.msi file, stripping out the Windows version
> check. I will e-mail you a copy if you like.
>
> , Lee
>
> J Dubba wrote:
> > Has anyone had any luck getting the Microsoft fingerprint reader to
> > install on W2K3 server? I've extracted the files from the setup msi
> > file and the hardware/drivers seem to install just fine, but the
> > DigitalPersona Password Manager software will not install at all, with
> > the msi exiting with the fatal error "Windows XP Required". I've
> > tried opening the msi package with msiexec running in XP compatibility
> > mode, changing the windows version information in
> > HKLM/Software/Microsoft/Windows NT/CurrentVersion/, editing the msi
> > package file with orca, all with no success. Any ideas, suggestions
> > or other information would be appreciated.
> >
> > --jw

Hi Lee,

Could you please help me edit my MSI file to eliminate the OS check or send me your MSI file? I tried editing it myself using both InstallShield and Orca, changing all the WindowsNT and VersionNT checks to support version >500 but that didn't seem to help.

I would appreciate your help!

-Boyan
 
hello everyone,

lee or boyan or whoever is able to - could you send a copy to me too.

thanks in advance, regards bogdan
 
fingerprint scanner 2003 server

would someone be so kind as to e-mail me a copy of the altered msi file to install the microsoft fingerprint scanner on 2003 server
 