FIM CM and Virtual Smart Card Problem

Hi

I'm using FIM CM 2010 R2 v4.1.3646.0 to manage a fleet of .NET (MS Base SC Crypto Provider) smart cards.

I'm now looking to manage some virtual smart cards but get an error when testing enrolment using my existing profile template. Enrolment PC is Windows 8.1 x64 Ent running 32-bit IE11 and 32-bit FIM CM client.

I've provisioned a VSC with the default admin password and FIM CM seems to be able to initialise it successfully during enrolment; however, the certificate request isn't attempted with the CA and the FIM console reports the following error:

Failed to enroll a certificate on the smartcard using template "My Smart Card Logon". The most likely cause is that there is a mismatch between the card type you have and the type of card supported by this template. Please try to enroll using a different template.

The only difference between the My Smart Card Logon certificate template and another template which works when making a manual certificate request via the mmc is the presence of the requirement for an enrolment agent signature as required by FIM.

Does anyone have any idea what might be causing the problem?

August 21st, 2015 3:42am

I've made some progress.

When looking at the request history I can see FIM CM reports the card cannot be accessed because the PIN is incorrect. I assume this is actually the admin key. I used the default admin key when creating the VSC, which according to TechNet should be 10203040506070801020304050607080102030405060708.

The .NET smart cards have a default admin key of all 0s (48 digits).

I created another VSC and specified all 0s for the admin key, and FIM CM can now initialise the card OK, but the request still fails after diversifying the admin key, with the following error:

One or more of the supplied parameters could not be properly interpreted.

I'm looking into this error now - any info would be appreciated.

Thanks

August 21st, 2015 4:37am

Eureka!

I had a suspicion this was user PIN related, so I tried creating another VSC with the same default user PIN as a .NET card, i.e. 0000. The VSC create request failed with the same error I was seeing during an enrol attempt in FIM CM:

C:\Windows\system32>tpmvscmgr create /name MyVSC1 /pin prompt /adminkey prompt /generate
Enter PIN:
****
Confirm PIN:
****
Enter Admin Key:
************************************************
Confirm Admin Key:
************************************************
Creating TPM Smart Card...
Initializing the Virtual Smart Card component...
Creating the Virtual Smart Card component...
Ensure that your PIN/PUK meets the length or complexity requirements of your organization.
        (0x80100004) One or more of the supplied parameters could not be properly interpreted.

Then it dawned on me that my FIM CM profile template is set to randomise the user PIN during the enrolment because we initiate an unblock request for the user to reset their PIN initially.

The profile template was configured for a user PIN length of 6 characters. I've changed this to 8 and now it's working as expected!

I hope this might help someone else if they have similar problems.

August 21st, 2015 5:50am
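
Added example, not part of the original thread: a PowerShell pre-flight check that compares a profile template's PIN length and initial admin key against what a TPM virtual smart card accepts, so the 0x80100004 failure seen above is caught before enrolment. The function name, parameter names and the limits (PIN of at least 8 characters, admin key of exactly 48 hex digits) are assumptions of this example, not values read from FIM CM.

```powershell
# Added example (not from the thread). Assumed VSC limits:
#   user PIN  : at least 8 characters
#   admin key : exactly 48 hex digits (24 bytes)
$VscMinPinLength = 8
$AdminKeyPattern = '^[0-9A-Fa-f]{48}$'

function Test-VscTemplateSettings {
    param(
        [Parameter(Mandatory)] [int]    $PinLength,        # PIN length set in the profile template
        [Parameter(Mandatory)] [string] $InitialAdminKey   # admin key the template expects on a fresh card
    )

    $problems = @()

    # A randomised PIN shorter than the minimum is rejected by the card
    # with 0x80100004 (SCARD_E_INVALID_PARAMETER), as in the tpmvscmgr output above.
    if ($PinLength -lt $VscMinPinLength) {
        $problems += "PIN length $PinLength is below the VSC minimum of $VscMinPinLength."
    }

    # A key of the wrong length or with non-hex characters cannot match the card.
    if ($InitialAdminKey -notmatch $AdminKeyPattern) {
        $problems += "Admin key is $($InitialAdminKey.Length) characters; 48 hex digits are required."
    }

    [pscustomobject]@{
        PinLength = $PinLength
        Ok        = ($problems.Count -eq 0)
        Problems  = $problems
    }
}

# The PIN lengths tried in the thread (4 and 6 failed, 8 worked), with the
# all-zero admin key used for the second VSC.
$zeroKey = '0' * 48
foreach ($len in 4, 6, 8) {
    Test-VscTemplateSettings -PinLength $len -InitialAdminKey $zeroKey
}

# Constructed sample: an admin key one digit short is flagged as well.
Test-VscTemplateSettings -PinLength 8 -InitialAdminKey ('0' * 47)
```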
