WIN XP Client Registers only one certificate after previous success in Windows NT Domain

Description: This article explains a workaround for an issue with XP users in an NT domain.

Product: NetSign CAC

Version: 4.x

Operating Systems: Windows XP



Issue / Problem:

Certain NetSign CAC customers and support helpdesks have reported problems when running NetSign CAC on the Windows XP operating system. After successful initial installation and use of the product, a problem arises in which only one of the three CAC certificates is listed in the Internet Explorer certificate store, and CAC functionality is reduced. These problems have only been observed on XP clients in an NT domain after the user's logon password has been changed.

Microsoft has confirmed this as a known issue and documented it in Microsoft Knowledge Base Article 331333 (previously published as Q331333), "User Cannot Gain Access to Certificate Functionality After Password Change or When Using a Roaming Profile": http://support.microsoft.com/default.aspx?scid=kb;en-us;331333

This article indicates that the source of the problem lies within the Microsoft operating systems (XP client and NT server domain) and is not an issue with NetSign CAC.

We recommend using the link provided, or searching Microsoft's website directly, to view the entire article if you want more information concerning this issue. Excerpts from the article appear below:



Solution:

Excerpted from Microsoft Knowledge Base Article 331333:
http://support.microsoft.com/default.aspx?scid=kb;en-us;331333



PROBLEM

When a user tries to use certificate functionality after they change their password or when they use a roaming profile, they may lose access to this certificate functionality. Certificate functionality that may not work as before includes the following:

* Accessing files that are encrypted with Encrypting File System (EFS)

* Accessing a secure Web page that requires certificate authentication

* Signing e-mail with Secure/Multipurpose Internet Mail Extensions (S/MIME)



CAUSE

"This problem occurs only if the client user account is in a Microsoft Windows NT 4.0 domain and if they are logged on to a Microsoft Windows XP Professional workstation. The Windows XP version of the Data Protection API (DPAPI) function helps to protect EFS private keys and other data that you want to keep secure. The recovery functionality of DPAPI is not supported for users who are members of domains that are running Microsoft Windows NT 4.0 and earlier."



RESOLUTION

"To maintain client access to certificate functionality after users change their passwords or when they use roaming profiles, upgrade the domain to Active Directory directory service. Active Directory domains provide a mechanism that helps to protect the DPAPI master key with a public/private key pair. (The DPAPI master key is used to help protect EFS private keys and other certificate-based functions.)



In a Windows NT 4.0 domain, the ability to restore access to the certificate keys and data is located on the workstation. This is not the case in a Microsoft Windows 2000 domain. Because the recovery mechanism is not located on the workstation, Windows 2000 domains provide a significant additional level of protection for certificates if the workstation is physically compromised.



Although you only have to upgrade a single domain controller to take advantage of the DPAPI domain recovery mechanism, consider upgrading at least two domain controllers for fault-tolerance purposes.



It is highly recommended that you plan your Active Directory before you implement it. For more information about Active Directory design, visit the following Microsoft Web site:"

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/ad/windows2000/plan/bpaddsgn.asp



WORKAROUND

To work around this problem, install Windows XP Service Pack 1 (SP1) or later on the client workstation, and then create the following registry entry to emulate Windows 2000 behavior.



Warning: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.



Follow these steps, and then quit Registry Editor:

1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following key in the registry:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb
3. On the Edit menu, point to New, and then click DWORD value.
4. Type MasterKeyLegacyNt4Domain, and then press ENTER.
5. On the Edit menu, click Modify.
6. Type 1, and then click OK.



After you create this entry, the client will determine if the user is a member of a Windows NT 4.0 domain. If they are a member, the Windows XP client will emulate the Windows 2000 behavior, and DPAPI will give users with changed passwords access to their keys.

Important Security Implications:



Using this registry entry substantially decreases the security of a physically compromised computer. An attacker with physical access to the computer could access some or all EFS-encrypted files and any Certificate private keys on it.



Recover the Files After a Password Change:

To regain access to the certificate functionality on an individual workstation after a password change, change the password back to the password that was used when the files were last encrypted.



Note: These steps only change the password that you use to log on to your computer. They do not change your domain password.

1. Log on to the computer as the user with the current password.
2. Click Start, and then click Control Panel.
3. Double-click User Accounts.
4. Click to select your user name.
5. Click Reset password.
6. Type your original password in the New password text box, and then type the password in the Confirm new password text box. Click OK.
7. Restart your computer.



For your convenience, SSP-Litronic has prepared a registry file that makes the change to your registry described in Microsoft's workaround above.

1. Download the registry entry.
2. Unzip the files into a temporary directory.
3. Rename XPPasswordFix._reg to XPPasswordFix.reg.
4. Double-click XPPasswordFix.reg.
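As an added example (not code from this SSP-Litronic article, from the XPPasswordFix.reg file, or from Microsoft KB 331333), the following Windows PowerShell script makes the same registry change as the six regedit steps in the WORKAROUND section and as the vendor's .reg file, and additionally reports and reverts it. It assumes Windows PowerShell is installed on the XP SP1 or later client and that it runs as a local administrator; the script switches and function names are this example's own, while the key path and value name are the ones given in the KB excerpt.

```powershell
# Added example; not from the Saflink/SSP-Litronic article, the XPPasswordFix.reg
# file, or Microsoft KB 331333. Audits, applies, or reverts the KB 331333 workaround
# (REG_DWORD MasterKeyLegacyNt4Domain = 1 under the DPAPI Protect provider key).
# Assumptions: Windows PowerShell is present on the XP SP1+ client and the script
# runs as a local administrator. Switch and function names are this example's own.
param(
    [switch]$Apply,   # create the entry (the KB workaround)
    [switch]$Revert   # remove the entry, e.g. after the domain is upgraded to Active Directory
)

# Key and value name exactly as given in KB 331333 (HKEY_LOCAL_MACHINE written as HKLM:).
$DpapiProviderKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb'
$ValueName        = 'MasterKeyLegacyNt4Domain'

function Get-Nt4LegacyDpapiState {
    # Returns 'Enabled' (value is 1), 'Disabled' (value present but not 1) or 'NotSet'.
    $item = Get-ItemProperty -Path $DpapiProviderKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotSet' }
    if ([int]$item.$ValueName -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Enable-Nt4LegacyDpapi {
    # Same change the regedit steps (and the vendor's .reg file) make: DWORD value set to 1.
    if (-not (Test-Path $DpapiProviderKey)) {
        throw "DPAPI provider key not found; the workaround requires Windows XP SP1 or later."
    }
    New-ItemProperty -Path $DpapiProviderKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

function Disable-Nt4LegacyDpapi {
    # Removing the entry restores the default XP behaviour, which the KB describes as
    # significantly safer when the workstation is physically compromised.
    Remove-ItemProperty -Path $DpapiProviderKey -Name $ValueName -ErrorAction SilentlyContinue
}

if ($Apply)  { Enable-Nt4LegacyDpapi }
if ($Revert) { Disable-Nt4LegacyDpapi }

# Audit line on every run, so the weakened state shows up in helpdesk or inventory output.
$state = Get-Nt4LegacyDpapiState
Write-Output ("{0}\{1} on {2}: {3}" -f $DpapiProviderKey, $ValueName, $env:COMPUTERNAME, $state)
if ($state -eq 'Enabled') {
    Write-Warning ('Windows 2000 DPAPI emulation is on: an attacker with physical access to this ' +
                   'machine could recover EFS files and certificate private keys (KB 331333). ' +
                   'Revert once the domain is upgraded to Active Directory.')
}
```

Run it with no switches to report the current state, with -Apply to enable the workaround, and with -Revert to remove the entry after the domain has been upgraded to Active Directory, which is the resolution Microsoft recommends. Because the KB states that the entry leaves EFS files and certificate private keys recoverable by anyone with physical access, the audit line is what you would collect from each XP client when tracking which machines still carry the workaround.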



If you have further questions regarding NetSign CAC please contact SSP-Litronic directly.



Keywords: NT Domain Q331333 Windows XP Professional KB331333 USAREUR Q331333 NetSign Does Not Register All 3 Digital Certificates NetSign CAC Schannel Event: 36870
Copyright 2006 Saflink Corp.