
NetSign CAC 5.5.128 (SP1) Advisory: Potential Incompatibility with Windows 2000 Smart Card Logon and the NetSign CAC PIN Always Policy

NetSign CAC 5.5.128 (SP1)

Problem:

During the course of routine testing of NetSign CAC, an issue was discovered in the Saflink Technical Support Lab where using the PIN Always policy feature appears to cause Windows 2000 Smart Card Logon to hang. As of the writing of this KB article, attempts to duplicate this problem outside of the Technical Support Lab have been unsuccessful.
Note: This issue has not been observed under Windows XP regardless of PIN Cache setting.

 

Summary:

 
During recent testing to assist DoD customers preparing to upgrade NetSign CAC from version 4.2x to 5.5 SP1, as well as to support smart card / cryptographic card login, a problem arose in our lab: if the PIN Policy was set to PIN Always, a user would fail to log in with their CAC card on a Windows 2000 SP4 system (fully patched as of the writing of this KB article). The login would hang for approximately 2-5 minutes until the system timed out. Removing the CAC card and attempting to log in manually (assuming that GPO allows logging in without a CAC) would also hang. Attempts to duplicate this issue in a separate lab have not resulted in any problems with Windows 2000 Logon. This suggests that the set of conditions for this issue to occur includes more than just the OS and PIN policy setting.

Cause:

 
The complete cause is unknown. However, it is clear that both the OS (Windows 2000) and the PIN Cache setting (PIN Always) play a role in this defect.

 
Workaround:

Several workarounds are available at this time:

a) Change your PIN Policy to not use PIN Always for Windows 2000 systems. We recommend using PIN Cache and setting the timeout to 1 minute in those cases.

b) If PIN Always was enabled on a Windows 2000 system, use the NetSign Group Policy Administrative Template (netsign.adm) to change the Group Policy remotely to PIN Cache.

c) If PIN Always was enabled on a Windows 2000 system that has presented the symptom of not logging in with a smart card, you will need to restart the system. After restarting the system, you will need to log in as a System or Local Administrator to change the PIN Policy to PIN Cache.

d) Upgrade from Windows 2000 to Windows XP.



 
Keywords: Auto-Decrypt, NetSign CAC, Windows 2000, Smart Card Logon, CCL
Copyright 2006 Saflink Corp.