Windows integrated virtual smart card

Got a problem with Viscosity or need help? Ask here!

NL_

Posts: 2
Joined: Sun Feb 20, 2022 7:18 am

Post by NL_ » Sun Feb 20, 2022 7:42 am
Hello there,

I was playing around with creating a virtual smart card in Windows.
Authentication within Windows works fine and it all seems to be running.

We were using smart cards with Viscosity configured as shown here:

https://www.sparklabs.com/support/kb/ar ... ptoapicert

Somehow the same procedure does not work with a TPM Virtual Smart Card.

I was using these Microsoft articles to create the TPM VSC:

https://docs.microsoft.com/en-us/window ... requisites
https://docs.microsoft.com/en-us/window ... mart-cards
https://docs.microsoft.com/en-us/window ... -tpmvscmgr

Does this work for anyone else?
I would appreciate feedback.

Post by NL_ » Sun Feb 20, 2022 7:57 am
Error starts here:
Feb 19 9:56:53 PM: ERROR:Failed to sign using CryptoAPI.

Eric

Posts: 1146
Joined: Sun Jan 03, 2010 3:27 am

Post by Eric » Mon Feb 21, 2022 8:10 am
Hi NL_,

Could you please post a complete copy of your log with the verb raised? This should reveal more information about what is going on - https://sparklabs.com/support/kb/articl ... ed-logging

As this is a public forum, you may wish to email this to us instead - https://sparklabs.com/support#contact

Regards,
Eric
Eric Thorpe
Viscosity Developer

Web: http://www.sparklabs.com
Support: http://www.sparklabs.com/support
Twitter: http://twitter.com/sparklabs

Post by Eric » Tue Feb 22, 2022 8:07 am
Hi NL_,

Thanks for emailing the log. The log indicates that the TPM has denied access to the request to sign. The signing request is originating from the service in your log.

As a first step, if possible, please move your virtual smart key to the user-scope certificate store so it is only accessible by the local user. This will make Viscosity fall back to signing from the local user which may allow signing access.

If this doesn't work, please check for any permission or security access descriptors for your smart key.

If this doesn't help, it's possible the virtual smart key or TPM does not support a signing format that OpenSSL/OpenVPN requires. The key needs to support signing either ECDSA or PKCS1 with or without PSS padding depending on your certificate.

Regards,
Eric
Eric Thorpe
Viscosity Developer

Web: http://www.sparklabs.com
Support: http://www.sparklabs.com/support
Twitter: http://twitter.com/sparklabs
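
The checks suggested in the last reply can be run outside Viscosity. The following PowerShell sketch is an added example, not part of the thread and not Viscosity or SparkLabs code: it reports which certificate store holds the certificate and attempts each signature format mentioned above as the current user. The thumbprint is a placeholder and `Test-Sign` is a hypothetical helper name.

```powershell
# Added diagnostic sketch; not Viscosity or SparkLabs code. Run as the logged-in user.
# Placeholder: replace with the thumbprint of the VPN client certificate.
$Thumbprint = '<CERT-THUMBPRINT-PLACEHOLDER>'
$data   = [System.Text.Encoding]::ASCII.GetBytes('constructed test message')
$sha256 = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$pad    = [System.Security.Cryptography.RSASignaturePadding]

# Run one signing attempt and report success or the provider's error text.
function Test-Sign([string]$Label, [scriptblock]$Action) {
    try {
        $sig = & $Action
        '  {0,-10} OK ({1}-byte signature)' -f $Label, @($sig).Count
    } catch {
        '  {0,-10} FAILED: {1}' -f $Label, $_.Exception.Message
    }
}

foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
    $cert = Get-ChildItem -Path $store |
        Where-Object Thumbprint -eq $Thumbprint | Select-Object -First 1
    if (-not $cert) { "${store}: certificate not present"; continue }
    "${store}: $($cert.Subject), HasPrivateKey=$($cert.HasPrivateKey)"

    $rsa = $null; $ec = $null
    try {
        # Each call returns $null when the certificate's key is of the other type.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        $ec  = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            "  key storage provider: $($rsa.Key.Provider.Provider)"
        }
    } catch {
        "  could not open private key: $($_.Exception.Message)"; continue
    }

    if ($rsa) {
        Test-Sign 'RSA PKCS1' { $rsa.SignData($data, $sha256, $pad::Pkcs1) }
        Test-Sign 'RSA PSS'   { $rsa.SignData($data, $sha256, $pad::Pss) }
    }
    if ($ec) { Test-Sign 'ECDSA' { $ec.SignData($data, $sha256) } }
}
```

Signing with a smart card key normally triggers a PIN prompt, so run this in an interactive session.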