Bug 8078 - Smart card authentication fails with Net iD single sign-on
Status: NEW
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Smart card
Version: trunk
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: LowPrio
Assignee: Bugzilla mail exporter
Reported: 2023-01-27 16:06 CET by Pierre Ossman
Modified: 2023-06-07 13:14 CEST

Description: Pierre Ossman (cendio), 2023-01-27 16:06:34 CET
There is some incompatibility between ThinLinc and Net iD that causes smart card authentication to fail.

The error presented to the user is a dialog with:

> Smart card malfunction. Check your hardware.

The log file has this to say:

> ...
> 2023-01-10T07:45:00: Getting certificate with id 65537
> 2023-01-10T07:45:00: Certificate found
> 2023-01-10T07:45:00: Logging in...
> 2023-01-10T07:45:00: Querying user for passphrase...
> 2023-01-10T07:45:03: Unexpected token login error: 256
> 2023-01-10T07:45:03: Signature operation failed (256)

256 is CKR_USER_ALREADY_LOGGED_IN, which is a bit unexpected.

The same code can be found in Net iD's debug log:

> Pkcs11 - Failed to login
> Pkcs11 - Return CKR_USER_ALREADY_LOGGED_IN

The problem is that the smart card (correctly) reports that the key is protected by a passphrase. tlclient then assumes the card defaults to a locked state, and needs to be unlocked. This assumption is apparently not true with Net iD.

It is not clear if Net iD is violating the PKCS#11 specification by having the token unlocked, or if tlclient is making assumptions that aren't supported by the specification. We need to look closer at it and see what it says.

The customer who reported this claims that disabling Net iD's SingleSignOn and UseCache settings makes the problem go away. They also state that you can work around it by specifying the wrong passphrase first, followed by the correct one.
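The session-state check the report points at, as an added example that is not ThinLinc's or Net iD's code: the pkcs11.h names are redefined as stand-ins with the header's values so it builds without a PKCS#11 SDK, the token struct and both login flows are constructed for the illustration, and a single sign-on token is modelled as already being in a user session. Whichever way the specification question is settled, a client that consults the session state (what C_GetSessionInfo reports) before calling C_Login, and treats CKR_USER_ALREADY_LOGGED_IN as "already authenticated" rather than as a card malfunction, copes with both kinds of middleware.

```c
#include <string.h>
/* Stand-ins for the pkcs11.h names used here, with the header's values,
 * so the example builds without a PKCS#11 SDK. */
typedef unsigned long CK_RV;
typedef unsigned long CK_STATE;
#define CKR_OK                     0x000UL
#define CKR_PIN_INCORRECT          0x0A0UL
#define CKR_USER_ALREADY_LOGGED_IN 0x100UL  /* 256, the value in the log */
#define CKS_RO_PUBLIC_SESSION      0UL
#define CKS_RO_USER_FUNCTIONS      1UL
#define CKS_RW_USER_FUNCTIONS      3UL

/* Constructed token model: current session state and the PIN it accepts. */
struct token { CK_STATE state; const char *pin; };

static int in_user_session(CK_STATE s) { return s == CKS_RO_USER_FUNCTIONS || s == CKS_RW_USER_FUNCTIONS; }

/* Plays the role of C_GetSessionInfo(): reports the session's state. */
static CK_STATE get_session_state(const struct token *t) { return t->state; }

/* Plays the role of C_Login(CKU_USER). A token whose middleware already
 * logged the user in (single sign-on, as the report describes Net iD)
 * answers CKR_USER_ALREADY_LOGGED_IN without consulting the PIN. */
static CK_RV token_login(struct token *t, const char *pin) {
    if (in_user_session(t->state)) return CKR_USER_ALREADY_LOGGED_IN;
    if (strcmp(pin, t->pin) != 0) return CKR_PIN_INCORRECT;
    t->state = CKS_RW_USER_FUNCTIONS;
    return CKR_OK;
}

/* The fragile flow from the report: "key needs a passphrase" is read as
 * "token is locked", so login is always attempted and any non-OK return
 * is reported as a card malfunction. */
static int login_assuming_locked(struct token *t, const char *pin) {
    return token_login(t, pin) == CKR_OK;
}

/* Prompting for a passphrase is only needed when no user session exists. */
static int needs_passphrase_prompt(const struct token *t) { return !in_user_session(get_session_state(t)); }

/* Tolerant flow: skip login when a user session already exists, and if a
 * login is attempted anyway accept CKR_USER_ALREADY_LOGGED_IN, since the
 * goal (an authenticated session for the signature) is already met. */
static int ensure_user_session(struct token *t, const char *pin) {
    if (!needs_passphrase_prompt(t)) return 1;
    CK_RV rv = token_login(t, pin);
    return rv == CKR_OK || rv == CKR_USER_ALREADY_LOGGED_IN;
}
```

With the single sign-on token the fragile flow fails exactly as in the log, while the tolerant flow never prompts and succeeds; with a locked token both flows still reject a wrong PIN.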
