Smart card logon, error with signature - Server 2008

Hi,

I am currently working on a PKI system which should allow users to log on to a domain using smart cards. I have implemented a CSP which communicates with my smart card. I am able to generate an RSA key pair on the smart card, request a user certificate from the CA and put the resulting certificate on the smart card. The problem comes in when I try to log on using the certificate on the smart card.

Windows is able to successfully extract the certificate from the smart card during the logon process, requests the user's PIN and sends the authentication request to the domain controller. After a while the logon process fails with the message "The system could not log you on. Your credentials could not be verified." and the message in the event logs on the server says "An error occurred while verifying a signed message using the inserted smart card: Invalid Signature" with event ID = 8.

The messages posted by Windows are self-explanatory and I understand them, so I tried verifying whether my smart card is producing the correct signatures. I used OpenSSL to calculate the SHA-1 digest of the logon certificate, on a PC, and instructed my smart card to sign the digest. I then used OpenSSL to verify the signature using the public key in the certificate, and it says that the verification was successful. So I am assuming the signature is correct.

Any ideas what might be causing the problem? Could it be the padding type?

I am running Windows 7 Professional (32-bit) on the client PC and Windows Server 2008 R2 Enterprise (64-bit) on the server. The client PC is using a checked build of Windows, which allows me to run a kernel debugger, which in turn enables Windows to use my CSP; otherwise, as far as I understand, Microsoft needs to sign the CSP before Windows accepts it.
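The padding question raised in the post can be answered directly from the signature bytes rather than from a pass/fail verify. Recovering EM = sig^e mod n with the public key shows exactly what the card put under the PKCS#1 v1.5 padding: the SHA-1 DigestInfo prefix plus the hash (what the domain controller expects), a bare 20-byte hash (a common CSP mistake that a lenient raw-RSA check would still accept), or something else. The inspector below also tries the byte-reversed signature, because CryptoAPI passes RSA signatures in little-endian byte order, the reverse of the big-endian PKCS#1 encoding that `openssl dgst -verify` consumes, so a signature that verifies under OpenSSL and one that CryptoAPI accepts differ by a byte reversal. This is an added example, not code from the original post or from the poster's CSP; the RSA key is a seeded toy key generated in-process (not a card key), the message is constructed, and the DigestInfo prefix is the SHA-1 value from RFC 8017 section 9.2.

```python
import hashlib
import random

# DER DigestInfo prefix for SHA-1 (RFC 8017, section 9.2, note 1).
# The PKCS#1 v1.5 payload T is this prefix followed by the 20-byte SHA-1 digest.
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")


def _is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin test; adequate for a throwaway test key, not for production."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits, rng):
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(p, rng):
            return p


def gen_rsa_keypair(bits=1024, seed=1):
    """Deterministic toy RSA key (n, e, d); seeded so the example is reproducible."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return p * q, e, pow(e, -1, phi)


def _rsa_apply(data, exp, n):
    """Raw RSA: interpret data as a big-endian integer, exponentiate, re-encode."""
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(data, "big"), exp, n).to_bytes(k, "big")


def pkcs1v15_pad(payload, k):
    """EMSA-PKCS1-v1_5 block type 1: 00 01 FF..FF 00 || payload."""
    if len(payload) > k - 11:
        raise ValueError("payload too long for modulus")
    return b"\x00\x01" + b"\xff" * (k - len(payload) - 3) + b"\x00" + payload


def sign_sha1_pkcs1(msg, n, d, with_digestinfo=True, little_endian=False):
    """Sign SHA-1(msg). with_digestinfo=False models a card that pads the bare hash;
    little_endian=True models a signature handed back in CryptoAPI byte order."""
    k = (n.bit_length() + 7) // 8
    digest = hashlib.sha1(msg).digest()
    payload = (SHA1_DIGESTINFO_PREFIX + digest) if with_digestinfo else digest
    sig = _rsa_apply(pkcs1v15_pad(payload, k), d, n)
    return sig[::-1] if little_endian else sig


def inspect_signature(sig, n, e, msg):
    """Recover EM = sig^e mod n (trying both byte orders) and report what the
    signer put under the padding. byte_order is None if no block-1 structure
    was found; payload is 'digestinfo+hash', 'bare hash' or 'other'."""
    digest = hashlib.sha1(msg).digest()
    for order, candidate in (("big-endian", sig), ("little-endian", sig[::-1])):
        em = _rsa_apply(candidate, e, n)
        if not em.startswith(b"\x00\x01"):
            continue
        sep = em.find(b"\x00", 2)           # end of the FF run
        if sep < 10 or em[2:sep] != b"\xff" * (sep - 2):
            continue                        # needs >= 8 bytes of FF then 00
        t = em[sep + 1:]
        if t == SHA1_DIGESTINFO_PREFIX + digest:
            return {"byte_order": order, "payload": "digestinfo+hash"}
        if t == digest:
            return {"byte_order": order, "payload": "bare hash"}
        return {"byte_order": order, "payload": "other"}
    return {"byte_order": None, "payload": None}


if __name__ == "__main__":
    n, e, d = gen_rsa_keypair(1024, seed=7)
    msg = b"constructed logon challenge"  # constructed sample input
    for label, sig in (
        ("correct PKCS#1 v1.5 / SHA-1", sign_sha1_pkcs1(msg, n, d)),
        ("bare hash, no DigestInfo", sign_sha1_pkcs1(msg, n, d, with_digestinfo=False)),
        ("byte-reversed (CryptoAPI order)", sign_sha1_pkcs1(msg, n, d, little_endian=True)),
    ):
        print(f"{label:35s} -> {inspect_signature(sig, n, e, msg)}")
```

To run this against a real card, replace the toy signer with the signature bytes the CSP returned and (n, e) from the certificate: only the result `{"byte_order": "big-endian", "payload": "digestinfo+hash"}` corresponds to a signature that is correct as PKCS#1 defines it; "bare hash" means the DigestInfo encoding is missing, and "little-endian" means the bytes are correct but reversed relative to what OpenSSL expects (which is the order CryptoAPI itself uses).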

