Troubleshooting the Windows Registry Smart Card entries

If a minidriver has been installed but the smart card is not working, check the registry settings.

When Windows installs a minidriver, it copies the DLL files into the appropriate Windows system directories and sets specific registry entries so that the cryptographic subsystem can associate the correct DLL with the smart card in use.

The relevant registry entries are here:

HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Calais\SmartCards

Open Regedit:

[Image: taglio-reg.jpg]

Under the SmartCards key is a list of the smart cards that Windows recognizes. Each key generally has the following entries:

 

[Image: taglio-reg2.jpg]

 

The ATR is the “Answer To Reset” string provided by the smart card. In this context it serves to identify the smart card.  The ATR Mask tells Windows to look only at the significant parts of the ATR. In the example above, all parts are significant.

The Crypto Provider and Smart Card Key Storage Provider entries should be as shown for a minidriver smart card. That is because a minidriver is specifically designed to work with the Microsoft Smart Card providers (that is what makes it a “mini” driver).

The 80000001 value holds the location of the actual minidriver DLL. If any of these values is incorrect, the crypto subsystem will not be able to associate the correct DLL with the card, and it will fail to read the certificates from the card or to authenticate to it.

To troubleshoot, you must first know the ATR of the specific card you are troubleshooting. Most smart card readers have utilities that enable you to see the ATR. Another easy way is to use the CertUtil utility provided by Microsoft on Windows 7 and later OS versions.  Open a command window and run the following command:

certutil -v -scinfo

Let's look at some possible results:

[Image: certutil-scinfo-fail.png]

In the above example the smart card resource manager is working fine, but the card ATR is not in the registry, and so the system cannot use it.
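
The registry check described above can be scripted once you have the ATR from certutil. The following PowerShell is an added example, not part of the original article or any vendor tooling. It assumes the binary value names ATR and ATRMask under each card key, a byte-by-byte comparison of the masked ATRs, and a constructed sample ATR as the default input.

```powershell
# Added example: report which registered card entry, if any, matches a card's ATR.
param(
    # ATR in hex as shown by "certutil -v -scinfo". The default is a constructed sample.
    [string]$CardAtr = '3B 04 DE AD BE EF'
)

$root = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards'

function ConvertTo-Bytes([string]$Hex) {
    # Accepts "3B 04 ...", "3b04..." or "3B-04-..." and returns a byte array.
    $clean = $Hex -replace '[^0-9A-Fa-f]', ''
    if ($clean.Length -eq 0 -or $clean.Length % 2) { throw "Not a valid hex ATR: '$Hex'" }
    $bytes = for ($i = 0; $i -lt $clean.Length; $i += 2) {
        [Convert]::ToByte($clean.Substring($i, 2), 16)
    }
    return ,[byte[]]$bytes
}

function Test-AtrMatch([byte[]]$Card, [byte[]]$Atr, [byte[]]$Mask) {
    # Assumption: only the bits set in the mask are significant, and lengths must agree.
    if (-not $Atr.Length -or $Atr.Length -ne $Mask.Length -or $Card.Length -ne $Atr.Length) {
        return $false
    }
    for ($i = 0; $i -lt $Card.Length; $i++) {
        if (($Card[$i] -band $Mask[$i]) -ne ($Atr[$i] -band $Mask[$i])) { return $false }
    }
    return $true
}

$card = ConvertTo-Bytes $CardAtr
$hits = foreach ($key in Get-ChildItem -Path $root) {
    $p = Get-ItemProperty -LiteralPath $key.PSPath
    if (Test-AtrMatch $card $p.ATR $p.ATRMask) {
        $dll = $p.'80000001'
        # A bare file name is looked up in System32 here; that location is an assumption.
        $path = if ([IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path $env:SystemRoot "System32\$dll" }
        [pscustomobject]@{
            Card       = $key.PSChildName
            CSP        = $p.'Crypto Provider'
            KSP        = $p.'Smart Card Key Storage Provider'
            Minidriver = $dll
            DllFound   = ([bool]$dll) -and (Test-Path -LiteralPath $path)
        }
    }
}

if ($hits) { $hits | Format-List }
else { Write-Warning "No entry under $root matches ATR $CardAtr" }
```

A warning here corresponds to the failure case above, where the card's ATR is not in the registry. A match with DllFound set to False, or with unexpected provider names, points at the other values in the key.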
