Wednesday, February 21, 2007

Enrolling for Smart Cards with CLM Beta 2

Let me preface this by admitting my "CLM noob" status, and that I am going to make some very dumb mistakes on my learning curve with CLM. Hopefully documenting them here will make somebody else look smart, or reduce the number of goats sacrificed on their way to becoming CLM gurus.

CLM installs with two sample Profile Templates:
  • CLM Sample Profile Template
  • CLM Sample Smart Card Logon Profile Template
In CLM a profile template is analogous to an LDAP object class. Profiles in CLM are instantiated according to the policies of the Profile Template. These policies are easily viewed and configured with the CLM UI.

The CLM Sample Profile Template is a great way to start playing with software certs. It is easy to start with because you don't require any smart cards or smart card readers (which tend to also be writers BTW).

The CLM Sample Smart Card Logon Profile Template is much more entertaining, because it writes certificates onto smart cards (as the name implies, but which I found hard to believe during my troubleshooting). This is especially exciting if you have a USB smart card reader with lights. Nothing makes demos fun like flashing lights and something you can physically show people ;-)

Anyhow, I was trying all night to enroll a test user for a new permanent smart card using the smart card template mentioned above. No matter what I tried I couldn't seem to get the certs written to the card. Each time I tried I got an error message saying something about PKCS#11:
"PKCS#11 smart card self-service control error: PKCS11 Error: Failed to load PKCS11 module"
This made no sense to me because I was trying to use Base CSP. My mistake was to spend hours trying to figure out a CLM Client issue. the CLM Client can be tricky to install, but if you have these three steps done you are not likley to hit CLM Client problems:
1. Install the Base CSP (Windows-KB909520-v1.000-x86-ENU.exe for my XP machine)
2. Install the Mini-drivers (Cardmod_x86.msi)
3. Install the CLM Client (comes on the CLM media)

After running out of ideas I decided to check the Profile Template and right away saw that it was not configured to use Base CSP, so when it was trying to deal with the smart card it didn't use Base CSP, but other drivers that were not on my system, and probably weren't supported by my card. I changed the profile template to use Base CSP and poof, it worked.

If you find yourself spending hours trying to solve a CLM Client problem, don't forget to have a look at the server. If you want to make changes to Profile Templates, I suggest copying the templates instead of modifying the existing ones so you can back out of your troubleshooting changes.

Thanks to Brian Komar for helping me figure this out!


Brad Turner said...

Thanks for posting this Craig! I will also confess to being a CLM noob having done a single "real" PKI project, but without smartcards. I think few people have actually had to deal with the provisioning of smartcards outside of certain government agencies and, of course, Microsoft itself. I found Brian's book on PKI (Microsoft Windows 2003 PKI and Certificate Security) to be the bible and hope to see some additional materials regarding CLM!

priyanka said...

Hello Craig/Brad

I successfully got software certificate on the system using "Sample Profile template" and following the steps mentioned at the link "".

But i fail to get it on smart card.
smart card is detected when i click on"details of smart card" on web portal.

can u please specify what all changes i have to make in steps when i want to get cert on smart card instead of system store.

please tell one more thing.actually error is prompted on the screen after "data collection screen" (while requesting for cert)on which sample data titem is asked for.

Do i need to make some changes there?