Domained computer: LSASS.EXE performs CHV and blocks crypto device with false pin entry

Lukas_O 1 Reputation point
2021-04-22T08:38:43.81+00:00

Dear Community,

We are currently troubleshooting an issue where a crypto device (smartcard containing a digital certificate) is randomly blocked due to wrong PIN entry.
The crypto device is used exclusively to authenticate the user against a website (mutual certificate authentication) and is not part of the Windows logon process.

The system is Windows 10 LTSC Enterprise 2019, patched to latest and part of a domain.
The issue has been reported to us since inception of 2FA logon in September 2020.

The users claim not to be asked for PIN entry prior to the crypto device being blocked, it happens "suddenly". The Event viewer under subsection:
"Microsoft / Windows / SmartCard-Audit" -> "Authentication":
lists multiple events 101: Cardholder verification by process Edge successful, this is the expected use of the crypto device.
But also 4 events 100: Cardholder verification by process lsass.exe: failed

Those failed events occur at 1-second intervals, always fail, and exceed the number of login tries allowed by the crypto device, therefore blocking it.

A test system of the same build, but not joined to the domain has never shown that behavior.

Any ideas or hints are greatly appreciated.
We are looking for root cause but primarily for a way to keep OS components from polling or interacting with the crypto device.

Best regards
Lukas

  1. Leila Kong 3,706 Reputation points
    2021-04-23T08:38:53.09+00:00

    Hello @Lukas_O ,

    Are those users joined to the domain? If you log on with a domain account, will the crypto device be blocked?
    Did all the domain computers have this problem? Is there any screenshot?

    For your reference:
    https://learn.microsoft.com/en-us/windows-server/security/windows-authentication/credentials-processes-in-windows-authentication

    Best regards,
    Leila


  2. Lukas_O 1 Reputation point
    2021-04-23T09:21:23.327+00:00

    Thanks for your initial analysis.

    • All users are domain users
    • No, a simple login does not block the attached crypto device. It is random.
    • A small number of computers use crypto devices; one system I know of had the issue twice within 2 months, some never.

    What exactly do you ask me to screenshot?

    The log looks like this (German language system here)

    Prozessimage: C:\Windows\System32\lsass.exe
    PID: 800"
    Fehler 06.04.2021 06:42:17 Microsoft-Windows-SmartCard-Audit 100 Fehler "Fehler bei der Smartcard-Halterverifizierung (Card Holder Verification, CHV).

    Prozessimage: C:\Windows\System32\lsass.exe
    PID: 800"
    Fehler 06.04.2021 06:42:18 Microsoft-Windows-SmartCard-Audit 100 Fehler "Fehler bei der Smartcard-Halterverifizierung (Card Holder Verification, CHV).

    Prozessimage: C:\Windows\System32\lsass.exe
    PID: 760"
    Fehler 06.04.2021 06:42:18 Microsoft-Windows-SmartCard-Audit 100 Fehler "Fehler bei der Smartcard-Halterverifizierung (Card Holder Verification, CHV).

    A normal use of the crypto device is logged as follows:

    Prozessimage: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    PID: 3056"
    Informationen 24.03.2021 08:04:56 Microsoft-Windows-SmartCard-Audit 101 Erfolg "Erfolgreiche Smartcard-Halterverifizierung (Card Holder Verification, CHV).

    The Crypto device is not used for Windows Login at all.

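Added example, not part of the original posts: a small detector for the pattern described in this thread, namely rapid runs of failed CHV (event 100) from a process that is not the expected card user. The records are constructed from the log lines quoted above; the allowlist, time gap and retry limit are assumptions to adjust per card and environment.

```python
from datetime import datetime, timedelta

# Constructed sample records modelled on the thread's log lines:
# (timestamp, event ID, process image). 100 = CHV failed, 101 = CHV successful.
EVENTS = [
    ("2021-03-24 08:04:56", 101, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"),
    ("2021-04-06 06:42:17", 100, r"C:\Windows\System32\lsass.exe"),
    ("2021-04-06 06:42:18", 100, r"C:\Windows\System32\lsass.exe"),
    ("2021-04-06 06:42:18", 100, r"C:\Windows\System32\lsass.exe"),
    ("2021-04-06 09:15:02", 100, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"),
    ("2021-04-06 09:15:20", 101, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"),
]

EXPECTED = {"msedge.exe"}       # assumption: only the browser should present the PIN
MAX_GAP = timedelta(seconds=2)  # assumption: failures this close together are automated
MIN_BURST = 3                   # assumption: set to the card's real PIN retry limit


def find_chv_bursts(events, expected=EXPECTED, max_gap=MAX_GAP, min_burst=MIN_BURST):
    """Return runs of failed CHV (event 100) from processes outside `expected`."""
    bursts, current = [], []

    def flush():
        # Keep the run only if it is long enough to exhaust the retry counter.
        if len(current) >= min_burst:
            bursts.append({"process": current[0][1], "start": current[0][0],
                           "end": current[-1][0], "failures": len(current)})
        current.clear()

    rows = sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), eid, img)
                  for ts, eid, img in events)
    for ts, eid, img in rows:
        name = img.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if eid == 101:
            flush()  # assumption: a successful CHV resets the card's retry counter
            continue
        if eid != 100 or name in expected:
            continue  # a user mistyping the PIN in the expected process is not flagged
        # A new run starts when the gap is too long or the process changes.
        if current and (ts - current[-1][0] > max_gap or current[-1][1] != name):
            flush()
        current.append((ts, name))
    flush()
    return bursts
```

On the sample data this reports one run of three failures from lsass.exe starting at 06:42:17 and ignores the single mistyped PIN in Edge.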

  3. Leila Kong 3,706 Reputation points
    2021-04-27T09:14:15.723+00:00

  4. Lukas_O 1 Reputation point
    2021-04-27T10:44:12.66+00:00

    Thank you, unfortunately the linked resources do not relate to my issue.

    The crypto device is not tied to / configured with the Windows system login. Windows logon is username/password with a domain account. The crypto device is only used with web-based 2FA with the MS Edge browser. However, lsass.exe randomly tries to access the crypto device and perform cardholder verification. The user is given no prompt to enter a passphrase, and lsass exhausts the unlock attempts of the crypto device.

    What could prompt lsass to perform a CHV?


  5. Leila Kong 3,706 Reputation points
    2021-04-29T09:10:14.357+00:00

    Hello @Lukas_O ,

    Please download Process Monitor to capture logs on the problem computer, both during a normal logon and while reproducing the issue, for analysis:
    https://learn.microsoft.com/en-us/sysinternals/downloads/procmon
