Smart Card Tools and debugging
CertUtil (tool available on Windows Vista and in the Windows 2003 Server Admin Pack)
Listing Certificates available on the card:
Command to list the certificates available on the smart card:
C:\> certutil -scinfo
Entering the PIN is not required for this operation. Pressing Escape at each PIN dialog works, because the objective is only to read the public certificates on the card.
Deleting Certificates on the card:
Each certificate is enclosed in a container, so deleting a certificate from the card actually means deleting the container that corresponds to it. Deleting the container also removes the key pair it holds. The following command deletes a container; the last argument is the container name:
C:\> certutil -delkey -csp "Microsoft Base Smart Card Crypto Provider" "38f813f2-ec3b-4e96-ba19-38b830923be9"
Kerberos debugging and trace
The Kerberos Authentication in Windows portal (https://www.microsoft.com/kerberos) is a good place to start. There are two troubleshooting docs:
- Troubleshooting Kerberos Errors (https://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx)
- Troubleshooting Kerberos Delegation (https://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerbdel.mspx)
Smart Card Service (SCardSvr.exe on XP, SVCHost on Vista)
To restart the SCardSvr service, run the following commands from a Windows command prompt:
C:\> net stop SCardSvr
C:\> net start SCardSvr
To find out whether the Smart Card service is running (note: the STATE field shows whether the service is running or stopped):
C:\> sc queryex scardsvr
SERVICE_NAME: scardsvr
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 1320
        FLAGS              :
C:\>
CAPI2 Diagnostics
CAPI2 Diagnostics is a feature in Microsoft® Windows® Vista and Microsoft® Windows® Server code name “Longhorn” which helps administrators with troubleshooting PKI problems. CAPI2 Diagnostics logs events in the Windows Event Log containing detailed information about certificate chain validation, certificate store operations and signature verification. This makes it easier to identify the root cause of problems and reduces the time required for diagnosis.
For more information on CAPI2 Diagnostics, refer to the whitepaper "Trouble Shooting PKI problems on Windows Vista".
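One way to put CAPI2 Diagnostics to work during a smart card or certificate problem, as an added example that is not part of the original page: enable the log, reproduce the failure, then summarize the error and warning events. It assumes the event channel is named Microsoft-Windows-CAPI2/Operational and that each event's UserData holds one element named after the CryptoAPI operation with a nested Result element carrying the error code.

```powershell
# Added example, not from the original page. Run from an elevated prompt.
# Needs PowerShell 3.0 or later for [pscustomobject].
$log = 'Microsoft-Windows-CAPI2/Operational'   # assumed channel name

# The CAPI2 channel is disabled by default; enable it before reproducing.
wevtutil.exe set-log $log /enabled:true
Read-Host 'Reproduce the certificate or smart card problem, then press Enter' |
    Out-Null

# Level 2 = Error, 3 = Warning. "No events found" is a non-terminating error.
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 2, 3 } `
    -MaxEvents 200 -ErrorAction SilentlyContinue

$summary = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $ud  = $xml.Event.UserData

    # Assumed layout: <UserData><OperationName ...><Result value="hex">text
    $op = $null
    if ($ud -is [System.Xml.XmlElement]) { $op = $ud.SelectSingleNode('*') }
    $res = $null
    if ($op) { $res = $op.SelectSingleNode(".//*[local-name()='Result']") }

    $code = ''
    $text = ''
    if ($res) {
        $code = $res.GetAttribute('value')
        $text = $res.InnerText.Trim()
    }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        EventId   = $e.Id
        Operation = if ($op) { $op.LocalName } else { '(no UserData)' }
        Code      = $code
        Message   = $text
    }
}

# Which operation fails most often, and with which result code?
$summary | Group-Object Operation, Code | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Full detail, oldest first, for the events just summarized.
$summary | Sort-Object Time | Format-List

# The log is verbose; disable it again once the diagnosis is done.
wevtutil.exe set-log $log /enabled:false
```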