LukasO-2896 asked

Domained computer: LSASS.EXE performs CHV and blocks crypto device with false pin entry

Dear Community,

we are currently troubleshooting an issue where a crypto device (Smartcard containing a digital certificate) is randomly blocked due to wrong PIN entry.
The crypto device is used exclusively to authenticate the user against a website (mutual certificate authentication) and is not part of the Windows logon process.

The system is Windows 10 LTSC Enterprise 2019, patched to latest and part of a domain.
The issue has been reported to us since inception of 2FA logon in September 2020.

The users claim not to be asked for PIN entry prior to the crypto device being blocked; it happens "suddenly". The Event Viewer, under "Microsoft / Windows / SmartCard-Audit" -> "Authentication", lists multiple events 101 (Cardholder verification by process Edge: successful), which is the expected use of the crypto device.
But it also lists 4 events 100 (Cardholder verification by process lsass.exe: failed).

Those failed events come at 1-second intervals, always fail and exceed the number of login tries allowed by the crypto device, therefore blocking it.

A test system of the same build, but not joined to the domain has never shown that behavior.

Any ideas or hints are greatly appreciated.
We are looking for root cause but primarily for a way to keep OS components from polling or interacting with the crypto device.

Best regards
Lukas

windows-10-security

We currently have the same issue and it appears to have come up recently. If you manage to determine what the cause was, it would be great to know.


Unfortunately, the RCA was inconclusive until now.
Could you share your setup and type of crypto device? Do you see the same log entries?
Maybe we have similarities that could help us resolve this, or find a way to reproduce the issue.
Regards
Lukas

LeilaKong-MSFT answered

Hello @LukasO-2896 ,

Are those users joined to the domain? If you log on with a domain account, will the crypto device be blocked?
Do all the domain computers have this problem? Is there any screenshot?

For your reference:
https://docs.microsoft.com/en-us/windows-server/security/windows-authentication/credentials-processes-in-windows-authentication


Best regards,
Leila



LukasO-2896 answered

Thanks for your initial analysis.

  • All users are domain users

  • No, a simple login does not block the attached crypto device. It is random.

  • A small number of computers use crypto devices; one system I know of had the issue twice within 2 months, some never.

What exactly do you ask me to screenshot?

The log looks like this (German-language system here):

Prozessimage: C:\Windows\System32\lsass.exe
PID: 800"
Fehler 06.04.2021 06:42:17 Microsoft-Windows-SmartCard-Audit 100 Fehler "Fehler bei der Smartcard-Halterverifizierung (Card Holder Verification, CHV).

Prozessimage: C:\Windows\System32\lsass.exe
PID: 800"
Fehler 06.04.2021 06:42:18 Microsoft-Windows-SmartCard-Audit 100 Fehler "Fehler bei der Smartcard-Halterverifizierung (Card Holder Verification, CHV).

Prozessimage: C:\Windows\System32\lsass.exe
PID: 760"
Fehler 06.04.2021 06:42:18 Microsoft-Windows-SmartCard-Audit 100 Fehler "Fehler bei der Smartcard-Halterverifizierung (Card Holder Verification, CHV).


Normal use of the crypto device is logged as follows:

Prozessimage: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID: 3056"
Informationen 24.03.2021 08:04:56 Microsoft-Windows-SmartCard-Audit 101 Erfolg "Erfolgreiche Smartcard-Halterverifizierung (Card Holder Verification, CHV).


The Crypto device is not used for Windows Login at all.
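A defender-side check for the pattern described in this thread (several event 100 failures from one process within a second or two, with no user prompt), as an added example that is not from the thread or from Microsoft. It assumes the log name 'Microsoft-Windows-SmartCard-Audit/Authentication' and that the event message carries the "Prozessimage:"/"Process Image:" and "PID:" lines shown above; the -UseSample switch runs it offline on constructed records.

```powershell
# Added example (not from this thread): detect bursts of failed cardholder verification
# (SmartCard-Audit event 100) per process image, so an alert fires before the card's
# retry counter is exhausted. Assumed: log name 'Microsoft-Windows-SmartCard-Audit/Authentication'
# and that the event Message carries "Prozessimage:"/"Process Image:" and "PID:" lines.
param(
    [int]$MaxFailures   = 3,    # alert when this many failures ...
    [int]$WindowSeconds = 10,   # ... fall inside this many seconds
    [switch]$UseSample          # constructed records instead of the live log (offline run)
)

function Get-ChvFailureRecord {
    if ($UseSample) {
        # Constructed sample modelled on the thread's entries; times and PIDs are illustrative.
        # The single browser failure stands for a user mistyping the PIN once, which must not alert.
        $msg = "Fehler bei der Smartcard-Halterverifizierung (Card Holder Verification, CHV).`n`nProzessimage: {0}`nPID: {1}"
        return @(
            [pscustomobject]@{ TimeCreated = [datetime]'2021-04-06 06:42:17'; Message = ($msg -f 'C:\Windows\System32\lsass.exe', 800) }
            [pscustomobject]@{ TimeCreated = [datetime]'2021-04-06 06:42:18'; Message = ($msg -f 'C:\Windows\System32\lsass.exe', 800) }
            [pscustomobject]@{ TimeCreated = [datetime]'2021-04-06 06:42:18'; Message = ($msg -f 'C:\Windows\System32\lsass.exe', 800) }
            [pscustomobject]@{ TimeCreated = [datetime]'2021-04-06 08:04:56'; Message = ($msg -f 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe', 3056) }
        )
    }
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SmartCard-Audit/Authentication'; Id = 100 } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

# Pull the process image and PID out of the message text (German or English wording)
$failures = foreach ($evt in Get-ChvFailureRecord) {
    $image  = if ($evt.Message -match '(?m)^(?:Prozessimage|Process Image):\s*(.+?)\s*$') { $Matches[1] } else { 'unknown' }
    $procId = if ($evt.Message -match '(?m)^PID:\s*(\d+)') { [int]$Matches[1] } else { 0 }
    [pscustomobject]@{ Time = $evt.TimeCreated; Image = $image; ProcId = $procId }
}

# Sliding window per process image: MaxFailures events within WindowSeconds is a burst
foreach ($group in ($failures | Group-Object Image)) {
    $times = @($group.Group | Sort-Object Time | ForEach-Object Time)
    for ($i = 0; ($i + $MaxFailures - 1) -lt $times.Count; $i++) {
        $span = ($times[$i + $MaxFailures - 1] - $times[$i]).TotalSeconds
        if ($span -le $WindowSeconds) {
            $pids = ($group.Group.ProcId | Sort-Object -Unique) -join ','
            Write-Warning ("CHV failure burst: {0} failed {1}x within {2}s from {3} (PID {4})" -f $group.Name, $MaxFailures, [int]$span, $times[$i], $pids)
            break
        }
    }
}
```

With the constructed sample only the lsass.exe group triggers the warning; run it without -UseSample on an affected machine (or schedule it) to catch the burst from the real log.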


LeilaKong-MSFT answered

LukasO-2896 answered

Thank you, unfortunately the linked resources do not relate to my issue.

The crypto device is not tied to / configured with the Windows system login. Windows logon is username/password with a domain account. The crypto device is only used for web-based 2FA with the MS Edge browser. However, lsass.exe randomly tries to access the crypto device and perform cardholder verification. The user is given no prompt to enter a passphrase and lsass exhausts the unlock attempts of the crypto device.

What could prompt lsass to perform a CHV?


LeilaKong-MSFT answered

Hello @LukasO-2896 ,

Please download Process Monitor and capture logs on the problem computer, both during a normal logon and while reproducing the issue, for analysis:
https://docs.microsoft.com/en-us/sysinternals/downloads/procmon


LukasO-2896 answered

Thank you,

I have nominated a user/system and instructed them to run procmon after login and to save the log to a file before end of business. I am now hoping for this irregular event to occur.

Best regards


Hello @LukasO-2896 ,

Thanks for your effort. Please capture two procmon logs for analysis, normal one and issue one, thanks.
