This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Tom_Heesmans
Contributor
‎2018-07-16 01:31 AM

Smartcard FDE pre-boot authentication

Hi guys,

Does anyone have experience with using a smartcard to unlock the pre-boot of Sandblast FDE?

I've enabled the feature in the end-point console, when entering my smartcard it switches the login screen to enter my PIN. However when I enter the PIN it does not unlock.

The smartcard has a user certificate on it to authenticate on Windows, which is working fine. 

I don't have that much experience with smartcards and CheckPoint so I was wondering if I need a specific certificate (like EFS) or that any of you have any experience using this.

I would also think that the driver is correct because it switches to the PIN and when I use another type of smartcard it does not switch, so cannot read the smartcard.

Any help would be appreciated!

6 Replies
PhoneBoy
Admin
Admin
‎2018-07-16 07:14 AM

In older versions (ones no longer supported), there was a bug with PINs of a certain length.

Not sure that's still relevant.

It's probably a good idea to involve the TAC in this.

0 Kudos
Tom_Heesmans
Contributor
‎2018-07-16 07:18 AM
In response to PhoneBoy

Thanks for the response, this however is not an older version and the pin is only 4 digits in lenght for testing.

We'll probably need TAC but I have some great experiences with this community and was hoping for the small simple remark that will point is in the right direction. My guess is that this is something simple that we are overlooking.

0 Kudos
PhoneBoy
Admin
Admin
‎2018-07-16 08:32 AM
In response to Tom_Heesmans

I'll see if I can get an expert in this area to comment Smiley Happy

0 Kudos
KatiaCruz
Employee
Employee
‎2020-11-10 07:46 PM

@Tom_Heesmans, I just found your post and I'm wondering how you resolved the issue described.

After switching from password to smartcard authentication in the FDE preboot today, I get an "Invalid Logon" message in the client, and a "No Smartcard users configured" in the logs on the management. I did some testing and my scenario matches your description.

I know it has been a while, but I'll appreciate it if you can share anything you remember. 🙂

0 Kudos
Tom_Heesmans
Contributor
‎2020-11-11 12:03 AM
In response to KatiaCruz

For us this eventually came down to an incompatible driver for the smartcard reader. It should have been compatible according to the documentation but after examination from dev-ops this was not the case. Our smartcard readers where from Thales (formaly Gemalto) and CheckPoint collaborated with them to integrate the correct driver. Everything is working as expected now.

0 Kudos
KatiaCruz
Employee
Employee
‎2020-11-11 09:22 AM
In response to Tom_Heesmans

Good to know, @Tom_Heesmans. I will double-check if the smartcard reader driver is the right one in my case. We ended up using a generic one from the list provided during configuration.

Thanks for your response! 

0 Kudos