Fingerprint Reader on Windows 2003 server

Archived from groups: microsoft.public.hardware,microsoft.public.mshardware.product,microsoft.public.windows.server.general,microsoft.public.windowsxp.hardware (More info?)

Has anyone had any luck getting the Microsoft fingerprint reader to
install on W2K3 server? I've extracted the files from the setup msi
file and the hardware/drivers seem to install just fine, but the
DigitalPersona Password Manager softare will not install at all, with
the msi exiting with the fatal error "Windows XP Required". I've
tried opening the msi package with msiexec running in XP compatibility
mode, changing the windows version information in
HKLM/Software/Microsoft/Windows NT/CurrentVersion/, editing the msi
package file with orca, all with no success. Any ideas, suggestions
or other information would be appreciated.

--jw

Archived from groups: microsoft.public.hardware,microsoft.public.mshardware.product,microsoft.public.windows.server.general,microsoft.public.windowsxp.hardware (More info?)

The Microsoft fingerprint reader is not supported on the Server platform.
see
http://www.microsoft.com/hardware/ [...] px?pid=036

--

Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups

"J Dubba" <jnw317@hotmail.com> wrote in message
news:cc015bdd.0412011430.906dd3b@posting.google.com...
> Has anyone had any luck getting the Microsoft fingerprint reader to
> install on W2K3 server? I've extracted the files from the setup msi
> file and the hardware/drivers seem to install just fine, but the
> DigitalPersona Password Manager softare will not install at all, with
> the msi exiting with the fatal error "Windows XP Required". I've
> tried opening the msi package with msiexec running in XP compatibility
> mode, changing the windows version information in
> HKLM/Software/Microsoft/Windows NT/CurrentVersion/, editing the msi
> package file with orca, all with no success. Any ideas, suggestions
> or other information would be appreciated.
>
> --jw

Archived from groups: microsoft.public.hardware,microsoft.public.mshardware.product,microsoft.public.windows.server.general,microsoft.public.windowsxp.hardware (More info?)

"Pete X" <cybermatic@operamail.com> wrote in message
news:1104396307.472253.224510@z14g2000cwz.googlegroups.com...
> This is a question for Mr. Brannigan: why is this msi file setup to
> fail the install on Windows Server 2003 when the hardware will
> evidently function? If it can be modified as indicated here why the
> restriction? Is this a political or technological restriction?
>
> I would like to buy this hardware for my server environments. I am
> aware of and comfortable with the recommendation that it is a
> "convenience" only.

Pete,

The finger print reader is a consumer focused device to allow for faster
"fast user switching" as well as for easy web site access etc.
If you require strong two part authentication then a smart card solution for
your server environment would be the preferable option.

--

Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups

"Pete X" <cybermatic@operamail.com> wrote in message
news:1104396307.472253.224510@z14g2000cwz.googlegroups.com...
> This is a question for Mr. Brannigan: why is this msi file setup to
> fail the install on Windows Server 2003 when the hardware will
> evidently function? If it can be modified as indicated here why the
> restriction? Is this a political or technological restriction?
>
> I would like to buy this hardware for my server environments. I am
> aware of and comfortable with the recommendation that it is a
> "convenience" only.
>
> -px
>
>
>
>
> Lee wrote:
>> Yes, I have had luck getting the Microsoft Fingerprint Reader's
>> DigitalPersona Password Manager software to install on Windows 2003
>> Server. I edited the Setup.msi file, stripping out the Windows
> version
>> check. I will e-mail you a copy if you like.
>>
>> , Lee
>>
>>
>> J Dubba wrote:
>> > Has anyone had any luck getting the Microsoft fingerprint reader to
>> > install on W2K3 server? I've extracted the files from the setup
> msi
>> > file and the hardware/drivers seem to install just fine, but the
>> > DigitalPersona Password Manager softare will not install at all,
> with
>> > the msi exiting with the fatal error "Windows XP Required". I've
>> > tried opening the msi package with msiexec running in XP
>> compatibility
>> > mode, changing the windows version information in
>> > HKLM/Software/Microsoft/Windows NT/CurrentVersion/, editing the msi
>> > package file with orca, all with no success. Any ideas,
> suggestions
>> > or other information would be appreciated.
>> >
>> > --jw
>

Archived from groups: microsoft.public.mshardware.product,microsoft.public.windowsxp.hardware,microsoft.public.windows.server.general (More info?)

"Phillip Renouf" <PhillipRenouf@discussions.microsoft.com> wrote in message
news:102639E2-2547-4653-932E-A7593B8C6724@microsoft.com...
> Really? I would have thought that biometric devices would be something
> that
> would be considered a part of a strong two factor authentication scheme.
> Granted most of that is desktop focused and not server focused, but a
> growing
> number of Enterprises are starting to use devices like a fingerprint
> reader
> as a part of their authentication scheme (ie: enterprise desktop focused
> rather than consumer focused).
>
> Or did I misread that and your point is that the requirement to install a
> client on the server to support the device is not a desirable situation?
>

Biometric devices are indeed part of a strong authentication policy.
The current Microsoft Fingerprint reader is presently not supported on our
Server platforms as such a device. A smartcard which represents 2 factor
authentication may well be a better solution at this time. (there are a
number of ways to defeat a fingerprint reader that are not attack surfaces
to the requirement for the smartcard and the pin)

--

Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups

"Phillip Renouf" <PhillipRenouf@discussions.microsoft.com> wrote in message
news:102639E2-2547-4653-932E-A7593B8C6724@microsoft.com...
> Really? I would have thought that biometric devices would be something
> that
> would be considered a part of a strong two factor authentication scheme.
> Granted most of that is desktop focused and not server focused, but a
> growing
> number of Enterprises are starting to use devices like a fingerprint
> reader
> as a part of their authentication scheme (ie: enterprise desktop focused
> rather than consumer focused).
>
> Or did I misread that and your point is that the requirement to install a
> client on the server to support the device is not a desirable situation?
>
> Phil
>
>
> "Mike Brannigan [MSFT]" wrote:
>> Pete,
>>
>> The finger print reader is a consumer focused device to allow for faster
>> "fast user switching" as well as for easy web site access etc.
>> If you require strong two part authentication then a smart card solution
>> for
>> your server environment would be the preferable option.
>>
>> --
>>
>> Regards,
>>
>> Mike
>> --
>> Mike Brannigan [Microsoft]
>>
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights
>>

Archived from groups: microsoft.public.mshardware.product,microsoft.public.windowsxp.hardware,microsoft.public.windows.server.general (More info?)

"Phillip Renouf" <PhillipRenouf@discussions.microsoft.com> wrote in message
news:488DE817-9D25-4463-AD37-476449821FEB@microsoft.com...
> "Mike Brannigan [MSFT]" wrote:
>
>> Biometric devices are indeed part of a strong authentication policy.
>> The current Microsoft Fingerprint reader is presently not supported on
>> our
>> Server platforms as such a device. A smartcard which represents 2 factor
>> authentication may well be a better solution at this time. (there are a
>> number of ways to defeat a fingerprint reader that are not attack
>> surfaces
>> to the requirement for the smartcard and the pin)
>
> Interesting. Do you have any points to a document about that? We're
> looking
> at various authentication methods right now and one of them is fingerprint
> readers (for desktops, not servers) so I'd definitely be interested in
> that
> information if you know where I can go to read a bit more.
>
> Thanks Mike.

As regards by passing a fingerprint reader then the common trick is sometime
known as the gummy bear approach - where a soft material (such as the
aforementioned "gummy bear" ) is used to take an imprint of a fingerprint and
then used to replay that to the reader ("gummy bear", "silly putty" "play
doh" etc.) Other approaches are more common scenes of crime techniques
using various powders to lift fingerprints from various surfaces (glasses
table tops etc) an then using those to replay to the reader. some more
advanced readers include a thermal sensor to ensure that a warm object is
presented - again these can be worked around quite simply (a few seconds in
a microwave or a hot cup of coffee for a gummy bear will work in some
instances).
A smart card requires the physical token AND the pin - which potentially may
be harder to acquire both then a fingerprint of an authorized user.
Just look at many secure installations - few that I am aware of would use
just a finger print reader as opposed to a 2 factor method such as
smartcards or a combination of all of them.


--

Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups

"Phillip Renouf" <PhillipRenouf@discussions.microsoft.com> wrote in message
news:488DE817-9D25-4463-AD37-476449821FEB@microsoft.com...
> "Mike Brannigan [MSFT]" wrote:
>
>> Biometric devices are indeed part of a strong authentication policy.
>> The current Microsoft Fingerprint reader is presently not supported on
>> our
>> Server platforms as such a device. A smartcard which represents 2 factor
>> authentication may well be a better solution at this time. (there are a
>> number of ways to defeat a fingerprint reader that are not attack
>> surfaces
>> to the requirement for the smartcard and the pin)
>
> Interesting. Do you have any points to a document about that? We're
> looking
> at various authentication methods right now and one of them is fingerprint
> readers (for desktops, not servers) so I'd definitely be interested in
> that
> information if you know where I can go to read a bit more.
>
> Thanks Mike.
>
> Phil

Archived from groups: microsoft.public.hardware,microsoft.public.mshardware.product,microsoft.public.windows.server.general,microsoft.public.windowsxp.hardware (More info?)

Lee C.:

Could you email a copy of your install files to me also? It would be a
big help.

I understand the Microsoft concern that Mr. Brannigan brought up,
although I do feel that this hardware would be useful for many 2003
Server customers and that Microsoft should provide a capable
installation procedure for Server 2003 customers with an appropriate
warning in the documentation. It is interesting that this software
will function out-of-the-box with Windows XP Professional. In my
experience, non-IT workers' machines are physically less secure than IT
workers' machines, such as servers. And I would therefore expect
Windows XP Pro machines to be physically less secure than Windows 2003
Server machines. This seems to violate the spirit of the Microsoft
"security tenent" regarding the Microsoft Fingerprint Reader.

I also know that many other Fingerprint Readers have worked fine for
years over USB connections using pre-XP systems of the various flavors
so I would ask any technical Microsoft personnel or anyone for that
matter to detail why this particular reader has extraordinary operating
system software requirements only available with XP.

In any case, the real test here is to see if it can function with
installation file changes on Win2K. I do not have InstallShield to do
this test unfortunately. Again, if anyone tests this device under
pre-XP please post your results here, good or bad. I am not trying to
insinuate what would be a premature opinion on this matter, but it is
worth some objective investigation.

Thanks.


px

Lee C. wrote:
> FYI: I used InstallShield 10.5 to edit the Setup.msi, and it worked
nicely.
>
>
> "J Dubba" <jnw317@hotmail.com> wrote in message
> news:cc015bdd.0412011430.906dd3b@posting.google.com...
> > Has anyone had any luck getting the Microsoft fingerprint reader to
> > install on W2K3 server? I've extracted the files from the setup
msi
> > file and the hardware/drivers seem to install just fine, but the
> > DigitalPersona Password Manager softare will not install at all,
with
> > the msi exiting with the fatal error "Windows XP Required". I've
> > tried opening the msi package with msiexec running in XP
compatibility
> > mode, changing the windows version information in
> > HKLM/Software/Microsoft/Windows NT/CurrentVersion/, editing the msi
> > package file with orca, all with no success. Any ideas,
suggestions
> > or other information would be appreciated.
> >
> > --jw

Archived from groups: microsoft.public.hardware,microsoft.public.mshardware.product,microsoft.public.windows.server.general,microsoft.public.windowsxp.hardware (More info?)

I got the Manager to install on Windows 2003 server... however, I still need
to press CTRL-ALT-DELETE and enter my password to get into the Server. The
only part that works perfect is everything once I'm logged in.

Is there a way to not have to ever type a password with Windows 2003 Server
using the Finger Print Reader? Be it for pay software, etc.

Thanks,
Danny


"Mike Brannigan [MSFT]" <mikebran@online.microsoft.com> wrote in message
newsx$69Hm8EHA.3828@TK2MSFTNGP09.phx.gbl...
> "Pete X" <cybermatic@operamail.com> wrote in message
> news:1104396307.472253.224510@z14g2000cwz.googlegroups.com...
>> This is a question for Mr. Brannigan: why is this msi file setup to
>> fail the install on Windows Server 2003 when the hardware will
>> evidently function? If it can be modified as indicated here why the
>> restriction? Is this a political or technological restriction?
>>
>> I would like to buy this hardware for my server environments. I am
>> aware of and comfortable with the recommendation that it is a
>> "convenience" only.
>
> Pete,
>
> The finger print reader is a consumer focused device to allow for faster
> "fast user switching" as well as for easy web site access etc.
> If you require strong two part authentication then a smart card solution
> for your server environment would be the preferable option.
>
> --
>
> Regards,
>
> Mike
> --
> Mike Brannigan [Microsoft]
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights
>
> Please note I cannot respond to e-mailed questions, please use these
> newsgroups
>
> "Pete X" <cybermatic@operamail.com> wrote in message
> news:1104396307.472253.224510@z14g2000cwz.googlegroups.com...
>> This is a question for Mr. Brannigan: why is this msi file setup to
>> fail the install on Windows Server 2003 when the hardware will
>> evidently function? If it can be modified as indicated here why the
>> restriction? Is this a political or technological restriction?
>>
>> I would like to buy this hardware for my server environments. I am
>> aware of and comfortable with the recommendation that it is a
>> "convenience" only.
>>
>> -px
>>
>>
>>
>>
>> Lee wrote:
>>> Yes, I have had luck getting the Microsoft Fingerprint Reader's
>>> DigitalPersona Password Manager software to install on Windows 2003
>>> Server. I edited the Setup.msi file, stripping out the Windows
>> version
>>> check. I will e-mail you a copy if you like.
>>>
>>> , Lee
>>>
>>>
>>> J Dubba wrote:
>>> > Has anyone had any luck getting the Microsoft fingerprint reader to
>>> > install on W2K3 server? I've extracted the files from the setup
>> msi
>>> > file and the hardware/drivers seem to install just fine, but the
>>> > DigitalPersona Password Manager softare will not install at all,
>> with
>>> > the msi exiting with the fatal error "Windows XP Required". I've
>>> > tried opening the msi package with msiexec running in XP
>>> compatibility
>>> > mode, changing the windows version information in
>>> > HKLM/Software/Microsoft/Windows NT/CurrentVersion/, editing the msi
>>> > package file with orca, all with no success. Any ideas,
>> suggestions
>>> > or other information would be appreciated.
>>> >
>>> > --jw
>>
>
>

Lee, I would very much appreciate a copy of the modified msi as well. I was about to purchase Digital Persona 4.0 upgrade but the problem is I own 2.0 from MS which won't install, so I fear the upgrade won't work and hate to pay for it if I can't use it. I would just be happy using v.2.0 on my W2K3 Server.

Thanks, waltparrish@comcast.net