
Authorization in ESIA on the terminal server with EDS according to GOST-2012

Good afternoon, Habrovchane.

Colleagues working in government procurement have already run into the government's mandatory requirement to use tokens carrying an electronic digital signature under GOST R 34.10-2012. Using an EDS under the new GOST is mandatory from January 1, 2019; an EDS under GOST 2001 can no longer be issued for work on the zakupki.gov and gosuslugi.ru portals, and after January 1, 2020, support for EDS under the old GOST will be stopped completely.

As so often happens with the state, the site was ready by January 1, 2018, but not completely.

To work with an EDS under GOST 2012, you need to install the “plugin for working with the public services portal”, version 3.0.3.0 or 3.0.6.0. Unlike plugin version 2.0.6.0, however, the new versions do not support UNC paths (we found this out through numerous unhealthy experiments with different plugin versions), so if, like us, you use roaming profiles, authorization on the site will not work for you. It will not work in any browser: IE, Google Chrome, Mozilla Firefox or even Crypto Fox.

Long correspondence with the support teams of the public services portal, CryptoPro and Kontur.Extern unfortunately did not help; the technical support specialists for the public services site turned out to be extremely incompetent.

Enough words, let's get down to business.

To work with the public services site under GOST 2012 with roaming profiles, you essentially need to do 3 things.


Do not forget that, to perform the following actions with IFCPlugin, the user must be given local administrator rights on the machine.


Remove the plugin in any way possible:
Through “Add or remove programs”.
By running the msi of the version you have installed (the version can be seen in the IE add-ons or in the user profile folder. Example: contoso.com\dfs\Profiles\AppData\Roaming\Rostelecom\IFCPlugin\3.0.6.0).
Using wmic: CMD → wmic → product get name → product where name="name of program" call uninstall → Y

Delete the entire “Rostelecom” folder from the roaming profile. Example: \\contoso.com\dfs\Profiles\%UserName%\AppData\Roaming\Rostelecom
In the registry, remove all leftovers that include “IFCPlugin” from the “HKCU” branch.

It is also advisable to clear the Internet Explorer cache. Open IE, press Ctrl + Shift + Del, confirm.


After installation, copy the folder from the roaming user profile to the server's local disk, for example from:
\\contoso.com\dfs\Profiles\%UserName%\AppData\Roaming\Rostelecom
to
C:\Users\%UserName%\AppData\Roaming\Rostelecom


Now the most interesting part: find all values in the registry that include \\contoso.com\dfs\Profiles\%UserName%\AppData\Roaming\Rostelecom and change them to C:\Users\%UserName%\AppData\Roaming\Rostelecom

You should have 6 to 9 replacements.
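
The registry search-and-replace can be scripted. The PowerShell below is an added example, not part of the original article: it assumes the article's contoso.com example paths, its parameter names are hypothetical, and it must run in the affected user's session. It only lists matches unless -Apply is given, so the hit count can be checked against the expected 6 to 9 first.

```powershell
# Added example (not from the article): repoint HKCU values from the roaming-profile
# copy of the plugin to the local copy. Back up first: reg export HKCU hkcu-backup.reg /y
param(
    # Assumption: both roots follow the article's example layout; adjust to your environment.
    [string]$OldRoot = "\\contoso.com\dfs\Profiles\$env:USERNAME\AppData\Roaming\Rostelecom",
    [string]$NewRoot = "C:\Users\$env:USERNAME\AppData\Roaming\Rostelecom",
    [switch]$Apply   # without -Apply nothing is written, matches are only listed
)

$pattern  = [regex]::Escape($OldRoot)      # -match / -replace are case-insensitive
$safeNew  = $NewRoot.Replace('$', '$$')    # keep a literal "$" from acting as a group reference
$noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
$textKinds = 'String', 'ExpandString', 'MultiString'
$hits = 0

Get-ChildItem -Path HKCU:\ -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $key = $_
    foreach ($name in $key.GetValueNames()) {
        $kind = $key.GetValueKind($name)
        if ($textKinds -notcontains "$kind") { continue }   # skip binary and numeric data

        # Read REG_EXPAND_SZ unexpanded so variables such as %APPDATA% are written back intact.
        $old = $key.GetValue($name, $null, $noExpand)
        if (-not (@($old) -match $pattern)) { continue }

        $new = $old -replace $pattern, $safeNew
        if ("$kind" -eq 'MultiString') { $new = [string[]]$new }   # SetValue requires string[]

        $hits++
        '{0} [{1}] ({2})' -f $key.Name, $name, $kind

        if ($Apply) {
            # Get-ChildItem returns read-only handles, so reopen the key writable.
            $sub = $key.Name.Substring('HKEY_CURRENT_USER\'.Length)
            $rw  = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($sub, $true)
            try     { $rw.SetValue($name, $new, $kind) }   # same name, same value kind
            finally { $rw.Close() }
        }
    }
}

$mode = 'found (dry run)'
if ($Apply) { $mode = 'replaced' }
'{0} value(s) {1}; the article expects 6 to 9.' -f $hits, $mode
```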

Everything is ready!

Colleagues, congratulations to all: the plugin for working on websites that authorize through ESIA now works.


Testing, torment, and implementation:


PS Yes, this is a crutch, and a terrible one; I am against this, but at the time of this writing, neither my colleagues nor I could find any other solution. Support also did not offer anything.

PPS I know about the administrative version of the plugin, which is installed for all users, but it did not work right away. More precisely, we managed to get a user running with the administrative 64-bit plugin, but we could not achieve stable operation and predictable behavior, and sabotaging the work of all users on the Terminal Server is a bad idea; better to do it by hand, one user at a time. If you have already installed the administrative version of the plugin, you will need to clean other registry branches as well.

Source: https://habr.com/ru/post/437958/