Hyper-V with Smart Card not working
-
First, a disclosure. This is a school lab, but it is not homework. I'm helping the instructor re-write part of the lab to help get a certain part working for future classes. Also, we've already reached out to Microsoft as the class has a bunch of hookups with Microsoft since they are teaching a lot of their technology. Also checked on technet/msdn. I will also attach the lab. If you needed a Smart Card walk through anyway, this one has a ton of hours sunk into the writing and is quite literally a cook book that can be done in about 20 minutes. But, the attachment is more so you can see the screen shot of the error (at the very bottom). There is also a resolution just above it, regarding re-issuing the cert. You can also see in another screen shot further up that the cert is issued to the client, as well as present on the Smart Card.
Here's a couple things that work in VMware (flawlessly), but not in Hyper-V...
- Being able to discover the smart card from within devmgmt
  - In Hyper-V, I just went ahead and did this manually, with a generic driver.
- Log into a VM remotely, with a Smart Card.
  - This I could not get to work with Hyper-V at all. If you aren't in an enhanced session, it won't see the card at all (but that should be obvious). If you are in an enhanced session, there are certificate issues. However, the cert has been reissued to the DC (which then gets issued to the client manually within Personal/Certificates > Request new certificate). All tabs within the certificate have been configured correctly as this works fine on a physical workstation. To verify, you can log into the workstation without the Smart Card, open the management utility, and see the certificate on the card.
The first point is just a janky work around, so it'd be nice to figure that out if possible. But the second point has gone unresolved, so that's more of the focus here.
Edit: Here is my attempt at making this copy-paste look okay. All in all, it's not going to look as good as written on a document. But there's nothing I can do about that, since this is not a file hosting site, and providing a link to any file hosting site could be malicious. This is going to take me some time to format for easier reading, so please be patient.
Smart Card Implementation Server 2012
User Logon only - No Exchange
This lab requires a Domain Controller with Active Directory and Certificate Services installed and an Online responder configured. In addition, two Windows 10 Generation 2 domain workstations are required. They cannot be differencing disks. Also, they need to be added to the domain. If you have more servers it is not a problem.
Lab overview: We are going to configure one of the Win10 workstations as an enrollment station and a user named Emily as the enrollment agent. Users must see Emily to get a smartcard and certificate. After that, users will be able to login to their own workstations using their smart card.
Smart card overview - First we install the reader and the driver associated with the reader. Next, we have to install the middleware provided by the smartcard manufacturer. In class, we are using the ACS ACOS5 cards. The middleware includes the CSP (Cryptography Service Provider) ACS which is needed to create a certificate that can be written to this specific smart card. Next, we need to force the default driver for the smart card (the manufacturer does not provide one). And finally, Emily will request a smart card logon certificate on behalf of our users.
- Create the enrollment user and the Enrollment Agent Template.
- Create a user named Emily.
- Create a global group named Enrollment Agents. Make Emily a member of the global group.
- On DC01, duplicate the certificate template Enrollment Agent. This certificate is not going to be written to Emily's smart card. It is just going to be installed on the enrollment workstation.
1. General Tab:
   - Name it INTCXX Enrollment Agent.
   - Place check mark next to Publish in AD
2. Request Handling Tab:
   1. Purpose - signature
   2. Check mark on "Allow private key to be exported"
   3. Verify enroll subject without requiring any user input
3. Subject Name Tab: (verify)
   1. Verify Build from AD
   2. Subject name format: Fully Distinguished Name
   3. Include this information: UPN
4. Issuance Requirements tab - do not select anything. In the workplace you most likely want a manager or admin's approval for any enrollment agents. We are not going to do this today.
5. Security tab - Add enrollment agents and allow them read and enroll
6. Extensions tab - Click Application Policies and verify that Certificate Request Agent is listed in the bottom pane
7. Superseded Template - Add Enrollment Agent
8. OK
- Issue the certificate template in your CA.
- App deploy
- Create a share on DC01 named appdeploy - assign users the NTFS read and execute permission.
- Copy the ACOS5 SDK folder from studentfiles to appdeploy on your DC.
- Configure the enrollment workstation - do this as the domain admin
- Install the ACOS5 middleware and the ACR38 reader driver on both of the Windows 10 workstations.
1. On both WIN10 workstations, access \\DC01\appdeploy\ACOS5 SDK and execute the autorun file.
2. Click on Install ACR38 Reader Driver and select the defaults in the install.
3. Click on Install SDK Components
   - Next in the welcome window
   - Next in the destination folder
   - In the product features - you do not need to install the sample codes or the reference material but you need everything else. It will not hurt anything if you just install everything, it just takes longer.
   - Reboot when asked to
4. Plug in the reader and verify that windows detected it. Check device manager and verify that the reader is listed as CCID USB Smart Reader (should be under "Smart card readers"). If you cannot get your virtual to connect to the USB device (in VMware), check VM on the menu bar and removable devices. Verify that the Advanced Card Reader has a check mark next to it. In Hyper-V, I could not get it to show up automatically.
- Insert a smart card into the reader. Windows does not find the driver for the smart card automatically. We have to force the default generic driver.
1. Open Device Manager in your VM.
2. Right click WIN10 and select add legacy hardware, next in the welcome window
3. Select Install the hardware that I manually select from a list
4. From the list select smart cards
5. Select the Identity Device (Microsoft Generic Profile), next, next, finish
6. You should now have both a smart card and a reader listed in Device Manager
- Add Emily to the local groups: administrators and cryptographic operators. Note: I am not sure that Emily needs to be in the administrators group. I did not test this lab without her being a member of administrators. This is something you would want to test in a real implementation.
- Repeat step a and b above to configure the second Windows 10 workstation. When finished, attach the reader to the Win10 enrollment station so you can complete the following steps.
- As Emily, request an enrollment agent certificate:
- Login to the workstation as Emily. Make sure you use an enhanced session.
- Remove the smart card from the reader - we do not want the enrollment agents certificate to be written to the card. We want it installed on the workstation.
- Use the certificates snap-in (user account) to request the enrollment agent certificate
1. Run an MMC console and add the certificates snap-in. Verify my user account is selected.
2. Expand certificates, right click personal and select All tasks, request new certificate
3. Before you begin windows - next
4. Cert Enrollment policy - Verify AD enrollment policy - next
5. Place a check mark next to INTCXX Enrollment Agent - enroll
6. Finish
7. Verify there is a certificate for Emily listed under personal/certificates.
- On your CA, configure the smart card logon certificate:
- Duplicate the template Smartcard Logon - Be sure to accept the default of Windows Server 2003
1. General Tab:
   - Name it INTCXX Smartcard Logon
   - Place check mark next to Publish in AD
2. Request Handling Tab:
   1. Purpose - signature and smartcard logon
   2. Check mark on "Allow private key to be exported"
   3. Verify that prompt the user during enrollment
3. Cryptography tab:
   1. Verify that "Requests can use any provider available on the subject's computer" is selected. This is important, during the certificate enrollment we have to choose the ACS CSP or the certificate cannot be written to the card. In an ideal situation we would be able to add the ACS CSP to the window in the template but Certificate Services does not allow us to add CSPs.
4. Subject Name Tab:
   1. Verify Build from AD
   2. Subject name format: Fully Distinguished Name
   3. Include this information: UPN
5. Issuance Requirements tab
   1. Place a check mark next to This number of authorized signatures - Type 1 in the box
   2. In the Application Policy drop down select "Certificate Request Agent"
   3. Change the Require for reenrollment to "Valid existing certificate" (this allows users to reenroll without having to go to the enrollment agent - this would be an organizational decision)
6. Security tab -
   1. Add enrollment agents and allow them read and enroll
   2. Add the students and instructors groups and allow them read and enroll
7. Superseded Template tab - Add Smartcard Logon and Smartcard User
8. OK
- Issue the certificate template in your CA
- As Emily, initialize the card and request a certificate for your users:
- On the Win10 workstation, login as Emily
- Open the ACOS5 Initialization Tool from Programs
1. Insert the smart card for your first user
2. Important - Do NOT clear the enable clear card after initialization option. This makes the card only useable for this user. Each card costs $12 and I do not want to have to purchase more. Click Start in the Initialization Tool window, click Yes and OK
3. Notice that the SO Pin and User Pin were set to '12345678'. This is the default for this card manufacturer
4. Repeat this process for your other cards
- Open an MMC console with the certificates snap-in (user account)
1. Insert the smart card you are going to write to
2. Right click personal, all tasks, advanced operations, enroll on behalf of
- Before you begin window - next
- Cert Enrollment policy - Verify AD enrollment policy - next
- Signing certificate - browse and select Emily's certificate - next
- Select INTCXX Smartcard logon and click details
- Click properties
- Click the down arrow next to Cryptography Service Provider
- Clear the check mark next to Microsoft
- Place a check mark next to Advanced Card Systems CSP (You will not see ACS listed if there is not a smart card in the reader)
- Ok, next
- User name - browse to find the active directory object for the user you are enrolling for. You will need to change the location to your domain. Verify that INTCXX\username is listed in the field before you click enroll
- Enroll
- Insert one of your smart cards
- Enter the user pin - 12345678 - It takes a few minutes to write the certificate to the card.
- Click next user and repeat the process for 2 more users.
- When you are finished close the mmc console and logout
- Logon as a user using their smart card and change your pin. I could not get this to work for the second user.
- Press Ctrl+Alt+Ins to login to the windows workstation
- Click switch user and insert the smart card of one of your users
c. The login window should reflect the correct user and prompt you to enter the pin associated with the card. Enter the pin 12345678 and click the
4. After you login, Open the ACS Admin Tool from Programs
1. The admin tool will find the reader and the card.
2. Click Log-in and provide the default pin.
3. The certificate should be listed on the left hand side. Take a screen shot.
1. Click Change Pin and enter a unique pin - write it on the smart card
2. Group Policy and Smart Cards - It is possible to configure group policy so that a smart card is required for logon for a specific group of users or for a specific group of computers.
3. Bottom line: Smart card logon works the way we expected it to work. However, you have to install the CSP (Cryptography Service Provider) on every workstation you want the cards to work with. Also, you have to select the CSP when requesting the certificates that you want stored on the cards. The reading I did in preparation for this lab indicates that this process is going to get better. It is expected that smart card manufacturers will make the drivers more readily available and not require their own CSP. That will make it much smoother for us administrators.
4. Lab Challenge – Change the Exchange User Certificate that you created in Lab 13 and add the cryptography requirements. Request an Exchange Certificate and store it on your smart card. Use the certificate to digitally sign messages.
5. When you are finished with today's lab:
   - Login to the enrollment station as Emily and use the ACOS5 clear card tool to put the cards back to the factory state.
     1. Click connect to card
     2. Click clear card
   - Give the reader and the cards back to the instructor
- If you get the following message complete the steps to solve the problem:
- "The system could not log you on. You cannot use a smart card to log on because smart card logon is not supported for your user account. Contact your system administrator to ensure that smart card logon is configured for your organization."
- Re-issue the Domain Controller Authentication cert by following these steps:
1. On DC01, open an mmc.
2. Add the certificates snap-in directed at the computer account
3. Expand Certificates, right-click Personal, click All Tasks, and then click Request New Certificate.
4. Cert Enrollment policy - Verify AD enrollment policy - next
5. Request Certificates page select Domain Controller Authentication
6. Next, finish
Take a screen shot of the Windows 10 login window using a smart card as the login method.
Take a screen shot of CA Showing both templates:
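A scripted check of the two certificates that the "smart card logon is not supported for your user account" error depends on, as an added example that is not part of the original post or lab. The function names are hypothetical; it assumes the DC certificate comes from the Domain Controller Authentication template (Client Authentication, Server Authentication and Smart Card Logon EKUs), that the card's certificate has been propagated to the user's Personal store, and an English-language Windows for the UPN text match.

```powershell
# Added example (not from the lab). Function names are hypothetical.
# Standard OIDs for the EKUs and extension the checks look at.
$Oids = @{
    SmartCardLogon = '1.3.6.1.4.1.311.20.2.2'
    ClientAuth     = '1.3.6.1.5.5.7.3.2'
    ServerAuth     = '1.3.6.1.5.5.7.3.1'
    SubjectAltName = '2.5.29.17'
}

# Return the EKU OID strings carried by a certificate (empty if it has no EKU extension).
function Get-EkuOid {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value }
}

# Check one certificate against the properties the lab configures for its role.
function Test-LogonCert {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)] [ValidateSet('DomainController', 'User')] [string]$Role
    )
    $eku = @(Get-EkuOid -Cert $Cert)
    $now = Get-Date
    $problems = @()

    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) {
        $problems += 'outside validity period'
    }
    if ($eku -notcontains $Oids.SmartCardLogon) { $problems += 'no Smart Card Logon EKU' }
    if ($eku -notcontains $Oids.ClientAuth)     { $problems += 'no Client Authentication EKU' }

    if ($Role -eq 'DomainController') {
        # The DC must hold the private key and also present Server Authentication.
        if (-not $Cert.HasPrivateKey)           { $problems += 'no private key on this machine' }
        if ($eku -notcontains $Oids.ServerAuth) { $problems += 'no Server Authentication EKU' }
    }
    else {
        # The lab's template puts the UPN in the subject alternative name.
        # Format() output is localized; "Principal Name=" is the English text (assumption).
        $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oids.SubjectAltName }
        $sanText = if ($san) { $san.Format($false) } else { '' }
        if ($sanText -notmatch 'Principal Name=') { $problems += 'no UPN in subject alternative name' }
    }

    [pscustomobject]@{
        Role       = $Role
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        Ok         = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

# Run the checks over the store that matters for the role and warn if nothing passes.
function Invoke-LabCertCheck {
    param([Parameter(Mandatory)] [ValidateSet('DomainController', 'User')] [string]$Role)
    $store = if ($Role -eq 'DomainController') { 'Cert:\LocalMachine\My' } else { 'Cert:\CurrentUser\My' }
    $results = @(Get-ChildItem -Path $store | ForEach-Object { Test-LogonCert -Cert $_ -Role $Role })
    if (-not ($results | Where-Object { $_.Ok })) {
        Write-Warning "No certificate in $store passes the $Role checks."
    }
    $results
}

# On DC01 (elevated):                         Invoke-LabCertCheck -Role DomainController | Format-List
# On the workstation, card inserted, as user: Invoke-LabCertCheck -Role User | Format-List
```

Other certificates in the same store (the CA's own certificate, Emily's enrollment agent certificate) will be listed with problems; what matters is that at least one entry per role reports `Ok`.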
-
-
@BBigford said in Hyper-V with Smart Card not working:
Edit: I can't upload the lab until I figure out the upload error "Error: You do not have enough privileges for this action."
You cannot upload anything if you do not have a category selected.
-
Selected IT Discussion after receiving the error, still wouldn't upload...
-
@BBigford said in Hyper-V with Smart Card not working:
Selected IT Discussion after receiving the error, still wouldn't upload...
Then @Minion-Queen had her minions disable attachments most likely.
-
Ah, ok. I also had submitted without an attachment, went back to add it (thinking maybe something was "stuck" with the error being persistent). Also tried just a moment ago. Title also shows as being in IT Discussion.
Wonder if it's disabled because something is under maintenance.
-
@JaredBusch said in Hyper-V with Smart Card not working:
@BBigford said in Hyper-V with Smart Card not working:
Selected IT Discussion after receiving the error, still wouldn't upload...
Then @Minion-Queen had her minions disable attachments most likely.
Yup, only images are allowed.
-
@scottalanmiller said in Free lab/cook book attached - Smart Card with Hyper-V not working:
@JaredBusch said in Hyper-V with Smart Card not working:
@BBigford said in Hyper-V with Smart Card not working:
Selected IT Discussion after receiving the error, still wouldn't upload...
Then @Minion-Queen had her minions disable attachments most likely.
Yup, only images are allowed.
How come? Posting documents might be helpful to others.
Also, here's the link to material for the time being @JaredBusch, saves from pasting a lengthy document, plus a few images.
https://www.dropbox.com/sh/v1frhsv29f3776z/AAChj72r2iBYg0hl-zb6268ua?dl=0
-
@BBigford said in Hyper-V with Smart Card not working:
@scottalanmiller said in Free lab/cook book attached - Smart Card with Hyper-V not working:
@JaredBusch said in Hyper-V with Smart Card not working:
@BBigford said in Hyper-V with Smart Card not working:
Selected IT Discussion after receiving the error, still wouldn't upload...
Then @Minion-Queen had her minions disable attachments most likely.
Yup, only images are allowed.
How come? Posting documents might be helpful to others.
Because it's not a file hosting service, which is what it will become. Documents are rarely appropriate for a discussion thread. If there is information to present, it should be in the post. You can put text or images into the post. What is in the document that might be useful that isn't text or images? You can always link to files hosted somewhere or put videos inline with a link to the hosting resource.
It's not good practice. It encourages a huge hosting cost increase, makes malware way too much of a problem and breaks the value of the site by making it a host to external data rather than having the discussion and information remain in threads. People reading threads don't want to have to download files, get applications to read them, etc. just to read a thread.
-
@BBigford said in Hyper-V with Smart Card not working:
https://www.dropbox.com/sh/v1frhsv29f3776z/AAChj72r2iBYg0hl-zb6268ua?dl=0
This is an example of what we want to protect against. Random Word documents are a malware vector and should not be used in a situation like this. No one in IT should be willing to open that file, it's too dangerous. You don't open random Word docs from the Internet.
-
@BBigford said in Hyper-V with Smart Card not working:
saves from pasting a lengthy document, plus a few images.
Posting images is fast and easy. And what takes five seconds for you to do, saves each reader of the page many seconds for forever.
-
@scottalanmiller said in Hyper-V with Smart Card not working:
@BBigford said in Hyper-V with Smart Card not working:
saves from pasting a lengthy document, plus a few images.
Posting images is fast and easy. And what takes five seconds for you to do, saves each reader of the page many seconds for forever.
The re-formatting of 5 pages into copy-paste took longer than just attaching the document. I did a straight copy-paste in the OC.. haha it was real bad.
-
@BBigford said in Hyper-V with Smart Card not working:
@scottalanmiller said in Hyper-V with Smart Card not working:
@BBigford said in Hyper-V with Smart Card not working:
saves from pasting a lengthy document, plus a few images.
Posting images is fast and easy. And what takes five seconds for you to do, saves each reader of the page many seconds for forever.
The re-formatting of 5 pages into copy-paste took longer than just attaching the document. I did a straight copy-paste in the OC.. haha it was real bad.
I know it takes a bit if you are coming from a huge rich Word doc. But it is what it is, Word docs are definitely not something we are comfortable hosting. That puts ML on the hook for malware hosting. It's a huge deal. The whole site could get blocked in a split second because one newbie doesn't scan a document that they upload.
If it were only PDFs, it could be considered. But there are so many ways to host and link those things today that I'm not sure that it is a big deal. You can link it when really necessary and, whenever possible, it's best to get text and/or images instead.
-
@scottalanmiller said in Hyper-V with Smart Card not working:
@BBigford said in Hyper-V with Smart Card not working:
@scottalanmiller said in Hyper-V with Smart Card not working:
@BBigford said in Hyper-V with Smart Card not working:
saves from pasting a lengthy document, plus a few images.
Posting images is fast and easy. And what takes five seconds for you to do, saves each reader of the page many seconds for forever.
The re-formatting of 5 pages into copy-paste took longer than just attaching the document. I did a straight copy-paste in the OC.. haha it was real bad.
I know it takes a bit if you are coming from a huge rich Word doc. But it is what it is, Word docs are definitely not something we are comfortable hosting. That puts ML on the hook for malware hosting. It's a huge deal. The whole site could get blocked in a split second because one newbie doesn't scan a document that they upload.
If it were only PDFs, it could be considered. But there are so many ways to host and link those things today that I'm not sure that it is a big deal. You can link it when really necessary and, whenever possible, it's best to get text and/or images instead.
It is what it is. I added stuff to the OC and will spend some time formatting the copy-paste. There's some good stuff in there for readers, and can explain what is going on and what I'm seeing... I thought it would be helpful.
-
@BBigford said in Hyper-V with Smart Card not working:
@scottalanmiller said in Hyper-V with Smart Card not working:
@BBigford said in Hyper-V with Smart Card not working:
@scottalanmiller said in Hyper-V with Smart Card not working:
@BBigford said in Hyper-V with Smart Card not working:
saves from pasting a lengthy document, plus a few images.
Posting images is fast and easy. And what takes five seconds for you to do, saves each reader of the page many seconds for forever.
The re-formatting of 5 pages into copy-paste took longer than just attaching the document. I did a straight copy-paste in the OC.. haha it was real bad.
I know it takes a bit if you are coming from a huge rich Word doc. But it is what it is, Word docs are definitely not something we are comfortable hosting. That puts ML on the hook for malware hosting. It's a huge deal. The whole site could get blocked in a split second because one newbie doesn't scan a document that they upload.
If it were only PDFs, it could be considered. But there are so many ways to host and link those things today that I'm not sure that it is a big deal. You can link it when really necessary and, whenever possible, it's best to get text and/or images instead.
It is what it is. I added stuff to the OC and will spend some time formatting the copy-paste. There's some good stuff in there for readers, and can explain what is going on and what I'm seeing... I thought it would be helpful.
If you output to text from Word, does that help?
-
@scottalanmiller said in Hyper-V with Smart Card not working:
@BBigford said in Hyper-V with Smart Card not working:
@scottalanmiller said in Hyper-V with Smart Card not working:
@BBigford said in Hyper-V with Smart Card not working:
@scottalanmiller said in Hyper-V with Smart Card not working:
@BBigford said in Hyper-V with Smart Card not working:
saves from pasting a lengthy document, plus a few images.
Posting images is fast and easy. And what takes five seconds for you to do, saves each reader of the page many seconds for forever.
The re-formatting of 5 pages into copy-paste took longer than just attaching the document. I did a straight copy-paste in the OC.. haha it was real bad.
I know it takes a bit if you are coming from a huge rich Word doc. But it is what it is, Word docs are definitely not something we are comfortable hosting. That puts ML on the hook for malware hosting. It's a huge deal. The whole site could get blocked in a split second because one newbie doesn't scan a document that they upload.
If it were only PDFs, it could be considered. But there are so many ways to host and link those things today that I'm not sure that it is a big deal. You can link it when really necessary and, whenever possible, it's best to get text and/or images instead.
It is what it is. I added stuff to the OC and will spend some time formatting the copy-paste. There's some good stuff in there for readers, and can explain what is going on and what I'm seeing... I thought it would be helpful.
If you output to text from Word, does that help?
I'm doing this from a Chromebook now and just did it within Google Docs. Doesn't have the ability to export or mess with output since it's a pretty basic tool. I'll have to try that a bit later when I jump on my laptop. I added the images.
-
@BBigford said in Hyper-V with Smart Card not working:
@scottalanmiller said in Hyper-V with Smart Card not working:
@BBigford said in Hyper-V with Smart Card not working:
@scottalanmiller said in Hyper-V with Smart Card not working:
@BBigford said in Hyper-V with Smart Card not working:
@scottalanmiller said in Hyper-V with Smart Card not working:
@BBigford said in Hyper-V with Smart Card not working:
saves from pasting a lengthy document, plus a few images.
Posting images is fast and easy. And what takes five seconds for you to do, saves each reader of the page many seconds for forever.
The re-formatting of 5 pages into copy-paste took longer than just attaching the document. I did a straight copy-paste in the OC.. haha it was real bad.
I know it takes a bit if you are coming from a huge rich Word doc. But it is what it is, Word docs are definitely not something we are comfortable hosting. That puts ML on the hook for malware hosting. It's a huge deal. The whole site could get blocked in a split second because one newbie doesn't scan a document that they upload.
If it were only PDFs, it could be considered. But there are so many ways to host and link those things today that I'm not sure that it is a big deal. You can link it when really necessary and, whenever possible, it's best to get text and/or images instead.
It is what it is. I added stuff to the OC and will spend some time formatting the copy-paste. There's some good stuff in there for readers, and can explain what is going on and what I'm seeing... I thought it would be helpful.
If you output to text from Word, does that help?
I'm doing this from a Chromebook now and just did it within Google Docs. Doesn't have the ability to export or mess with output since it's a pretty basic tool. I'll have to try that a bit later when I jump on my laptop. I added the images.
Check out this tool:
-
@scottalanmiller said in Hyper-V with Smart Card not working:
@BBigford said in Hyper-V with Smart Card not working:
@scottalanmiller said in Hyper-V with Smart Card not working:
@BBigford said in Hyper-V with Smart Card not working:
@scottalanmiller said in Hyper-V with Smart Card not working:
@BBigford said in Hyper-V with Smart Card not working:
@scottalanmiller said in Hyper-V with Smart Card not working:
@BBigford said in Hyper-V with Smart Card not working:
saves from pasting a lengthy document, plus a few images.
Posting images is fast and easy. And what takes five seconds for you to do, saves each reader of the page many seconds for forever.
The re-formatting of 5 pages into copy-paste took longer than just attaching the document. I did a straight copy-paste in the OC.. haha it was real bad.
I know it takes a bit if you are coming from a huge rich Word doc. But it is what it is, Word docs are definitely not something we are comfortable hosting. That puts ML on the hook for malware hosting. It's a huge deal. The whole site could get blocked in a split second because one newbie doesn't scan a document that they upload.
If it were only PDFs, it could be considered. But there are so many ways to host and link those things today that I'm not sure that it is a big deal. You can link it when really necessary and, whenever possible, it's best to get text and/or images instead.
It is what it is. I added stuff to the OC and will spend some time formatting the copy-paste. There's some good stuff in there for readers, and can explain what is going on and what I'm seeing... I thought it would be helpful.
If you output to text from Word, does that help?
I'm doing this from a Chromebook now and just did it within Google Docs. Doesn't have the ability to export or mess with output since it's a pretty basic tool. I'll have to try that a bit later when I jump on my laptop. I added the images.
Check out this tool:
Completely locks up on a Chromebook trying to paste. Switched to a Windows 10 workstation with some more horsepower, all rendering/copy/paste goes through quickly. Copy to Clipboard appears to not work at all. Formatting looks terrible. But I'm done spending more time on that.
-
@BBigford said in Hyper-V with Smart Card not working:
@scottalanmiller said in Hyper-V with Smart Card not working:
@BBigford said in Hyper-V with Smart Card not working:
@scottalanmiller said in Hyper-V with Smart Card not working:
@BBigford said in Hyper-V with Smart Card not working:
@scottalanmiller said in Hyper-V with Smart Card not working:
@BBigford said in Hyper-V with Smart Card not working:
@scottalanmiller said in Hyper-V with Smart Card not working:
@BBigford said in Hyper-V with Smart Card not working:
saves from pasting a lengthy document, plus a few images.
Posting images is fast and easy. And what takes five seconds for you to do, saves each reader of the page many seconds for forever.
The re-formatting of 5 pages into copy-paste took longer than just attaching the document. I did a straight copy-paste in the OC.. haha it was real bad.
I know it takes a bit if you are coming from a huge rich Word doc. But it is what it is, Word docs are definitely not something we are comfortable hosting. That puts ML on the hook for malware hosting. It's a huge deal. The whole site could get blocked in a split second because one newbie doesn't scan a document that they upload.
If it were only PDFs, it could be considered. But there are so many ways to host and link those things today that I'm not sure that it is a big deal. You can link it when really necessary and, whenever possible, it's best to get text and/or images instead.
It is what it is. I added stuff to the OC and will spend some time formatting the copy-paste. There's some good stuff in there for readers, and can explain what is going on and what I'm seeing... I thought it would be helpful.
If you output to text from Word, does that help?
I'm doing this from a Chromebook now and just did it within Google Docs. Doesn't have the ability to export or mess with output since it's a pretty basic tool. I'll have to try that a bit later when I jump on my laptop. I added the images.
Check out this tool:
Completely locks up on a Chromebook trying to paste. Switched to a Windows 10 workstation with some more horsepower, all rendering/copy/paste goes through quickly. Copy to Clipboard appears to not work at all. Formatting looks terrible. But I'm done spending more time on that.
Well that sucks, it looked interesting.