Typically, if the reader is recognized by the system, a reader icon will be displayed on the GINA (the Windows logon screen). Log on locally and check Device Manager to see whether the reader is displayed and is functioning correctly. If the reader is not displayed in Device Manager, or is displayed with an inaccurate make or model name, check with the card manufacturer and obtain the latest drivers for the OS in use.
Verify that the Smart Card service is running on the client by doing the following: For more information on troubleshooting hardware issues, see the following: Is the user prompted for their PIN? If not, try removing and re-inserting the card. If the correct CSP for the card is not installed, the following error message may be displayed: "The card supplied requires drivers that are not present on this system. Please try another card". If this is the case, contact the card vendor for a valid CSP to install on the workstation for that card.
If the correct CSP has been installed and this error message is still displayed, reinstalling the CSP may resolve the problem. If you know which CSP should be used for this card, you can check whether it is installed by running the following command on the client: certutil -csplist
Can the user log on to the workstation with a UPN-format user name without a smart card? Note: After this certificate is published to the NTAuth store, Group Policy needs to be applied for the setting to take effect.
Can the issuing CA certificate, i. If the certificate is not trusted because the root certificate is not in the Trusted Root store, the following will be displayed at the bottom of the output: If the workstation is unable to connect to the CRL distribution points to perform a revocation check, the following or similar will be displayed in the output (the actual error will vary based on the condition): Check the authenticating domain controllers for this certificate by running: certutil -store my
It will return a list of all the certificates installed in the domain controller's certificate store. The easiest way to check for these conditions is: certutil -verifystore my. When the KDC receives the user's smart card certificate, it uses CryptoAPI to build a certificate chain from the user's certificate to verify that it can be trusted. To verify that the certificate chain can be built on the DC, perform the following:

I have deployed a pool of Win 7 64 desktops. The ActivClient 6. When connecting to one of the linked clones and attempting to use a smart card for login, I receive the following error.

What is the protocol that you are using to connect to the remote desktop?
In general, I'm assuming this is a configuration error with your Agent machine; you should be able to look at the Windows event log on the Agent machine to get more info on the failure.

Didn't matter which protocol. It appears to be a bug with the connection server. If you reset the base image, take a new snapshot, and then recompose, the issue is resolved.

Glad to hear that you got it working, but I'm still skeptical that it had anything to do with the View Connection Server. If you are doing a smart card login into the remote desktop, it doesn't involve the View Connection Server at all. Another way to test it is to directly RDP in and see whether you can log in.

I was advised by a VMware pre-sales engineer that it is a bug with the connection server. Whether or not he is correct I don't know for sure. Logging in via RDP produced the same result.
I was reading a lot about this new authentication mechanism called Strict KDC Authentication, and I was wondering why it is important and what vulnerability it mitigates.

While smart card authentication has definite advantages over passwords, it should be deployed with a realistic understanding of the actual protections it provides. Installations should take advantage of the latest configuration and hardening options available. Administrators should continue to audit and work to eliminate outdated protocols like NTLM from their networks, and privileged users should always exercise caution when authenticating to low-integrity workstations, even with a smart card.
Kerberos is a network authentication protocol built on the key server approach in cryptography. The problem with symmetric cryptography is that each party must maintain its own key plus a key for every other party it needs to communicate with. There is also the challenge of exchanging those symmetric keys through a secure channel, which is a problem in itself.

Kerberos still uses symmetric cryptography, but at the same time it solves the problems arising from its use. The basic idea is simple. Suppose that everybody sets up a shared secret key with the key server. For example, John sets up a key Kj that is known only to him and to the key server. Bob sets up a key Kb that is known only to him and to the key server. Other entities set up keys in the same fashion. Now suppose that John wants to communicate with Bob. He has no key he can use to communicate with Bob, but he can communicate securely with the key server, and the key server in turn can communicate securely with Bob.

John could simply send all his traffic to the key server and let it act as a delivery guy, but that is hard on the key server, which would be acting as a man in the middle, proxying all traffic. Instead, the key server generates a fresh session key for the pair and delivers it to each party encrypted under that party's own secret (Kj and Kb), after which John and Bob can talk directly. This is the simple idea behind Kerberos. Of course, the initial trust between any party and the KDC is established when the machine is joined to the domain and gets a secret, and that secret is then used for the secure channel.
Smart card authentication offers many important advantages over passwords. A lost card can be deactivated and, until such time, is useless without the PIN. With proper policy, smart cards can prevent concurrent account usage.
More generally, asymmetric cryptography can help eliminate the need for attackable, locally stored authenticators and server-side password databases. The myth that the use of smart cards prevents the use of NTLM probably arises from the fact that the NTLM protocol is password-based, and smart card users do not enter, or may not even have, a standard password.
You can review my previous blog post about how smart card logon works. Although it is true that the initial Active Directory domain logon with a smart card is guaranteed to use Kerberos, and that asymmetric credentials cannot be used for NTLM, it is not true that users who authenticate with a smart card will never use NTLM to access network resources.
To explain my point, let us state that when a user logs on to a domain-joined machine, regardless of whether a password or a smart card is used, the user gets a Ticket Granting Ticket (TGT) and a PAC (Privilege Attribute Certificate) that includes all the information needed to generate the user's access token, such as the SIDs of the groups the user is a member of.
Most password-based authentication protocols in Windows are not based directly on the password, but on a hash of the password. Active Directory stores a copy of these hashes and uses them to verify standard Kerberos and NTLM authentication traffic.

I would like to confirm: did you change any configuration before the issue began? You need to make sure that the Domain Controller certificates are not expired or revoked and that the smart card certificates are issued by a trusted CA and are not expired. You may use the Certutil utility to check. For detailed information about how smart card logon and authentication work, and about how to troubleshoot smart card logon and authentication issues, please refer to the following MSDN blog: Smart Card Logon and Authentication.
Smartcard authentication error and trusted domain Kerberos error

Our Active Directory domain recently enforced smart card logons for administrator accounts. Since this change we have been unable to access some servers R2 using Remote Desktop. When attempting to logon we get the following error message: "The Kerberos protocol encountered an error while validating the KDC certificate during smartcard logon. Status: 0xcd Sub Status: 0xc". This problem does not occur on all of our servers. We can log in to some of our physical and some of our virtual servers, so it seems to be a problem with individual server configurations, but I'm unsure where to start looking. ActivClient is installed, so, unless it's misconfigured, that's not the problem.

Check if there's no time difference between them. Kerberos by default has a 5 minute tolerance.

Certificate Requirements and Enumeration
BarryBas asked: We are trying to enable Smart Card Logon. The client has failed to validate the Domain Controller certificate for DC. The following error was returned from the certificate validation process: The certificate is not valid for the requested usage. The root is in the Trusted Root Certificate store. All the domain controllers have certificates issued by the above CAs. The smart card certificates are issued by the above CAs. I can't figure out what I'm missing. Why are the clients not trusting the domain controller certificates for the required usage?
Commented: Referencing the smartcard login, I am suspecting this step to check on the username in AD. This field is a mandatory extension, but the population of this field is optional. There are two predefined types of private keys.

Author commented: Still getting the above errors.

In order to resolve that we can add a name mapping to a user. And this is the second drawback. Right-click the root and choose Manage AD Containers to view the store. A second important fact regarding the NTAuth store: whilst you might see the required CA certificate in the store in AD, your clients and servers will only download the content of the AD NTAuth store if they have auto-enrollment configured!
Verify the spelling and capitalization of all host and domain names. Verify that the Kerberos realm names are in upper case. Use the fully qualified domain name (FQDN) for all settings. Verify that the proper domain name and DNS suffixes are used in the network configuration. If it is, remove it from the server and restart the HP device.

During distributed file system (DFS) name resolution issues, a screen prompts for the user's credentials (user name and password). If this occurs, check the file sharing permissions to verify that the user has rights to the folder share. Do not use additional file naming options for initial configuration and testing. If the path information does not auto-fill when sending to the home folder, verify that the home directory LDAP attribute is correctly set.

Troubleshooting general error messages: the Smartcard Authentication update was installed on the printer without the correct firmware. Follow these steps to enable the printer to boot to the Ready state: After all 3 LEDs are a solid color, release the 9 key and then press and release the 3 key. Press and release the Start key. The printer should then display the Ready state. Performing a Secure Storage Erase or Disk Init erases information that is critical for Smartcard authentication to work.

The entire Smartcard installation and configuration must be completed again. This includes reinstalling the Smartcard authentication update and performing all of the necessary EWS configuration steps. Clients and servers must be time-synchronized to within 5 minutes of each other. Host names must be used for all Kerberos and SSL servers. Check the Kerberos configuration in the EWS and verify that all realm names specified are in upper case.
Contact the system administrator to ensure that the card is valid and configured correctly.