Authenticate to the Domain using a Smart Card

Hi,
I'm trying to get authenticated using the Smart Card but got the following error messages:
On the Windows XP client, we inserted the PIV card, entered the PIN but received an error message “The system could not log you on.  The server authenticating you reported an error (0xC00000BB).”
On the Windows 7 client, we received an error message “The system could not log you on.  You cannot use a smart card to log on because smart card logon is not supported for your user account.”
Here is our environment:
- Domain: Windows 2008 R2
- Client: Windows XP SP3 and Windows 7
- Smart Card: USAccess issued PIV card
- Card Reader: SCR3310
- Middleware: ActiveClient
Here is what I have already done:
- Imported the following Entrust certificates from http://sspweb.managed.entrust.com/EMSPKIFSSPCACertificateInformation.html into the Domain under the Trusted Root Certification Authorities
    o Common Policy CA Certificate
    o Common Policy to EMSPKI trust certificate
    o Federal Root CA Expires 06/01/2012
    o Federal SSP CA Expires 05/31/2012
    o Federal Root CA Expires 05/09/2019
    o Federal SSP CA Expires 05/08/2019
- Added the certificates to the NTAuth store in the Domain
- Posted Domain controller certificate (issued by NIST internal CA) in the NTAuth store
- Updated my UPN on the domain to match with the Subject Alternative Name on the card “[email protected]”
- Domain policy pushed down the Entrust certificates and Domain Controller certificate to the client computer
- Made PIV Card certificates available to the Windows via ActiveClient middleware
Am I missing some steps or configuration? 
Thank you,

To solve one of the issues related to:
"The system could not log you on. You cannot use a smart card to log on because smart card login is not supported for your user account. Contact your system administrator to ensure that smart card logon is configured for your organization."
On the client side.
Ensure that the Certificate is assigned the Client Authentication function.
You can do this on Internet Explorer:
Tools -> Internet Options -> Content -> Certificates
Then select the certificate
Click the ‘Advanced’ button, this opens the Advanced Options dialog box.
Under ‘Certificate purposes:’ box check:
|X| Client Authentication
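
A way to inspect what the certificates themselves say, as an added PowerShell example that is not part of the thread: for each certificate in the current user's store it reports whether the Client Authentication or Smart Card Logon EKU is present and which UPN the Subject Alternative Name carries, so both the EKU point in this answer and the UPN match from the original post can be checked. `Test-SmartCardLogonCert` is a hypothetical helper name, the UPN in the usage line is a placeholder, and the SAN parsing assumes an English-locale Windows with PowerShell 3.0 or later.

```powershell
# Added example (not from the thread). Test-SmartCardLogonCert is a hypothetical helper name.
# It reads the EKU and Subject Alternative Name extensions stored inside each certificate.

$OidClientAuth     = '1.3.6.1.5.5.7.3.2'        # Client Authentication
$OidSmartCardLogon = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon
$OidSan            = '2.5.29.17'                # Subject Alternative Name

function Test-SmartCardLogonCert {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,

        # UPN of the AD account the card is expected to map to (optional).
        [string]$ExpectedUpn
    )
    process {
        $ekus = @()
        $upn  = $null

        foreach ($ext in $Certificate.Extensions) {
            # Collect EKU OIDs; a certificate without the extension leaves the list empty.
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekus = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
            }
            # Format() returns localized text, so this pattern assumes English output
            # of the form "Principal Name=user@domain".
            elseif ($ext.Oid.Value -eq $OidSan -and $ext.Format($true) -match 'Principal Name=(\S+)') {
                $upn = $Matches[1]
            }
        }

        $now = Get-Date
        $upnMatches = if ($ExpectedUpn) { $upn -ieq $ExpectedUpn } else { $null }

        [pscustomobject]@{
            Subject              = $Certificate.Subject
            Issuer               = $Certificate.Issuer
            NotAfter             = $Certificate.NotAfter
            InValidityPeriod     = ($now -ge $Certificate.NotBefore -and $now -le $Certificate.NotAfter)
            HasPrivateKey        = $Certificate.HasPrivateKey
            HasEkuExtension      = ($ekus.Count -gt 0)
            HasClientAuthEku     = ($ekus -contains $OidClientAuth)
            HasSmartCardLogonEku = ($ekus -contains $OidSmartCardLogon)
            SanUpn               = $upn
            UpnMatchesExpected   = $upnMatches
        }
    }
}

# 'user@example.test' is a placeholder; use the UPN set on the AD account.
Get-ChildItem Cert:\CurrentUser\My |
    Test-SmartCardLogonCert -ExpectedUpn 'user@example.test' |
    Format-List
```

A certificate that shows no UPN in the SAN, or a UPN different from the one on the AD account, cannot be mapped to that account by UPN regardless of its EKUs.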

Similar Messages

  • KDC Event ID 29 - The KDC cannot find a suitable certificate to use for smart card logons...

    I am getting the event (below) every day on a new 2008 domain controller that I brought up recently. The DC has a domain controller certificate, that was automatically issued by an online enterprise CA. This CA is located in another domain (child domain) within the same forest. The 2008 DC is in the top-level domain. None of the other domain controllers, which are 2003, are reporting this message. I ran certutil.exe, and it successfully verifies all domain controller certificates, including the certificate on my new 2008 DC. Any ideas why these messages continue to appear?
    The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

    Hi,
    I have checked the file. Here are my findings:
    1.    The computer names of the domain controllers are different in this dcinfo.txt file. There is no Swampoak. I would like to confirm which one is the Windows Server 2008 domain controller.
    2.    The domain controllers Buckeye and Madrone both have 2 KDC certificates, one is expired and the other one is valid:
    *** Testing DC[0]: MADRONE
    ** KDC Certificates for DC MADRONE
    Certificate 0:  -> Valid
    Serial Number: 116bbdd90000000000b6
    Issuer: ***
    NotBefore: 12/15/2008 2:28 AM
    NotAfter: 12/15/2009 2:28 AM
    Subject: CN=madrone.****
    Certificate Template Name (Certificate Type): DomainController
    Non-root Certificate
    Template: DomainController, Domain Controller
    Certificate 1:  -> Expired
    Serial Number: 15c2f00b000000000028
    Issuer: ****
    NotBefore: 3/9/2007 3:05 PM
    NotAfter: 3/8/2008 3:05 PM
    Subject: EMPTY (DNS Name=madrone.****)
    Non-root Certificate
    Template: DomainControllerAuthentication, Domain Controller Authentication
    *** Testing DC[1]: BUCKEYE
    ** KDC Certificates for DC BUCKEYE
    Certificate 0:  -> Expired
    Serial Number: 15c4ddc2000000000029
    Issuer: *****
    NotBefore: 3/9/2007 3:07 PM
    NotAfter: 3/8/2008 3:07 PM
    Subject: EMPTY (DNS Name=buckeye.****)
    Non-root Certificate
    Template: DomainControllerAuthentication, Domain Controller Authentication
    Certificate 1:  -> Valid
    Serial Number: 115f34ec0000000000b4
    Issuer: ****
    NotBefore: 12/15/2008 2:15 AM
    NotAfter: 12/15/2009 2:15 AM
    Subject: CN=buckeye.****
    Certificate Template Name (Certificate Type): DomainController
    Non-root Certificate
    Template: DomainController, Domain Controller
    Suggestion:
    1.    Please delete the expired certificate and then reboot the domain controller and test the issue again.
    2.    If the issue persists, please request a new Domain Controller Authentication certificate on the domain controller and check the result.
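
The situation found in this reply (a valid and an expired certificate side by side on the same DC) can be listed directly on a domain controller. This is an added PowerShell example, not part of the thread; `Get-DcCertificateStatus` is a hypothetical helper name, and the script only reads the local machine store and changes nothing. It assumes PowerShell 3.0 or later.

```powershell
# Added example (not from the thread). Get-DcCertificateStatus is a hypothetical helper name.
# Run on a domain controller; it only reads Cert:\LocalMachine\My.

$EkuNames = @{
    '1.3.6.1.5.5.7.3.1'      = 'Server Authentication'
    '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'
    '1.3.6.1.4.1.311.20.2.2' = 'Smart Card Logon'
    '1.3.6.1.5.2.3.5'        = 'KDC Authentication'
}
# Version 1 template name and version 2 template information extensions.
$TemplateOids = @('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7')

function Get-DcCertificateStatus {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    $now = Get-Date
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $ekus = @()
        $template = $null

        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                # Translate known OIDs to names, keep unknown ones as raw OIDs.
                $ekus = @($ext.EnhancedKeyUsages | ForEach-Object {
                    if ($EkuNames.ContainsKey($_.Value)) { $EkuNames[$_.Value] } else { $_.Value }
                })
            }
            elseif ($TemplateOids -contains $ext.Oid.Value) {
                $template = $ext.Format($false)
            }
        }

        $status = if ($now -gt $cert.NotAfter) { 'Expired' }
                  elseif ($now -lt $cert.NotBefore) { 'NotYetValid' }
                  else { 'InValidityPeriod' }

        # The subject may be empty on some templates, so also report the DNS name.
        $dnsName = $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)

        [pscustomobject]@{
            Status        = $status
            NotBefore     = $cert.NotBefore
            NotAfter      = $cert.NotAfter
            SerialNumber  = $cert.SerialNumber
            Subject       = $cert.Subject
            DnsName       = $dnsName
            Template      = $template
            Ekus          = ($ekus -join ', ')
            HasPrivateKey = $cert.HasPrivateKey
        }
    }
}

# Expired entries sort to the top so they are easy to spot before cleanup.
Get-DcCertificateStatus | Sort-Object NotAfter | Format-List
```

`InValidityPeriod` only compares dates; chain and revocation checks still need certutil.exe as mentioned in the event text.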

  • The use only smart cards for several hundred users

    How can I assign soon as possible, use only the smart card for a few hundred users? I also have a group of people who would like to allow the use of a login and password, and smart card. Using GPO to the computer, will be applied to the station, and I would just like to the user. I know that the card user can select to use a smart card, but how to do it automatically for a group of people (several hundred)?

    I would use LDAP query via GUI tools (like AD Administrative Console) or console tools (Active Directory PowerShell module) get target users by using some filter and enable smart card checkboxes. GPO cannot be used to make changes in AD.
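
The approach suggested in this reply, as an added PowerShell example that is not the poster's own code: it takes the members of one security group and sets "Smart card is required for interactive logon" on each enabled user, then audits the result with an LDAP filter. It assumes the ActiveDirectory module is installed; the group name `SmartCard-Required` and both function names are hypothetical.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module (RSAT).
# 'SmartCard-Required' and the function names are hypothetical.
Import-Module ActiveDirectory

function Set-SmartCardRequiredForGroup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$GroupName
    )

    # -Recursive expands nested groups; keep user objects only.
    $members = Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($member in $members) {
        $user = Get-ADUser -Identity $member.DistinguishedName -Properties SmartcardLogonRequired

        $action = 'Skipped (disabled account)'
        if ($user.Enabled) {
            if ($user.SmartcardLogonRequired) {
                $action = 'Already required'
            }
            elseif ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Require smart card for interactive logon')) {
                # Caveat: turning this flag on replaces the account's password with a
                # random value, so users who must keep password logon stay out of the group.
                Set-ADUser -Identity $user -SmartcardLogonRequired $true
                $action = 'Changed'
            }
            else {
                $action = 'Not changed (WhatIf or declined)'
            }
        }

        [pscustomobject]@{
            SamAccountName = $user.SamAccountName
            Action         = $action
        }
    }
}

function Get-SmartCardRequiredUsers {
    # userAccountControl bit 0x40000 (262144) is SMARTCARD_REQUIRED; the matching-rule
    # OID 1.2.840.113556.1.4.803 performs a bitwise AND on the attribute.
    Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=262144)' |
        Select-Object SamAccountName, DistinguishedName
}

# Dry run first, then apply, then audit.
Set-SmartCardRequiredForGroup -GroupName 'SmartCard-Required' -WhatIf
# Set-SmartCardRequiredForGroup -GroupName 'SmartCard-Required'
# Get-SmartCardRequiredUsers
```

Users who should be able to use either a password or a smart card are simply left out of the group, since the flag is per account.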

  • Why being prompted for login/password when using OVDC, smart card,token/vdi

    Hello,
    I'm using VDI 3.2.1, OVDC, smart card and I assigned a smart card token to a desktop pool.
    Inserting the smart card triggers a new VDI desktop selector which prompts for the login and password.
    Is there any reason why VDI is prompting for the login/password in the VDI selector when using a smart card, especially that the smart card token has been assigned to a desktop pool?
    Thanks
    Thierry.

    You still have to authenticate to get a desktop. If you assigned a token to a pool, the ability to be assigned a desktop is based on the token not the user ID. That means that any user will be assigned a desktop if they use that card.

  • Need advice for an application that restricts access to other applications using a smart card

    Hello everybody,
    I am developing a system that uses a smart card reader attached to a USB port of a PC.
    What the system should provide is:
    When computer boots up and shows the users login screen, a user, previously registered, can use his smart card to access the system, instead of entering his password
    Once the user is logged in, when he tries to launch an application, which has previously marked as "secured", a dialog box is shown indicating that the user has to present his smart card. If the smart card has access to the application, the application is launched, otherwise an error message is shown to the user and the application is not executed.
    I develop in C++ and C#. I have already created a library (in Visual C++) that manages the smart card reader and provides the card presented to it.
    Now I am developing the application (in C#) that will configure the security (assigning cards to users and applications).
    Concerning this, I have 2 questions regarding each point above:
    Is it possible to create the centralized application that lists all users and allows to assign cards to them? Then, when the users login screen is shown, the system must access that data before logging in, so that it can check which card was presented and what user it corresponds to. I have seen in laptops, that have embedded fingerprint readers, a user must login to his account first and then he can register his fingerprints. In fact, what I need to do is something similar but with smart card reader instead of fingerprint reader. So, perhaps, user must login into his account first and then he will be able to add his card and store that information somewhere (in windows registry maybe).
    How can I launch my application when other application is executed but before its interface is actually shown? This is similar to what antivirus programs do, because they check the executable before it is actually run. What is the best method to address the application? By executable file name? Process name? Or other? If the best is by process name, how can I know the process name without actually running the application?
    Well, that is all what I need to do. Please advise regarding this subject.
    I look forward to hearing from you,
    Best regards,
    Jaime
    Powered by C++

    > what was the guidance?
    1. Research other software that does similar things (not just exactly the same) as you need. If you like something in their solutions, copy it :)
    The only software I know that does that is an antivirus, but I am unlucky to find some code in c++ that allows to intercept the program execution before actually executing it.
    2. If a kernel driver would fit in your solution, go for it (google for what is available for free, or find a consultant to write it for you).
    There are a lot of information about kernel drivers, but the question is, is that really the solution?
    Otherwise, you can just hide the application from user's reach and substitute the executable in shortcuts, etc. to run your program instead.
    Definitely this is not the way to go
    What is the best method to address the application? by executable file name? process name? or other?
    By executable file name, like in the Windows Applocker, I think. Processes do not have names (they are artifact of Task manager and debugging tools, to represent the processes for user somehow). Or, only by the filename part of the full path.
    I agree with that
    if the best is by process name, how can I know the process name without actually running the application?
    When the user runs the application, the driver will detect this and do its magic.
    I have found this page: http://stackoverflow.com/questions/3556048/how-to-detect-win32-process-creation-termination-in-c. They mention WMI, but I will study it tomorrow... it is so late for today :-)
    Regards,
    -- pa
    Regards
    Jaime
    Powered by C++

  • Help needed in learning the basics of Java Smart Card and implementation?

    Hello every body,
    I am trying to develop the applications on java contactless smart cards technology.
    Can any body give me the details like how to start?
    What are the required softwares and installation procedure and path settings and etc.?
    I am the beginner in java smart card application development.
    plz help me out

    Dear Friend,
    I would advise to divide learning into two main parts: JavaCard technology and contactless RFID cards. For JavaCard technology you can find useful articles on Sun web-site (developers.sun.com/mobility/javacard/articles/javacard1/). For contactless RFID you can find few useful books at Amazon. Regarding software you need JC development kit. How to install it there is an instruction in JCDK user guide.
    If it is not a secret what a javacard contactless card you are going to use in your work?
    Yours
    Dmitri

  • We get error messages when trying to download in-app purchases on the iPad using an iTunes card.This worked on other ipads.  Just not this particular one.

    We get an error message when trying to download in-app purchases on the iPad using an iTunes card. This worked on other ipads.  Just not this particular one.
    We have tried deleting and re-installing the apps and attempting the in-app purchase again.  Still get error messages. Any suggestions?

    hello Mac.INXS, please clear the cache & cookies from mozilla.org and then try logging into AMO again.

  • HT201322 I downloaded a game then I bought some gold on the game using a credit card. Now when I try to retrieve the gold it says I have to verify then download it. It will not let me. Any suggestions?

    I downloaded a game then I bought some gold on the game using a credit card. Now when I try to retrieve the gold it says I have to verify then download it. It will not let me. Any suggestions?

    I was receiving the same error message yesterday, which said There was a problem downloading "The Song Name / Album / Artist". The file seems to be corrupted. To redownload the file, choose "Check for Available Downloads" from the Store menu. The file tries to download five times before this error message appears.
    I too, tried to find the file and delete it, but it was nowhere to be found.
    So I gave up for that moment and tried again today and I was able to successfully download the file. Amazing how that works!!!

  • Joining a computer to the domain using the netbios name VS the FQDN

    Where I work we must join computers to the domain using the netbios name (ex: mycomp) vs the FQDN mycompany.tx.com or else problems occur and the computer must be rejoined to the domain again with the netbios name- it can be joined to the domain initially, but after about 15 - 30 mins we'll get an error message when trying to logon.
    The error message I believe is:
    "The system cannot log you on to this domain because the system's computer account in its primary domain is missing or the password on the account is incorrect."
    I haven't seen it happen in a while, but if I remember correctly this is the error message we get -I could be wrong though.
    It may also have just been a "domain is not available" message.
    Some additional info:
    The netbios domain name is different than the DNS name ie: "mycompany.tx.com" was not made "mycompany" for netbios, but "mycomp" instead.
    Our DFL is mixed mode with some 2000 and some 2003 servers
    We used to use WINS, but now we do not.
    And lastly we usually add a WINS address along with the dns address in each workstation via "advanced TCP/IP settings" (why I do not know) and occasionally I will not be able to join a computer to the domain until I add this WINS address. I know what you're thinking, and I will say that I am not 100% all of our WINS servers were deactivated.
    Any info on how to figure this out or troubleshoot this would be greatly appreciated. Thanks a lot.

    Well this happened again.
    As a test before I deployed a PC to one of our branches I joined it to the domain via the FQDN: mycompany.tx.com instead of the netbios name: mycomp prior to shipping. It spent a few days in transit and when it arrived a user plugged it in and tried to logon, but received this message:
    "The system cannot log you on to this domain because the system's computer account in its primary domain is missing or the password on that account is incorrect"
    I realize this error message may be unrelated, but if I recall correctly this is what happened last time.
    I'm pretty sure I was thorough in removing the computer account from the necessary DCs (it failed and needed to be replaced) before I joined the replacement to the domain with the same name.
    Rejoining to the domain via "mycomp" corrected the issue.
    Netlogsetup.log:
    01/06 15:24:01 -----------------------------------------------------------------
    01/06 15:24:01 NetpValidateName: checking to see if 'BR021WS025' is valid as type 1 name
    01/06 15:24:01 NetpCheckNetBiosNameNotInUse for 'BR021WS025' [MACHINE] returned 0x0
    01/06 15:24:01 NetpValidateName: name 'BR021WS025' is valid for type 1
    01/06 15:24:01 -----------------------------------------------------------------
    01/06 15:24:01 NetpValidateName: checking to see if 'BR021WS025.mycompany.tx.com' is valid as type 5 name
    01/06 15:24:01 NetpValidateName: name 'BR021WS025.mycompany.tx.com' is valid for type 5
    01/06 15:24:01 -----------------------------------------------------------------
    01/06 15:24:01 NetpValidateName: checking to see if 'FGYJ' is valid as type 2 name
    01/06 15:24:01 NetpCheckNetBiosNameNotInUse for 'FGYJ' [ Workgroup as MACHINE]  returned 0x0
    01/06 15:24:01 NetpValidateName: name 'FGYJ' is valid for type 2
    01/06 15:24:01 -----------------------------------------------------------------
    01/06 15:24:01 NetpUnJoinDomain: unjoin from 'mycomp' using '(null)' creds, options: 0x4
    01/06 15:24:01  OS Version: 5.0
    01/06 15:24:01  Build number: 2195
    01/06 15:24:01  ServicePack: Service Pack 4
    01/06 15:24:01 NetpUnJoinDomain: status of getting computer name: 0x0
    01/06 15:24:01 NetpApplyJoinState: actions: 0xb803a
    01/06 15:24:01 NetpDsGetDcName: trying to find DC in domain 'mycomp', flags: 0x1020
    01/06 15:24:01 NetpDsGetDcName: failed to find a DC in the specified domain: 0x54b
    01/06 15:24:01 NetpApplyJoinState: initiating a rollback due to earlier errors
    01/06 15:24:01 NetpApplyJoinState: actions: 0x40000
    01/06 15:24:01 NetpGetLsaPrimaryDomain: status: 0x0
    01/06 15:24:01 NetpUnJoinDomain: status: 0x54b
    01/06 15:24:01 -----------------------------------------------------------------
    01/06 15:24:01 NetpUnJoinDomain: unjoin from 'mycomp' using '(null)' creds, options: 0x0
    01/06 15:24:01  OS Version: 5.0
    01/06 15:24:01  Build number: 2195
    01/06 15:24:01  ServicePack: Service Pack 4
    01/06 15:24:01 NetpUnJoinDomain: status of getting computer name: 0x0
    01/06 15:24:01 NetpApplyJoinState: actions: 0xb003a
    01/06 15:24:02 NetpApplyJoinState: status of stopping and setting start type of Netlogon to 16: 0x0
    01/06 15:24:06 NetpApplyJoinState: status of stopping and setting start type of TimeSvc to 16: 0x0
    01/06 15:24:06 NetpGetLsaPrimaryDomain: status: 0x0
    01/06 15:24:06 NetpLsaOpenSecret: status: 0x0
    01/06 15:24:06 NetpLsaOpenSecret: status: 0x0
    01/06 15:24:06 NetpSetLsaPrimaryDomain: for 'mycomp' status: 0x0
    01/06 15:24:06 NetpApplyJoinState: status of setting LSA pri. domain: 0x0
    01/06 15:24:07 NetpApplyJoinState: status of removing from local groups: 0x0
    01/06 15:24:07 NetpApplyJoinState: NON FATAL: status of removing DNS registrations: 0x0
    01/06 15:24:07 NetpUnJoinDomain: status: 0x0
    01/06 15:24:12 -----------------------------------------------------------------
    01/06 15:24:12 NetpDoDomainJoin
    01/06 15:24:12 NetpMachineValidToJoin: 'BR063WS014'
    01/06 15:24:12 NetpGetLsaPrimaryDomain: status: 0x0
    01/06 15:24:12 NetpMachineValidToJoin: status: 0x0
    01/06 15:24:12 NetpJoinWorkgroup: joining computer 'BR063WS014' to workgroup 'FGYJ'
    01/06 15:24:12 NetpValidateName: checking to see if 'FGYJ' is valid as type 2 name
    01/06 15:24:12 NetpCheckNetBiosNameNotInUse for 'FGYJ' [ Workgroup as MACHINE]  returned 0x0
    01/06 15:24:12 NetpValidateName: name 'FGYJ' is valid for type 2
    01/06 15:24:13 NetpSetLsaPrimaryDomain: for 'FGYJ' status: 0x0
    01/06 15:24:13 NetpJoinWorkgroup: status:  0x0
    01/06 15:24:13 NetpDoDomainJoin: status: 0x0
    01/07 10:49:50 -----------------------------------------------------------------
    01/07 10:49:50 NetpValidateName: checking to see if 'mycompany.tx.com' is valid as type 3 name
    01/07 10:49:50 NetpValidateName: 'mycompany.tx.com' is not a valid NetBIOS domain name: 0x7b
    01/07 10:49:50 NetpCheckDomainNameIsValid [ Exists ] for 'mycompany.tx.com' returned 0x0
    01/07 10:49:50 NetpValidateName: name 'mycompany.tx.com' is valid for type 3
    01/07 10:49:59 -----------------------------------------------------------------
    01/07 10:49:59 NetpDoDomainJoin
    01/07 10:49:59 NetpMachineValidToJoin: 'BR021WS025'
    01/07 10:49:59 NetpGetLsaPrimaryDomain: status: 0x0
    01/07 10:49:59 NetpMachineValidToJoin: status: 0x0
    01/07 10:49:59 NetpJoinDomain
    01/07 10:49:59  Machine: BR021WS025
    01/07 10:49:59  Domain: mycompany.tx.com
    01/07 10:49:59  MachineAccountOU: (NULL)
    01/07 10:49:59  Account: mycompany.tx.com\myUserName
    01/07 10:49:59  Options: 0x27
    01/07 10:49:59  OS Version: 5.0
    01/07 10:49:59  Build number: 2195
    01/07 10:49:59  ServicePack: Service Pack 4
    01/07 10:49:59 NetpValidateName: checking to see if 'mycompany.tx.com' is valid as type 3 name
    01/07 10:49:59 NetpValidateName: 'mycompany.tx.com' is not a valid NetBIOS domain name: 0x7b
    01/07 10:49:59 NetpCheckDomainNameIsValid [ Exists ] for 'mycompany.tx.com' returned 0x0
    01/07 10:49:59 NetpValidateName: name 'mycompany.tx.com' is valid for type 3
    01/07 10:49:59 NetpDsGetDcName: trying to find DC in domain 'mycompany.tx.com', flags: 0x1020
    01/07 10:50:00 NetpDsGetDcName: found DC '\\br041svr.mycompany.tx.com' in the specified domain
    01/07 10:50:00 NetpJoinDomain: status of connecting to dc '\\br041svr.mycompany.tx.com': 0x0
    01/07 10:50:00 NetpGetLsaPrimaryDomain: status: 0x0
    01/07 10:50:00 NetpLsaOpenSecret: status: 0xc0000034
    01/07 10:50:00 NetpGetLsaPrimaryDomain: status: 0x0
    01/07 10:50:00 NetpLsaOpenSecret: status: 0xc0000034
    01/07 10:50:01 NetpManageMachineAccountWithSid: NetUserAdd on '\\br041svr.mycompany.tx.com' for 'BR021WS025$' failed: 0x8b0
    01/07 10:50:01 NetpManageMachineAccountWithSid: status of attempting to set password on '\\br041svr.mycompany.tx.com' for 'BR021WS025$': 0x0
    01/07 10:50:01 NetpJoinDomain: status of creating account: 0x0
    01/07 10:50:01 NetpJoinDomain: status of setting netlogon cache: 0x0
    01/07 10:50:01 NetpGetLsaPrimaryDomain: status: 0x0
    01/07 10:50:02 NetpSetLsaPrimaryDomain: for 'mycomp' status: 0x0
    01/07 10:50:02 NetpJoinDomain: status of setting LSA pri. domain: 0x0
    01/07 10:50:02 NetpJoinDomain: status of managing local groups: 0x0
    01/07 10:50:03 NetpJoinDomain: status of setting ComputerNamePhysicalDnsDomain to 'mycompany.tx.com': 0x0
    01/07 10:50:04 NetpJoinDomain: status of starting Netlogon: 0x0
    01/07 10:50:04 NetpWaitForNetlogonSc: waiting for netlogon secure channel setup...
    01/07 10:50:06 NetpWaitForNetlogonSc: status: 0x0, sub-status: 0x0
    01/07 10:50:06 NetpJoinDomain: status of disconnecting from '\\br041svr.mycompany.tx.com': 0x0
    01/07 10:50:06 NetpDoDomainJoin: status: 0x0
    01/11 11:21:08 -----------------------------------------------------------------
    01/11 11:21:08 NetpValidateName: checking to see if 'WK' is valid as type 2 name
    01/11 11:21:20 NetpCheckNetBiosNameNotInUse for 'WK' [ Workgroup as MACHINE]  returned 0x0
    01/11 11:21:20 NetpValidateName: name 'WK' is valid for type 2
    01/11 11:21:20 -----------------------------------------------------------------
    01/11 11:21:20 NetpUnJoinDomain: unjoin from 'mycomp' using '(null)' creds, options: 0x4
    01/11 11:21:20  OS Version: 5.0
    01/11 11:21:20  Build number: 2195
    01/11 11:21:20  ServicePack: Service Pack 4
    01/11 11:21:20 NetpUnJoinDomain: status of getting computer name: 0x0
    01/11 11:21:20 NetpApplyJoinState: actions: 0xb803a
    01/11 11:21:20 NetpDsGetDcName: trying to find DC in domain 'mycomp', flags: 0x1020
    01/11 11:21:56 NetpDsGetDcName: failed to find a DC having account 'BR021WS025$': 0x525
    01/11 11:21:56 NetpDsGetDcName: found DC '\\BR021SVR' in the specified domain
    01/11 11:21:56 NetUseAdd to \\BR021SVR\IPC$ returned 1326
    01/11 11:21:56 Trying add to  \\BR021SVR\IPC$ using NULL Session
    01/11 11:21:56 NetpApplyJoinState: status of connecting to dc '\\BR021SVR': 0x0
    01/11 11:21:57 NetpApplyJoinState: status of stopping and setting start type of Netlogon to 16: 0x0
    01/11 11:22:01 NetpApplyJoinState: status of stopping and setting start type of TimeSvc to 16: 0x0
    01/11 11:22:01 NetpGetLsaPrimaryDomain: status: 0x0
    01/11 11:22:01 NetpLsaOpenSecret: status: 0x0
    01/11 11:22:01 NetpLsaOpenSecret: status: 0x0
    01/11 11:22:01 SamLookupNamesInDomain on BR021WS025$ failed with 0xc0000073
    01/11 11:22:01 NetpManageMachineAccountWithSid: status of disabling account 'BR021WS025$' on '\\BR021SVR': 0x534
    01/11 11:22:01 NetpApplyJoinState: status of disabling account: 0x534
    01/11 11:22:01 NetpApplyJoinState: initiating a rollback due to earlier errors
    01/11 11:22:01 NetpApplyJoinState: actions: 0x40130
    01/11 11:22:01 NetpDsGetDcName: trying to find DC in domain '(null)', flags: 0x1020
    01/11 11:22:26 NetpDsGetDcName: failed to find a DC having account 'BR021WS025$': 0x525
    01/11 11:22:26 NetpDsGetDcName: found DC '\\br021svr.mycompany.tx.com' in the specified domain
    01/11 11:22:26 NetUseAdd to \\br021svr.mycompany.tx.com\IPC$ returned 1326
    01/11 11:22:26 Trying add to  \\br021svr.mycompany.tx.com\IPC$ using NULL Session
    01/11 11:22:26 NetpApplyJoinState: status of connecting to dc '\\br021svr.mycompany.tx.com': 0x0
    01/11 11:22:26 NetpGetLsaPrimaryDomain: status: 0x0
    01/11 11:22:26 NetpLsaOpenSecret: status: 0xc0000034
    01/11 11:22:27 NetpSetMachineAccountPassword: NetUserGetInfo on '\\br021svr.mycompany.tx.com' 'BR021WS025$' failed: 0x8ad
    01/11 11:22:27 NetpApplyJoinState: status of setting machine password: 0x8ad
    01/11 11:22:27 NetpApplyJoinState: status of starting and setting start type of Netlogon to 4: 0x0
    01/11 11:22:28 NetpApplyJoinState: status of starting and setting start type of TimeSvc to 4: 0x0
    01/11 11:22:28 NetpApplyJoinState: status of disconnecting from '\\br021svr.mycompany.tx.com': 0x0
    01/11 11:22:28 NetpApplyJoinState: status of disconnecting from '\\BR021SVR': 0x0
    01/11 11:22:28 NetpUnJoinDomain: status: 0x534
    01/11 11:22:28 -----------------------------------------------------------------
    01/11 11:22:28 NetpUnJoinDomain: unjoin from 'mycomp' using '(null)' creds, options: 0x0
    01/11 11:22:28  OS Version: 5.0
    01/11 11:22:28  Build number: 2195
    01/11 11:22:28  ServicePack: Service Pack 4
    01/11 11:22:28 NetpUnJoinDomain: status of getting computer name: 0x0
    01/11 11:22:28 NetpApplyJoinState: actions: 0xb003a
    01/11 11:22:58 NetpApplyJoinState: status of stopping and setting start type of Netlogon to 16: 0x0
    01/11 11:23:01 NetpApplyJoinState: status of stopping and setting start type of TimeSvc to 16: 0x0
    01/11 11:23:02 NetpGetLsaPrimaryDomain: status: 0x0
    01/11 11:23:02 NetpLsaOpenSecret: status: 0x0
    01/11 11:23:02 NetpLsaOpenSecret: status: 0x0
    01/11 11:23:02 NetpSetLsaPrimaryDomain: for 'mycomp' status: 0x0
    01/11 11:23:02 NetpApplyJoinState: status of setting LSA pri. domain: 0x0
    01/11 11:23:03 NetpApplyJoinState: status of removing from local groups: 0x0
    01/11 11:23:03 NetpApplyJoinState: NON FATAL: status of removing DNS registrations: 0x0
    01/11 11:23:03 NetpUnJoinDomain: status: 0x0
    01/11 11:23:45 -----------------------------------------------------------------
    01/11 11:23:45 NetpDoDomainJoin
    01/11 11:23:45 NetpMachineValidToJoin: 'BR021WS025'
    01/11 11:23:45 NetpGetLsaPrimaryDomain: status: 0x0
    01/11 11:23:45 NetpMachineValidToJoin: status: 0x0
    01/11 11:23:45 NetpJoinWorkgroup: joining computer 'BR021WS025' to workgroup 'WK'
    01/11 11:23:45 NetpValidateName: checking to see if 'WK' is valid as type 2 name
    01/11 11:23:57 NetpCheckNetBiosNameNotInUse for 'WK' [ Workgroup as MACHINE]  returned 0x0
    01/11 11:23:57 NetpValidateName: name 'WK' is valid for type 2
    01/11 11:23:58 NetpSetLsaPrimaryDomain: for 'WK' status: 0x0
    01/11 11:23:58 NetpJoinWorkgroup: status:  0x0
    01/11 11:23:58 NetpDoDomainJoin: status: 0x0
    01/11 11:33:08 -----------------------------------------------------------------
    01/11 11:33:08 NetpValidateName: checking to see if 'mycomp' is valid as type 3 name
    01/11 11:33:17 NetpCheckDomainNameIsValid [ Exists ] for 'mycomp' returned 0x0
    01/11 11:33:17 NetpValidateName: name 'mycomp' is valid for type 3
    01/11 11:34:23 -----------------------------------------------------------------
    01/11 11:34:23 NetpDoDomainJoin
    01/11 11:34:23 NetpMachineValidToJoin: 'BR021WS025'
    01/11 11:34:23 NetpGetLsaPrimaryDomain: status: 0x0
    01/11 11:34:23 NetpMachineValidToJoin: status: 0x0
    01/11 11:34:23 NetpJoinDomain
    01/11 11:34:23  Machine: BR021WS025
    01/11 11:34:23  Domain: mycomp
    01/11 11:34:23  MachineAccountOU: (NULL)
    01/11 11:34:23  Account: mycomp\USER1
    01/11 11:34:23  Options: 0x27
    01/11 11:34:23  OS Version: 5.0
    01/11 11:34:23  Build number: 2195
    01/11 11:34:23  ServicePack: Service Pack 4
    01/11 11:34:23 NetpValidateName: checking to see if 'mycomp' is valid as type 3 name
    01/11 11:34:23 NetpCheckDomainNameIsValid [ Exists ] for 'mycomp' returned 0x0
    01/11 11:34:23 NetpValidateName: name 'mycomp' is valid for type 3
    01/11 11:34:23 NetpDsGetDcName: trying to find DC in domain 'mycomp', flags: 0x1020
    01/11 11:34:35 NetpDsGetDcName: failed to find a DC having account 'BR021WS025$': 0x525
    01/11 11:34:35 NetpDsGetDcName: found DC '\\BR021SVR' in the specified domain
    01/11 11:34:35 NetpJoinDomain: status of connecting to dc '\\BR021SVR': 0x0
    01/11 11:34:35 NetpGetLsaPrimaryDomain: status: 0x0
    01/11 11:34:35 NetpLsaOpenSecret: status: 0xc0000034
    01/11 11:34:35 NetpGetLsaPrimaryDomain: status: 0x0
    01/11 11:34:35 NetpLsaOpenSecret: status: 0xc0000034
    01/11 11:34:36 NetpJoinDomain: status of creating account: 0x0
    01/11 11:34:36 NetpJoinDomain: status of setting netlogon cache: 0x0
    01/11 11:34:36 NetpGetLsaPrimaryDomain: status: 0x0
    01/11 11:34:37 NetpSetLsaPrimaryDomain: for 'mycomp' status: 0x0
    01/11 11:34:37 NetpJoinDomain: status of setting LSA pri. domain: 0x0
    01/11 11:34:37 NetpJoinDomain: status of managing local groups: 0x0
    01/11 11:34:37 NetpJoinDomain: status of setting ComputerNamePhysicalDnsDomain to 'mycompany.tx.com': 0x0
    01/11 11:34:38 NetpJoinDomain: status of starting Netlogon: 0x0
    01/11 11:34:38 NetpWaitForNetlogonSc: waiting for netlogon secure channel setup...
    01/11 11:34:45 NetpWaitForNetlogonSc: status: 0x0, sub-status: 0x0
    01/11 11:34:45 NetpJoinDomain: status of disconnecting from '\\BR021SVR': 0x0
    01/11 11:34:45 NetpDoDomainJoin: status: 0x0
    - I forgot to add when the user experienced this problem I checked for the computer account and found it was not present in the domain on any DCs.

  • Can I use SLE4428 smart card with java card development kit 2.1.2

    Can I use SLE4428 smart card with java card development kit 2.1.2
    plz reply

    No. SLE4428 is a memory card and not a Java Card.

  • The GX1 uses a SDHC card.  Has anyone else experienced this problem?

    I have recently purchased a Panasonic Digital GX1 camera and cannot import images into iPhoto as I could previously from either a compactflash or SD card using RAW.  The GX1 uses a SDHC card.  When I attempt to import the taken RAW images iPhoto informs me that the images are not in a readable format yet they are RAW images.  Has anyone else experienced this problem with a Panasonic DX1 camera?

    What version of the OS and of iPhoto?
    Here is a list of RAW support for Lion: http://support.apple.com/kb/HT4757 (I do not see your camera on it).
    There are several ways:
    -          Shoot JPEG rather than RAW
    -          Use the Canon software (or other third party software like Adobe) to convert images prior to importing to iPhoto
    -          Wait until your camera is supported
    LN

  • Can I use a smart card reader to avoid typing the master password?

    Does anyone know if there's a way of using some physical card reader to avoid having to type the 'Master Password' when prompted for one?
    I understand some people use CAC readers to access certain sites but I'm wondering if there exists some extension/software that can be used to achieve this.
    If relevant, I'm running Firefox 4.0.1 on Windows 7 x64.

    Look at this link http://militarycac.com/mobile.htm
     Cheers, Tom

  • Problem with CertificateRequest when using a smart card

    Hello,
    I have used the ssl debug statement to determine that the ssl server is sending a CertificateRequest and a list of CAs. The smart card is opened via a password and I think X509KeyManagerImpl compares the Issuer of the smart card certificates with the server sent CAs. However, since the issuer is an intermediate CA and only the root CA is in this list, the smartcard certificates are rejected. I CAN'T have the intermediate CA placed in the ssl server list.
    Using SSLConnect (KeyManager, X509TrustManager, null). The KeyManager is using NSS and the TrustManager is using opensc-pkcs11 via SunPKCS11. The OS is Linux, kernel 2.6.35.10-74.fc14.i686.
    The intermediate CA is in the local cert store.
    The application being used is DavMail.
    Am I correct in stating that the smart card certificates are checked against the server sent CAs?
    Does anyone know how to get Java to use the local cert store to find the intermediate CA and then verify it against the Root CA in the server sent list?

    Placed in wrong forum. Moved it to Security Java Secure Socket Extension (JSSE)

  • Remotely login error on windows server 2003 using gemalto smart card

    I am getting this error when trying to log on to Windows Server 2003 remotely using a smart card. We have our own CA. We are able to successfully log on to Windows Server 2008 using the same card.

    Hi,
    Based on my research, Event 537 indicates that a logon attempt was made and rejected for some reason other than those covered by explicit audit records in this category.
    Would you please provide more details?
    Are there any related warnings and errors under Application Logs or System Logs?
    By remotely login, do you mean logon via RDP?
    Here are some related links below for your reference:
    Event 537
    http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows%20Operating%20System&ProdVer=5.0&EvtID=537&EvtSrc=Security&LCID=1033
    Smart Card and Remote Desktop Services
    http://technet.microsoft.com/en-us/library/ff404286(v=WS.10).aspx
    Please get back to us with the necessary information at your earliest convenience.
    Best Regards,
    Amy Wang

  • Smart card required for interactive logon

    Hi,
    What is the meaning of these in AD? These options are available in user properties in the Account tab.
    1-Smart card required for interactive logon.
    2-Account is trusted for delegation
    3-Account is sensitive can't be delegated
    4-Use kerberos DES
    5-Don't Require Kerberos
    Regards
    Anil

    Hello,
    You will have to logon to domain using a Smart Card. Interactive logon: Require smart card
    Allows a service running under this account to perform operations on behalf of other user accounts on the network. A service running under a user account (otherwise known as a service account) that is trusted for delegation can impersonate a client to gain access to resources on the computer where the service is running or to resources on other computers
    You can use this option if the account, for example a Guest or temporary account, cannot be assigned for delegation by another account.
    Provides support for the Data Encryption Standard (DES). DES supports multiple levels of encryption.
    Provides support for alternative implementations of the Kerberos protocol.
    For a full explanation refer to below links:
    Understanding User Accounts
    Delegating authentication
    Regards.
    Mahdi Tehrani  |  www.mahditehrani.ir
    This posting is provided AS-IS with no warranties, and confers no rights.
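
The five Account-tab options asked about in the thread above are stored as five bits of the account's userAccountControl attribute. As an added example (not part of the thread and not any poster's code), this Python sketch decodes those bits and lists the settings a reviewer would question; the account names and values are constructed, and the review rules are this example's own assumptions.

```python
from enum import IntFlag

class UAC(IntFlag):
    """userAccountControl bits for options 1-5 in the question above."""
    SMARTCARD_REQUIRED = 0x040000      # 1: smart card required for interactive logon
    TRUSTED_FOR_DELEGATION = 0x080000  # 2: account is trusted for delegation
    NOT_DELEGATED = 0x100000           # 3: account is sensitive, cannot be delegated
    USE_DES_KEY_ONLY = 0x200000        # 4: use Kerberos DES
    DONT_REQ_PREAUTH = 0x400000        # 5: do not require Kerberos preauthentication

# Review rules below are assumptions of this example, not a Microsoft baseline.
RISKY = {
    UAC.TRUSTED_FOR_DELEGATION: "services under this account may act as connecting users",
    UAC.USE_DES_KEY_ONLY: "Kerberos keys limited to DES, a deprecated cipher",
    UAC.DONT_REQ_PREAUTH: "KDC answers without proof that the requester knows the key",
}
EXPECTED_ON_ADMINS = {
    UAC.SMARTCARD_REQUIRED: "interactive logon with a password is still possible",
    UAC.NOT_DELEGATED: "credentials may be delegated to other services",
}

def decode(value):
    """Names of the five Account-tab options set in a userAccountControl value."""
    return [flag.name for flag in UAC if value & flag]

def audit(accounts, privileged=frozenset()):
    """Return (account, finding, reason) tuples for settings worth reviewing."""
    findings = []
    for name, value in accounts.items():
        for flag, why in RISKY.items():
            if value & flag:
                findings.append((name, flag.name, why))
        if name in privileged:
            for flag, why in EXPECTED_ON_ADMINS.items():
                if not value & flag:
                    findings.append((name, "missing " + flag.name, why))
    return findings

# Constructed sample: sAMAccountName -> userAccountControl (0x200 = normal account).
SAMPLE = {
    "svc-web": 0x200 | 0x080000,
    "legacy-app": 0x200 | 0x200000 | 0x400000,
    "adm-alice": 0x200 | 0x040000 | 0x100000,
    "adm-bob": 0x200,
}

if __name__ == "__main__":
    for name, value in SAMPLE.items():
        print(f"{name:<11} {value:#08x} {decode(value)}")
    for row in audit(SAMPLE, privileged={"adm-alice", "adm-bob"}):
        print(*row, sep=" | ")
```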
