Cannot enroll a customized "smart card connexion" template

Hello everyone!
Sorry for my bad English, I am French.
I created a new template for "enrollment agent".
Only changed the name and the security rights for enrollment.
My CA has no enrollment agent restrictions.
I added the template "smart card connexion" for delivery by my CA.
I enrolled my "enrollment agent" certificate.
I tried to "enroll in the name of" ...
It's OK.
I created my own template based on the template "smart card connexion".
Only changed the name and the security rights for enrollment (read + enroll for the "Authenticated Users" group).
Tried to enroll "in the name of ..."
and I can't see the template in the enrollment process,
just the original one.
I deleted the original "smart card connexion" so that my CA doesn't issue it
and tried to enroll "in the name of ...".
Still can't see my own customized template.
The list of templates I can use is empty.
If I click the check box "see all templates",
my customized template is marked as: "This template requires too many signatures from the enrollment authority. Only one signature from the enrollment authority is allowed. Multiple signatures are not allowed in a certificate request."
Help please!!

Hi Pat,
Based on my research, the option Policy type required in signature
defines which specific application policy, issuance policy, or both are required in the signing certificate.
Application policy option specifies the application policy that must be included in the signing certificate used to sign the certificate request, while
Issuance policy option specifies the issuance policy that must be included in the signing certificate used to sign the certificate request.
More information for you:
Administering Certificate Templates
http://technet.microsoft.com/en-us/library/cc725621(v=WS.10).aspx
Best Regards,
Amy
You wrote:
"Based on my research ...
- Application policy option specifies the application policy
- Issuance policy option specifies the issuance policy"
How much time did you spend to come to this ... shiny ... conclusion??
Not too much, I hope?
Ah ah ah ah ah!!!
lol
But you have all my gratitude!
Really.
You answered the question of my post (and I'm still trying with one more I posted here).
So thanks again!!!
I'll take a look at your link.
This post is ... closed!

Similar Messages

  • KDC Event ID 29 - The KDC cannot find a suitable certificate to use for smart card logons...

    I am getting the event (below) every day on a new 2008 domain controller that I brought up recently. The DC has a domain controller certificate that was automatically issued by an online enterprise CA. This CA is located in another domain (child domain) within the same forest. The 2008 DC is in the top-level domain. None of the other domain controllers, which are 2003, are reporting this message. I ran certutil.exe, and it successfully verifies all domain controller certificates, including the certificate on my new 2008 DC. Any ideas why these messages continue to appear?
    The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

    Hi,
    I have checked the file. Here is my findings:
    1.    The computer names of the domain controllers in this dcinfo.txt file are different. There is no Swampoak. I would like to confirm which one is the Windows Server 2008 domain controller.
    2.    The domain controllers Buckeye and Madrone both have 2 KDC certificates, one expired and the other valid:
    *** Testing DC[0]: MADRONE
    ** KDC Certificates for DC MADRONE
    Certificate 0:  -> Valid
    Serial Number: 116bbdd90000000000b6
    Issuer: ***
    NotBefore: 12/15/2008 2:28 AM
    NotAfter: 12/15/2009 2:28 AM
    Subject: CN=madrone.****
    Certificate Template Name (Certificate Type): DomainController
    Non-root Certificate
    Template: DomainController, Domain Controller
    Certificate 1:  -> Expired
    Serial Number: 15c2f00b000000000028
    Issuer: ****
    NotBefore: 3/9/2007 3:05 PM
    NotAfter: 3/8/2008 3:05 PM
    Subject: EMPTY (DNS Name=madrone.****)
    Non-root Certificate
    Template: DomainControllerAuthentication, Domain Controller Authentication
    *** Testing DC[1]: BUCKEYE
    ** KDC Certificates for DC BUCKEYE
    Certificate 0:  -> Expired
    Serial Number: 15c4ddc2000000000029
    Issuer: *****
    NotBefore: 3/9/2007 3:07 PM
    NotAfter: 3/8/2008 3:07 PM
    Subject: EMPTY (DNS Name=buckeye.****)
    Non-root Certificate
    Template: DomainControllerAuthentication, Domain Controller Authentication
    Certificate 1:  -> Valid
    Serial Number: 115f34ec0000000000b4
    Issuer: ****
    NotBefore: 12/15/2008 2:15 AM
    NotAfter: 12/15/2009 2:15 AM
    Subject: CN=buckeye.****
    Certificate Template Name (Certificate Type): DomainController
    Non-root Certificate
    Template: DomainController, Domain Controller
    Suggestion:
    1.    Please delete the expired certificate and then reboot the domain controller and test the issue again.
    2.    If the issue persists, please request a new Domain Controller Authentication certificate on the domain controller and check the result.

  • How to include the user as a recipient of the email generated when a smart card certificate is issued by an Enrollment Agent on behalf of a user.

    How can I add the requester name in the To: field of the email generated when a Smart Card certificate is issued on his behalf.
    I want to address the possibility of someone (Enrollment Agent) issuing a Smart Card certificate on behalf of a user, assign a PIN and use it without the user's knowledge.
    There doesn't seem to be a way in the registry to define a variable to be used in a manner similar to the TitleArg & TitleFormat way of using %1.
    Jamal Saket OSFI Canada

    Hi,
    Thank you for your question.  
    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience. 
    Thank you for your understanding and support.
    TechNet Subscriber Support
    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.

  • Virtual Smart Cards - Enroll On Behalf Of

    Hello There!
    Here's the scenario:
    - Windows 8.1 Laptop with TPM 1.2
    - Windows 2012R2 CA
    - Windows Enrollment Agent Workstation
    Steps:
    1) New VSC is created on laptop
    2) Admin RDPs from laptop to trusted workstation and enrolls the VSC for the user
    3) The user logs into the Laptop and RDPs into a domain joined machine. He gets this error:
    The difference between a USB Smart card and the VSC is that when I plugin the USB one, the certificates are copied in the user certificate store. This does not happen with the VSC.
    How can this be fixed? Is there a way to virtually unplug and re-plug the VSC so that the OS will copy the certs in the user cert store?
    What am I missing?
    Thank you,
    Claudio

    Hi,
    Glad to hear that the issue is solved!
    Thank you very much for sharing, your solution is very beneficial to other people who have similar issues.
    Please feel free to let us know if you encounter any issues in the future.
    Best Regards,
    Amy
    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

  • Customize Non-Smart Card Mobility (NSCM) login screen

    Is there a way to customize the NSCM login screen to have customer-specific content in it?

    Hi Chris,
    I also have this issue. I think it is a known issue for Windows.
    I did some more research in web and found what I was looking for.
    RUNAS /SMARTCARD Only Supports a Single Smart Card Reader
    http://support.microsoft.com/kb/2013976
    How Smart Card Logon Works in Windows
    http://technet.microsoft.com/en-us/library/ff404285(v=WS.10).aspx
    Guidelines for enabling smart card logon with third-party certification authorities
    http://support.microsoft.com/kb/281245
    Thanks

  • T430s Smart Card reader cannot read some cards

    Hi all,
    I have a T430s with a smart card reader.
    Turns out that some cards (including, as it happens, one of my personal cards) the reader can't read. It either does not respond at all, or gives an "unknown card" identification. The very same card, on the very same laptop, using an Athena USB reader, works flawlessly.
    I'd say it's a reader malfunction BUT some other cards are read perfectly by my built-in reader... Why would the reader refuse to read certain cards?
    Any ideas? Anyone seen something like this?
    Thanks for any insight!

    Hey 127kmph,
    If the driver for the media card reader doesn't work,
    I found your computer in the personal system reference and saw you actually have no Smartcard reader. But you do have the 4-1 media card reader. Which is specific to all machine types of the T430s.
    With a little more investigating I found out that
    You have a Ricoh Multi Card Reader on the computer. This reader is able to read SDHC cards, but to get it to work fully you have to update the driver.
    Here is the link to the driver. Which this driver supports XP, Vista, and Windows 7.
    http://support.lenovo.com/en_US/downloads/detail.page?DocID=DS014960
    Thank you NINE.
    Hope this works out for you
    Please let us know,
    Alex
    What we Do in Life will Echo through Eternity. -Maximus Aurelius

  • Safari can use my CAC (Smart) Card to login to government websites but Firefox cannot.

    Safari and even Google Crome can access my CAC Card and login to government websites, however Firefox just doesn't seem to even try. OSX Lion, Apple Macbook Pro, Firefox 5.0.1.

    Try:
    * [/questions/808161] Trying to use a CAC smart card reader with Mac version of Firefox
    * https://militarycac.com/firefox.htm

  • Windows smart card logon and kdc certificate (2008R2)

    Dear all,
    we are trying to implement smartcard logon on a 2008 R2 DC and CA. Environment:
    Domain controller - Windows Server 2008 R2
    CA - Windows Server 2008 R2
    Testing server - Windows Server 2008 R2
    When using smartcard logon, a message pops up: "The system could not log you on. You cannot use a smart card to log on because smart card logon is not supported for your user account. Contact your system administrator to ensure that smart card logon is configured for your organization."
    The domain controller has an error message: "Event 19: This event indicates an attempt was made to use smartcard logon, but the KDC is unable to use the PKINIT protocol because it is missing a suitable certificate".
    When using "net stop kdc && net start kdc" there is a warning: "Event 29: The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate."
    There were 2 dead CAs in the environment; we deleted them manually by following the instructions in http://support.microsoft.com/kb/555151.
    We tried to renew the domain controller certificate with the instructions in http://technet.microsoft.com/en-us/library/cc734096.aspx and http://technet.microsoft.com/en-us/library/cc733944(v=ws.10).aspx;
    the result of "certutil -dcinfo verify" seemed to be correct, but events 19 and 29 are still there.
    How could we resolve this problem? Thanks in advance.
    The output of "certutil -dcinfo verify" is :
    0: CTXDC
    *** Testing DC[0]: CTXDC
    **  Enterprise Root Certificates for DC CTXDC 
    Certificate 0:
    Serial Number: 781902753c5627b64bd4e45c38b648df
    Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
     NotBefore: 2013/4/11 11:57
     NotAfter: 2018/4/11 12:07
    Subject: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
    Certificate Template Name: CA
    CA Version: V0.0
    Signature matches Public Key
    Root Certificate: Subject matches Issuer
    Template: CA, Root Certification Authority
    Cert Hash(sha1): 24 43 b0 79 33 8d f4 74 2d 52 df 75 3a 50 73 85 62 25 fb 86
    **  KDC certificate for DC
    CTXDC 
    certificate 0:
    Serial Number: 611648d2000000000030
    Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
     NotBefore: 2013/4/21 12:05
     NotAfter: 2014/4/21 12:05
    Subject: CN=CTXDC.demo2.internal.jiean-technologies.lan
    Certificate Template Name: DomainController
    Non-root Certificate
    template: DomainController, domain controller
    Cert Hash(sha1): e5 e5 5f 80 b0 cd 7f b5 3d 86 51 3e f3 70 d0 8e 39 48 45 cd
    dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    Application[0] = 1.3.6.1.5.5.7.3.1
    Server Authentication
    Application[1] = 1.3.6.1.5.5.7.3.2
    Client Authentication
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_NT_AUTH
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwRevocationFreshnessTime: 10 Hours, 36 Minutes, 16 Seconds
    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwRevocationFreshnessTime: 10 Hours, 36 Minutes, 16 Seconds
    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
      Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
      NotBefore: 2013/4/21 12:05
      NotAfter: 2014/4/21 12:05
      Subject: CN=CTXDC.demo2.internal.jiean-technologies.lan
      Serial: 611648d2000000000030
      SubjectAltName: Other Name:DS object GUID=04 10 f1 68 15 d4 e6 4a 8c 40 80 c6 15 16 1d 26 49 4d, DNS Name=CTXDC.demo2.internal.jiean-technologies.lan
      Template: DomainController
      e5 e5 5f 80 b0 cd 7f b5 3d 86 51 3e f3 70 d0 8e 39 48 45 cd
      Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
        CRL 54:
        Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
        52 95 06 73 26 3a 6a 22 a3 6f d7 6e b2 f3 4c 3d 02 9b 7e 54
        Delta CRL 55:
        Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
        8c c0 97 5e a3 13 9d a1 5c a2 c1 86 e8 65 ff b0 8b ea f4 a3
      Application[0] = 1.3.6.1.5.5.7.3.2
    Server Authentication
      Application[1] = 1.3.6.1.5.5.7.3.1
    Client Authentication
    CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
      Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
      NotBefore: 2013/4/11 11:57
      NotAfter: 2018/4/11 12:07
      Subject: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
      Serial: 781902753c5627b64bd4e45c38b648df
      Template: CA
      24 43 b0 79 33 8d f4 74 2d 52 df 75 3a 50 73 85 62 25 fb 86
      Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
      Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    Exclude leaf cert:
      33 0e 29 2d 44 b0 f9 5d a8 7d 03 26 52 e0 cf 00 4c bf 66 2d
    Full chain:
      04 60 4a 63 ea 44 36 5a 8a 3e 43 b5 23 2a ee 8e a6 05 16 3b
    Verified Issuance Policies: None
    Verified Application Policies:
        1.3.6.1.5.5.7.3.2
    Server Authentication
        1.3.6.1.5.5.7.3.1
    Client Authentication
    1 KDC certs for CTXDC
    CertUtil: -DCInfo command completed successfully.

    The KDC certificate must be good for "SmartCard logon" purpose. It is currently not.
    If you do not use smartcards, do not worry.
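The two "certutil -dcinfo verify" listings quoted in this thread (the MADRONE/BUCKEYE one in the Event ID 29 item above, and the CTXDC one in this item) are exactly the kind of output an administrator ends up reading by hand. The following is an added example, not code from either post: a small Python parser for that output that lists every KDC certificate per DC, flags the ones whose NotAfter has passed (the expired certificate the first reply recommends deleting), and reports which DCs have a given EKU among their verified application policies. The sample text is constructed to mirror the thread's listings with example.test host names; the KDC Authentication EKU OID 1.3.6.1.5.2.3.5 is the one carried by certificates issued from the Kerberos Authentication template. Whether your environment needs that EKU or the DomainController template's Server/Client Authentication pair depends on your client settings; the script only reports what is present.

```python
import re
from datetime import datetime

# Constructed sample modelled on the "certutil -dcinfo verify" listings pasted in
# the thread: one DC still carrying an expired KDC certificate, one with a chain dump.
SAMPLE_DCINFO = """\
*** Testing DC[0]: MADRONE
Certificate 0:
Serial Number: 116bbdd90000000000b6
NotBefore: 12/15/2008 2:28 AM
NotAfter: 12/15/2009 2:28 AM
Subject: CN=madrone.example.test
Template: DomainController, Domain Controller
Certificate 1:
Serial Number: 15c2f00b000000000028
NotBefore: 3/9/2007 3:05 PM
NotAfter: 3/8/2008 3:05 PM
Subject: EMPTY (DNS Name=madrone.example.test)
Template: DomainControllerAuthentication, Domain Controller Authentication
*** Testing DC[1]: CTXDC
**  KDC certificate for DC CTXDC
certificate 0:
Serial Number: 611648d2000000000030
 NotBefore: 2013/4/21 12:05
 NotAfter: 2014/4/21 12:05
Subject: CN=ctxdc.example.test
Template: DomainController, domain controller
dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Subject: CN=exampleCA
  Template: CA
Verified Application Policies:
    1.3.6.1.5.5.7.3.2
Server Authentication
    1.3.6.1.5.5.7.3.1
Client Authentication
1 KDC certs for CTXDC
CertUtil: -DCInfo command completed successfully.
"""

DC_RE = re.compile(r"^\s*\*\*\* Testing DC\[\d+\]: (\S+)")
CERT_RE = re.compile(r"^certificate (\d+):", re.IGNORECASE)
FIELD_RE = re.compile(r"^\s*(Serial Number|NotBefore|NotAfter|Subject|Template):\s*(.*)$")
OID_RE = re.compile(r"^\s*(\d+(?:\.\d+)+)\s*$")
DATE_FORMATS = ("%m/%d/%Y %I:%M %p", "%Y/%m/%d %H:%M")  # both layouts seen in the thread
KDC_AUTHENTICATION_EKU = "1.3.6.1.5.2.3.5"  # EKU in Kerberos Authentication template certs


def parse_date(text):
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text.strip(), fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised certutil date: {text!r}")


def parse_dcinfo(text):
    """Map each DC name to its listed KDC certificates and verified application policy OIDs."""
    dcs, dc, cert, in_policies = {}, None, None, False
    for line in text.splitlines():
        stripped = line.strip()
        m = DC_RE.match(line)
        if m:
            dc = dcs.setdefault(m.group(1), {"certs": [], "app_policies": []})
            cert, in_policies = None, False
            continue
        if dc is None:
            continue
        # The chain dump repeats Subject/Template for every chain element (CA included),
        # so stop attributing fields to the listed KDC certificate once it starts.
        if stripped.startswith(("dwFlags", "CertContext", "Verified")):
            cert = None
        if stripped.startswith("Verified Application Policies"):
            in_policies = True
            continue
        if in_policies:
            m = OID_RE.match(line)
            if m:
                dc["app_policies"].append(m.group(1))
            elif re.match(r"^\d+ KDC cert|^CertUtil:", stripped):
                in_policies = False
            continue
        m = CERT_RE.match(stripped)
        if m:
            cert = {"index": int(m.group(1))}
            dc["certs"].append(cert)
            continue
        m = FIELD_RE.match(line)
        if m and cert is not None:
            key, value = m.groups()
            cert[key] = parse_date(value) if key in ("NotBefore", "NotAfter") else value.strip()
    return dcs


def expired_certs(dcs, now):
    """(dc, index, template) for every listed KDC certificate whose NotAfter is before `now`."""
    return [(name, c["index"], c.get("Template", "?"))
            for name, info in dcs.items() for c in info["certs"] if c["NotAfter"] < now]


def dcs_without_policy(dcs, oid):
    """Names of DCs whose verified application policies do not include the given EKU OID."""
    return sorted(name for name, info in dcs.items() if oid not in info["app_policies"])


if __name__ == "__main__":
    parsed = parse_dcinfo(SAMPLE_DCINFO)
    today = parse_date("1/15/2009 9:00 AM")  # constructed reference date for the sample
    for finding in expired_certs(parsed, today):
        print("expired KDC certificate still installed:", finding)
    print("no KDC Authentication EKU verified on:", dcs_without_policy(parsed, KDC_AUTHENTICATION_EKU))
```

Run it against a saved `certutil -dcinfo verify > dcinfo.txt` by reading the file into `parse_dcinfo` instead of the sample; the two date layouts cover the US-locale and year-first formats that appear in the thread, and any other locale needs its own entry in DATE_FORMATS.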

  • Windows 7 Smart Card Logon

    Hi,
    Testing PKI with Windows 7 x64 under a (otherwise) working public key infrastructure (Windows 2008 CA) using Smart Card certificates based on V2 templates. I've enrolled an AD user successfully with a smartcard and validating the cert it looks all ok (via certutil -scinfo). For all intents and purposes the smart card appears ok but when I try to logon with the user and the smartcard inserted in the machine, I get the following error message:
    "The system could not log you on. You cannot use a smart card to log on because smart card login is not supported for your user account. Contact your system administrator to ensure that smart card logon is configured for your organization."
    Kind of weird message :-/ The smart card reader is in-built on a Dell E6400 ATG... the smart card itself is a Gemalto .NET based card. I've validated that the cert is correctly written to the card via the netsolutions site at Gemalto ... Windows 7 reads the smart card and the user ID correctly from the GUI Logon screen ... it's only when I enter the PIN and it attempts to logon do I get the above message....
    Is there anything "special" I need to do in Windows 7 or in group policy to enable smart card support?? This has worked fine in the past on XP....
    Both the smart card service and the certificate propagation service are running...
    Regards,
    Mylo

    Stigh,
    OK..... I've got it working with Windows 7 on the 6400 together with the Mobile Internet Broadband using domain-based interactive logon.... so the pressure's off at least at this end :-)
    "I actually disagree."
    I can see you're healthily motivated to fix the problem.. which is good :-)
    "As long as there is a EKU in the certificate, it should work for local logon."
    Agreed (kind of).. although in your case the common name (the username) is the key identifier for logon purposes..  a UPN in this case is moot as there is no domain to speak of.... I'm assuming the Smart Card Login OID is present in your certificate template together with Client Authentication, and that the purpose is set to "Signature and Smartcard Logon".. I'm working with V2 templates at the mo...
    "In GPedit, under Computer Configuration-Windows Components-Smart Card there are policies to disable certain parameters. I need to read more on those."
    In my case I haven't tweaked any settings via GPO... to resolve the problem described earlier I ended adding the AMT HECI driver for the chipset and the Broadcom drivers from the Connection Manager packs.... I suspect it was the latter that was the problem. Again I haven't installed any Dell Connection Manager software so I'm relying purely on drivers.
    "Btw; Dell SmartCard is not available for shopping in Norway where I'm located; so I can not enroll any cards through Controlpoint/Wave manager. My Gemalto.NET card is purchased from a local store"
    The Gemalto drivers from Windows 7 RTM worked ok for me.
    "The reason for using the laptop as stand alone outside domain is that it's "never" connected locally to any wired network, and there is no reason for it to be a member of the domain."
    OK, but here's where I disagree :-) .. the machine in question will need to connect back to your Enterprise CA certificate distribution point (CDP) to check that the certificate is valid. That's part of basic PKI functionality to ensure certificates are valid. In your case, you'll need an HTTP-based CDP reachable from the local machine, i.e. reachable over a LAN or over the Internet from the "stand-alone" machine, as default LDAP CDPs are meaningless as your client is not domain-joined. Otherwise, you'll need to turn off certificate revocation checking on the local machine completely, which is diluting security even further.
    "Its only connecting through RDP and for Outlook (Exchange 2007). Here I use the certificate for RDP logon and for signing/encrypting emails."
    I was slightly confused here.. so you don't intend to use the smartcard for local logon? If this is the case this is a workable scenario. You can use a smartcard from a non-domain joined machine to connect for RDP logon. S/MIME is also possible from Outlook, but YMMV as you may run into trust issues when sending encrypted mails to parties that don't trust your CA. Again, bear in mind the comments made earlier about the CDP... the "stand-alone" machine will still need to "connect" back to the CA to access the CDP/AIA, plus you'll have to do certificate renewals etc.
    On a parting note, you need to be clear about why you really need to use smart cards (in this scenario). You're working outside the normal working conventions of Windows with a non-domain joined machine and the pay-off in this case is negligible. I'm not trying to dissuade you from continuing but it's likely to be an uphill struggle.
    Good luck and post back if you want to discuss further!
    Regards,
    Mylo

  • Automatic Smart Card Certificate Renewal

    We have a problem where our Smart Card certificates are starting to expire but the automatic renewal process is failing.
    Is it actually possible to auto renew Smart Card certs without requiring any user input (other than the PIN)?
    There are two errors in the event log -
    Event ID:      16
    Description:
    Certificate enrollment for <domain>\<username> failed to renew a SmartcardLogon certificate with request ID N/A from <ca server name> (Provider could not perform the action since the context was acquired as silent. 0x80090022 (-2146893790)).
    Event ID:      6
    Automatic certificate enrollment for <domain>\<username> failed (0x80090022) Provider could not perform the action since the context was acquired as silent.
    The certificate template is configured with all the correct permissions (Read,Enroll,AutoEnroll) and group policy is configured with the auto enrolment settings. 
    Thanks in advance.

    This may be caused by an incorrect certificate template configuration. In the Request Handling tab (IIRC), there are several radio buttons where you specify whether enrollment may ask for user input during enrollment or not. You need to allow user input during enrollment for smart card templates.
    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
    Check out new: SSL Certificate Verifier
    Check out new: PowerShell FCIV tool.

  • Problem Signing Email with Digital Certificate from Smart Card, Outlook 2013

    Hi there, I'm the IT guy for a small company.  I've configured several people in the company to use their smart cards for email signing through Outlook 2013, but a a few computers are giving me this error:
    "Microsoft Outlook cannot sign or encrypt this message because there are no certificates which can be used to send from the e-mail address '<e-mail address>'. Either get a new digital ID to use with this account, or use the Accounts button to
    send the message using an account that you have certificates for."
    I've been in the Trust Center, I see the signing and encrypting certificates. (SHA-1 and 3DES).  Yet when I try to sign, Outlook always fails on the error.
    For my computer, I was able to fix this by adding a "SupressNameChecks" DWORD set to 1 in the Registry under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook.  However, this fix is not working for the other people in the company.
    Any other ideas?  Really pulling my hair out on this one, I've tried everything I could find on the net it seems.

    Hi,
    Please check "E-mail name" under the section "Include this information in alternate subject name" on the Subject Name tab of the certificate template.
    We can export the entrust managed services root CA cert from a working machine and import into the trusted root store of a non-working machine. For detailed steps about it, please refer to:
    How To Import and Export Certificates So That You Can Use S/MIME in Outlook Web Access on Multiple Computers
    http://support.microsoft.com/kb/823503/en-us
    Hope it helps.
    Regards,
    Winnie Liang
    TechNet Community Support

  • RDS Gateway + Smart Card Error [ The specified user name does not exist.]

    I have the following Windows Server 2008 R2 servers:
    addsdc.contoso.com, AD DS Domain Controller for contoso.com
    adcsca.contoso.com, AD CS Enterprise CA, CDPs/AIAs published externally.
    fileserver.contoso.com, RDS Session Host for Administration enabled
    rdsgateway.contoso.com, RDS Gateway enabled
    tmgserver.contoso.com, 'Publishing' rdsgateway.contoso.com but with pass-through authentication
    And the following Windows 7 PCs:
    internalclient.contoso.com
    externalclient.fabrikam.com
    There's no trust between the domains, the external client is completely separate on the internet but the CA certificate for contoso.com has been installed in the trusted Root CA store. All servers have certificates for secure RDP.
    I enrolled for a custom 'Smart Card Authentication' certificate with Client Authentication and Smart Card Logon EKUs from the CA, stored on my new Gemalto smart card using the Microsoft Base Smart Card CSP.
    From internalclient.contoso.com, I can RDP to fileserver.contoso.com using the smart card just fine with no certificate errors.
    From externalclient.fabrikam.com, I can RDP to fileserver.contoso.com via rdsgateway.contoso.com using a username and password just fine with no certificate errors.
    From externalclient.fabrikam.com, I can RDP to fileserver.contoso.com via rdsgateway.contoso.com using the smart card to authenticate to the gateway, and a username and password to authenticate to the end server, just fine.
    BUT when using a smart card to authenticate to the end server via the gateway, it fails with:
    The specified user name does not exist. Verify the username and try logging in again. If the problem continues, contact your system administrator or technical support.
    When I move the client into the internal network and try the connection again (still via the RDS Gateway), it works fine - the only thing I can think of is that being outside the network and not being able to contact the AD DS DC for Kerberos is causing the issue - but I'm pretty sure this is a supported scenario?
    The smart card works fine internally; the subject of the certificate is the user's common name (John Smith) and the only SAN is [email protected], which matches the UPN of the user account as it was auto-enrolled.
    Does anyone have any ideas?

    I had a similar issue where I am using a smart card through a Remote Desktop Gateway. I had to disable Network Level Authentication (NLA) on the destination Remote Desktop Server. If anyone has another way around this, I'd appreciate hearing it. I'd prefer to use NLA.

  • Security-Kerberos Event ID 9 - Smart Card not working for Login due to CRL download failure

    We have 8 computers that users were able to login with a Smart Card on one day. The next day they couldn't. Everyone else can login with a Smart Card without issue. These users can login with their smart card on other systems without issue. No users can login on the affected computers with a SmartID.
    In all cases, users can login on affected computers with their user ID and password.
    All traces on the domain controllers indicate the smart card PKI cert was validated by OCSP and the Kerberos session ticket was passed back to the client.
    However the client can't download the CRL from the CRL server for validation during login and always reports the CRL server is unavailable.
    Using CertUtil, you can validate manually the DC cert and the CRL will download from CRL server.  You can also hit the HTTP site for the CRL download and manually download the CRL.  All this once logged in using user id and password.
    You can't unlock the computer with a Smart card or login with a smart card.
    Packet trace indicates Kerberos session properly negotiated with workstation and DC. 
    Everything fails once client workstation can't download CRL during login.
    Any suggestions on where to look next?
    We have reloaded Activclient smart card validation software.  Still no effect on issue. 
    Smart card is readable once user is logged in, via Activclient, and Windows recognizes certs on smart card when inserted for login.
    Problem occurs during CRL download only, so login or any type of validation fails.

    Got it.
    So try to do what I suggested: exclude the CRL downloaded on Friday and try to rebuild it.
    Check it here:
    To resolve this issue:
    1.    Delete the domain controller certificate that is no longer valid.
    2.    Request a new certificate.
    To perform these procedures, you must be a member of the Domain Admins group, or you must have been delegated the appropriate authority.
    Delete the domain controller certificate that is no longer valid
    To delete the domain controller certificate that is no longer valid:
    1.    On the domain controller, click Start, and then click Run.
    2.    Type mmc.exe, and then press ENTER.
    3.    If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
    4.    Click File, and then click Add/Remove Snap-in.
    5.    Click Certificates, and then click Add.
    6.    Click Computer account, click Next, and then click Finish.
    7.    Click OK to open the Certificates snap-in.
    8.    Expand Certificates (Local computer), expand Personal, and then click Certificates.
    9.    Right-click the old domain controller certificate, and then click Delete.
    10.   Click Yes, confirming that you want to delete the certificate.
    After the certificate is deleted, follow the procedure in the "Request a new certificate" section.
    Request a new certificate
    To request a new certificate:
    1.    Expand Certificates (Local computer), right-click Personal, and then click Request New Certificate.
    2.    Complete the appropriate information in the Certificate Enrollment Wizard for a domain controller certificate.
    3.    Close the Certificates snap-in.
    Verify
    To perform this procedure, you must be a member of the Domain Admins group, or you must have been delegated the appropriate authority.
    To verify that the Kerberos Key Distribution Center (KDC) certificate is available and working properly:
    1.    Click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
    2.    If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
    3.    At the command prompt, type certutil -dcinfo verify, and then press ENTER.
    If you receive a successful verification, the Kerberos KDC certificate is installed and operating correctly.
    Sergio Figueiredo
    Microsoft Certified Solutions Associate

  • Smart Card Omnikey 3121 (USB) on MacPro MAC OS 10.4.7 won´t work

    Hello,
    I'm trying to use a USB OMNIKEY Smartcard 3121 on my MacPro for email encryption in a Citrix session.
    If I put the smart card into the reader, the red light flashes for 1 second only. The content of the smart card is not delivered into the Citrix session, but the PC/SC test program can connect to the reader.
    Changing the permissions of the whole content of the directory /var/run/pcscd/ to 666 does not solve the problem.
    Does anybody have experience with this?
    Thank you!
    macy:~ pcsctest
    MUSCLE PC/SC Lite Test Program
    Testing SCardEstablishContext : Command successful.
    Testing SCardGetStatusChange
    Please insert a working reader : Command successful.
    Testing SCardListReaders : Command successful.
    Reader 01: OMNIKEY CardMan 3x21 0 0
    Enter the reader number : 01
    Waiting for card insertion : Command successful.
    Testing SCardConnect : Command successful.
    Testing SCardStatus : Command successful.
    Current Reader Name : OMNIKEY CardMan 3x21 0 0
    Current Reader State : 34
    Current Reader Protocol : 1
    Current Reader ATR Size : 15
    Current Reader ATR Value : 3B FA 98 00 FF C1 10 31 FE 55 C8 04 53 41 47 5F 50 4B 49 32 70
    Testing SCardDisconnect : Command successful.
    Testing SCardReleaseContext : Command successful.
    PC/SC Test Completed Successfully !
    macy:~ ls -al /usr/libexec/SmartCardServices/drivers/
    total 0
    drwxr-xr-x 8 root wheel 272 Sep 27 19:41 .
    drwxr-xr-x 5 root wheel 170 Aug 17 06:56 ..
    drwxr-xr-x 3 root wheel 102 Aug 17 06:56 CC-PC-Card.bundle
    dr-xr-xr-x 3 root wheel 102 Aug 17 06:56 CCIDClaDDssDrDiver.bundle
    drwxr-xr-x 3 root wheel 102 Aug 17 06:56 SCR24XHndlr.bundle
    drwxr-xr-x 3 root wheel 102 Aug 17 06:56 ifd-ASEIIIeUSB.bundle
    drwxr-xr-x 3 root wheel 102 Aug 17 06:56 ifdokcm4040macos-2.0.0.bundle
    drwxr-xr-x 3 root wheel 102 Sep 26 12:04 ifdokcm3x21macintel-2.5.0.bundle
    Mac OS X Version 10.4.7 (Build 8K1124)
    2006-09-26 12:26:02 +0200
    2006-09-26 12:26:02.894 SystemUIServer[136] lang is:de
    src/PCSC/pcscdaemon.c:559 main: Cannot unlink /var/run/pcscd/.pcscpub: Permission denied
    src/PCSC/pcscdaemon.c:564 main: Cannot unlink /var/run/pcscd/.pcscomm: Permission denied
    src/PCSC/pcscdaemon.c:569 main: Cannot rmdir /var/run/pcscd: Permission denied
    src/PCSC/pcscdaemon.c:575 main: Cannot unlink /var/run/pcscd.pid: Permission denied
    macy:/var/run/pcscd ls -al
    total 136
    drwxr-xr-t 4 root daemon 136 Sep 27 19:35 .
    drwxrwxr-x 39 root daemon 1326 Sep 27 19:55 ..
    srw-rw-rw- 1 root daemon 0 Sep 27 19:35 .pcscomm
    -rw-r--r-- 1 root daemon 65537 Sep 27 19:35 .pcscpub
    MacPro   Mac OS X (10.4.7)   Smart Card Omnikey 3121 (USB)
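    What the pcsctest output above actually says about the card can be read off its ATR. The decoder below is an added example, not code from the original post or from the pcsc-lite project: it parses an Answer To Reset byte by byte following ISO/IEC 7816-3 (TS, T0, the TA/TB/TC/TD interface bytes of each layer, the historical bytes, and the TCK check character) and needs no reader or PC/SC call, so it runs on any machine with PowerShell 3 or later. The function name ConvertFrom-Atr is this example's own; the only input is the ATR string copied from the post.

```powershell
# Added example (not from the original post): decode an ISO/IEC 7816-3 ATR.
# Pure PowerShell 3+, no reader needed. Input below is the ATR pcsctest printed.

function ConvertFrom-Atr {
    param([Parameter(Mandatory = $true)][string]$AtrHex)

    $b = [byte[]]($AtrHex -split '\s+' | Where-Object { $_ } | ForEach-Object { [Convert]::ToByte($_, 16) })
    if ($b.Count -lt 2) { throw 'ATR too short' }

    # TS: initial character, fixes the bit-coding convention
    $convention = switch ($b[0]) {
        0x3B    { 'direct' }
        0x3F    { 'inverse' }
        default { throw ('unexpected TS byte 0x{0:X2}' -f $b[0]) }
    }

    $k         = $b[1] -band 0x0F   # T0 low nibble: number of historical bytes
    $y         = $b[1] -shr 4       # T0 high nibble: which of TA1..TD1 follow
    $i         = 2
    $layer     = 1
    $iface     = @()
    $protocols = @()
    do {
        # each set bit of Y announces one interface byte in this layer
        $need = @(1, 2, 4, 8 | Where-Object { $y -band $_ }).Count
        if ($i + $need -gt $b.Count) { throw "truncated ATR in interface layer $layer" }
        $td = $null
        if ($y -band 1) { $iface += ('TA{0}=0x{1:X2}' -f $layer, $b[$i]); $i++ }
        if ($y -band 2) { $iface += ('TB{0}=0x{1:X2}' -f $layer, $b[$i]); $i++ }
        if ($y -band 4) { $iface += ('TC{0}=0x{1:X2}' -f $layer, $b[$i]); $i++ }
        if ($y -band 8) {
            $td = $b[$i]
            $iface += ('TD{0}=0x{1:X2}' -f $layer, $td)
            $protocols += ($td -band 0x0F)   # TD low nibble: protocol type T
            $i++
        }
        $layer++
        # TD's high nibble says whether another layer of interface bytes follows
        $y = if ($null -ne $td) { $td -shr 4 } else { 0 }
    } while ($y -ne 0)

    if ($i + $k -gt $b.Count) { throw 'truncated ATR in historical bytes' }
    $hist  = if ($k -gt 0) { $b[$i..($i + $k - 1)] } else { @() }
    $ascii = -join ($hist | ForEach-Object { if ($_ -ge 0x20 -and $_ -le 0x7E) { [char]$_ } else { '.' } })

    # TCK is present only when some TD announced a protocol other than T=0.
    # Check: XOR of every byte from T0 through TCK inclusive must be 0.
    $tckRequired = @($protocols | Where-Object { $_ -ne 0 }).Count -gt 0
    $tckValid    = $null
    if ($tckRequired) {
        $end = $i + $k
        if ($end -ge $b.Count) { throw 'TCK required by the protocol but missing' }
        $x = 0
        for ($j = 1; $j -le $end; $j++) { $x = $x -bxor $b[$j] }
        $tckValid = ($x -eq 0)
    }

    # no TD1 at all means the card only offers T=0
    $protoList = if ($protocols.Count -gt 0) { $protocols } else { @(0) }

    [pscustomobject]@{
        Convention      = $convention
        InterfaceBytes  = $iface -join ' '
        Protocols       = $protoList
        HistoricalBytes = ($hist | ForEach-Object { '{0:X2}' -f $_ }) -join ' '
        HistoricalAscii = $ascii
        TckValid        = $tckValid
    }
}

# Input: the ATR from the pcsctest output above.
ConvertFrom-Atr '3B FA 98 00 FF C1 10 31 FE 55 C8 04 53 41 47 5F 50 4B 49 32 70' | Format-List
```

    Decoded, the posted ATR is a direct-convention answer whose TD bytes select T=1, whose historical bytes spell "SAG_PKI2" in their printable part, and whose TCK checksum verifies. That is a clean, complete reset answer delivered through pcscd, which supports what the pcsctest run already suggested: the reader driver and the card are fine on the Mac side, so the missing card content inside the Citrix session points at the session's smart card redirection rather than at the local PC/SC layer.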

    Welcome to Apple Discussions!
    I'd contact Omnikey and ask them if they have tested their key on 10.4.7. If they have only used a previous version of Mac OS X, you may need a Mac which came with the older version of Mac OS X that they tested with, or older. If you do have the older operating system as compatible with that computer, you may want to install a second hard drive on your machine with that older operating system.
    Macs can't run an older operating system than they shipped with.

  • Looking for a smart card reader compatible with Mac OS X 10.5

    Hi there,
    I am looking for a smart card (card with microCPU) reader which is compatible with Mac OS X 10.5 .
    In substance, what I need is a little space to store all my passwords in, due to the fact that I might forget one: I have many to remember!
    I have a USB key, but I use it in many computers, even in ones whose security cannot be 100% trusted, and I want no doubt when talking about safety.
    Here's an image of what I want in poor words:
    http://www.ordnas.it/prodotti/lett_mem/imgpr1592-01-3.jpg
    The main issue is that most SC readers are /not/ Mac compatible.
    So what brand should I opt for ? What costs should I expect ?
    Thanks to everyone who'll help.
    Tyrexionibus

    Thank you for your answer.
    This might be a solution, I'll take it seriously.
    Can this other be a solution too ?
    http://www.athena-scs.com/product.asp?pid=1
    On the manufacturer's page, it's stated that it's compatible with Mac OS X.
    41 bucks + shipping + the price of a smart card..
