Security-Kerberos Event ID 9 - Smart Card not working for Login due to CRL download failure

We have 8 computers that users were able to log in to with a Smart Card on one day. The next day they couldn't. Everyone else can log in with a Smart Card without issue. These users can log in with their smart card on other systems without issue. No users can log in on the affected computers with a SmartID.
In all cases, users can login on affected computers with their user ID and password.
All traces on the domain controllers indicate the smart card PKI cert was validated by OCSP and the Kerberos session ticket was passed back to the client.
However the client can't download the CRL from the CRL server for validation during login and always reports the CRL server is unavailable.
Using CertUtil, you can manually validate the DC cert, and the CRL will download from the CRL server. You can also hit the HTTP site for the CRL download and manually download the CRL. All of this works once logged in using user ID and password.
You can't unlock the computer with a Smart card or login with a smart card.
Packet trace indicates Kerberos session properly negotiated with workstation and DC. 
Everything fails once client workstation can't download CRL during login.
Any suggestions on where to look next?
We have reloaded the ActivClient smart card validation software. Still no effect on the issue.
The smart card is readable once the user is logged in, via ActivClient, and Windows recognizes the certs on the smart card when it is inserted for login.
Problem occurs during CRL download only, so login or any type of validation fails.

Got it.
So try to do what I suggested: exclude the CRL downloaded on Friday and try to rebuild it.
Check it here:
To resolve this issue:

1. Delete the domain controller certificate that is no longer valid.
2. Request a new certificate.

To perform these procedures, you must be a member of the Domain Admins group, or you must have been delegated the appropriate authority.

Delete the domain controller certificate that is no longer valid

To delete the domain controller certificate that is no longer valid:

1. On the domain controller, click Start, and then click Run.
2. Type mmc.exe, and then press ENTER.
3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
4. Click File, and then click Add/Remove Snap-in.
5. Click Certificates, and then click Add.
6. Click Computer account, click Next, and then click Finish.
7. Click OK to open the Certificates snap-in.
8. Expand Certificates (Local computer), expand Personal, and then click Certificates.
9. Right-click the old domain controller certificate, and then click Delete.
10. Click Yes, confirming that you want to delete the certificate.

After the certificate is deleted, follow the procedure in the "Request a new certificate" section.

Request a new certificate

To request a new certificate:

1. Expand Certificates (Local computer), right-click Personal, and then click Request New Certificate.
2. Complete the appropriate information in the Certificate Enrollment Wizard for a domain controller certificate.
3. Close the Certificates snap-in.

Verify

To perform this procedure, you must be a member of the Domain Admins group, or you must have been delegated the appropriate authority.

To verify that the Kerberos Key Distribution Center (KDC) certificate is available and working properly:

1. Click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
3. At the command prompt, type certutil -dcinfo verify, and then press ENTER.

If you receive a successful verification, the Kerberos KDC certificate is installed and operating correctly.
Sergio Figueiredo
Microsoft Certified Solutions Associate
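
One way to identify which certificate in the domain controller's Personal store is no longer valid before deleting it, and to run the verification step afterwards. This PowerShell is an added example, not part of the original thread or of the quoted procedure; the EKU name table and the `URL=` pattern (English rendering of the CRL Distribution Points extension) are assumptions.

```powershell
# Added example (not from the original thread). Run elevated on the domain controller.
# Lists certificates in the computer's Personal store with the facts needed to
# decide which one is "no longer valid" before deleting it.

# Assumed name table for EKU OIDs commonly present on domain controller certificates.
$ekuNames = @{
    '1.3.6.1.5.2.3.5'        = 'KDC Authentication'
    '1.3.6.1.4.1.311.20.2.2' = 'Smart Card Logon'
    '1.3.6.1.5.5.7.3.1'      = 'Server Authentication'
    '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'
}
$now = Get-Date

$report = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    # Enhanced Key Usage OIDs carried by this certificate.
    $ekus = foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($ekuNames.ContainsKey($oid.Value)) { $ekuNames[$oid.Value] } else { $oid.Value }
            }
        }
    }

    # CRL Distribution Points (extension 2.5.29.31). Format() renders the
    # extension as text; the URL= pattern assumes the English rendering.
    $cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $cdpUrls = if ($cdpExt) {
        [regex]::Matches($cdpExt.Format($true), 'URL=(\S+)') |
            ForEach-Object { $_.Groups[1].Value }
    }

    # Build the chain with online revocation checking for every element.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag =
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chainOk = $chain.Build($cert)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    [pscustomobject]@{
        Subject     = $cert.Subject
        Thumbprint  = $cert.Thumbprint
        NotBefore   = $cert.NotBefore
        NotAfter    = $cert.NotAfter
        TimeValid   = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        EKU         = ($ekus -join '; ')
        CdpUrls     = ($cdpUrls -join '; ')
        ChainOk     = $chainOk
        ChainStatus = if ($status) { $status } else { 'NoError' }
    }
}

# Oldest expiry first, so an expired certificate appears at the top.
$report | Sort-Object NotAfter | Format-List

# Final check, as in the Verify step of the procedure above.
certutil -dcinfo verify
```

A chain status of RevocationStatusUnknown or OfflineRevocation means the revocation data could not be retrieved in the context the script ran in, which is the signed-in administrator's session and not the logon process.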

Similar Messages

  • Additional Fields for ESS-Business Card Not Working for Certain Countries

    Dear Experts,
    We were trying to configure the additional fields to be displayed in Business Card - Overview Screen for all countries. We don't have a problem configuring the new fields and getting them to display for Malaysia (Molga = 14), but we are having a problem getting the fields to display for Hong Kong (Molga = 27) and Singapore (Molga = 25).
    The strange thing is that I am following the same steps as I configured for Malaysia. Somehow it is not working for Hong Kong and Singapore. As I understand, there is only 1 place to configure in SPRO for this requirement:
    Personnel Management -> Employee Self-Service -> Service-Specific Settings -> Own Data -> Customizing of Personal Information Screens -> Determine Fields for Business Card on Overview Screen
    Please help!

    Hi Siddhart,
    Thank you for the information. We are currently in EhP3 with below Support Components installed.
    Software Component: SAP_HR
    Release: 600
    Level: 60
    Highest Support Package: SAPKE60060
    Software Component: EA-HR
    Release: 603
    Level: 34
    Highest Support Package: SAPK-60334INEAHR
    The note 1159911 provided is within SAPK-60304INEAHR. Thus, I don't think this is the root cause of this inconsistency, based on the Highest Support Package installed in our system.
    Any more hints? Anyone? Please...

  • Smart Resizing not working for RDWEB Published desktop

    I have a working RDS deployment, and I am able to change the screen resolution of the published desktops both in PowerShell and the registry. However, if I add the 'smart sizing' option, this does not get published in the .rdp file. I have added the entries in the registry but that did not work either. Is this a feature that is disabled by default or am I missing something?

    Sorry for the wrong information. Smart Resizing works with older versions of the RDP client too (in Win 8 you can switch this mode via the GUI).
    You must distribute an updated version of the .rdp file (with the smart sizing:i:1 line) to the RDS client.

  • HT2486 Smart Group not working for Multiple 'Not a Member of' Options

    I am trying to go through my contacts and assign everyone to a group.  I want to create a smart group whose criteria is "not in Group 1" AND 'Not in Group 2'.
    This does not work.  It simply gives me all the contacts.
    Also, is there any way to see a contact and know to which groups they belong?  When I can't remember who someone is, it is helpful if I know what group.

    I have a different conclusion : for me, it works since 10.9 where it has never worked before (and I just checked it still works with 10.9.1) !
    I did not modify my groups, they simply started to work properly with 10.9.

  • Creative cloud not work !!! error code : download failure.....I'm paying your site but can not find the answer to my problem

    download failure

    There are a few steps that I could suggest that might resolve the conflict for you. Please follow the steps below and let us know if this worked or not.
    1) I can see that Time Machine is active in the background. Can you please open the Preferences for Time Machine, disable Time Machine, and try again.
    2) If the step 1 doesn't work, please try a different network and check again.
    3) If none of the options above works, please navigate to Utilities> Adobe Application manager and make sure that we have full READ & WRITE permission on this folder and Utilities> Adobe Creative Cloud folder.
    Also, navigate to /LIBRARY/APPLICATION SUPPORT/ADOBE and give the READ&WRITE permission to the all the user accounts.
    4) Post this, try again.
    Do let us know if this worked for you or not.

  • TS1292 Bought UK itunes card not working for Canadian set up account

    I bought an iTunes card while living in the UK and I have not been able to add it to my iTunes account, which is traced to Canada. Any way around this?
    Thanks

    No. Gift cards are usable only in the country in which the card was sold. You cannot use a UK gift card in Canada.
    Regards.

  • Mac Smart Folder not working for Images received o...

    Hi Guys,
    I'm a project manager and use Skype a lot. For my ease I'm using the Mac Smart Folder option to place all the files I receive in a selected folder.
    Solution:
    1. I created a Smart Folder
    2. In the Smart Folder I placed a filter "Where From"
    3. In "Where From" I use the sender's Skype ID
    4. I turned on auto receive file in Skype; this is convenient as I don't have to click on every file separately
    Issue:
    Images received through Skype aren't providing all data, like "Senders SkypeID", in the More Info>Where From field. I am getting this data for all other documents and audio files.
    Key Finding:
    I've been using this method for the last year and haven't had this issue in the past. But recently my images aren't filtered properly.
    a. When I check the info of a document file, it shows me the sender name in the "Where from" field - that's perfect. (File>Get Info>Where From)
    b. When I check the info of an image file, it doesn't show the sender username.
    Please assist me with this issue as it is impacting my overall project efficiency.
    Note: The issue happened recently.
    Regards,
    Cashew.

    hi there,
    that error message sounds like you placed a shared folder within a parent folder that is not shared. It also can help to boot into Recovery Mode (pressing Command and R simultaneously when hearing the startup tune), launch Disk Utility, select the disk containing your OSX installation (usually named Macintosh HD) and choose Verify Disk Permissions. Should any problems be reported, select Repair Disk Permissions. Once that is finished, reboot normally.
    Though unlikely, it might have happened during all the folder removing and re-adding that some Permissions are out of sync. So checking these Permissions is merely a precaution.
    Once you are back in "normal" OSX using your admin account, try this:
    Open Terminal from the Utilities folder
    enter the following commands one line at a time:
    mkdir /Users/Shared/Family
    mkdir /Users/Shared/Family/Movies
    mkdir /Users/Shared/Family/Mom
    chown -R <placeholder> /Users/Shared/Family           
    chmod -R 755 /Users/Shared/Family
    Be sure to replace <placeholder> with your account's short name (no brackets!)
    Now open System Preferences and select Sharing
    Select File Sharing from the left pane
    Click on the little plus and add /Users/Shared/Family to your shares (The subfolders are automatically included)
    in the right most pane check the access privileges. They are set, so that you can read and write to those folders, while everyone else can only read. If you want everybody to have read and write privileges, use 777 instead of 755 within the terminal last command.
    Now the other computers should be able to see and use the shared folder you just created.
    If you create individual user accounts on your machine for every family member you want to access the shared folders, you can choose far more sophisticated levels of access privileges.
    Hope this helps,
    Chris

  • 'Share Card' not working for Outlook 2011.

    I'm trying to email a contact as an attachment from the Contacts app by using the Share button specifically. I want to send it via Outlook and it gives me the option to within the list. However, upon clicking Share Card with Outlook, all that occurs is a blank new message in Outlook with no .vcf attached. Can't figure out what is causing this to fail, as there are no variables that I can think of that would be getting in the way of this simple procedure.

    Contact Microsoft support. Those are MS products. Neither one uses the spell checking facilities built into OS X.

  • Smart dialing not working for me

    I have Alltel, which requires 10 digit dialing.  I turned on the smart dialing feature, and entered my area code.   But every time I dial a 7 digit number, I just get an error message from Alltel that I must use 10 digits.  Is there a trick to getting smart dial working?

    Odd, I don't have the "use 1 for National Dialing" setting.
    Perhaps you should turn that to Yes.

  • USB keyboard not working for login

    I use a USB extended keyboard on my iMac 3.06Mhz and at startup it is not being recognized. I have to use my Bluetooth keyboard to enter this question.
    How or why is this a problem? It was working fine before I made the installation of 10.9 ... but I was having intermittent problems w/ 10.8

    Maybe it needs to be plugged into the Mac before it goes to sleep...
    Because when it wasn't letting me type anything I tried every USB port on the Mac itself, as well as the monitors, and even using an extender. Nothing worked.
    However, I did eventually leave the keyboard plugged into the Mac and it woke up without a problem this morning. So, I'm hoping your solution did the trick!
    Thanks

  • Logic Studio: Software Update not working for Compressor and can't download

    I'm a Logic Studio customer. The 3.0.2 update isn't working from Software Update. I've tried to download the installation file separately, but it looks like you need a Final Cut Studio SN to download. Compressor is part of Logic Studio, so we need to be able to update also - without relying on Software Update. Thanks guys

    Hello there Brad,
    I was thinking it might be a good idea to delete and re install the iMovie and iPhoto applications from the Mac App store.
    First find the apps in your Applications folder in finder, and move them to the trash and restart your computer.
    Then use this article to re download them from the Mac App Store.
    Mac App Store: Finding your purchased apps
    http://support.apple.com/kb/HT4483
    Apps purchased via the Mac App Store
    When purchased via the Mac App Store, apps are installed in the Applications folder. Icons for purchased apps are automatically placed in the current user's Dock. There is also a purchases tab in the Mac App Store where you can see all of your Mac App Store downloads.
    Cheers,
    Sterling

  • I have installed the agent 10 or 15 times and one installation has failed, no error appeared during the installation but I am having inconsistent issues with my ethernet card not working here and there. We rebooted and can log into Novell client but th

    I have installed the agent 10 or 15 times and one installation has failed, no error appeared during the installation but I am having inconsistent issues with my ethernet card not working here and there. We rebooted and can log into Novell client but the login prompt did not appear for ESM client or the icon was not in the systray. Everything seems to work, besides at times (a couple times today) it terminates his ethernet card/connection. I would re-image his computer but he has several applications and it would take several hours, so I am hoping someone has an idea to fix this issue. So I was trying to figure out why he did not get the prompt to login and why it's not in the systray and it appears to not have completed the install? I checked the add/remove programs, it's not listed within there, I also checked the registry and found nothing for endpoint within there, but the files are within c:\program files\novell\zenworks endpoint security.
    I have also tried uninstalling it but that fails due to it "not being installed", and it will not reinstall over itself either.
    I did notice that stuninstdrv.exe is running in task manager. Any help would be great...
    Windows xp sp3
    ESM 3.5.154
    Thanks,
    Andy

    If you are searching the registry, check for the "Senforce" string. It should be at HKLM\Software\Senforce
    Try running the install program for the ZSC with the following command line:
    setup.exe /V"STUNINSTALL=1"
    If you've specified an uninstall password, try this one instead:
    setup.exe /V"STUNINSTALL=1 STUIP=password"" (please note the double quote at the end)
    Let me know if that helped you.
    Daniel

  • I have an event in my calendar that was sent by someone who does not work for the company anymore and I am reminded 2 times a week. How can I remove it?

    I have an event in my calendar that was sent by someone that does not work for the company anymore and I am reminded 2 times a week. How do I delete it?

    Tap on the event to open the event. Click the 'Edit' button in the event bubble, then press the 'Delete Event' button at the bottom of the Edit pop-up. It's a little different for events that come through Microsoft Exchange, you tap the event to bring up bubble and click the 'Details' button, and then press 'Decline' to remove the event.

  • Runtime error R6025 message after log on to Vista - Flash Card not working

    Hi
    I'm a newbie & would appreciate any advice.
    I am getting a runtime error message R6025 when I log on to Windows Vista.
    When I click out of the box I then get a message saying Toshiba Flash Card not working.
    I cancel that and my laptop is ok except I don't know if the flashcard is working or not because I don't know what it does.
    Sorry if I sound thick
    Thanks
    Neelie

    Hi
    I found this MS knowledge base article:
    Description of the R6025 run-time error in Visual C++
    http://support.microsoft.com/kb/125749
    But I doubt this description would be useful for you or anyone here. It describes this error in Visual C++, and this is a programming language.
    However, I think you should simply reinstall the Value Added Package which you could download firstly from the Toshiba European page.
    At first you have to remove the old Value Added Package from the system, then reboot the notebook and follow with new VAP installation.
    Bye

  • SB04100 Sound Blaster Card not working after computer rebuild

    I did a full disk format and reinstall for a friend on a Dimension 3000, running XP SP3. There is no sound at all. Speakers are good, tested on another system. Model number on the back of the sound card is SB0400, so I assume this is an older 24 bit PCI SoundBlaster card. Although I reinstalled all drivers from Dell, I found no drivers for this. The Creative site has no listing for this model.
    Computer does not seem to recognize the card. Have not opened the box yet but I assume if I were to remove and then reinstall the card it would be recognized (?) I then have to find an SB0400 driver.
    Does anyone know where I can find an SB0400 driver ? Does the strategy of pulling and reinstalling the card make sense ? (I have really avoided tampering with any of the hardware on this box -- since it is not mine.)

    Re: SB0400 Sound Blaster Card not working after computer rebuild
    Thanks much for your response. Problem solved for now. I removed the board and then reinserted it, after which I was able to download the drivers directly. Some of my difficulty with this whole process has been 1) I didn't know there was no working speaker in the computer and 2) I apparently misunderstood the BIOS settings for this. I re-set it up as an add-on board during the troubleshooting process. After loading the driver, I went back to the original setting (don't recall what it was but it was for integrated sound). The setting for integrated sound works fine, with external speakers and the new 24 bit driver. Still some noise (popping and static) but this board shares the bus with 2 other cards, one of which is a wireless network card. May be a PCI latency issue but I'm reluctant to change that because the network card is a bit shaky anyway.
    Everything works for now -- I'll be glad to get this particular computer out of my house !
