Virtual Smart Cards - Enroll On Behalf Of

Similar Messages

• Logon with Virtual Smart Card Breaks Run As Administrator

  I've been testing the Virtual Smart Card (VSC) capability on a Surface Pro 2 and Dell Latitude E7240.
  This may be by design however, I have noticed that if I login using the VSC I am unable to use "Run As Administrator" functionality - for example:
  Command Prompt from Start Screen
  Task Manager
  I'm prompted for a username / password or the VSC PIN.
  In my environment the Administrative user does not have a VSC, so it is a username/password. When using Run As Administrator I'm therefore always entering a username and password.
  Once the credentials are entered the prompt goes away but the application never runs.
  If I lock/unlock the session and login using username/password for the non-admin user, instead of the VSC and PIN, I am able to elevate using Run As.
  I have noticed that I can use the workaround as specified in this article:
  http://support.microsoft.com/kb/2013976
  To work around this issue, start the application using the Run as different user right-click context menu option and select the smart card reader of choice.
  Click Start, select Programs, and locate the shortcut item in the Programs menu or the application folder for the application you want to run
  Hold down the SHIFT key while you right-click the shortcut item, and select Run as different user.
  Enter the username, password and the domain name or choose a smart card logon.
  Seems a little odd... maybe I am missing something. If anyone can assist that would be great.
  Thanks, Chris
  MCTS 70-640 | MCTS 70-642 | Prince2 Practitioner| ITIL Foundation v3 | http://www.cb-net.co.uk

  Hi Chris,
  I also have this issue. I think it is a known issue for Windows.
  I did some more research in web and found what I was looking for.
  RUNAS /SMARTCARD Only Supports a Single Smart Card Reader
  http://support.microsoft.com/kb/2013976
  How Smart Card Logon Works in Windows
  http://technet.microsoft.com/en-us/library/ff404285(v=WS.10).aspx
  Guidelines for enabling smart card logon with third-party certification authorities
  http://support.microsoft.com/kb/281245
  Thanks

• Unlocked Virtual Smart Card using the PUK and Adminkey

  At my company we use virtual
  smart card with WIN8.1
  and some user has blocked you from failed attempts
  by the VSC. The question is
  whether there is a tool that allows unlocked
  the virtual smart card using
  the PUK or Adminkey password? The error
  that occurs to me is the following:
  “The security device cannot process the PIN.
  The PIN has been blocked temporarity because too many incorrect PINs have been entered, Try again later. If this message reoccurs, contact your administrator to reset the lockout
  period for this security device”

  Hi dtencio,
  It`s unreasonable to use PUK or Admin key instead of PIN ,because
  the VSC uses two-factor authentication and this guarantees the pc`security.
  To get more information, here is link for reference:
  Evaluate Virtual Smart Card Security
  http://technet.microsoft.com/en-us/library/dn579257.aspx
  When PIN is blocked or the TPM is in a lockout state, we recommend you to contact with your administrator to reset user PIN or reset lockout of TPM.
  If you are tired of the frequent blocked or locked out issue, we recommend you to contact with your administrator to change the lockout time in policy.
  Best regards 

• Virtual Smart Cards with a 3rd Party CA

  Hi,
    I am new to this but we want to start implemeting virtual smart cards but I am having difficult finding out how to use a 3rd party CA with them. Any help would be appreciated.
  Thanks in advace,
  Liz

  Hi Liz,
  Here is an article below which could be useful to you:
  Guidelines for enabling smart card logon with third-party certification authorities
  http://support.microsoft.com/kb/281245
  Best Regards,
  Amy

• How to include the user as a recipient of the email generated when a smart card certificate is issued by an Enrollment Agent on behalf of a user.

  How can I add the requester name in the To: field of the email generated when a Smart Card certificate is issued on his behalf.
  I want to address the possibility of someone (Enrollment Agent) issuing a Smart Card certificate on behalf of a user, assign a PIN and use it without the user's knowledge.
  There doesn't seem to be a way in the registry to define a variable to be used in a manner similar to the TitleArg & TitleFormat way of using %1.
  Jamal Saket OSFI Canada

  Hi,
  Thank you for your question.  
  I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience. 
  Thank you for your understanding and support.
  TechNet Subscriber Support
  If you are
  TechNet Subscription
  user and have any feedback on our support quality, please send your feedback
  here.
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Cannot enroll a customize "smart card connexion" template

  Hello everyone !
  Sorry for my bad English i am French
  i create a new template for "enrollment agent"
  Only change name and security right for enrollment
  My ca has no enrollment agent restrictions
  i hadded the template "smart card connexion" for delivering by my ca
  i enroll my "enrollment agent" certificate
  i try to "enroll in the name of" ...
  it's OK
  i create my own template based on the template "smard card connexion" 
  Only change name and security right for enrollment (read + enrolment on the "authenticate users" group)
  try to enroll "in the name of ..."
  and i can't see the model in the enrollment process
  just the original one
  i delete the original one "smart card connexion" for my ca don't deliver it
  and try to enroll "in the name of ..."
  still can't see my own custumized model
  The list of model i can use is empty
  if i click the chek box "see all models"
  my custumized model is mark as : "This model require to much signatures from the enrollment autority. Only one signature from the enrollment autority is allowed. mutiple signatures are not allow in a certificae request."
  Help please !!

  Hi Pat,
  Based on my research, the option Policy type required in signature
  defines which specific application policy, issuance policy, or both are required in the signing certificate.
  Application policy option specifies the application policy that must be included in the signing certificate used to sign the certificate request, while
  Issuance policy option specifies the issuance policy that must be included in the signing certificate used to sign the certificate request.
  More information for you:
  Administering Certificate Templates
  http://technet.microsoft.com/en-us/library/cc725621(v=WS.10).aspx
  Best Regards,
  Amy
  You write :
  Based on my research ...
  - Application policy option specifies the application policy 
  - Issuance policy option specifies the issuance policy 
  How many times did You spend to come to this ... shiny ... conclusion ??
  Not too much i hope ?
  Ah ah ah ah ah !!!
  lol
  But You have all my gratitude !
  Realy
  You answer the question of my post (and still try with one more i post here)
  So thanks again !!!
  I take a look at You Link
  This post is ... closed !

• RDS Gateway + Smart Card Error [ The specified user name does not exist.]

  I have the following Windows Server 2008 R2 servers:
  addsdc.contoso.com, AD DS Domain Controller for contoso.com
  adcsca.contoso.com, AD CS Enterprise CA, CDPs/AIAs published externally.
  fileserver.contoso.com, RDS Session Host for Administration enabled
  rdsgateway.contoso.com, RDS Gateway enabled
  tmgserver.contoso.com, 'Publishing' rdsgateway.contoso.com but with pass-through authentication
  And the following Windows 7 PCs:
  internalclient.contoso.com
  externalclient.fabrikam.com
  There's no trust between the domains, the external client is completely separate on the internet but the CA certificate for contoso.com has been installed in the trusted Root CA store. All servers have certificates for secure RDP.
  I enrolled for a custom 'Smart Card Authentication' certificate with Client Authentication and Smart Card Logon EKUs from the CA, stored on my new Gemalto smart card using the Microsoft Base Smart Card CSP.
  From internalclient.contoso.com, I can RDP to fileserver.contoso.com
  using the smart card just fine with no certificate errors.
  From externalclient.fabrikam.com, I can RDP to fileserver.contoso.com
  via rdsgateway.contoso.com using a username and password just fine with no certificate errors.
  From externalclient.fabrikam.com, I can RDP to fileserver.contoso.com
  via rdsgateway.contoso.com using the smart card to authenticate to the gateway, and a username and password to authenticate to the end server, just fine.
  BUT from when using a smart card to authenticate to the end server via the gateway, it fails with:
       The specified user name does not exist. Verify the username and try logging in again. If the problem continues, contact your system administrator or technical support. 
  When I move the client into the internal network and try the connection again (still via the RDS Gateway), it works fine - the only thing I can think of is being outside the network and not being able to contact the AD DS DC for Kerberos is causing the issue
  - but I'm pretty sure this is a supported scenario?
  The smart card works fine internally, the subject of the certificate is the user's common name (John Smith) and the only SAN is
  [email protected] which matches the UPN of the user account as it was auto-enrolled.
  Does anyone have any ideas?

  I had a similar issue where I am using a smart card through a Remote Desktop Gateway. I had to disable Network Level Authentication (NLA) on the destination Remote Desktop Server. If anyone has another way around this, I'd appreciate hearing it. I'd prefer
  to use NLA.

• Security-Kerberos Event ID 9 - Smart Card not working for Login due to CRL download failure

  We have 8 computers that users were able to login with a Smart Card on one day. The next day they couldn't. Everyone else can login with a Smart Card without issue. These users can login with their smart card on other systems without issue. No users can
  login on the affected computers with a SmartID.
  In all cases, users can login on affected computers with their user ID and password.
  All traces on the domain controllers indicate the smart card PKI cert was validated by OCSP and the Kerberos session ticket was passed back to the client.
  However the client can't download the CRL from the CRL server for validation during login and always reports the CRL server is unavailable.
  Using CertUtil, you can validate manually the DC cert and the CRL will download from CRL server.  You can also hit the HTTP site for the CRL download and manually download the CRL.  All this once logged in using user id and password.
  You can't unlock the computer with a Smart card or login with a smart card.
  Packet trace indicates Kerberos session properly negotiated with workstation and DC. 
  Everything fails once client workstation can't download CRL during login.
  Any suggestions on where to look next?
  We have reloaded Activclient smart card validation software.  Still no effect on issue. 
  Smart card is readable once user is logged in, via Activclient, and Windows recognizes certs on smart card when inserted for login.
  Problem occurs during CRL download only, so login or any type of validation fails.

  Got it.
  So try to do what i suggested, exclude the CRL downloaded on Friday and try to rebuild it.
  Check it here:
  To resolve this issue:
  Delete the domain controller certificate that is no longer valid.
  Request a new certificate.
  To perform these procedures, you must be a member of the Domain
  Admins group, or you must have been delegated the appropriate authority.
  Delete the domain controller certificate that is no longer valid
  To delete the domain controller certificate that is no longer valid:
  On the domain controller, click Start, and then click
  Run.
  Type mmc.exe, and then press ENTER.
  If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click
  Continue.
  Click File, and then click Add/Remove Snap-in.
  Click Certificates, and then click Add.
  Click Computer account, click Next, and then click
  Finish.
  Click OK to open the Certificates snap-in.
  Expand Certificates (Local computer), expand Personal, and then click
  Certificates.
  Right-click the old domain controller certificate, and then click Delete.
  Click Yes, confirming that you want to delete the certificate.
  After the certificate is deleted, follow the procedure in the "Request a new certificate" section.
  Request a new certificate
  To request a new certificate:
  Expand Certificates (Local computer),right-click Personal, and then click
  Request New Certificate.
  Complete the appropriate information in the Certificate Enrollment Wizard for a domain controller certificate.
  Close the Certificates snap-in.
  Verify
  To perform this procedure, you must be a member of the Domain
  Admins group, or you must have been delegated the appropriate authority.
  To verify that the Kerberos Key Distribution Center (KDC) certificate is available and working properly:
  Click Start, point to All Programs, click
  Accessories, right-click Command Prompt, and then click
  Run as administrator.
  If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click
  Continue.
  At the command prompt, type certutil -dcinfo verify, and then press ENTER.
  If you receive a successful verification, the Kerberos KDC certificate is installed and operating correctly.
  Sergio Figueiredo
  Microsoft Certified Solutions Associate

• Sun Ray Smart Card User Authentication

  Hello All,
  I recently installed SRSS 4.1 I created 6 users for testing, 3 of which use SRWC to connect to Windows VM's. My problem is with the smart cards. They are required for the user access the SunRay and that part works, however it doesnt seem the cards are binded to any particular user. For instance any of the 6 cards can be inserted and logged into any of the accounts (correct username and pw of course). I thought that each card was linked to one user account which provided increased security. The way it is working now is kind of useless.
  Any Suggestions?

  Hi,
  It depends very much on which type of card you are using and what authentication mechanism you set up.
  The SIMPLE card that SUN ships as the Sun Ray card does AFAIK not have any options for personalisation on the Card.
  What you can do with it is to use AMGH ( Advanced Multi Group Homeing is a SunRay server feature ) and tie
  the CARD ID to a user name. So that when the card is inserted in the Sun Ray , you user ID will be pre-entered in the
  UNIX login dialoge. But this does not prohibit the card from being used to log in as a differernt user ID .
  If you use the Sun VDI 2.0 ( virtual desktop infrastructure ) software. You need to Populate the Sun Ray Server DataStore
  with the Names that will be used as machine names of the virtual PC's in VMware. It is almost nessesary that the
  User name is equal to the Vmware Virtual Machin name.
  So in VDI the the Username in SRS-DS assoiated with a CARD becomes the virtual Machine name.
  ( this is not the same as the user name in AMGH but keeping the two the same probably limits the confusion )
  If you get hold of a more advanced Public KEY Interchange card, it is possible to set up PKI login to a windows session
  this involves some software in the windows XP client to read the smart card in the Sun Ray and to authenticate the card
  whit PKI to a known certificate that you have stored for the Card in a Directory ( Active Directory or some other one )
  The Sun Ray server can be loaded with the PC/SC - bypass software that allows a Windows server/client using the
  Sun Windows Connector RDP software, to read and write directly to the SmartCard inserted in the SUnRay.
  The Virtual PC or terminal server will work with the Smartcard reader as if it was local on the WIndows machine.
  The "Active CARD" company has such a solution amongst others.
  Regards
  //Lars

• Smart Card on Elevated Permissions

  I'm setting up a QA Web server on a virtual server and having trouble with the Smart Card (this is in order to upgrade from Win03 to Win12 in production). I've been able to bypass the log on with no issue. I've disabled UAC down to the registry level. However,
  I need to recover my private key on a web certificate. To do so, you use CertUtil -repairstore <serial>. When you do this, it is prompting me to insert a smart card for elevated permission (even though I'm running cmd as admin and logged in as admin).
  I haven't been able to find, anywhere, how I can either bypass this or change the prompt to enter credentials. The only option the smart card prompt offers me is "ok" and "cancel" - since it's a virtual machine (and since I don't have a
  smart card) there is no option for me to insert one. Clicking ok does nothing and clicking cancel causes CertUtil to fail with "access denied" (as I would imagine it would). 
  Does anyone know how I can either bypass the smart card prompt or change the prompt to allow for credentials to be entered? I've been Google'ing for days now and feel myself dying a little bit with every search...

  Hi Gesoss,
  Please grant "Issue and Manage Certificates" for your current account
   then try again.
  The related KB:
  Checklist: Configure CAs to Issue and Manage Certificates
  http://technet.microsoft.com/en-us/library/cc771533.aspx
  I’m glad to be of help to you!
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Use smart card for 802.1x secured WiFi authentication

  Hi,
  is it possible to use a certificate stored on a USB Security Token for WiFi 802.1x authentication?
  I have setup a test environment with all required components (AD, Enterprise CA, NPS, WPA2-Enterprise capable WiFi Access Point, all required certificates, all Server 2012 R2 / Windows 8.1 Pro) and created a user certificate for WPA2-Enterprise secured
  WiFi access (802.1x). Everthing works fine as long as the user certificate is stored in the local certificate store of the user's client computer: The user can connect to the WiFi network and the NPS logs show that the user has been authenticated correctly
  and granted access.
  To test this scenario with a Smart Card (Safenet USB Token), I stored that same user certificate on the token (incl. private key). The Safenet software on the client computer automatically makes the certificate stored on the token available in the local
  certificate store as soon as the token has been plugged in (checked via MMC Certificates snap-in). But the certificate can't obviously be used for the desired WiFi authentication: If I try to connect the secured WiFi (the same as in scenario 1) the connection
  fails.
  As I'm using exactly the same certificate in both scenarios, I don't think there's anything wrong with the settings in the certificate, the NPS or any other infrastructure component. The reason for failure in scenario 2 must be lying somewhere in either
  the local client computer configuration or in the Safenet software on the client computer.
  I'm very familiar with all the PKI and authentication stuff, but I'm new to smart cards. Are there differences between different types of smart cards and for what purpose one can use them? (USB tokens, chip cards, virtual tokens, etc.?)
  Has anybody experience in creating a 802.1x secured WiFi access with smart card based user certificates who could advise?
  Thanks + Best Regards
  Matt

  Hi,
  I found some links form technet site which can be helpful in this case
  Network access authentication and certificates
  http://technet.microsoft.com/en-us/library/cc759575(v=ws.10).aspx
  Enable smart card or other certificate authentication
  http://technet.microsoft.com/en-us/library/cc737336(v=ws.10).aspx
  Quote:
  Client certificate requirements
  With EAP-TLS or PEAP-EAP-TLS, the server accepts the client authentication attempt when the certificate meets the following requirements:
  The client certificate is issued by an enterprise CA or mapped to a user or computer account in Active Directory.
  The user or computer certificate on the client chains to a trusted root CA, includes the Client Authentication purpose in EKU extensions (the object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2), and fails neither the checks that are performed
  by CryptoAPI and specified in the remote access policy nor the Certificate object identifier checks that are specified in IAS remote access policy.
  The 802.1X client does not use registry-based certificates that are either smart card-logon or password-protected certificates.
  For user certificates, the Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN).
  For computer certificates, the Subject Alternative Name (SubjectAltName) extension in the certificate must contain the client's fully qualified domain name (FQDN), which is also called the DNS name
  Yolanda Zhu
  TechNet Community Support

• Compaq 6910p Smart card reader and a sim care

  I have a compaq 6910p laptop, what is a  Smart card reader and the sim card use for

  Hey marionholt,
  I am sorry, but to get your issue more exposure, I would suggest posting it in the commercial forums, since this is a commercial product. You can do this at http://h30499.www3.hp.com/hpeb/
  I hope this helps!
  I worked on behalf of HP

• Automatic Smart Card Certificate Renewal

  We have a problem where our Smart Card certificates are starting to expire but the automatic renewal process is failing.
  Is it actually possible to auto renew Smart Card certs without requiring any user input (other than the PIN)?
  There are two errors in the event log -
  Event ID:      16
  Description:
  Certificate enrollment for <domain>\<username> failed to renew a SmartcardLogon certificate with request ID N/A from <ca server name> (Provider could not perform the action since the context was acquired as silent. 0x80090022 (-2146893790)).
  Event ID:      6
  Automatic certificate enrollment for <domain>\<username> failed (0x80090022) Provider could not perform the action since the context was acquired as silent.
  The certificate template is configured with all the correct permissions (Read,Enroll,AutoEnroll) and group policy is configured with the auto enrolment settings. 
  Thanks in advance.

  This may be caused by a incorrect certificate template configuration. In the Request Handling tab (IIRC), there are several radio buttons where you specify whether enrollment may ask for user input during enrollment or not. You need to allow user input
  during enrollment for smart card templates.
  My weblog: en-us.sysadmins.lv
  PowerShell PKI Module: pspki.codeplex.com
  PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
  Check out new: SSL Certificate Verifier
  Check out new:
  PowerShell FCIV tool.

• CAC or smart card use with Oracle database and web server

  I've been asked to smart card (CAC) enable our Oracle web server and database access. We currently use CAC to access many of our other applications.
  Where can I find the following information
  Oracle software required (and is it an additional cost)
  How to integrate Oracle App server (web server) with CAC.
  How would I need to change the database users accounts to be CAC enabled rather than database users accounts.
  Thanks
  steven jackson
  [email protected]
  614-692-9768

  Virtualisation is not certified for Oracle RAC on Windows.
  +Certified Software on Oracle VM [ID 464754.1]+ note states:
  Oracle Real Application Clusters (RAC)
      Oracle 10.2.0.4 and up (10gR2) and 11.1.0.7 and up (11gR1) and 11gR2 RAC for Linux x86 and Linux x86_64 certified on Oracle VM
          Guest OS: Oracle Linux 5.1 (and above) RHEL 5.1 (and above) for Linux x86 / Linux x86_64
          Paravirtualized (PV) mode only (Guest OS and drivers)
          Only supported on Oracle VM 2.1.2 and above
          Live-migration of an Oracle RAC VM is supported with Oracle VM 2.2.1 and above.
          Previous versions are not supported. Please refer to this link for best practices.
          Over-committing CPUs is not recommended, but supported with the following restrictions:
              The total amount of VCPUs allocated to guest domains (running Oracle RAC guests), should not exceed
              two times (2x) the amount of real CPUs / cores in the Oracle VM server.
              The amount of VCPUs allocated to a single guest domain should not exceed the amount of real CPUs /
              cores in the Oracle VM server.
              Maintain Oracle VMs default VCPU allocation for dom-0: Oracle VM will allocate 1 VCPU for each real CPU or core to dom-0.
              CPU pinning is only recommended for hard partitioning. If no hard partitioning is required, CPU pinning should not be used.
          Static support only (dynamic support is being planned):
              Dynamic resizing of guest virtual machine is not supported (VCPU, memory and I/O)
              Virtual Machine Pause/Restore of an active Real Application Cluster virtual machine is not supported.

• Windows smart card logon and kdc certificate (2008R2)

  dear, 
  we are trying to implement a smartcard logon on 2008r2 dc and ca. Environment:
  Domain controller - windows server 2008 R2
  CA - windows server 2008 R2
  testing server - windows server 2008 R2
  when using smartcard logon, a message pops up "The system could not log you on. You cannot use a smart card to log on because smart
  card logon is not supported for your user account. Contact your system administrator to ensure that smart card logon is configured for your organization.".
  The domain controller has an error message : "Event 19: This event indicates an attempt was made to use smartcard logon, but the KDC is unable to use the PKINIT protocol because it is missing a suitable certificate",
  when using "net stop kdc && net start kdc" there is a warning : "event 29 : The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card
  logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate."
  There were 2 dead CAs in the environment, we deleted them manually by following the instructions in http://support.microsoft.com/kb/555151;
  We tried to renew the domain controller certification with the instructions in http://technet.microsoft.com/en-us/library/cc734096.aspx；http://technet.microsoft.com/en-us/library/cc733944(v=ws.10).aspx,
  the result of "certutil -dcinfo verify" seemed to be correct, but the event 19 and 29 are still there. 
  How could we resolve this problem? Thanks in advance 
  The output of "certutil -dcinfo verify" is :
  0: CTXDC
  *** Testing DC[0]: CTXDC
  **  Enterprise Root Certificates for DC CTXDC 
  Certificate 0:
  Serial Number: 781902753c5627b64bd4e45c38b648df
  Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
   NotBefore: 2013/4/11 11:57
   NotAfter: 2018/4/11 12:07
  Subject: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
  Certificate Template Name: CA
  CA Version: V0.0
  Signature matches Public Key
  Root Certificate: Subject matches Issuer
  Template: CA, Root Certification Authority
  Cert Hash(sha1): 24 43 b0 79 33 8d f4 74 2d 52 df 75 3a 50 73 85 62 25 fb 86
  **  KDC certificate for DC
  CTXDC 
  certificate 0:
  Serial Number: 611648d2000000000030
  Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
   NotBefore: 2013/4/21 12:05
   NotAfter: 2014/4/21 12:05
  Subject: CN=CTXDC.demo2.internal.jiean-technologies.lan
  Certificate Template Name: DomainController
  Non-root Certificate
  template: DomainController, domain controller
  Cert Hash(sha1): e5 e5 5f 80 b0 cd 7f b5 3d 86 51 3e f3 70 d0 8e 39 48 45 cd
  dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
  dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
  dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
  Application[0] = 1.3.6.1.5.5.7.3.1
  Server Authentication
  Application[1] = 1.3.6.1.5.5.7.3.2
  Client Authentication
  ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
  HCCE_LOCAL_MACHINE
  CERT_CHAIN_POLICY_NT_AUTH
  -------- CERT_CHAIN_CONTEXT --------
  ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ChainContext.dwRevocationFreshnessTime: 10 Hours, 36 Minutes, 16 Seconds
  SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  SimpleChain.dwRevocationFreshnessTime: 10 Hours, 36 Minutes, 16 Seconds
  CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
    Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
    NotBefore: 2013/4/21 12:05
    NotAfter: 2014/4/21 12:05
    Subject: CN=CTXDC.demo2.internal.jiean-technologies.lan
    Serial: 611648d2000000000030
    SubjectAltName: Other Name:DS object GUID=04 10 f1 68 15 d4 e6 4a 8c 40 80 c6 15 16 1d 26 49 4d, DNS Name=CTXDC.demo2.internal.jiean-technologies.lan
    Template: DomainController
    e5 e5 5f 80 b0 cd 7f b5 3d 86 51 3e f3 70 d0 8e 39 48 45 cd
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      CRL 54:
      Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
      52 95 06 73 26 3a 6a 22 a3 6f d7 6e b2 f3 4c 3d 02 9b 7e 54
      Delta CRL 55:
      Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
      8c c0 97 5e a3 13 9d a1 5c a2 c1 86 e8 65 ff b0 8b ea f4 a3
    Application[0] = 1.3.6.1.5.5.7.3.2
  Server Authentication
    Application[1] = 1.3.6.1.5.5.7.3.1
  Client Authentication
  CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
    Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
    NotBefore: 2013/4/11 11:57
    NotAfter: 2018/4/11 12:07
    Subject: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
    Serial: 781902753c5627b64bd4e45c38b648df
    Template: CA
    24 43 b0 79 33 8d f4 74 2d 52 df 75 3a 50 73 85 62 25 fb 86
    Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
    Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Exclude leaf cert:
    33 0e 29 2d 44 b0 f9 5d a8 7d 03 26 52 e0 cf 00 4c bf 66 2d
  Full chain:
    04 60 4a 63 ea 44 36 5a 8a 3e 43 b5 23 2a ee 8e a6 05 16 3b
  Verified Issuance Policies: None
  Verified Application Policies:
      1.3.6.1.5.5.7.3.2
  Server Authentication
      1.3.6.1.5.5.7.3.1
  Client Authentication
  1 KDC certs for CTXDC
  CertUtil: -DCInfo command completed successfully.

  The KDC certificate must be good for "SmartCard logon" purpose. It is currently not.
  I you do not use smartcards, do not worry.