Windows 7 Smart Card Logon

Hi,
Testing PKI with Windows 7 x64 under a (otherwise) working public key infrastructure (Windows 2008 CA) using Smart Card certificates based on V2 templates. I've enrolled an AD user successfully with a smartcard and validating the cert it looks all ok (via certutil -scinfo). For all intents and purposes the smart card appears ok but when I try to logon with the user and the smartcard inserted in the machine, I get the following error message:
"The system could not log you on. You cannot use a smart card to log on because smart card login is not supported for your user account. Contact your system administrator to ensure that smart card logon is configured for your organization."
Kind of weird message :-/ The smart card reader is in-built on a Dell E6400 ATG... the smart card itself is a Gemalto .NET based card. I've validated that the cert is correctly written to the card via the netsolutions site at Gemalto ... Windows 7 reads the smart card and the user ID correctly from the GUI Logon screen ... it's only when I enter the PIN and it attempts to logon do I get the above message....
Is there anything "special" I need to do in Windows 7 or in group policy to enable smart card support?? This has worked fine in the past on XP....
Both the smart card service and the certificate propogation service are running...
Regards,
Mylo

Stigh,
OK..... I've got it working with Windows 7 on the 6400 together with the Mobile Internet Broadband using domain-based interactive logon.... so the pressures off at least at this end :-)
"I actually disagree."
I can see you're healthy motivated to fix the problem.. which is good :-)
"As long as there is a EKU in the certificate, it should work for local logon."
Agreed (kind of).. although in your case the common name (the username) is the key identifier for logon purposes.. a UPN in this case is moot as there is no domain to speak of.... I'm assuming the Smart Card Login OID is present in your certificate template together with Client Authentication, and that the purpose is set to "Signature and Smartcard Logon".. I'm working with V2 templates at the mo...
"In GPedit, under Computer Configuration-Windows Components-Smart Card there are policies to disable certain paramters. I need to read more on those.
In my case I haven't tweaked any settings via GPO... to resolve the problem described earlier I ended adding the AMT HECI driver for the chipset and the Broadcom drivers from the Connection Manager packs.... I suspect it was the latter that was the problem. Again I haven't installed any Dell Connection Manager software so I'm relying purely on drivers.
"Btw; Dell SmartCard is not available for shopping in Norway where I'm located; so I can not enroll any cards through Controlpoint/Wave manager. My Gemalto.NET card is purchased from a local store"
The Gemalto drivers from Windows 7 RTM worked ok for me.
"The reason for using the laptop as stand alone outside domain is that it's "never" connected locally to any wired network, and there is no reason for it to be a member of the domain.
OK, but here's where I disagree :-) .. the machine in question will need to connect back to your Enterprise CA certificate distribution point (CDP) to check that the certificate is valid. That's part of basic PKI functionality to ensure certificates are valid. In your case, you'll need an HTTP-based CDP reachable from the local machine, i.e. reachable over a LAN or over the Internet from the "stand-alone" machine, as default LDAP CDP's are meaningless as your client is not domain-joined. Otherwise, you'll need to turn off certificate revokation on the local machine completely, which is diluting security even further.
"Its only connecting through RDP and for Outlook (Exchange 2007). Here I use the certificate for RDP logon and for signing/encrypting emails."
I was slight confused here.. so you don't intend to use the smartcard for local logon? If this is the case this is a workable scenario. You can use a smartcard from a non-domain joined machine to connect for RDP logon. S/MIME is also possible from Outlook, but YMMV as you may run into trust issues when sending encrypted mails to parties that don't trust your CA. Again, bear in mind the comments made earlier about the CDP... the "stand-alone" machine will still need to "connect" back to the CA to access the CDP/AIA, plus you'll have to do certificate renewals etc.
On a parting note, you need to be clear about why you really need to use smart cards (in this scenario). You're working outside the normal working conventions of Windows with a non-domain joined machine and the pay-off in this case is negligible. I'm not trying to dissuade you from continuing but it's likely to be an uphill struggle.
Good luck and post back if you want to discuss further!
Regards,
Mylo

Similar Messages

Windows smart card logon and kdc certificate (2008R2)

dear,
we are trying to implement a smartcard logon on 2008r2 dc and ca. Environment:
Domain controller - windows server 2008 R2
CA - windows server 2008 R2
testing server - windows server 2008 R2
when using smartcard logon, a message pops up "The system could not log you on. You cannot use a smart card to log on because smart
card logon is not supported for your user account. Contact your system administrator to ensure that smart card logon is configured for your organization.".
The domain controller has an error message : "Event 19: This event indicates an attempt was made to use smartcard logon, but the KDC is unable to use the PKINIT protocol because it is missing a suitable certificate",
when using "net stop kdc && net start kdc" there is a warning : "event 29 : The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card
logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate."
There were 2 dead CAs in the environment, we deleted them manually by following the instructions in http://support.microsoft.com/kb/555151;
We tried to renew the domain controller certification with the instructions in http://technet.microsoft.com/en-us/library/cc734096.aspx；http://technet.microsoft.com/en-us/library/cc733944(v=ws.10).aspx,
the result of "certutil -dcinfo verify" seemed to be correct, but the event 19 and 29 are still there.
How could we resolve this problem? Thanks in advance
The output of "certutil -dcinfo verify" is :
0: CTXDC
*** Testing DC[0]: CTXDC
** Enterprise Root Certificates for DC CTXDC
Certificate 0:
Serial Number: 781902753c5627b64bd4e45c38b648df
Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
NotBefore: 2013/4/11 11:57
NotAfter: 2018/4/11 12:07
Subject: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
Certificate Template Name: CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): 24 43 b0 79 33 8d f4 74 2d 52 df 75 3a 50 73 85 62 25 fb 86
** KDC certificate for DC
CTXDC
certificate 0:
Serial Number: 611648d2000000000030
Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
NotBefore: 2013/4/21 12:05
NotAfter: 2014/4/21 12:05
Subject: CN=CTXDC.demo2.internal.jiean-technologies.lan
Certificate Template Name: DomainController
Non-root Certificate
template: DomainController, domain controller
Cert Hash(sha1): e5 e5 5f 80 b0 cd 7f b5 3d 86 51 3e f3 70 d0 8e 39 48 45 cd
dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
Application[0] = 1.3.6.1.5.5.7.3.1
Server Authentication
Application[1] = 1.3.6.1.5.5.7.3.2
Client Authentication
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_NT_AUTH
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 10 Hours, 36 Minutes, 16 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 10 Hours, 36 Minutes, 16 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
NotBefore: 2013/4/21 12:05
NotAfter: 2014/4/21 12:05
Subject: CN=CTXDC.demo2.internal.jiean-technologies.lan
Serial: 611648d2000000000030
SubjectAltName: Other Name:DS object GUID=04 10 f1 68 15 d4 e6 4a 8c 40 80 c6 15 16 1d 26 49 4d, DNS Name=CTXDC.demo2.internal.jiean-technologies.lan
Template: DomainController
e5 e5 5f 80 b0 cd 7f b5 3d 86 51 3e f3 70 d0 8e 39 48 45 cd
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
CRL 54:
Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
52 95 06 73 26 3a 6a 22 a3 6f d7 6e b2 f3 4c 3d 02 9b 7e 54
Delta CRL 55:
Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
8c c0 97 5e a3 13 9d a1 5c a2 c1 86 e8 65 ff b0 8b ea f4 a3
Application[0] = 1.3.6.1.5.5.7.3.2
Server Authentication
Application[1] = 1.3.6.1.5.5.7.3.1
Client Authentication
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
NotBefore: 2013/4/11 11:57
NotAfter: 2018/4/11 12:07
Subject: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
Serial: 781902753c5627b64bd4e45c38b648df
Template: CA
24 43 b0 79 33 8d f4 74 2d 52 df 75 3a 50 73 85 62 25 fb 86
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Exclude leaf cert:
33 0e 29 2d 44 b0 f9 5d a8 7d 03 26 52 e0 cf 00 4c bf 66 2d
Full chain:
04 60 4a 63 ea 44 36 5a 8a 3e 43 b5 23 2a ee 8e a6 05 16 3b
Verified Issuance Policies: None
Verified Application Policies:
1.3.6.1.5.5.7.3.2
Server Authentication
1.3.6.1.5.5.7.3.1
Client Authentication
1 KDC certs for CTXDC
CertUtil: -DCInfo command completed successfully.

The KDC certificate must be good for "SmartCard logon" purpose. It is currently not.
I you do not use smartcards, do not worry.

Smart card logon with third party CA combined with ADFS to Office 365

Greetings,
I've been trying figure out how to implement ADFS to Office 365 in MS cloud in our environment, with little luck. I have a working 2012 domain and we are already using smart card logon on Windows 7/8 workstations. Certificates on smart cards are issued by
3rd party CA. This far every thing is fine and working, necessary root certificates are added to trusted Trusted Root Certification Authorities, UPN suffixes and users' UPNs are set according to UPN on the certificates and users successfully log on to
workstations with smart cards.
Now I face the requirement to enable SSOto Office 365 with accounts from our AD. I've been told by our MS partner and Dr. Google that in order to do that user account name (upn) in AD and in O365 need to match. Now the fact that account UPN in our AD is
not usable in O365 (because it is set to match 3rd party certificate UPN) and I have not found a way to enable smart card log on without changing UPN in AD.
Does anyone has experience of such a configuration? Is it possible to use AD federation to O365 at all in our case?
Best regards, and thanks in advance
Timo

On Fri, 25 Apr 2014 09:27:05 +0000, Timo Kallioniemi wrote:
Now I face the requirement to enable SSOto Office 365 with accounts from our AD. I've been told by our MS partner and Dr. Google that in order to do that user account name (upn) in AD and in O365 need to match. Now the fact that account UPN in our AD
is not usable in O365 (because it is set to match 3rd party certificate UPN) and I have not found a way to enable smart card log on without changing UPN in AD.
Does anyone has experience of such a configuration? Is it possible to use AD federation to O365 at all in our case?
This is not a general Windows server security issue. You should post your
question in an O365 support forum.
http://community.office365.com/en-us/f/default.aspx
Paul Adare - FIM CM MVP
Technology is dominated by two types of people: Those who understand
what they do not manage. Those who manage what they do not understand.
-- Putt's Law

KDC Event ID 29 - The KDC cannot find a suitable certificate to use for smart card logons...

I am getting the event (below) every day on a new 2008 domain controller that I brought up recently. The DC has a domain controller certificate, that was automatically issued by an online enterprise CA. This CA is located in another domain (child domain) within the same forest. The 2008 DC is in the top-lvel domain. None of the other domain controllers , which are 2003, are reporting this message. I ran certutil.exe, and it successfully verifies all domain controller certificates, including the certificate on my new 2008 DC. Any ideas why these messages continue to appear?
The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

Hi,
I have checked the file. Here is my findings:
1.    The computer name of the domain controllers are different in this dcinfo.txt file. There is no Swampoak. I would like to confirm which one is Windows Server 2008 domain controller.
2.    The domain controller Buckeye and Madrone both have 2 KDC certificates, one is expired and the other one is valid:
*** Testing DC[0]: MADRONE
** KDC Certificates for DC MADRONE
Certificate 0: -à Valid
Serial Number: 116bbdd90000000000b6
Issuer: ***
NotBefore: 12/15/2008 2:28 AM
NotAfter: 12/15/2009 2:28 AM
Subject: CN=madrone.****
Certificate Template Name (Certificate Type): DomainController
Non-root Certificate
Template: DomainController, Domain Controller
Certificate 1:   --à Expired
Serial Number: 15c2f00b000000000028
Issuer: ****
NotBefore: 3/9/2007 3:05 PM
NotAfter: 3/8/2008 3:05 PM
Subject: EMPTY (DNS Name=madrone.****)
Non-root Certificate
Template: DomainControllerAuthentication, Domain Controller Authentication
*** Testing DC[1]: BUCKEYE
** KDC Certificates for DC BUCKEYE
Certificate 0: -à Expired
Serial Number: 15c4ddc2000000000029
Issuer: *****
NotBefore: 3/9/2007 3:07 PM
NotAfter: 3/8/2008 3:07 PM
Subject: EMPTY (DNS Name=buckeye.****)
Non-root Certificate
Template: DomainControllerAuthentication, Domain Controller Authentication
Certificate 1: -à Valid
Serial Number: 115f34ec0000000000b4
Issuer: ****
NotBefore: 12/15/2008 2:15 AM
NotAfter: 12/15/2009 2:15 AM
Subject: CN=buckeye.****
Certificate Template Name (Certificate Type): DomainController
Non-root Certificate
Template: DomainController, Domain Controller
Suggestion:
1.    Please delete the expired certificate and then reboot the domain controller and test the issue again.
2.    If the issue persists, please request a new Domain Controller Authentication certificate on the domian controller and check the result.

Set up a smart card for user logon to windows server 2012 R2

Good Evening,
I have Windows Server 2012 R2 Datacenter edition (dreamspark license)
Is it possible to successfully set up smart card logon to a server ? I already have the smart card reader, smart card and the certificate (which is also my digital signature) I know how to setup a DC role (as far as I know, the server has to be in a domain
to use smart card logon) I would like to logon using to my PC using a smart card and set the certificate I already have to use as a certificate for logon.
Kind Regards,
Tomasz

It would take a few things to do this, and could cause some security issues. In short, I assume the certificate you "already have" came from another environment or a commercial provider. You would need to configure your computer to trust that CA
to be an issuer of smart card authentication certificates. That effectively moves a good portion of your computer security control out of your environment. For many environments that is an unacceptable security risk.
If you dont have an Active Directory running, you will also need to make some accommodations to the standard guides. I dont believe there are any published guides on how to do this with a single server and third-party CAs.
Here are some references for generic smart card authentications. They are not 100% applicable to your need, so some interpretation is going to be needed.
http://msdn.microsoft.com/en-us/library/windows/desktop/aa380142(v=vs.85).aspx
http://msdn.microsoft.com/en-us/library/windows/desktop/aa380142(v=vs.85).aspx
Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years.

Logon with Virtual Smart Card Breaks Run As Administrator

I've been testing the Virtual Smart Card (VSC) capability on a Surface Pro 2 and Dell Latitude E7240.
This may be by design however, I have noticed that if I login using the VSC I am unable to use "Run As Administrator" functionality - for example:
Command Prompt from Start Screen
Task Manager
I'm prompted for a username / password or the VSC PIN.
In my environment the Administrative user does not have a VSC, so it is a username/password. When using Run As Administrator I'm therefore always entering a username and password.
Once the credentials are entered the prompt goes away but the application never runs.
If I lock/unlock the session and login using username/password for the non-admin user, instead of the VSC and PIN, I am able to elevate using Run As.
I have noticed that I can use the workaround as specified in this article:
http://support.microsoft.com/kb/2013976
To work around this issue, start the application using the Run as different user right-click context menu option and select the smart card reader of choice.
Click Start, select Programs, and locate the shortcut item in the Programs menu or the application folder for the application you want to run
Hold down the SHIFT key while you right-click the shortcut item, and select Run as different user.
Enter the username, password and the domain name or choose a smart card logon.
Seems a little odd... maybe I am missing something. If anyone can assist that would be great.
Thanks, Chris
MCTS 70-640 | MCTS 70-642 | Prince2 Practitioner| ITIL Foundation v3 | http://www.cb-net.co.uk

Hi Chris,
I also have this issue. I think it is a known issue for Windows.
I did some more research in web and found what I was looking for.
RUNAS /SMARTCARD Only Supports a Single Smart Card Reader
http://support.microsoft.com/kb/2013976
How Smart Card Logon Works in Windows
http://technet.microsoft.com/en-us/library/ff404285(v=WS.10).aspx
Guidelines for enabling smart card logon with third-party certification authorities
http://support.microsoft.com/kb/281245
Thanks

Using smart card/nfc tag for authentication on Windows 8 devices NOT in a domain

Title says it all. We have Sony RC-S380 readers and Acer Iconia W510 tablets with builtin Broadcom NFC chips. We can read tags and configure them for the usual proximity stuff (URIs, mail, etc.) but we are looking for authentication purposes, however without
using ADFS or domain security. Can anyone point us in the right direction?

Hi,
By default, smart card is not available for stand alone computer and local account.
This authentication technology might be helpful to you:
EIDAuthenticate - Smart card logon on stand alone computers and local accounts
http://www.mysmartlogon.com/products/eidauthenticate.html
Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
Karen Hu
TechNet Community Support

RDS Gateway + Smart Card Error [ The specified user name does not exist.]

I have the following Windows Server 2008 R2 servers:
addsdc.contoso.com, AD DS Domain Controller for contoso.com
adcsca.contoso.com, AD CS Enterprise CA, CDPs/AIAs published externally.
fileserver.contoso.com, RDS Session Host for Administration enabled
rdsgateway.contoso.com, RDS Gateway enabled
tmgserver.contoso.com, 'Publishing' rdsgateway.contoso.com but with pass-through authentication
And the following Windows 7 PCs:
internalclient.contoso.com
externalclient.fabrikam.com
There's no trust between the domains, the external client is completely separate on the internet but the CA certificate for contoso.com has been installed in the trusted Root CA store. All servers have certificates for secure RDP.
I enrolled for a custom 'Smart Card Authentication' certificate with Client Authentication and Smart Card Logon EKUs from the CA, stored on my new Gemalto smart card using the Microsoft Base Smart Card CSP.
From internalclient.contoso.com, I can RDP to fileserver.contoso.com
using the smart card just fine with no certificate errors.
From externalclient.fabrikam.com, I can RDP to fileserver.contoso.com
via rdsgateway.contoso.com using a username and password just fine with no certificate errors.
From externalclient.fabrikam.com, I can RDP to fileserver.contoso.com
via rdsgateway.contoso.com using the smart card to authenticate to the gateway, and a username and password to authenticate to the end server, just fine.
BUT from when using a smart card to authenticate to the end server via the gateway, it fails with:
The specified user name does not exist. Verify the username and try logging in again. If the problem continues, contact your system administrator or technical support.
When I move the client into the internal network and try the connection again (still via the RDS Gateway), it works fine - the only thing I can think of is being outside the network and not being able to contact the AD DS DC for Kerberos is causing the issue
- but I'm pretty sure this is a supported scenario?
The smart card works fine internally, the subject of the certificate is the user's common name (John Smith) and the only SAN is
[email protected] which matches the UPN of the user account as it was auto-enrolled.
Does anyone have any ideas?

I had a similar issue where I am using a smart card through a Remote Desktop Gateway. I had to disable Network Level Authentication (NLA) on the destination Remote Desktop Server. If anyone has another way around this, I'd appreciate hearing it. I'd prefer
to use NLA.

Use smart card for 802.1x secured WiFi authentication

Hi,
is it possible to use a certificate stored on a USB Security Token for WiFi 802.1x authentication?
I have setup a test environment with all required components (AD, Enterprise CA, NPS, WPA2-Enterprise capable WiFi Access Point, all required certificates, all Server 2012 R2 / Windows 8.1 Pro) and created a user certificate for WPA2-Enterprise secured
WiFi access (802.1x). Everthing works fine as long as the user certificate is stored in the local certificate store of the user's client computer: The user can connect to the WiFi network and the NPS logs show that the user has been authenticated correctly
and granted access.
To test this scenario with a Smart Card (Safenet USB Token), I stored that same user certificate on the token (incl. private key). The Safenet software on the client computer automatically makes the certificate stored on the token available in the local
certificate store as soon as the token has been plugged in (checked via MMC Certificates snap-in). But the certificate can't obviously be used for the desired WiFi authentication: If I try to connect the secured WiFi (the same as in scenario 1) the connection
fails.
As I'm using exactly the same certificate in both scenarios, I don't think there's anything wrong with the settings in the certificate, the NPS or any other infrastructure component. The reason for failure in scenario 2 must be lying somewhere in either
the local client computer configuration or in the Safenet software on the client computer.
I'm very familiar with all the PKI and authentication stuff, but I'm new to smart cards. Are there differences between different types of smart cards and for what purpose one can use them? (USB tokens, chip cards, virtual tokens, etc.?)
Has anybody experience in creating a 802.1x secured WiFi access with smart card based user certificates who could advise?
Thanks + Best Regards
Matt

Hi,
I found some links form technet site which can be helpful in this case
Network access authentication and certificates
http://technet.microsoft.com/en-us/library/cc759575(v=ws.10).aspx
Enable smart card or other certificate authentication
http://technet.microsoft.com/en-us/library/cc737336(v=ws.10).aspx
Quote:
Client certificate requirements
With EAP-TLS or PEAP-EAP-TLS, the server accepts the client authentication attempt when the certificate meets the following requirements:
The client certificate is issued by an enterprise CA or mapped to a user or computer account in Active Directory.
The user or computer certificate on the client chains to a trusted root CA, includes the Client Authentication purpose in EKU extensions (the object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2), and fails neither the checks that are performed
by CryptoAPI and specified in the remote access policy nor the Certificate object identifier checks that are specified in IAS remote access policy.
The 802.1X client does not use registry-based certificates that are either smart card-logon or password-protected certificates.
For user certificates, the Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN).
For computer certificates, the Subject Alternative Name (SubjectAltName) extension in the certificate must contain the client's fully qualified domain name (FQDN), which is also called the DNS name
Yolanda Zhu
TechNet Community Support

Connect a smart Card

After connecting my computer to Microsoft for updates it has locked me out of administrative access. When wanting to install a software it keeps on saying connect a smart card. I have tried to go on start-Run -and typed gpedit.msc and it says access denied
you do not have permission to perform this operation Group policy error. Please help on how l can resolve this problem. I cant even do any other setting changes on my machine. I am using windows 8.1 pro wit media center on an asus 64bit.

Hi,
Have you any other Administrator account?
If yes, please log on with that account to disable the Smart Card Logon.
Start --> Run --> type gpedit.msc and press Enter.
Navigate to:
Computer Configuration\Administrative Templates\Windows Components\Smart Card
Right-click Turn on Smart Card Plug and Play service and click Edit to disable.
If no, please logon with the built-in administrator to do that if it's enabled.
Otherwise, there is no any other method except reinstallation.
Karen Hu
TechNet Community Support

Authenticate to the Domain using a Smart Card

Hi,
I'm trying to get authenticated using the Smart Card but got the following error messages:
On the Windows XP client, we inserted the PIV card, entered the PIN but received an error message “The system could not log you on. The server authenticating you reported an error (0xC00000BB).”
On the Windows 7 client, we received an error message “The system could not log you on. You cannot use a smart card to log on because smart card logon is not supported for your user account.”
Here is our environment:
-          Domain: Windows 2008 R2
-          Client: Windows XP SP3 and Windows 7
-          Smart Card: USAccess issued PIV card
-          Care Reader: SCR3310
-          Middleware: ActiveClient
Here is what I have already done:
-          Imported the following Entrust certificates from http://sspweb.managed.entrust.com/EMSPKIFSSPCACertificateInformation.html into the Domain under the Trusted Root Certification Authorities
o   Common Policy CA Certificate
o   Common Policy to EMSPKI trust certificate
o   Federal Root CA Expires 06/01/2012
o   Federal SSP CA Expires 05/31/2012
o   Federal Root CA Expires 05/09/2019
o   Federal SSP CA Expires 05/08/2019
-          Added the certificates to the NTAuth store in the Domain
-          Posted Domain controller certificate (issued by NIST internal CA) in the NTAuth store
-          Updated my UPN on the domain to match with the Subject Alternative Name on the card “[email protected]”
-          Domain policy pushed down the Entrust certificates and Domain Controller certificate to the client computer
-          Made PIV Card certificates available to the Windows via ActiveClient middleware
Am I missing some steps or configuration?
Thank you,

To solve one of the issues related to:
"The system could not log you on. You cannot use a smart card to log on because smart card login is not supported for your user account. Contact
your system administrator to ensure that smart card logon is configured for your organization."
On the client side.
Ensure that the Certificate is assigned the Client Authentication function.
You can do this on Internet Explorer:
Tools -> Internet Options -> Content -> Certificates
Then select the certificate
Click the ‘Advanced’ button, this opens the Advanced Options dialog box.
Under ‘Certificate purposes:’ box check:
|X| Client Authentication

Compiling rdesktop with Smart Card support?

Hello,
I've tried like the dikens to compile "rdesktop" (an open source solution to connect Windoze PCs using Microsoft RDP protocol). I can compile and run the source code, but I find it impossible to compile in smart card support. I've tried everything to get the "pcsc-lite" components to compile in - but I'm too much of a makefile noob I'm afraid.
Anyone know how to do this?
There's a related discussion at http://discussions.apple.com/thread.jspa?messageID=8652963.
Any help appreciated
~Matt

Hi,
Thank you for posting in Windows Server Forum.
In a Remote Desktop scenario, a user is using a remote server for running services, and the smart card is local to the computer that the user is using. In a smart card logon scenario, the smart card service on the remote server redirects to the smart card reader
connected to the local computer where the user is trying to log on. You can refer following article for details.
Smart Card and Remote Desktop Services
http://technet.microsoft.com/en-us/library/ff404286(v=ws.10).aspx
Hope it helps!
Thanks.
Dharmesh Solanki
TechNet Community Support

Customize Non-Smart Card Mobility (NSCM) login screen

Is there a way to customize the NSCM login screen to have customer-specific content in it?

Hi Chris,
I also have this issue. I think it is a known issue for Windows.
I did some more research in web and found what I was looking for.
RUNAS /SMARTCARD Only Supports a Single Smart Card Reader
http://support.microsoft.com/kb/2013976
How Smart Card Logon Works in Windows
http://technet.microsoft.com/en-us/library/ff404285(v=WS.10).aspx
Guidelines for enabling smart card logon with third-party certification authorities
http://support.microsoft.com/kb/281245
Thanks

Virtual Smart Cards with a 3rd Party CA

Hi,
I am new to this but we want to start implemeting virtual smart cards but I am having difficult finding out how to use a 3rd party CA with them. Any help would be appreciated.
Thanks in advace,
Liz

Hi Liz,
Here is an article below which could be useful to you:
Guidelines for enabling smart card logon with third-party certification authorities
http://support.microsoft.com/kb/281245
Best Regards,
Amy

Generate certificates valid for smart card (Windows logon) with third party PKI (not Microsoft)

Hello everyone
today I am working on a mounted on a Red Hat Enterprise PKI
Linux Server release 5.5 (Tikanga) is Easycert 5.2.2.15. We need to know what are the necessary data that we have to go to the PKI so it can generate certificates of users in Active Directory for use with a USB Token (ACOS5-64 CHIP CRYPTO) functioning as Smart
Card to make the login of users on computers.
On the other hand also we need to know the necessary settings between the third party pki and the domains controllers (Windows 2012).
Greetings and I hope for you response.
TechCach

> It is for Windows 2012.
nothing changed since Windows Server 2003. Here is a KB article:
http://support2.microsoft.com/kb/281245
> Is
the
scenario
supported
by
microsoft?
yes, of course. See KB article above.
My weblog: en-us.sysadmins.lv
PowerShell PKI Module: pspki.codeplex.com
PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
Check out new: SSL Certificate Verifier
Check out new:
PowerShell FCIV tool.

Windows 7 Smart Card Logon

Similar Messages

Maybe you are looking for