Windows smart card logon and kdc certificate (2008R2)

Dear,
We are trying to implement smart card logon on a 2008 R2 DC and CA. Environment:
Domain controller - windows server 2008 R2
CA - windows server 2008 R2
testing server - windows server 2008 R2
When using smart card logon, a message pops up: "The system could not log you on. You cannot use a smart card to log on because smart card logon is not supported for your user account. Contact your system administrator to ensure that smart card logon is configured for your organization."
The domain controller has an error message: "Event 19: This event indicates an attempt was made to use smartcard logon, but the KDC is unable to use the PKINIT protocol because it is missing a suitable certificate".
When using "net stop kdc && net start kdc" there is a warning: "Event 29: The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate."
There were 2 dead CAs in the environment; we deleted them manually by following the instructions in http://support.microsoft.com/kb/555151.
We tried to renew the domain controller certificate with the instructions in http://technet.microsoft.com/en-us/library/cc734096.aspx and http://technet.microsoft.com/en-us/library/cc733944(v=ws.10).aspx; the result of "certutil -dcinfo verify" seemed to be correct, but events 19 and 29 are still there.
How could we resolve this problem? Thanks in advance.
The output of "certutil -dcinfo verify" is:
0: CTXDC
*** Testing DC[0]: CTXDC
**  Enterprise Root Certificates for DC CTXDC 
Certificate 0:
Serial Number: 781902753c5627b64bd4e45c38b648df
Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
 NotBefore: 2013/4/11 11:57
 NotAfter: 2018/4/11 12:07
Subject: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
Certificate Template Name: CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): 24 43 b0 79 33 8d f4 74 2d 52 df 75 3a 50 73 85 62 25 fb 86
**  KDC Certificates for DC CTXDC
Certificate 0:
Serial Number: 611648d2000000000030
Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
 NotBefore: 2013/4/21 12:05
 NotAfter: 2014/4/21 12:05
Subject: CN=CTXDC.demo2.internal.jiean-technologies.lan
Certificate Template Name: DomainController
Non-root Certificate
template: DomainController, domain controller
Cert Hash(sha1): e5 e5 5f 80 b0 cd 7f b5 3d 86 51 3e f3 70 d0 8e 39 48 45 cd
dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
Application[0] = 1.3.6.1.5.5.7.3.1
Server Authentication
Application[1] = 1.3.6.1.5.5.7.3.2
Client Authentication
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_NT_AUTH
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 10 Hours, 36 Minutes, 16 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 10 Hours, 36 Minutes, 16 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
  NotBefore: 2013/4/21 12:05
  NotAfter: 2014/4/21 12:05
  Subject: CN=CTXDC.demo2.internal.jiean-technologies.lan
  Serial: 611648d2000000000030
  SubjectAltName: Other Name:DS object GUID=04 10 f1 68 15 d4 e6 4a 8c 40 80 c6 15 16 1d 26 49 4d, DNS Name=CTXDC.demo2.internal.jiean-technologies.lan
  Template: DomainController
  e5 e5 5f 80 b0 cd 7f b5 3d 86 51 3e f3 70 d0 8e 39 48 45 cd
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    CRL 54:
    Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
    52 95 06 73 26 3a 6a 22 a3 6f d7 6e b2 f3 4c 3d 02 9b 7e 54
    Delta CRL 55:
    Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
    8c c0 97 5e a3 13 9d a1 5c a2 c1 86 e8 65 ff b0 8b ea f4 a3
  Application[0] = 1.3.6.1.5.5.7.3.2
Server Authentication
  Application[1] = 1.3.6.1.5.5.7.3.1
Client Authentication
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
  NotBefore: 2013/4/11 11:57
  NotAfter: 2018/4/11 12:07
  Subject: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
  Serial: 781902753c5627b64bd4e45c38b648df
  Template: CA
  24 43 b0 79 33 8d f4 74 2d 52 df 75 3a 50 73 85 62 25 fb 86
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Exclude leaf cert:
  33 0e 29 2d 44 b0 f9 5d a8 7d 03 26 52 e0 cf 00 4c bf 66 2d
Full chain:
  04 60 4a 63 ea 44 36 5a 8a 3e 43 b5 23 2a ee 8e a6 05 16 3b
Verified Issuance Policies: None
Verified Application Policies:
    1.3.6.1.5.5.7.3.2
Server Authentication
    1.3.6.1.5.5.7.3.1
Client Authentication
1 KDC certs for CTXDC
CertUtil: -DCInfo command completed successfully.

The KDC certificate must be good for the "SmartCard logon" purpose. It is currently not.
If you do not use smart cards, do not worry.
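The answer above says the KDC certificate is not good for smart card logon; what the dump actually shows is a DomainController-template certificate carrying only the Server Authentication and Client Authentication EKUs. The script below is added here and is not part of the thread: it parses "certutil -dcinfo verify" output and flags KDC certificates that are expired or lack the KDC Authentication EKU (1.3.6.1.5.2.3.5), which the Kerberos Authentication template issues and the DomainController template does not. The SAMPLE dump (CTXDC mirrors the question's output; DC2 is invented), and all function names are constructed for this example.

```python
"""Check a 'certutil -dcinfo verify' dump for a KDC certificate PKINIT can use.

Added example, not code from the thread. Parses the text certutil prints and
reports per DC whether any KDC certificate is inside its validity period and
carries the KDC Authentication EKU. SAMPLE is constructed (see below).
"""
import re
from datetime import datetime

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # Server Authentication (DomainController template)
KDC_AUTH = "1.3.6.1.5.2.3.5"       # KDC Authentication (Kerberos Authentication template)
DATE_FORMATS = ("%Y/%m/%d %H:%M", "%m/%d/%Y %I:%M %p")  # certutil dates are locale-dependent

DC_RE = re.compile(r"\*\*\* Testing DC\[\d+\]: (\S+)")
CERT_RE = re.compile(r"Certificate (\d+):", re.IGNORECASE)
EKU_RE = re.compile(r"Application\[\d+\] = (\S+)")
FIELD_RE = re.compile(r"(Serial Number|Subject|NotBefore|NotAfter|Certificate Template Name)"
                      r"( \([^)]*\))?:\s*(.*)")


def parse_date(text):
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text.strip(), fmt)
        except ValueError:
            continue
    raise ValueError("unrecognised certutil date: %r" % text)


def parse_dcinfo(text):
    """Return {dc_name: [cert dict, ...]} from the 'KDC Certificates for DC' sections."""
    dcs, certs, kdc, cert = {}, None, False, None
    for line in (ln.strip() for ln in text.splitlines()):
        if DC_RE.match(line):
            certs = dcs.setdefault(DC_RE.match(line).group(1), [])
            kdc, cert = False, None
        elif line.startswith("**"):  # '** <kind> for DC <name>' section header
            kdc, cert = "kdc certificate" in line.lower(), None
        elif certs is None or not kdc:
            continue
        elif CERT_RE.match(line):
            cert = {"ekus": []}
            certs.append(cert)
        elif cert is not None and FIELD_RE.match(line):
            m = FIELD_RE.match(line)  # the chain dump repeats issuer fields: keep the leaf's
            cert.setdefault(m.group(1), m.group(3).strip())
        elif cert is not None and EKU_RE.match(line):
            oid = EKU_RE.match(line).group(1)
            if oid not in cert["ekus"]:
                cert["ekus"].append(oid)
    return dcs


def assess(cert, now):
    """List why a KDC certificate is unusable as of `now`; an empty list means OK."""
    problems = []
    if "NotAfter" in cert and parse_date(cert["NotAfter"]) < now:
        problems.append("expired on " + cert["NotAfter"])
    if "NotBefore" in cert and parse_date(cert["NotBefore"]) > now:
        problems.append("not valid before " + cert["NotBefore"])
    for oid, name in ((SERVER_AUTH, "Server Authentication"), (KDC_AUTH, "KDC Authentication")):
        if oid not in cert["ekus"]:
            problems.append("no %s EKU (%s)" % (name, oid))
    return problems


def report(text, now):
    """Per DC: usable flag plus (subject, template, problems) for every KDC certificate."""
    result = {}
    for dc, certs in parse_dcinfo(text).items():
        rows = [(c.get("Subject", "?"), c.get("Certificate Template Name", "?"), assess(c, now))
                for c in certs]
        result[dc] = {"usable": any(not p for _, _, p in rows), "certs": rows}
    return result


# Constructed dump: CTXDC mirrors the question, DC2 is invented (expired cert + good one).
SAMPLE = """\
*** Testing DC[0]: CTXDC
**  KDC Certificates for DC CTXDC
Certificate 0:
 NotBefore: 2013/4/21 12:05
 NotAfter: 2014/4/21 12:05
Subject: CN=CTXDC.demo2.internal.jiean-technologies.lan
Certificate Template Name: DomainController
Application[0] = 1.3.6.1.5.5.7.3.1
Application[1] = 1.3.6.1.5.5.7.3.2
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Subject: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
*** Testing DC[1]: DC2
**  KDC Certificates for DC DC2
Certificate 0:
 NotBefore: 2011/4/1 09:00
 NotAfter: 2012/4/1 09:00
Subject: CN=dc2.example.lan
Certificate Template Name: DomainController
Application[0] = 1.3.6.1.5.5.7.3.1
Certificate 1:
 NotBefore: 2013/4/1 09:00
 NotAfter: 2014/4/1 09:00
Subject: CN=dc2.example.lan
Certificate Template Name: KerberosAuthentication
Application[0] = 1.3.6.1.5.5.7.3.1
Application[1] = 1.3.6.1.5.2.3.5
"""


def check_sample():
    """Evaluate SAMPLE as of 2013-05-01 so the verdict does not depend on today's date."""
    return report(SAMPLE, datetime(2013, 5, 1))
```

Run it against a real dump with `report(open("dcinfo.txt").read(), datetime.now())`; a DC whose only KDC certificate reports "no KDC Authentication EKU" has nothing for PKINIT beyond the legacy DomainController certificate.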

Similar Messages

  • Windows 7 Smart Card Logon

    Hi,
    Testing PKI with Windows 7 x64 under a (otherwise) working public key infrastructure (Windows 2008 CA) using Smart Card certificates based on V2 templates. I've enrolled an AD user successfully with a smartcard and validating the cert it looks all ok (via certutil -scinfo). For all intents and purposes the smart card appears ok but when I try to logon with the user and the smartcard inserted in the machine, I get the following error message:
    "The system could not log you on. You cannot use a smart card to log on because smart card login is not supported for your user account. Contact your system administrator to ensure that smart card logon is configured for your organization."
    Kind of weird message :-/ The smart card reader is in-built on a Dell E6400 ATG... the smart card itself is a Gemalto .NET based card. I've validated that the cert is correctly written to the card via the netsolutions site at Gemalto ... Windows 7 reads the smart card and the user ID correctly from the GUI Logon screen ... it's only when I enter the PIN and it attempts to logon do I get the above message....
    Is there anything "special" I need to do in Windows 7 or in group policy to enable smart card support?? This has worked fine in the past on XP....
    Both the smart card service and the certificate propagation service are running...
    Regards,
    Mylo

    Stigh,
    OK..... I've got it working with Windows 7 on the 6400 together with the Mobile Internet Broadband using domain-based interactive logon.... so the pressure's off at least at this end :-)
    "I actually disagree."
    I can see you're healthily motivated to fix the problem.. which is good :-)
    "As long as there is a EKU in the certificate, it should work for local logon."
    Agreed (kind of).. although in your case the common name (the username) is the key identifier for logon purposes..  a UPN in this case is moot as there is no domain to speak of.... I'm assuming the Smart Card Login OID is present in your certificate template together with Client Authentication, and that the purpose is set to "Signature and Smartcard Logon".. I'm working with V2 templates at the mo...
    "In GPedit, under Computer Configuration-Windows Components-Smart Card there are policies to disable certain parameters. I need to read more on those."
    In my case I haven't tweaked any settings via GPO... to resolve the problem described earlier I ended up adding the AMT HECI driver for the chipset and the Broadcom drivers from the Connection Manager packs.... I suspect it was the latter that was the problem. Again I haven't installed any Dell Connection Manager software so I'm relying purely on drivers.
    "Btw; Dell SmartCard is not available for shopping in Norway where I'm located; so I can not enroll any cards through Controlpoint/Wave manager. My Gemalto.NET card is purchased from a local store"
    The Gemalto drivers from Windows 7 RTM worked ok for me.
    "The reason for using the laptop as stand alone outside domain is that it's "never" connected locally to any wired network, and there is no reason for it to be a member of the domain."
    OK, but here's where I disagree :-) .. the machine in question will need to connect back to your Enterprise CA certificate distribution point (CDP) to check that the certificate is valid. That's part of basic PKI functionality to ensure certificates are valid. In your case, you'll need an HTTP-based CDP reachable from the local machine, i.e. reachable over a LAN or over the Internet from the "stand-alone" machine, as default LDAP CDPs are meaningless as your client is not domain-joined. Otherwise, you'll need to turn off certificate revocation checking on the local machine completely, which is diluting security even further.
    "Its only connecting through RDP and for Outlook (Exchange 2007). Here I use the certificate for RDP logon and for signing/encrypting emails."
    I was slightly confused here.. so you don't intend to use the smartcard for local logon? If this is the case this is a workable scenario. You can use a smartcard from a non-domain joined machine to connect for RDP logon. S/MIME is also possible from Outlook, but YMMV as you may run into trust issues when sending encrypted mails to parties that don't trust your CA. Again, bear in mind the comments made earlier about the CDP... the "stand-alone" machine will still need to "connect" back to the CA to access the CDP/AIA, plus you'll have to do certificate renewals etc.
    On a parting note, you need to be clear about why you really need to use smart cards (in this scenario). You're working outside the normal working conventions of Windows with a non-domain joined machine and the pay-off in this case is negligible. I'm not trying to dissuade you from continuing but it's likely to be an uphill struggle.
    Good luck and post back if you want to discuss further!
    Regards,
    Mylo

  • KDC Event ID 29 - The KDC cannot find a suitable certificate to use for smart card logons...

    I am getting the event (below) every day on a new 2008 domain controller that I brought up recently. The DC has a domain controller certificate that was automatically issued by an online enterprise CA. This CA is located in another domain (child domain) within the same forest. The 2008 DC is in the top-level domain. None of the other domain controllers, which are 2003, are reporting this message. I ran certutil.exe, and it successfully verifies all domain controller certificates, including the certificate on my new 2008 DC. Any ideas why these messages continue to appear?
    The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

    Hi,
    I have checked the file. Here are my findings:
    1.    The computer names of the domain controllers are different in this dcinfo.txt file. There is no Swampoak. I would like to confirm which one is the Windows Server 2008 domain controller.
    2.    The domain controller Buckeye and Madrone both have 2 KDC certificates, one is expired and the other one is valid:
    *** Testing DC[0]: MADRONE
    ** KDC Certificates for DC MADRONE
    Certificate 0:  → Valid
    Serial Number: 116bbdd90000000000b6
    Issuer: ***
    NotBefore: 12/15/2008 2:28 AM
    NotAfter: 12/15/2009 2:28 AM
    Subject: CN=madrone.****
    Certificate Template Name (Certificate Type): DomainController
    Non-root Certificate
    Template: DomainController, Domain Controller
    Certificate 1:  → Expired
    Serial Number: 15c2f00b000000000028
    Issuer: ****
    NotBefore: 3/9/2007 3:05 PM
    NotAfter: 3/8/2008 3:05 PM
    Subject: EMPTY (DNS Name=madrone.****)
    Non-root Certificate
    Template: DomainControllerAuthentication, Domain Controller Authentication
    *** Testing DC[1]: BUCKEYE
    ** KDC Certificates for DC BUCKEYE
    Certificate 0:  → Expired
    Serial Number: 15c4ddc2000000000029
    Issuer: *****
    NotBefore: 3/9/2007 3:07 PM
    NotAfter: 3/8/2008 3:07 PM
    Subject: EMPTY (DNS Name=buckeye.****)
    Non-root Certificate
    Template: DomainControllerAuthentication, Domain Controller Authentication
    Certificate 1:  → Valid
    Serial Number: 115f34ec0000000000b4
    Issuer: ****
    NotBefore: 12/15/2008 2:15 AM
    NotAfter: 12/15/2009 2:15 AM
    Subject: CN=buckeye.****
    Certificate Template Name (Certificate Type): DomainController
    Non-root Certificate
    Template: DomainController, Domain Controller
    Suggestion:
    1.    Please delete the expired certificate and then reboot the domain controller and test the issue again.
    2.    If the issue persists, please request a new Domain Controller Authentication certificate on the domain controller and check the result.

  • Smart card logon with third party CA combined with ADFS to Office 365

    Greetings,
    I've been trying to figure out how to implement ADFS to Office 365 in the MS cloud in our environment, with little luck. I have a working 2012 domain and we are already using smart card logon on Windows 7/8 workstations. Certificates on smart cards are issued by a 3rd party CA. This far everything is fine and working: necessary root certificates are added to Trusted Root Certification Authorities, UPN suffixes and users' UPNs are set according to the UPN on the certificates, and users successfully log on to workstations with smart cards.
    Now I face the requirement to enable SSO to Office 365 with accounts from our AD. I've been told by our MS partner and Dr. Google that in order to do that the user account name (UPN) in AD and in O365 need to match. Now the account UPN in our AD is not usable in O365 (because it is set to match the 3rd party certificate UPN), and I have not found a way to enable smart card logon without changing the UPN in AD.
    Does anyone have experience of such a configuration? Is it possible to use AD federation to O365 at all in our case?
    Best regards, and thanks in advance
    Timo

    On Fri, 25 Apr 2014 09:27:05 +0000, Timo Kallioniemi wrote:
    Now I face the requirement to enable SSO to Office 365 with accounts from our AD. I've been told by our MS partner and Dr. Google that in order to do that the user account name (UPN) in AD and in O365 need to match. Now the account UPN in our AD is not usable in O365 (because it is set to match the 3rd party certificate UPN), and I have not found a way to enable smart card logon without changing the UPN in AD.
    Does anyone have experience of such a configuration? Is it possible to use AD federation to O365 at all in our case?
    This is not a general Windows server security issue. You should post your
    question in an O365 support forum.
    http://community.office365.com/en-us/f/default.aspx
    Paul Adare - FIM CM MVP
    Technology is dominated by two types of people: Those who understand
    what they do not manage. Those who manage what they do not understand.
    -- Putt's Law

  • T450s -- Display, NGFF SSD, Smart Card Reader, and m.2 SSD slots

    I'm looking to order a T450s and have a few questions about options when configuring the order:
    1080 Display -- Does anyone know if the 1080 display (non-touch) is made by LG or AUO or someone else? There was extensive discussion about the T440s, and people got different brands and the AUO was the preferred brand.
    16GB m.2 NGFF SSD -- If I remove this option, and want to add a 3rd party compatible NGFF SSD later, can I do this?
    3rd m.2 SSD Slot -- The options are None, 3rd m.2 SSD slot, or Smart Card Reader. If I select the Smart Card Reader option, can I later remove the Smart Card Reader and use it as a 3rd m.2 SSD slot? Or, if I select 3rd m.2 SSD slot and later want to use it for a Smart Card Reader, can I buy a Smart Card Reader and plug it into the slot?

    Lenovo uses different FHD displays for the T450s: one by AU Optronics and the other by LG Display.
    However, the T450s uses a different LG display than the T440s. The LG screen of the T450s ("LP140WF3-SPD1") seems to be much better than the LG screen of the T440s.
    If you remove the 16GB M.2 SSD option, you can add a M.2 SSD later.
    If you have a device with two M.2 slots, you can't use a M.2 SSD and WWAN at the same time.
    If you have a device with three M.2 slots, you can only use single-sided M.2 SSDs in the third M.2 slot.
    Both the SmartCard reader and the third M.2 slot are attached to the mainboard via a flexible flat cable.
    If you choose the SmartCard reader, the warranty might be lost if you want to use the third M.2 slot, because you have to replace some parts that aren't so-called CRUs (consumer replaceable units).

  • Compaq 6910p Smart card reader and a SIM card

    I have a Compaq 6910p laptop. What are the smart card reader and the SIM card used for?

    Hey marionholt,
    I am sorry, but to get your issue more exposure, I would suggest posting it in the commercial forums, since this is a commercial product. You can do this at http://h30499.www3.hp.com/hpeb/
    I hope this helps!
    I worked on behalf of HP

  • Smart card login and sparsebundle password

    Hi,
    I am using a PIV profiled card to login to my mac. I am using Snow Leopard 10.6.2 and have successfully used the card to login to the machine and do signed and encrypted emails. Every login I get prompted after smart card login for the password for my sparsebundle (I had been using filevault prior to introducing the card) and even though I tick the "save password" option I still am prompted on each login. Does anyone know if there is any way to associate my smartcard login with an existing sparsebundle? Also, is there any way to force the machine to use a smart card login only (i.e. remove the password option)?
    Many thanks
    Michael

    I'm guessing that since you are not entering a password, the sparse bundle is not being unlocked. I don't know of a way to tie it to the smart card login. It sounds similar to when you put a different password on your default keychain. It won't unlock on login because you are not entering its password.

  • Set up a smart card for user logon to windows server 2012 R2

    Good Evening,
    I have Windows Server 2012 R2 Datacenter edition (dreamspark license)
    Is it possible to successfully set up smart card logon to a server? I already have the smart card reader, smart card and the certificate (which is also my digital signature). I know how to set up a DC role (as far as I know, the server has to be in a domain to use smart card logon). I would like to log on to my PC using a smart card and set the certificate I already have to use as a certificate for logon.
    Kind Regards,
    Tomasz

    It would take a few things to do this, and could cause some security issues. In short, I assume the certificate you "already have" came from another environment or a commercial provider. You would need to configure your computer to trust that CA to be an issuer of smart card authentication certificates. That effectively moves a good portion of your computer security control out of your environment. For many environments that is an unacceptable security risk.
    If you don't have an Active Directory running, you will also need to make some accommodations to the standard guides. I don't believe there are any published guides on how to do this with a single server and third-party CAs.
    Here are some references for generic smart card authentications. They are not 100% applicable to your need, so some interpretation is going to be needed.
    http://msdn.microsoft.com/en-us/library/windows/desktop/aa380142(v=vs.85).aspx
    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years.

  • Windows 8.1 default logon prompt for smart card instead of username/password

    Hello,
    We are currently in our pre-deployment test phase for Windows 8.1 and are trying to knock out the high visibility problems that we notice.  One of the issues we've noticed:
    When logging into Windows, the default prompt is for a username/password. All of our users are using smart cards, so they have to click "sign-in options", click the smart card icon, and then enter their PIN. How would I change the startup screen to default to smart card?
    Also, when locking the screen by removing the card it again prompts for the username/password when unlocking the screen. So the users again have to click on "sign-in options" and select the smart card, otherwise they risk locking out their account by entering the PIN in the username/password field.
    When locking the screen via ctrl-alt-del or windows-L, unlocking does default to the smart card, so I know it can be done!
    thanks,
    -Nick

    Hi,
    I'm afraid we couldn't change the Sign-in Options order, I checked GP and Registry, there is no way to do it.
    However, there is another way: just enable "Require smart card" in GP. After this policy is enabled, all users will have to use smart cards to log on to the network. This means that the organization must have a reliable public key infrastructure (PKI) in place, and provide smart cards and smart card readers for all users.
    Location: GPO_name\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
    Roger Lu
    TechNet Community Support

  • Logon with Virtual Smart Card Breaks Run As Administrator

    I've been testing the Virtual Smart Card (VSC) capability on a Surface Pro 2 and Dell Latitude E7240.
    This may be by design however, I have noticed that if I login using the VSC I am unable to use "Run As Administrator" functionality - for example:
    Command Prompt from Start Screen
    Task Manager
    I'm prompted for a username / password or the VSC PIN.
    In my environment the Administrative user does not have a VSC, so it is a username/password. When using Run As Administrator I'm therefore always entering a username and password.
    Once the credentials are entered the prompt goes away but the application never runs.
    If I lock/unlock the session and login using username/password for the non-admin user, instead of the VSC and PIN, I am able to elevate using Run As.
    I have noticed that I can use the workaround as specified in this article:
    http://support.microsoft.com/kb/2013976
    To work around this issue, start the application using the Run as different user right-click context menu option and select the smart card reader of choice.
    Click Start, select Programs, and locate the shortcut item in the Programs menu or the application folder for the application you want to run
    Hold down the SHIFT key while you right-click the shortcut item, and select Run as different user.
    Enter the username, password and the domain name or choose a smart card logon.
    Seems a little odd... maybe I am missing something. If anyone can assist that would be great.
    Thanks, Chris
    MCTS 70-640 | MCTS 70-642 | Prince2 Practitioner| ITIL Foundation v3 | http://www.cb-net.co.uk

    Hi Chris,
    I also have this issue. I think it is a known issue for Windows.
    I did some more research in web and found what I was looking for.
    RUNAS /SMARTCARD Only Supports a Single Smart Card Reader
    http://support.microsoft.com/kb/2013976
    How Smart Card Logon Works in Windows
    http://technet.microsoft.com/en-us/library/ff404285(v=WS.10).aspx
    Guidelines for enabling smart card logon with third-party certification authorities
    http://support.microsoft.com/kb/281245
    Thanks

  • Smart Card Reader not showing correct certificates?

    Running 10.5.6 with an SCR331, G4 desktop. I have been using entourage, smart card reader, and CAC successfully for quite some time.
    My CAC was recently updated with new certificates. When I insert my card reader with CAC into my machine, the keychain (and Entourage) show the old certificates which aren't even on my CAC anymore. Obviously I can't get Entourage (or other websites) to work without being able to access the new certs.
    I verified the CAC & reader were good by looking at it using a windows XP machine. The three new certificates were there.
    I also used another Mac (laptop) to verify the certs. I inserted my reader into the laptop, and the keychain on that machine displayed the correct certificates.
    I have tried several methods of rebuilding/replacing my keychain without success. Is there another token that needs to be cleared? Any help in letting access the new certificates would be very much appreciated.
    Thanks,
    Bob

    If you did what a lot of people did you put your certs locally and you do not need to do this. Delete them from your keychain and just insert your CAC. Then create an "IDPref" for the DoD site you are trying to access and you should be good to go. If you need help, I have written a good "How-to" on my weblog. Just do a search for "safari and CAC".
    Jonathan

  • Using smart card/nfc tag for authentication on Windows 8 devices NOT in a domain

    Title says it all. We have Sony RC-S380 readers and Acer Iconia W510 tablets with built-in Broadcom NFC chips. We can read tags and configure them for the usual proximity stuff (URIs, mail, etc.) but we are looking for authentication purposes, however without using ADFS or domain security. Can anyone point us in the right direction?

    Hi,
    By default, smart card is not available for stand alone computer and local account.
    This authentication technology might be helpful to you:
    EIDAuthenticate - Smart card logon on stand alone computers and local accounts
    http://www.mysmartlogon.com/products/eidauthenticate.html
    Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Karen Hu
    TechNet Community Support

  • Smart Card Reader 2 on Windows 8

    I have a need to use a smart card to log into my work laptop.  Unfortunately, my laptop does not have a built-in smart card reader and I'd like to avoid using an external USB smart card reader if possible.  For this reason, I purchased a Blackberry Smart Card Reader 2, which from what I could find online, should be able to provide the same functionality as an external USB smart card reader.
    I installed the software and rebooted the computer.  However, when I try and discover the Smart Card Reader (SCR) the laptop seems to see the SCR, but then the connection window closes and I never get the chance to enter the PIN.  Reviewing the eventlogs and system processes, I can see that BlackberrySCRService.exe process which is running as a service quits after the device is discovered.
    I've tried running the Windows compatibility tool on the process which suggested running in XP compatibility mode, but that did not help.  Can somebody tell me how I can use my Blackberry SCR 2 on my Windows 8 laptop?  Thanks in advance.

    hello, I don't have any knowledge about that reader.
    You can find the manual here:
    http://docs.blackberry.com/en/admin/subcategories/?userType=2&category=BlackBerry+Smart+Card+Reader
    My personal understanding is that this reader is not compatible with Windows 7 and Windows 8, and only if that BlackBerry is linked to a BES server.
    The search box on top-right of this page is your true friend, and the public Knowledge Base too:

  • TACACS+ and Smart Card login

    We are currently using Cisco ACS 5.3 integrated with Active Directory for authentication to our Cisco devices. We are looking to move to smart card logins and trying to find out if this is possible to authenticate to the console/ssh on the router/switch using a smart card.

    Direct smart card authentication is not supported for vty/console sessions on IOS. However, via TACACS+ to an AAA server (e.g. Cisco ACS) you can turn it to use a two-factor-based external authentication store. Even if the smart card gets the PKI cert of some kind to the client PC and then to the terminal emulator like PuTTY or SecureCRT, AAA with TACACS+ would not be possible as TACACS+ is not capable of encapsulating any kind of PKI.
    Jatin Katyal
    - Do rate helpful posts -

  • RDS Gateway + Smart Card Error [ The specified user name does not exist.]

    I have the following Windows Server 2008 R2 servers:
    addsdc.contoso.com, AD DS Domain Controller for contoso.com
    adcsca.contoso.com, AD CS Enterprise CA, CDPs/AIAs published externally.
    fileserver.contoso.com, RDS Session Host for Administration enabled
    rdsgateway.contoso.com, RDS Gateway enabled
    tmgserver.contoso.com, 'Publishing' rdsgateway.contoso.com but with pass-through authentication
    And the following Windows 7 PCs:
    internalclient.contoso.com
    externalclient.fabrikam.com
    There's no trust between the domains, the external client is completely separate on the internet but the CA certificate for contoso.com has been installed in the trusted Root CA store. All servers have certificates for secure RDP.
    I enrolled for a custom 'Smart Card Authentication' certificate with Client Authentication and Smart Card Logon EKUs from the CA, stored on my new Gemalto smart card using the Microsoft Base Smart Card CSP.
    From internalclient.contoso.com, I can RDP to fileserver.contoso.com using the smart card just fine with no certificate errors.
    From externalclient.fabrikam.com, I can RDP to fileserver.contoso.com via rdsgateway.contoso.com using a username and password just fine with no certificate errors.
    From externalclient.fabrikam.com, I can RDP to fileserver.contoso.com via rdsgateway.contoso.com using the smart card to authenticate to the gateway, and a username and password to authenticate to the end server, just fine.
    BUT when using a smart card to authenticate to the end server via the gateway, it fails with:
         The specified user name does not exist. Verify the username and try logging in again. If the problem continues, contact your system administrator or technical support. 
    When I move the client into the internal network and try the connection again (still via the RDS Gateway), it works fine - the only thing I can think of is being outside the network and not being able to contact the AD DS DC for Kerberos is causing the issue - but I'm pretty sure this is a supported scenario?
    The smart card works fine internally, the subject of the certificate is the user's common name (John Smith) and the only SAN is [email protected] which matches the UPN of the user account as it was auto-enrolled.
    Does anyone have any ideas?

    I had a similar issue where I am using a smart card through a Remote Desktop Gateway. I had to disable Network Level Authentication (NLA) on the destination Remote Desktop Server. If anyone has another way around this, I'd appreciate hearing it. I'd prefer to use NLA.
