HELP....smart card certificate was not trusted - logon denied !

B

barabba72

Hi all,

I have a particular user who cannot logon using his smart card. He was
able to use it until yesterday.
The terminal server says that "the smart card certificate used for
authentication was not trusted".

Other users have no problems in logging on to the domain using smart
cards.

I checked the user's published certificate and it's ok, still valid.
the CRL distribution point is also fine and still valid. I already
checked Microsoft Knowledge Base 281245.

Windows 2000 domain - PKI,
Windows 2003 Terminal Server
Windows XPE Thin Clients in workgroup
ActivCard Gold 2.3.1

Anyone has an idea ?
Thank you very much for your help.
 
M

Miha Pihler [MVP]

Hi,

Can you run PKI Health tool (it is in Windows Server 2003 Resource Kit
Tools) on this computer? It might give you an idea what could be wrong
(maybe it can't reach CRL or CRL is out of date etc...).

Can this user logon to any other PC in domain?
 
B

Brian Komar

Hi all,

I have a particular user who cannot logon using his smart card. He was
able to use it until yesterday.
The terminal server says that "the smart card certificate used for
authentication was not trusted".

Other users have no problems in logging on to the domain using smart
cards.

I checked the user's published certificate and it's ok, still valid.
the CRL distribution point is also fine and still valid. I already
checked Microsoft Knowledge Base 281245.

Windows 2000 domain - PKI,
Windows 2003 Terminal Server
Windows XPE Thin Clients in workgroup
ActivCard Gold 2.3.1

Anyone has an idea ?
Thank you very much for your help.
Click to expand...
Do the following command from both the client computer and the terminal
services computer. The command requires that you export the smart card
certificate as a DER or BASE64 file.

certutil -verify -urlfetch <certfile>

The output should provide information as to why the certificate is not
trusted.

Brian
 
B

barabba72

Thank you both for your helping me. I really appreciate it.
Tomorrow I will check what you suggest and will post any results.

Regards.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Smart Card Logon 1
question about private certificate stored on smart card 4
Smart Card Logon + CRL refresh period 2
Certificate Problem - Smart Card Logon 3
User can logon after certificate is revoked 2
smart card authentication api 1
Certificate revocation in VPN smart card connection under win2003 2
smart card logon: Error: invalid handle 1

Top