Certificate Problem - Smart Card Logon

Tim

Hi,

I have smart card logon configured in Windows XP and 2003. Previously with
Windows 2000 Server it worked fine. I had not been using it as the cards had
become intermittent, but wish to test it again under XP (with new cards) and
with IIS SSL for Web Development and again, smart card logon ...

The following appears in the event log when I attempt to logon:

Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 9
Date: 6/07/2004
Time: 4:09:40 p.m.
User: N/A
Computer: <My Desktop Computer>
Description:
The client has failed to validate the Domain Controller certificate for <My
Domain>. The error data contains the information returned from the
certificate validation process. Contact your system administrator to
determine why the Domain Controller certificate is invalid.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 13 20 09 80 . .€
or
0000: 80092013

____

On the Server, events such as these appear, but not to any strict time
relationship:

Event Type: Warning
Event Source: KDC
Event Category: None
Event ID: 20
Date: 6/07/2004
Time: 3:43:58 p.m.
User: N/A
Computer: <My Server>
Description:
The currently selected KDC certificate was once valid, but now is invalid
and no suitable replacement was found. Smartcard logon may not function
correctly if this problem is not remedied. Have the system administrator
check on the state of the domain's public key infrastructure. The chain
status is in the error data.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00000014 80092013 00000000 00000000

____

The CA was configured with a 'fake' issuer certificate for the purposes of
testing Secure Web with SSL and appraisal of Smart Card logon. I.e. the issuer
certificate has at its root <My Domain>.

How do I go about overcoming the above issue? Previously I believe the
solution was to install a copy of the root CA certificate on the desktop
machine concerned... It is still there.

Thanks,
- Tim
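An added illustration, not part of the thread: the "Data:" section of both events above is the chain-status HRESULT written in little-endian byte order, which is why "13 20 09 80" and "80092013" are the same value. The script below is my own Python, not Microsoft's and not from the thread; it decodes such dumps and names the codes I am certain of from winerror.h, where 0x80092013 is CRYPT_E_REVOCATION_OFFLINE (the revocation check could not be completed because no CRL/OCSP responder for the DC's certificate chain was reachable), a useful first thing to check before re-issuing the certificate.

```python
import re
import struct

# Names for a few CryptoAPI chain-status HRESULTs (from the Windows SDK
# header winerror.h); only codes whose values I am certain of are listed.
KNOWN_HRESULTS = {
    0x80092010: "CRYPT_E_REVOKED",
    0x80092012: "CRYPT_E_NO_REVOCATION_CHECK",
    0x80092013: "CRYPT_E_REVOCATION_OFFLINE",
    0x800B0101: "CERT_E_EXPIRED",
    0x800B0109: "CERT_E_UNTRUSTEDROOT",
    0x800B010A: "CERT_E_CHAINING",
}

def parse_event_data(dump: str) -> bytes:
    """Turn the 'Data:' section of an Event Viewer record into raw bytes.
    Bytes view: '0000: 13 20 09 80 . .' (offset, hex bytes, text column).
    Words view: '0000: 80092013 ...'  (offset, 32-bit little-endian words).
    The text column is skipped at the first token that is not two hex digits,
    and at most eight bytes are taken per line (the classic viewer's width),
    so a text column that happens to look like hex is not misread."""
    out = bytearray()
    for line in dump.splitlines():
        m = re.match(r"\s*[0-9A-Fa-f]{4}:\s*(.*)", line)
        if not m:
            continue
        taken = 0
        for token in m.group(1).split():
            if re.fullmatch(r"[0-9A-Fa-f]{2}", token) and taken < 8:
                out.append(int(token, 16))
                taken += 1
            elif re.fullmatch(r"[0-9A-Fa-f]{8}", token):
                out += struct.pack("<I", int(token, 16))  # keep memory order
            else:
                break
    return bytes(out)

def decode_hresults(data: bytes):
    """Read the blob as little-endian DWORDs and return (value, name) for each
    failure HRESULT (severity bit 31 set); counts and padding are skipped, and
    codes missing from the table come back with name None."""
    n = len(data) // 4
    words = struct.unpack("<%dI" % n, data[: n * 4])
    return [(w, KNOWN_HRESULTS.get(w)) for w in words if w & 0x80000000]

# Constructed from the two event records quoted in the post above.
KERBEROS_EVENT_9 = "0000: 13 20 09 80 . .€"
KDC_EVENT_20 = "0000: 00000014 80092013 00000000 00000000"
```

Both records decode to the same single failure code, which points at revocation checking rather than at a missing root certificate on the client.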
 
Bob Qin [MSFT]

Hi Tim,

Thanks for your posting here.

Is your Domain Controller being issued the Domain Controller Authentication
certificate? In Windows 2003, we introduced the Domain Controller
Authentication template which is a version 2 template for 2003 Domain
Controllers.

If not, please enable Autoenrollment in the Default Domain Controllers
policy.

Computer Configuration > Windows Settings > Security Settings > Public Key
Policies > Properties of Autoenrollment Settings. Enable "Enroll certificates
automatically" and "Update certificates that use the certificate templates".

Hope it helps.

Regards,
Bob Qin
Product Support Services
Microsoft Corporation

Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Tim

Thanks,

After your suggestion and re-issuing a DC certificate this has now come
right.

- Tim
 
Bob Qin [MSFT]

Hi Tim,

I am glad to hear that the problem has been resolved.

If you have any further questions or concerns, please feel free to post
here. It is our pleasure to be of assistance.

Thanks again for using Microsoft News Group!

Regards,
Bob Qin
Product Support Services
Microsoft Corporation

Get Secure! - www.microsoft.com/security
