SmartCard logon issues

Event ID: 21
Event Source: KDC
Event Type: Warning
Event Description: TThe client certificate for the user #$%\#$%# is not valid, and resulted in a failed smartcard logon. Please contact the user for more information about the certificate they're attempting to use for smartcard logon. The chain status was : A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.

This started happening just recently. The only thing i've down was publish new intermidate CA certs using the following command;

certutil -dspublish -f "Cert name / location" NTAuthCA

that was yesterday and now today people are reporting the issue that they cannot log in with their certs.

The Domain controller rejected the client certificate of user $#$#$@#$# used for smart card logon. The following error from the certificate validation process:

A certificate chain processed correctly but one of the CA certifiates is not trusted by the policy provider

Either I did not publish the certificates correctly (their in the correct location in the DS stores). I'm currently troubleshooting but my mind is currently running a blank. What I've done was delete the cert from the DS store and republish it again but that did nto work.

What I am thinking on doing is going to the registry location

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates

and deleteing them that way (if for some odd reason the delstore command did not work).

Any ideas? Would be greatly appreciated.

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

higherho

Wrong store location. Sorry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\system certificates

higherho

Resolved. Cleaned up AD (the previous SA had certs in like every store possible). One of the Root certs was not in the proper trusted area. At least thats all I did and comfirmed with my AD accoutn and another users and both logged in with are smart cards.

What a day. now onto the next task! Dell sending me wrong equipment

higherho

So, now even though I got everyone up and running from CA 24 and down. Any user with CA 26 to CA 30 cannot login still. Even though those certs are published to the domain controllers stores and to the NTAUTH store and in the proper stores on the users machine. guh =/ Thank goodness I love troubleshooting

CodeBlox

As large as our network is, I'm surpised that we never have issues like what you're having here. I've never had a call about a smartcard issue that was this detailed haha. Then again, I'm just a lowly tier 1

higherho

I'm sure you have a lot of people on your teams! Where I'm at, its a one man show lol. I only have 50 users on this development network but 300 on the production (on that network theirs more than just me but not on the development side). The development side I'm learning so much more! Seriously more equipment, more Microsoft technologies, Cisco, etc. The only downside is when I come home, I need a break from IT because work drains me so much (its difficult to study for certs when I'm home sometimes).

On Friday night (right around 6 pm est) I figured it out! I ran the following command;

certutil -enterprise -viewstore NtAUTH

I took notice that the main CA's for the new CA's were not in the NTAuth store (but they were in the system certificates store). So first on the DC's I ran this command;

certutil -enterprise -addstore -f "Certname.cer" (any certs that were missing). Then I went to the users machine that I was testing and added the missing ones on hers. Rebooted her laptop and she logged in just fine

So I'm going to create a batch script that will run on bootup to install those certs in those stores instead of me going to each user individually. After I figured that out, I left work to enjoy my weekend without worrying about people getting errors logging in.