When I attempt to logon with my smartcard on this (and all other domain) PCs, I get the error "The system could not log you on. Your credentials could not be verified."
I am logging in from a Windows Vista PC with a SC331 smart card reader. I have taken the following actions:
- Downloaded the updated (1.40) drivers for my Smart Card Reader
- Downloaded and re-installed ActivClient v6.2.0.154
- Downloaded and installed FIXS1204031
- Downloaded and ran "InstallRoot_v3.15A" from the DISA website (contains DoD certs I needed) on both the primary domain controller and my workstation.
I have verified the following:
- The Active Directory account I am attempting to give this card access to has the EDIPI with .mil selected for the user logon name, with DOMAIN\UserName as the pre-Windows 2000 name.
- The EDIPI found on the smart card matches the above.
- The "DOD CA-29" certificate on the card has the following for common name: LAST.FIRST.MIDDLE.EDIPI, where EDIPI is a ten-digit number.
- The "DOD CA-29" certificate derives from the "DOD ROOT CA 2" certificate.
- The "DOD ROOT CA 2" certificate is present under Trusted Root Certification Authorities\Certificates in the Certificates snap-in for MMC on both the workstation and the primary domain controller.
- The "DOD CA-29" certificate is present under Intermediate Certifications\Certificates in the Certificates snap-in for MMC on both the workstation and the primary domain controller.
- The "DOD CA-29" certificate is issued by the "DOD ROOT CA 2" certificate and doesn't expire until 2017.
- I opened the PKIView.msc enterprise container on the primary domain controller and added "DOD CA-27 through CA-30" to the list. (It already contained the previous CA 11-26 certs.)
I was getting the following error:
"The Domain Controller rejected the client certificate of user EDIPI@mil, used for smartcard logon. The following error was returned from the certificate validation process: A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider." in the event log.
From here I checked the properties of the CA-29 certificate and found that it "appears to be trusted". I opened the command prompt and entered:
certutil -enterprise -viewstore ntauth
I found that the CA-27 to CA-30 certs were not in that store.
I entered the following:
certutil -enterprise -addstore NTAuth "C:\Cert\CA27.cer" (where I stored it)
certutil -enterprise -addstore NTAuth "C:\Cert\CA28.cer" (where I stored it)
certutil -enterprise -addstore NTAuth "C:\Cert\CA29.cer" (where I stored it)
certutil -enterprise -addstore NTAuth "C:\Cert\CA30.cer" (where I stored it)
These all returned a message stating that the certificates (with some information) were added to the store.
I rebooted the machine thinking that I had solved the problem and got the error mentioned at the beginning of this post: "The system could not log you on. Your credentials could not be verified."
And just to verify, when I enter
echo %logonserver%
I get the hostname of my primary domain controller so I should be validating directly to it, rather than any other DC.
Other people have logged in since I arrived at this site with their CAC cards, but they have CA21-26.
At this point, I'm very out of my element (primarily a network engineer who dabbles in software). Thoughts/suggestions?
Thanks in advance.
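A diagnostic script, added here and not part of the original post, that checks on the workstation the four things the post walks through by hand: that the card's certificate chains to a trusted root, that its issuing CA is in the enterprise NTAuth store (the store the KDC consults and the one the post added CA-27 through CA-30 to), that the EKU contains Smart Card Logon and Client Authentication, and what UPN the certificate carries for comparison with the AD account. It assumes the logon certificate has been exported from the card to C:\Cert\card.cer (a placeholder path) and that certutil.exe is on the PATH.

```powershell
# Added diagnostic for smart card logon trust; not from the original post.
# Assumes the card's logon certificate was exported to C:\Cert\card.cer (placeholder).
param([string]$CertPath = 'C:\Cert\card.cer')

$x509 = 'System.Security.Cryptography.X509Certificates'
$cert = New-Object "$x509.X509Certificate2" $CertPath

# 1. The chain must build to a root in Trusted Root Certification Authorities.
#    Revocation checking is off so an unreachable CRL does not hide a trust error;
#    turn it back on once the chain itself builds.
$chain = New-Object "$x509.X509Chain"
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$built = $chain.Build($cert)
"Chain builds to a trusted root: $built"
foreach ($s in $chain.ChainStatus) { "  status: $($s.Status) - $($s.StatusInformation.Trim())" }

# 2. The issuing CA (the element directly above the leaf) must be in the enterprise
#    NTAuth store; a correct chain whose issuer is missing from NTAuth produces the
#    "not trusted by the policy provider" event quoted in the post.
if ($chain.ChainElements.Count -gt 1) {
    $issuer = $chain.ChainElements[1].Certificate
    $ntAuthHashes = certutil -enterprise -store NTAuth 2>&1 | ForEach-Object {
        if ($_ -match 'Cert Hash\(sha1\):\s*(.+)$') { ($Matches[1] -replace '\s', '').ToUpper() }
    }
    $inNtAuth = @($ntAuthHashes) -contains $issuer.Thumbprint.ToUpper()
    "Issuer '$($issuer.Subject)' present in NTAuth: $inNtAuth"
} else {
    "No issuer found for the leaf certificate; install the issuing CA cert first."
}

# 3. EKU must include Smart Card Logon and Client Authentication.
$ekuExt = $cert.Extensions | Where-Object { $_ -is [type]"$x509.X509EnhancedKeyUsageExtension" }
$ekuOids = @()
if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
"Smart Card Logon EKU (1.3.6.1.4.1.311.20.2.2): $($ekuOids -contains '1.3.6.1.4.1.311.20.2.2')"
"Client Authentication EKU (1.3.6.1.5.5.7.3.2): $($ekuOids -contains '1.3.6.1.5.5.7.3.2')"

# 4. The UPN in the Subject Alternative Name must equal the account's
#    userPrincipalName in AD exactly (EDIPI@mil in the post).
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$upn = ''
if ($san) { $upn = [regex]::Match($san.Format($false), 'Principal Name=([^,\s]+)').Groups[1].Value }
"UPN in certificate SAN: $upn"
"On the DC, compare with: Get-ADUser -Filter { UserPrincipalName -eq '$upn' }"
```

If step 2 reports the issuer as absent even after the certutil -addstore commands, remember that the NTAuth additions live in AD and reach workstations through Group Policy, so a gpupdate /force (or waiting for replication) on the workstation is worth a check before re-testing.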