Options
Smart Card Logon Problem Inside
When I attempt to logon with my smartcard on this (and all other domain) PCs, I get the error "The system could not log you on. Your credentials could not be verified."
I am logging in from a windows vista PC with a SC331 smart card reader. I have taken the following actions:
-Download the updated (1.40) drivers for my Smart Card Reader
-Download and re-install ActivClient v6.2.0.154
-Download and install FIXS1204031
-Download and run "InstallRoot_v3.15A" from the DISA website (contains DoD certs I needed) on both the primary domain controller and my workstation.
I have verified the following:
-The active directory account I am attempting to give this card access to has the EDIPI with .mil selected for the user logon name with DOMAIN\UserName as the pre-windows 2000 name.
-The EDIPI found on the smart card matches the above
-The "DOD CA-29" certificate on the card has the following for common name: LAST.FIRST.MIDDLE.EDIPI where edipi is a ten digit number
-The "DOD CA-29" certificate derives from the "DOD ROOT CA 2" certificate
-The "DOD ROOT CA 2" certificate is present under Trusted Root Cerfication Authorities\Certificates in the Certificates Snap-In for MMC on both the workstation and the primary domain controller
-The "DOD CA-29" certificate is present under the Intermediate Certifications\Certificates in the Certificates Snap-In for MMC on both the workstation and the primary domain controller
-The "DOD CA-29" certificate is issued by the "DOD ROOT CA 2" certificate and doesn't expire until 2017
-I opened the PKIView.msc enterprise container on the primary domain controller and added the "DOD CA-27 through CA-30" to the list. (Already contained previous CA 11-26 certs.)
I was getting the following error:
"The Domain Controller rejected the client certificate of user EDIPI@mil, used for smartcard logon. The following error was returned from the certificate validation process: A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider." in the eventlog.
From here checked the properties of the CA-29 certificate and found that is "appears to be trusted". I opened the command prompt and entered:
I found that the CA-27 to CA-30 certs were not in that store.
I entered the following:
These all returned message stating that the certificates (with some information) were added to the store.
I re-booted the machine thinking that I had solved the problem and got the error mentioned in the beginning of this post. "The system could not log you on. Your credentials could not be verified."
And just to verify, when I type enter
I get the hostname of my primary domain controller so I should be validating directly to it, rather than any other DC.
Other people have logged in since I arrived at this site with their CAC cards but they have CA21-26.
At this point, I'm very out of my element (primary network engineer that dabbles in software). Thoughts/suggestions?
Thanks in advance.
I am logging in from a windows vista PC with a SC331 smart card reader. I have taken the following actions:
-Download the updated (1.40) drivers for my Smart Card Reader
-Download and re-install ActivClient v6.2.0.154
-Download and install FIXS1204031
-Download and run "InstallRoot_v3.15A" from the DISA website (contains DoD certs I needed) on both the primary domain controller and my workstation.
I have verified the following:
-The active directory account I am attempting to give this card access to has the EDIPI with .mil selected for the user logon name with DOMAIN\UserName as the pre-windows 2000 name.
-The EDIPI found on the smart card matches the above
-The "DOD CA-29" certificate on the card has the following for common name: LAST.FIRST.MIDDLE.EDIPI where edipi is a ten digit number
-The "DOD CA-29" certificate derives from the "DOD ROOT CA 2" certificate
-The "DOD ROOT CA 2" certificate is present under Trusted Root Cerfication Authorities\Certificates in the Certificates Snap-In for MMC on both the workstation and the primary domain controller
-The "DOD CA-29" certificate is present under the Intermediate Certifications\Certificates in the Certificates Snap-In for MMC on both the workstation and the primary domain controller
-The "DOD CA-29" certificate is issued by the "DOD ROOT CA 2" certificate and doesn't expire until 2017
-I opened the PKIView.msc enterprise container on the primary domain controller and added the "DOD CA-27 through CA-30" to the list. (Already contained previous CA 11-26 certs.)
I was getting the following error:
"The Domain Controller rejected the client certificate of user EDIPI@mil, used for smartcard logon. The following error was returned from the certificate validation process: A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider." in the eventlog.
From here checked the properties of the CA-29 certificate and found that is "appears to be trusted". I opened the command prompt and entered:
certutil -enterprise -viewstore ntauth
I found that the CA-27 to CA-30 certs were not in that store.
I entered the following:
certutil -enterprise -addstore NTAuth "C:\Cert\CA27.cer" (where I stored it) certutil -enterprise -addstore NTAuth "C:\Cert\CA28.cer" (where I stored it) certutil -enterprise -addstore NTAuth "C:\Cert\CA29.cer" (where I stored it) certutil -enterprise -addstore NTAuth "C:\Cert\CA30.cer" (where I stored it)
These all returned message stating that the certificates (with some information) were added to the store.
I re-booted the machine thinking that I had solved the problem and got the error mentioned in the beginning of this post. "The system could not log you on. Your credentials could not be verified."
And just to verify, when I type enter
echo %logonserver%
I get the hostname of my primary domain controller so I should be validating directly to it, rather than any other DC.
Other people have logged in since I arrived at this site with their CAC cards but they have CA21-26.
At this point, I'm very out of my element (primary network engineer that dabbles in software). Thoughts/suggestions?
Thanks in advance.
Comments
-
Options
break
Member Posts: 20 ■□□□□□□□□□
An account failed to log on.
Subject:
Security ID: SYSTEM
Account Name: workstation1$
Account Domain: domain
Logon ID: 0x3e7
Logon Type: 2
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: [Snipped EDIPI]@mil
Account Domain:
Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xc00000bb
Sub Status: 0x0
Process Information:
Caller Process ID: 0x928
Caller Process Name: C:\Windows\System32\winlogon.exe
I'm now getting this error for all my Vista and Server 2003 machines. :-/
All the vista machines were working as of yesterday and now nothing works. I have made no changes in the intervening time other than linking and unlinking a GPO. -
Options
Everyone
Member Posts: 1,661
I had replied to this earlier, but my session crashed in the middle of replying and couldn't get reconnected to TE for some reason... anyway...
There was an issue with Kerberos in XP and 2003 that were fixed by SP2... however since you mentioned Vista, probably not the same issue.
Have you seen this? Smart card logon error 0xC00000BB - Risque Management
I'm betting the cards with the later CA's that don't work are from a different manufacture than the cards with the earlier CA's that do work...
You should probably contact the DoD PKI SPO on this one...