Hello!
I am trying to log on to a domain that is foreign (no trust between the domains) to the domain that is issuing the user certificate for smart card logon.
The scenario is as follows:
Domain "A" is used for issuing users smart cards, used for logging into domain "B"
Domain "A" uses 2008r2 servers (DCs, CA), and domain "B" is a 2003 domain (one Domain Controller, NO Certificate Authority(!))
Here are the documents I followed:
Guidelines that I used:
SC authentication changes article:
http://technet.microsoft.com/en-us/library/cc721959(v=ws.10).aspx
Another helpful article:
http://support.microsoft.com/kb/281245
One of the possible issues here is the fact that the target domain has no CA, and that's why I can't implement the following requirement:
Required: Domain controllers must be configured with a domain controller certificate to authenticate smartcard users
(Or can I?)
In any case, this is the requirement:
Request and install a domain controller certificate on the domain controller(s). Each domain controller that is going to authenticate smart card users must have a domain controller certificate.
When I issue a certificate, using this recommendation from the first link I provided:
I can't even unlock my station from the issuing domain ("A"). I have an authentication/credential error.
Anyway, when I enable the UPN checkbox and reissue the smart card, I can log into stations in domain "A", but when I try logging into domain "B", I get the following error:
- The system could not log you on. You cannot use a smart card to log on because smart card logon is not supported for your user account
I imported the Root CA cert from domain "A" to domain "B", and when opening certificates from domain "A" on domain "B" stations, the chain of trust seems to be OK (no red 'x' icon).
So...
How do I make this thing work?
Thanks in advance,
--Marom
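The requirement quoted in the post is that every domain controller authenticating smart card users holds a domain controller certificate, and the poster has already checked the chain of trust by eye on a workstation. The script below is an added example, not part of the original post or of the linked Microsoft articles: it inventories the local machine certificate store on a domain controller and reports, per certificate, whether it has a private key, which of the relevant enhanced key usages it carries, and whether the chain builds against the roots trusted on that machine. It assumes it is run in an elevated PowerShell session on the DC in domain "B"; the EKU OIDs are the standard Microsoft values (Server Authentication, Client Authentication, Smart Card Logon, KDC Authentication), and which combination the DC needs depends on the certificate template in use, so the output is meant to be read against the template the issuing CA actually offers.

```powershell
# Added example (not from the original post): inventory the DC's machine store and
# show which certificates could serve as a domain controller certificate.
# Assumption: run elevated on the domain controller being checked.

# Standard Microsoft EKU OIDs (assumed relevant; which set is required depends on the template)
$ekuServerAuth = '1.3.6.1.5.5.7.3.1'
$ekuClientAuth = '1.3.6.1.5.5.7.3.2'
$ekuSmartCard  = '1.3.6.1.4.1.311.20.2.2'
$ekuKdcAuth    = '1.3.6.1.5.2.3.5'

# Collect the EKU OIDs present on a certificate (empty list if it has no EKU extension)
function Get-EkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $oids = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $oids += $oid.Value }
        }
    }
    return $oids
}

# Summarise one certificate: key presence, EKUs of interest, and whether the chain
# builds against the roots this machine trusts (the same check the poster did by eye)
function Test-DcCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ekus = Get-EkuOids -Cert $Cert
    New-Object PSObject -Property @{
        Thumbprint     = $Cert.Thumbprint
        Subject        = $Cert.Subject
        Issuer         = $Cert.Issuer
        NotAfter       = $Cert.NotAfter
        HasPrivateKey  = $Cert.HasPrivateKey
        ServerAuth     = ($ekus -contains $ekuServerAuth)
        ClientAuth     = ($ekus -contains $ekuClientAuth)
        SmartCardOrKdc = (($ekus -contains $ekuSmartCard) -or ($ekus -contains $ekuKdcAuth))
        ChainValid     = $Cert.Verify()
    }
}

# Report every certificate in the local machine Personal store
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-DcCertificate -Cert $_ } |
    Format-Table Subject, Issuer, NotAfter, HasPrivateKey, ServerAuth, ClientAuth, SmartCardOrKdc, ChainValid -AutoSize
```

A DC with no row showing HasPrivateKey, ServerAuth, ClientAuth and ChainValid all True has no usable domain controller certificate, which matches the situation the post describes for a domain without its own CA. For a single certificate, `certutil -verify -urlfetch <exported .cer file>` prints the full chain build and revocation checking detail if the table's ChainValid column is False and the reason is not obvious.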