Dear all,
We have a problem with smart card interactive logon. Below are the symptoms:
- smart card interactive logon works on some servers in the same domain
- root certificate is deployed via GPO and present in the trusted root cert store on every domain computer
- certutil -verify -urlfetch works fine for domain controller certificate and user certificate on the problematic server where smart card interactive logon is not working
- enabled CAPI2 and found out that on the server where smart card interactive logon is not working, "CERT_CHAIN_POLICY_NTAUTH" is being used for "CertVerifyCertificateChainPolicy"; on the working node, "CERT_CHAIN_POLICY_BASE" is being used.
I wonder if there is any setting to let the server use "CERT_CHAIN_POLICY_BASE" for "CertVerifyCertificateChainPolicy"? Or am I missing anything? Thanks in advance!
Cheers,
Best Regards, Bruce