Hi all.
I have a standalone offline RootCA and an enterprise domain SubCA on a DC running Windows Server 2012. I have a Windows 2003 Terminal Server; users log on to the TS via smart cards, and this works fine.
Then I added a Windows Server 2012 as a "Terminal Server".
I also added a Windows Server 2012 R2 as a "Terminal Server".
I configured both servers identically.
Users can logon via smart card to Windows Server 2012.
Users CAN NOT logon via smart card to Windows Server 2012 R2.
When users try to log on via smart card, they get this message:
"An untrusted certification authority was detected while processing the domain controller certificate used for authentication. Additional information..."
I ran certutil.exe -scinfo on both the Windows 2012 and 2012 R2 servers.
I found differences in (roughly) the same place in the output log.
On Windows 2012:
Exclude leaf cert:
b4 44 8f fb fb b4 5f 03 39 76 dc cc e8 da 02 e0 d0 cc b6 32
Full chain:
c8 3d 07 12 ea 4d 0e 5a 8c 50 fc 56 2e 51 f1 68 6a 26 90 77
------------------------------------
Verified Issuance Policies: None
Verified Application Policies:
1.3.6.1.5.5.7.3.2 Client Authentication
1.3.6.1.4.1.311.20.2.2 Smart Card Logon
On Windows 2012 R2:
Exclude leaf cert:
78 7e 6c 60 3f 20 c6 f6 e8 74 c8 36 e3 d3 88 ac 12 60 41 32
Full chain:
b8 a9 fa 6c db 07 cd 32 86 17 8c 88 02 ba d0 4b 8c ac 2d 58
Issuer: CN=XXX CA, OU=Certification Services, O=XX, C=XX
NotBefore: 2013-11-22 12:42
NotAfter: 2014-11-22 12:42
Subject: CN=XX Test, OU=XX, OU=UXX, DC=XX, DC=com
Serial: 7a0084f
SubjectAltName: Other Name:Principal Name=XX@XX
Template: Smartcard Logon Behalf 2048
1d 2a bb dc 2a 9c 70 0d b5 35 47 44 ee 61 60 ab 71 97 66 ff
A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478)
I ran certutil -verify xx.cer on both servers (2012/2012 R2), and both servers show almost exactly the same thing.
Windows 2012:
Exclude leaf cert:
f6 0e 96 da c7 08 9a 78 12 97 a6 b6 22 df 57 9d e7 03 41 df
Full chain:
f0 fb 19 66 e8 6c 4f ea b4 d5 ea 6d 5e 38 54 07 b0 9f 52 96
------------------------------------
Verified Issuance Policies: None
Verified Application Policies:
1.3.6.1.4.1.311.20.2.2 Smart Card Logon
1.3.6.1.5.5.7.3.2 Client Authentication
Leaf certificate revocation check passed
Windows 2012 R2:
Exclude leaf cert:
84 18 5b 9d 06 61 60 73 c6 37 80 f4 25 33 c4 d3 5e ef 4a 93
Full chain:
63 8e 9e 37 78 c9 93 bb 4d da f4 e3 4b 7e 2b 14 49 28 0f 5d
------------------------------------
Verified Issuance Policies: None
Verified Application Policies:
1.3.6.1.4.1.311.20.2.2 Smart Card Logon
1.3.6.1.5.5.7.3.2 Client Authentication
Leaf certificate revocation check passed
Could it be that Windows 2012 R2 is trying to build a certificate path that treats the smart card logon certificate as a (Sub)CA certificate?
___________________________________________________
Previous and probably wrong idea:
The only thing that comes to my mind is my SubCA.
I have two CA certificates:
Certificate #0 (expired)
Certificate #1 <- valid.
I guess that all Windows versions before Windows 2012 R2 build the certification chain from the valid (second, #1) certificate. Windows 2012 R2 takes the first one and we get:
"A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.
[ value] 800B0112 "
Is this a bug or a feature?
How can I fix this without removing Certificate #0 from my SubCA?
Best regards
Jacek Marek
MCSA Windows Server 2012
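To make the comparison of the two servers concrete, here is an added PowerShell example (not from the original post or from Microsoft) that builds the chain for a certificate file with the .NET X509Chain class, prints every chain element with its thumbprint, validity window and per-element status, and then lists all CA certificates in the machine's Root and CA stores so that an expired and a renewed CA certificate with the same subject (the #0/#1 pair above) can be told apart by thumbprint. The path C:\temp\xx.cer is an assumption.

```powershell
# Added diagnostic example (not from the original post). Assumes the certificate
# to inspect was exported to C:\temp\xx.cer; adjust the path as needed.
param([string]$CertPath = 'C:\temp\xx.cer')

$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

# Check revocation for the whole chain, as smart card logon does, so an
# unreachable CRL shows up as a status rather than being silently ignored.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain

$built = $chain.Build($cert)
Write-Host ("Chain built successfully: {0}" -f $built)

# One line per element, leaf first: thumbprint, validity window, subject, status.
# An element flagged UntrustedRoot or PartialChain is the CA the policy provider
# does not trust; compare its thumbprint with the 'Full chain' hash certutil prints.
foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    $status = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
    if (-not $status) { $status = 'OK' }
    '{0}  {1:yyyy-MM-dd} .. {2:yyyy-MM-dd}  {3}  [{4}]' -f $c.Thumbprint, $c.NotBefore, $c.NotAfter, $c.Subject, $status
}

# Overall chain status, e.g. NotTimeValid when the path went through an expired CA certificate.
$chain.ChainStatus | ForEach-Object { '{0}: {1}' -f $_.Status, $_.StatusInformation.Trim() }

# Every CA certificate the machine knows, sorted so two certificates with the same
# subject (an old and a renewed CA certificate) appear next to each other.
Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
    Select-Object Thumbprint, Subject, NotBefore, NotAfter, PSParentPath |
    Sort-Object Subject, NotAfter |
    Format-Table -AutoSize

# For smart card logon the issuing CA must also be in the enterprise NTAuth store;
# 'certutil -viewstore -enterprise NTAuth' shows which CA certificates are published there.
```

Run it once on each terminal server against the same exported certificate and diff the two outputs; the element whose status differs between 2012 and 2012 R2 is the one to look at.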