Dear all,
We are trying to implement smartcard logon on a 2008 R2 DC and CA. Environment:
Domain controller - windows server 2008 R2
CA - windows server 2008 R2
testing server - windows server 2008 R2
When using smartcard logon, a message pops up: "The system could not log you on. You cannot use a smart card to log on because smart card logon is not supported for your user account. Contact your system administrator to ensure that smart card logon is configured for your organization."
The domain controller has an error message: "Event 19: This event indicates an attempt was made to use smartcard logon, but the KDC is unable to use the PKINIT protocol because it is missing a suitable certificate."
When running "net stop kdc && net start kdc" there is a warning: "Event 29: The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate."
There were 2 dead CAs in the environment; we deleted them manually by following the instructions in http://support.microsoft.com/kb/555151. We tried to renew the domain controller certificate with the instructions in http://technet.microsoft.com/en-us/library/cc734096.aspx and http://technet.microsoft.com/en-us/library/cc733944(v=ws.10).aspx. The result of "certutil -dcinfo verify" seemed to be correct, but events 19 and 29 are still there.
How could we resolve this problem? Thanks in advance.
The output of "certutil -dcinfo verify" is:
0: CTXDC
*** Testing DC[0]: CTXDC
** Enterprise Root Certificates for DC CTXDC
Certificate 0:
Serial Number: 781902753c5627b64bd4e45c38b648df
Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
NotBefore: 2013/4/11 11:57
NotAfter: 2018/4/11 12:07
Subject: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
Certificate Template Name: CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): 24 43 b0 79 33 8d f4 74 2d 52 df 75 3a 50 73 85 62 25 fb 86
** KDC certificate for DC
CTXDC
certificate 0:
Serial Number: 611648d2000000000030
Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
NotBefore: 2013/4/21 12:05
NotAfter: 2014/4/21 12:05
Subject: CN=CTXDC.demo2.internal.jiean-technologies.lan
Certificate Template Name: DomainController
Non-root Certificate
template: DomainController, domain controller
Cert Hash(sha1): e5 e5 5f 80 b0 cd 7f b5 3d 86 51 3e f3 70 d0 8e 39 48 45 cd
dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
Application[0] = 1.3.6.1.5.5.7.3.1Server Authentication
Application[1] = 1.3.6.1.5.5.7.3.2Client Authentication
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_NT_AUTH
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 10 Hours, 36 Minutes, 16 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 10 Hours, 36 Minutes, 16 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
NotBefore: 2013/4/21 12:05
NotAfter: 2014/4/21 12:05
Subject: CN=CTXDC.demo2.internal.jiean-technologies.lan
Serial: 611648d2000000000030
SubjectAltName: Other Name:DS object GUID=04 10 f1 68 15 d4 e6 4a 8c 40 80 c6 15 16 1d 26 49 4d, DNS Name=CTXDC.demo2.internal.jiean-technologies.lan
Template: DomainController
e5 e5 5f 80 b0 cd 7f b5 3d 86 51 3e f3 70 d0 8e 39 48 45 cd
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
CRL 54:
Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
52 95 06 73 26 3a 6a 22 a3 6f d7 6e b2 f3 4c 3d 02 9b 7e 54
Delta CRL 55:
Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
8c c0 97 5e a3 13 9d a1 5c a2 c1 86 e8 65 ff b0 8b ea f4 a3
Application[0] = 1.3.6.1.5.5.7.3.2Server Authentication
Application[1] = 1.3.6.1.5.5.7.3.1Client Authentication
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
NotBefore: 2013/4/11 11:57
NotAfter: 2018/4/11 12:07
Subject: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
Serial: 781902753c5627b64bd4e45c38b648df
Template: CA
24 43 b0 79 33 8d f4 74 2d 52 df 75 3a 50 73 85 62 25 fb 86
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Exclude leaf cert:
33 0e 29 2d 44 b0 f9 5d a8 7d 03 26 52 e0 cf 00 4c bf 66 2d
Full chain:
04 60 4a 63 ea 44 36 5a 8a 3e 43 b5 23 2a ee 8e a6 05 16 3b
------------------------------------
Verified Issuance Policies: None
Verified Application Policies:
1.3.6.1.5.5.7.3.2Server Authentication
1.3.6.1.5.5.7.3.1Client Authentication
1 KDC certs for CTXDC
CertUtil: -DCInfo command completed successfully.
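As an added defender-side check (example code, not from the original post), the script below inventories the DC's machine certificate store the way a troubleshooter would after seeing Event 29: for each certificate it lists the template, validity, private-key presence, the EKUs it carries (the Server and Client Authentication OIDs shown in the certutil output above, plus the KDC Authentication OID from RFC 4556 and Microsoft's Smart Card Logon OID), and whether a chain builds with the same revocation setting certutil used (root excluded). It is written for the PowerShell 2.0 that ships with 2008 R2.

```powershell
# Added example: inventory the DC's machine certificates the KDC could pick for PKINIT.
# Run in an elevated PowerShell on the domain controller.
$ekuNames = @{
    '1.3.6.1.5.5.7.3.1'      = 'Server Authentication'
    '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'
    '1.3.6.1.5.2.3.5'        = 'KDC Authentication'   # RFC 4556 id-pkinit-KPKdc
    '1.3.6.1.4.1.311.20.2.2' = 'Smart Card Logon'
}
# V1 template name extension and V2 template information extension.
$templateOids = @('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7')

foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    # Collect the EKU OIDs present on this certificate.
    $ekus = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekus += ($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }
    $template = ($cert.Extensions |
        Where-Object { $templateOids -contains $_.Oid.Value } |
        ForEach-Object { $_.Format($false) }) -join '; '

    # Build the chain as certutil -dcinfo verify did: online revocation, root excluded.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $chainOk     = $chain.Build($cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    $now = Get-Date
    New-Object PSObject -Property @{
        Subject     = $cert.Subject
        Thumbprint  = $cert.Thumbprint
        Template    = $template
        NotAfter    = $cert.NotAfter
        InValidity  = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        HasPrivKey  = $cert.HasPrivateKey
        EKUs        = ($ekus | ForEach-Object { if ($ekuNames[$_]) { $ekuNames[$_] } else { $_ } }) -join ', '
        KdcAuthEku  = ($ekus -contains '1.3.6.1.5.2.3.5')
        ChainBuilds = $chainOk
        ChainStatus = $chainStatus
    }
} | Format-List
```

Note that .NET's X509Chain does not apply the CERT_CHAIN_POLICY_NT_AUTH check that certutil performs, so a certificate that chain-builds here can still fail if its issuing CA is missing from the NTAuth store; keep certutil -dcinfo verify as the authoritative check for that part.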