windows smart card logon and kdc certificate (2008R2)


Dear all,

We are trying to implement smart card logon on a 2008 R2 DC and CA. Environment:

Domain controller - windows server 2008 R2

CA - windows server 2008 R2

testing server - windows server 2008 R2

When using smart card logon, a message pops up: "The system could not log you on. You cannot use a smart card to log on because smart card logon is not supported for your user account. Contact your system administrator to ensure that smart card logon is configured for your organization."

The domain controller has an error message: "Event 19: This event indicates an attempt was made to use smartcard logon, but the KDC is unable to use the PKINIT protocol because it is missing a suitable certificate".

When running "net stop kdc && net start kdc" there is a warning: "Event 29: The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate."

There were 2 dead CAs in the environment; we deleted them manually by following the instructions in http://support.microsoft.com/kb/555151. We tried to renew the domain controller certificate with the instructions in http://technet.microsoft.com/en-us/library/cc734096.aspx and http://technet.microsoft.com/en-us/library/cc733944(v=ws.10).aspx. The result of "certutil -dcinfo verify" seemed to be correct, but events 19 and 29 are still there.

How could we resolve this problem? Thanks in advance.

The output of "certutil -dcinfo verify" is :

0: CTXDC

*** Testing DC[0]: CTXDC
**  Enterprise Root Certificates for DC CTXDC 

Certificate 0:
Serial Number: 781902753c5627b64bd4e45c38b648df
Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
 NotBefore: 2013/4/11 11:57
 NotAfter: 2018/4/11 12:07
Subject: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
Certificate Template Name: CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): 24 43 b0 79 33 8d f4 74 2d 52 df 75 3a 50 73 85 62 25 fb 86

**  KDC certificate for DC CTXDC 
certificate 0:
Serial Number: 611648d2000000000030
Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
 NotBefore: 2013/4/21 12:05
 NotAfter: 2014/4/21 12:05
Subject: CN=CTXDC.demo2.internal.jiean-technologies.lan
Certificate Template Name: DomainController
Non-root Certificate
template: DomainController, domain controller
Cert Hash(sha1): e5 e5 5f 80 b0 cd 7f b5 3d 86 51 3e f3 70 d0 8e 39 48 45 cd

dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
Application[0] = 1.3.6.1.5.5.7.3.1Server Authentication
Application[1] = 1.3.6.1.5.5.7.3.2Client Authentication
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_NT_AUTH
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 10 Hours, 36 Minutes, 16 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 10 Hours, 36 Minutes, 16 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
  NotBefore: 2013/4/21 12:05
  NotAfter: 2014/4/21 12:05
  Subject: CN=CTXDC.demo2.internal.jiean-technologies.lan
  Serial: 611648d2000000000030
  SubjectAltName: Other Name:DS object GUID=04 10 f1 68 15 d4 e6 4a 8c 40 80 c6 15 16 1d 26 49 4d, DNS Name=CTXDC.demo2.internal.jiean-technologies.lan
  Template: DomainController
  e5 e5 5f 80 b0 cd 7f b5 3d 86 51 3e f3 70 d0 8e 39 48 45 cd
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    CRL 54:
    Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
    52 95 06 73 26 3a 6a 22 a3 6f d7 6e b2 f3 4c 3d 02 9b 7e 54
    Delta CRL 55:
    Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
    8c c0 97 5e a3 13 9d a1 5c a2 c1 86 e8 65 ff b0 8b ea f4 a3
  Application[0] = 1.3.6.1.5.5.7.3.2Server Authentication
  Application[1] = 1.3.6.1.5.5.7.3.1Client Authentication

CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
  NotBefore: 2013/4/11 11:57
  NotAfter: 2018/4/11 12:07
  Subject: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
  Serial: 781902753c5627b64bd4e45c38b648df
  Template: CA
  24 43 b0 79 33 8d f4 74 2d 52 df 75 3a 50 73 85 62 25 fb 86
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

Exclude leaf cert:
  33 0e 29 2d 44 b0 f9 5d a8 7d 03 26 52 e0 cf 00 4c bf 66 2d
Full chain:
  04 60 4a 63 ea 44 36 5a 8a 3e 43 b5 23 2a ee 8e a6 05 16 3b
------------------------------------
Verified Issuance Policies: None
Verified Application Policies:
    1.3.6.1.5.5.7.3.2Server Authentication
    1.3.6.1.5.5.7.3.1Client Authentication
1 KDC certs for CTXDC

CertUtil: -DCInfo command completed successfully.
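A small checker for the "certutil -dcinfo verify" dump quoted in the post, added here as an example and not part of the original post. It parses the KDC certificate block and tests the properties Event 29 refers to: validity window, chain error status, a Server Authentication or KDC Authentication EKU, and the DC's DNS name in the SAN. The sample input is the post's own CertContext[0][0] block; the reference dates passed to audit() are constructed.

```python
"""Audit a `certutil -dcinfo verify` KDC certificate block for PKINIT readiness."""
import re
from datetime import datetime

# Sample input taken from the post above (the DC's KDC certificate element).
SAMPLE = """\
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
  NotBefore: 2013/4/21 12:05
  NotAfter: 2014/4/21 12:05
  Subject: CN=CTXDC.demo2.internal.jiean-technologies.lan
  SubjectAltName: Other Name:DS object GUID=04 10 f1 68 15 d4 e6 4a 8c 40 80 c6 15 16 1d 26 49 4d, DNS Name=CTXDC.demo2.internal.jiean-technologies.lan
  Template: DomainController
  Application[0] = 1.3.6.1.5.5.7.3.2Server Authentication
  Application[1] = 1.3.6.1.5.5.7.3.1Client Authentication
"""

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # EKU used by the DomainController template
KDC_AUTH = "1.3.6.1.5.2.3.5"        # KDC Authentication EKU (Kerberos Authentication template)
DATE_FMT = "%Y/%m/%d %H:%M"         # certutil's date layout as shown in the dump

def parse_cert_context(text):
    """Collect the named fields, EKU OIDs and SAN DNS names of one CertContext block."""
    fields = {"eku": [], "san_dns": [], "error_status": None}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"(Issuer|Subject|NotBefore|NotAfter|Template): (.*)", line)
        if m:
            fields[m.group(1)] = m.group(2)
        elif (m := re.match(r"CertContext\[\d+\]\[\d+\]: dwInfoStatus=\w+ dwErrorStatus=(\w+)", line)):
            fields["error_status"] = int(m.group(1), 16)
        elif (m := re.match(r"Application\[\d+\] = ((?:\d+\.)+\d+)", line)):
            fields["eku"].append(m.group(1))   # certutil glues the OID to its friendly name
        elif line.startswith("SubjectAltName:"):
            fields["san_dns"] = re.findall(r"DNS Name=([^,\s]+)", line)
    return fields

def audit(text, now_str):
    """Return a list of findings for the block; an empty list means nothing obviously wrong."""
    f = parse_cert_context(text)
    findings = []
    now = datetime.strptime(now_str, DATE_FMT)
    if not (datetime.strptime(f["NotBefore"], DATE_FMT) <= now <= datetime.strptime(f["NotAfter"], DATE_FMT)):
        findings.append("certificate not valid at %s" % now_str)
    if f["error_status"] != 0:
        findings.append("chain build reported dwErrorStatus=%s" % f["error_status"])
    if SERVER_AUTH not in f["eku"] and KDC_AUTH not in f["eku"]:
        findings.append("neither Server Authentication nor KDC Authentication EKU present")
    cn = re.search(r"CN=([^,]+)", f["Subject"]).group(1)
    if cn.lower() not in [d.lower() for d in f["san_dns"]]:
        findings.append("subject CN %s missing from SAN DNS names" % cn)
    return findings
```

Run against the post's own dump with a date inside the validity window, the checker returns no findings, which agrees with the poster's reading that the certutil output looks correct; the same block flags the certificate once it has expired.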
