Smartcard Domain Logon with 3rd Party CA works on 1 of 3 DCs



Hello,

We have an issue here: since implementing a new CA for production smartcard
enrollment we are only able to log in to one DC of 3.
All DCs have new valid certs and have the CA certs. The events logged with the KDC and
Kerberos debug levels are:
Failed to check client certificate: 0x3e
KLIN(4030c26) Failed to check pre-auth data: 0x3e
The event log says: client cert not valid, source: KDC, event ID: 21

The error on the client side is:
with Vista: source Security-Kerberos, event ID 8
with XP: source Kerberos, event ID 8: server rejected client certificate
used for smartcard logon.
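The following script is an added example and is not part of the original post. The KDC status 0x3e is decimal 62, which RFC 4556 defines as KDC_ERR_CLIENT_NOT_TRUSTED: the DC could not validate the smartcard certificate to a CA it trusts for logon. Since one DC accepts the same certificate and two reject it, the useful check is to run the same validation on each DC and diff the results. The script assumes the smartcard user's certificate has been exported to a .cer file (the path is an assumption) and reads the DC's locally cached NTAuth store from the registry location that autoenrollment populates.

```powershell
# Added example, not from the original post. Run this ON EACH of the three DCs with
# the same exported smartcard user certificate and compare the output line by line.
# $UserCertPath is an assumed location of that certificate exported as a .cer file.
param(
    [Parameter(Mandatory = $true)]
    [string]$UserCertPath   # assumed, e.g. C:\temp\smartcard-user.cer
)

$X509 = 'System.Security.Cryptography.X509Certificates'
$cert = New-Object -TypeName "$X509.X509Certificate2" -ArgumentList $UserCertPath
Write-Output ("Subject : {0}" -f $cert.Subject)
Write-Output ("Issuer  : {0}" -f $cert.Issuer)

# 1. Build the chain the way the KDC does from this DC: whole chain, CRLs fetched
#    online. A DC that cannot reach the new CA's CRL distribution point fails here
#    even though the CA certificate itself is installed.
$chain = New-Object -TypeName "$X509.X509Chain"
$chain.ChainPolicy.RevocationMode = 'Online'       # [X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = 'EntireChain'  # [X509RevocationFlag]::EntireChain
$chainOk = $chain.Build($cert)
Write-Output ("Chain builds with online revocation: {0}" -f $chainOk)
foreach ($s in $chain.ChainStatus) {
    # Typical values: UntrustedRoot, PartialChain, RevocationStatusUnknown, OfflineRevocation
    Write-Output ("  ChainStatus: {0} - {1}" -f $s.Status, $s.StatusInformation.Trim())
}

# 2. The CA that issued the smartcard certificate must be in this DC's cached NTAuth
#    store. The cache is filled from AD by autoenrollment, so a DC that has not
#    refreshed since the new CA was published still rejects its certificates for logon.
$ntAuthKey = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates'
$ntAuthThumbprints = @()
if (Test-Path $ntAuthKey) {
    $ntAuthThumbprints = (Get-ChildItem $ntAuthKey).PSChildName |
        ForEach-Object { $_.ToUpperInvariant() }
}
Write-Output ("Cached NTAuth entries on this DC: {0}" -f $ntAuthThumbprints.Count)
if ($chain.ChainElements.Count -gt 1) {
    $issuer = $chain.ChainElements[1].Certificate
    $inNtAuth = $ntAuthThumbprints -contains $issuer.Thumbprint.ToUpperInvariant()
    Write-Output ("Issuing CA '{0}' in cached NTAuth: {1}" -f $issuer.Subject, $inNtAuth)
} else {
    Write-Output "Issuing CA could not be located (chain has no CA element); check Trusted Root / Intermediate stores"
}

# 3. Certificate content the KDC relies on: the Smart Card Logon EKU and a UPN in
#    the Subject Alternative Name, which is what it maps to the user account.
$ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$ekus = @()
if ($ekuExt) { $ekus = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } }
Write-Output ("Smart Card Logon EKU (1.3.6.1.4.1.311.20.2.2) present: {0}" -f ($ekus -contains '1.3.6.1.4.1.311.20.2.2'))
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($sanExt) {
    # Format() renders the SAN; the UPN shows up as 'Principal Name=user@domain'.
    Write-Output ("SAN: {0}" -f $sanExt.Format($false))
} else {
    Write-Output "SAN: missing (no UPN for the KDC to map to an account)"
}
```

Run it as `.\Test-SmartcardCert.ps1 -UserCertPath C:\temp\smartcard-user.cer` on the working DC first to get a known-good baseline, then on the two failing DCs. The DC whose output differs in step 1 or 2 is the one to fix: `certutil -verify -urlfetch C:\temp\smartcard-user.cer` is the command-line equivalent of the chain build and shows which CRL or AIA URL cannot be fetched from that DC, and `certutil -pulse` (or a `gpupdate /force` followed by a wait for autoenrollment) refreshes the cached enterprise stores, including NTAuth, on a DC that has not yet picked up the new CA.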
