Re: Problem with a smart card logon in the Domain A and Domain B

From: Miha Pihler (mihap-news_at_atlantis.si)
Date: 08/25/04


Date: Wed, 25 Aug 2004 15:24:20 +0200

Hi,

One option is using certutil. Copy the certutil.exe and certadm.dll files to
the client PC (from the CA server -- I tested this on Windows XP and it works).

Export the public key to the client and save it as pub.cer in e.g. a temp folder
together with the above files. Run the following command:

certutil -url pub.cer

A GUI comes up; make sure "CRLs (from CDP)" is selected. Click on Retrieve.
Check under the Status column in the GUI and in the command line window for any errors.

Mike

<anonymous@discussions.microsoft.com> wrote in message
news:0d6a01c48aa3$34605f90$7d02280a@phx.gbl...
> Hi Mike,
> sorry, but how do I check if the client from domain B can access the
> CRL that is defined in the certificate, and if it can't reach the
> CRL it will deny logon using the smart card.
> Do you know a tool for verifying CRL client access?
>
> Best regards,
> Ale.
>
>
> >-----Original Message-----
> >Hi,
> >
> >You will need to check a few things:
> >* First, does the client trust your certificate (does it have the
> >certificate chain in its certificate store)? Does it have information
> >about the Root CA (and any other subordinate CAs) that may be involved
> >in issuing the certificate?
> >* Second, can the client from domain B access the CRL that is defined
> >in the certificate? If it can't reach the CRL it will deny logon using
> >the smart card.
> >
> >Can you open your certificate (e.g. the public key) and, under the
> >Details tab, look for CRL Distribution Point and check whether the
> >paths are accessible?
> >
> >Mike
> >
> >"Ale" <Ale@discussions.microsoft.com> wrote in message
> >news:5B82095A-D740-455E-A848-3425C84990D7@microsoft.com...
> >> Hi,
> >>
> >> we have two Windows 2003 forests (both monodomain forests) with a
> >> bidirectional trust between the domains.
> >>
> >> Domain A contains the user accounts and a Certification Authority that
> >> issues smart card logon certificates.
> >> Domain B contains application servers.
> >>
> >> If a user tries a smart card logon in Domain A (from a station joined
> >> to Domain A), the logon works.
> >> If a user tries a smart card logon in Domain A (from a station joined
> >> to Domain B), the logon fails with a message saying that it is
> >> impossible to validate the credentials! (A normal logon with a
> >> userId + password works.)
> >>
> >> Best regards!
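The checks Mike describes (does the domain B client trust the chain, and can it reach the CRL Distribution Points in the certificate) can also be scripted from the client instead of going through the certutil -url GUI. The following PowerShell is an added example, not code from the thread or from Microsoft; the certificate path C:\temp\pub.cer is an assumption, and it only downloads http(s) CDPs (ldap:// CDPs, which point at the issuing forest's Active Directory, are listed but must be checked separately from the domain B client).

```powershell
# Added example, not part of the original thread. Run on the domain B client
# against the exported certificate. Path is an assumption.
param([string]$CertPath = "C:\temp\pub.cer")

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"

# 2.5.29.31 is the CRL Distribution Points extension; Format($true) renders it as text.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) { Write-Warning 'No CRL Distribution Point extension in this certificate'; return }

# Pull every http(s) and ldap URL out of the rendered extension text.
$urls = [regex]::Matches($cdp.Format($true), '(https?|ldap)://\S+') |
        ForEach-Object { $_.Value } | Select-Object -Unique

foreach ($url in $urls) {
    if ($url -notmatch '^https?://') {
        # ldap:// CDPs live in the issuing forest's AD; a domain B client must reach
        # them too, but this script only fetches the http(s) ones.
        "SKIP    : {0} (ldap CDP, verify from this client with an LDAP query)" -f $url
        continue
    }
    try {
        $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
        # A DER-encoded CRL starts with a SEQUENCE tag (0x30); an HTML error page
        # served with HTTP 200 by a proxy or portal does not.
        $isDer = ($r.Content -is [byte[]]) -and ($r.Content.Length -gt 0) -and ($r.Content[0] -eq 0x30)
        "OK      : {0} ({1} bytes, looks like a DER CRL: {2})" -f $url, $r.Content.Length, $isDer
    } catch {
        "FAIL    : {0} ({1})" -f $url, $_.Exception.Message
    }
}

# Finally let Windows build and revocation-check the chain the way logon does,
# using only this client's certificate store plus online CRL retrieval. A
# failure here with a status such as RevocationStatusUnknown or OfflineRevocation
# is the CRL-reachability problem from the thread; UntrustedRoot or PartialChain
# is the missing-chain problem.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
if ($chain.Build($cert)) {
    'Chain   : builds and the revocation check passed'
} else {
    foreach ($s in $chain.ChainStatus) {
        "Chain   : {0} - {1}" -f $s.Status, $s.StatusInformation.Trim()
    }
}
```

Running this from a domain B workstation separates the two failure modes in Mike's list: the per-URL lines tell you whether the CDP is reachable at all from that network, and the chain status tells you whether the client would accept the certificate for logon once it is.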