Re: Problem with a smart card logon in the Domain A and Domain B

From: Miha Pihler (mihap-news_at_atlantis.si)
Date: 08/25/04


Date: Wed, 25 Aug 2004 15:24:20 +0200

Hi,

One option is using certutil. Copy the certutil.exe and certadm.dll files to
the client PC (from the CA server -- I tested this on Windows XP and it works).

Export the public key to the client and save it as pub.cer in e.g. a temp folder
together with the above files. Run the following command:

certutil -url pub.cer

A GUI comes up; make sure CRLs (from CDP) is selected. Click on Retrieve.
Check under the Status column in the GUI and in the command-line window for any errors.

Mike

<anonymous@discussions.microsoft.com> wrote in message
news:0d6a01c48aa3$34605f90$7d02280a@phx.gbl...
> Hi Mike,
> sorry, but how do I check if the client from domain B accesses the
> CRL that is defined in the certificate and, if it can't reach the
> CRL, will deny logon using the smart card?
> Do you know a tool to verify CRL client access?
>
> Best regards,
> Ale.
>
>
> >-----Original Message-----
> >Hi,
> >
> >You will need to check a few things:
> >* First, does the client trust your certificate (does it have the
> >certificate chain in its certificate store)? Does it have information
> >about the Root CA (and any other subordinate CAs) that may be involved
> >in issuing the certificate?
> >* Second, can the client from domain B access the CRL that is defined
> >in the certificate? If it can't reach the CRL it will deny logon using
> >the smart card.
> >
> >Can you open your certificate (e.g. public key) and under the Details
> >tab look for CRL Distribution Point and check whether the paths are
> >accessible.
> >
> >Mike
> >
> >"Ale" <Ale@discussions.microsoft.com> wrote in message
> >news:5B82095A-D740-455E-A848-3425C84990D7@microsoft.com...
> >> Hi,
> >>
> >> we have two Windows 2003 forests (both monodomain forests) with a
> >> bidirectional trust between the domains.
> >>
> >> Domain A contains the user accounts and a Certification Authority that
> >> issues smart card logon certificates.
> >> Domain B contains application servers.
> >>
> >> If a user tries a smart card logon in Domain A (from a station joined
> >> to Domain A), the logon works.
> >> If a user tries a smart card logon in Domain A (from a station joined
> >> to Domain B), the logon fails with a message saying that it is
> >> impossible to validate the credentials! (A normal logon with a userId
> >> + password works.)
> >>
> >> Best regards!
> >
> >
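A scripted version of the CRL-reachability check discussed in this thread, added here as an example and not part of any post above: it reads the CRL Distribution Points out of the exported certificate and fetches each HTTP CDP from the client, then hands the downloaded CRL to certutil for its validity window. It assumes the public key was exported to C:\temp\pub.cer (a placeholder path) and that certutil.exe is on the client, as in Mike's procedure.

```powershell
# Added example, not from the original thread: enumerate the CRL Distribution
# Points of an exported certificate and test each HTTP CDP from this client.
# Assumption: the public key was exported to C:\temp\pub.cer (placeholder path)
# and certutil.exe is available on the client, as in the procedure above.
param([string]$CertPath = 'C:\temp\pub.cer')

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
Write-Host "Subject : $($cert.Subject)"
Write-Host "Issuer  : $($cert.Issuer)"

# OID 2.5.29.31 is the CRL Distribution Points extension; Format($true)
# renders it as multi-line text with one 'URL=' entry per distribution point.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) {
    Write-Warning 'No CRL Distribution Points extension: revocation cannot be checked from this certificate.'
    return
}
$urls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }

foreach ($url in $urls) {
    if ($url -notlike 'http*') {
        # LDAP CDPs point into the issuing forest's directory; a client in the
        # other forest may not resolve them. Test those with 'certutil -url'.
        Write-Host "SKIP    : $url (non-HTTP CDP, test with 'certutil -url')"
        continue
    }
    try {
        $bytes = (New-Object System.Net.WebClient).DownloadData($url)
        # A DER-encoded CRL starts with an ASN.1 SEQUENCE tag (0x30); anything
        # else (e.g. an HTML error page returned with HTTP 200) is not a CRL.
        if ($bytes.Length -lt 2 -or $bytes[0] -ne 0x30) {
            Write-Host "FAIL    : $url returned $($bytes.Length) bytes that are not a DER CRL"
            continue
        }
        $tmp = Join-Path $env:TEMP 'cdp-check.crl'
        [System.IO.File]::WriteAllBytes($tmp, $bytes)
        # certutil -dump prints the CRL's validity window; a CRL whose NextUpdate
        # has passed fails revocation checking just like an unreachable URL.
        $validity = certutil.exe -dump $tmp | Select-String 'ThisUpdate|NextUpdate'
        Write-Host "OK      : $url ($($bytes.Length) bytes)"
        $validity | ForEach-Object { Write-Host "          $($_.Line.Trim())" }
    } catch {
        Write-Host "FAIL    : $url ($($_.Exception.Message))"
    }
}
```

Run it on the station joined to domain B, since that is the client whose view of the CDP matters; a FAIL or SKIP line for every CDP reproduces the condition under which Windows refuses the smart card logon.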