Problems enabling smart card login on Windows 2000

From: Matthias (Matthias_at_discussions.microsoft.com)
Date: 07/20/04


Date: Tue, 20 Jul 2004 08:44:01 -0700

After installing a Windows 2000 Server and a Windows 2000 Professional system from scratch
following the numerous step-by-step guides and How-Tos, such as
- Installing a Windows 2000 Server as a Domain Controller
- Installing a Windows 2000 Professional Workstation and Connecting It to a Domain
- Managing the Active Directory
- Setting up a Certificate Authority
- Advanced Certificate Management
- End User Certificate Management
- Setting Up Certification Authority Trust for a Domain
- Installing and Using a Smart Card Reader
- Publish a Certificate Revocation List in Windows 2000
- ...

...we still have problems with smart card login!

Among others the server is running the following services
- Active Directory
- Certificate Services (with enterprise root CA)
- DNS server
- IIS with certificate service web pages
- Kerberos Key Distribution
- Smart Card

We initialized our smart card for a test user.
The smart card contains the key pair and the corresponding certificate issued by the enterprise CA installed on the server.

Trying to log in by inserting the card and entering the PIN (the card reader's LED indicates activity), we finally get this message:

"The system could not log you on. Your credentials could not be verified."

as described in
http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/smrtcard.mspx

The causes noted there ("domain controller unavailable" or "invalid CRL") seem not to be the answer, since we get the same error trying to log in to the server itself (= domain controller = CA = Active Directory)!

After enabling Kerberos auditing, the following error appears in the system log:

The function LogonUser received a Kerberos Error Message:
         on logon session huber@unknown.local
 Client Time:
 Server Time: 14:12:38.0000 7/20/2004 (null)
 Error Code: 0x3e KDC_ERR_CLIENT_NOT_TRUSTED
 Client Realm:
 Client Name:
 Server Realm: UNKNOWN.LOCAL
 Server Name: krbtgt/UNKNOWN.LOCAL
 Target Name: krbtgt/UNKNOWN.LOCAL@UNKNOWN.LOCAL
 Error Text:
 File:
 Line:
 Error Data is in record data.
 0000: 03a10530 010202

Searching for "KDC_ERR_CLIENT_NOT_TRUSTED" (google, msdn,...) provides no results.

Any help?!

Thanks!
Matthias
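The "Error Data" line of the audit event is DER-encoded. The following Python, added here and not part of Matthias's post, walks its tag-length-value structure so the record data can be read without a separate ASN.1 tool. It assumes that Event Viewer's hex pane prints each 32-bit word with its bytes reversed, so the dump `03a10530 010202` is taken to be the byte string `30 05 a1 03 02 01 02`, the one reading under which the data is valid DER; the meaning of the decoded integer is not interpreted.

```python
"""Walk the DER structure in the 'Error Data' of a Kerberos audit event."""

# Constructed from the post's dump under the assumed byte-order reading
# described in the lead-in (Event Viewer word view, bytes reversed).
ERROR_DATA = bytes.fromhex("3005a103020102")


def _read_length(buf, pos):
    """Return (length, next_pos) for the DER length starting at buf[pos]."""
    first = buf[pos]
    if first < 0x80:                        # short form: one byte
        return first, pos + 1
    n = first & 0x7F                        # long form: n length bytes follow
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("indefinite or truncated length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def der_walk(buf, depth=0):
    """Decode a run of DER TLVs into (tag, depth, value) tuples.

    Constructed elements are recursed into (value None), universal INTEGERs
    are decoded, and other primitives are kept as raw bytes.
    """
    items, pos = [], 0
    while pos < len(buf):
        tag = buf[pos]
        length, pos = _read_length(buf, pos + 1)
        body = buf[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated element")
        pos += length
        if tag & 0x20:                      # constructed bit set: recurse
            items.append((tag, depth, None))
            items.extend(der_walk(body, depth + 1))
        elif tag == 0x02:                   # universal INTEGER
            items.append((tag, depth, int.from_bytes(body, "big", signed=True)))
        else:
            items.append((tag, depth, body))
    return items


def describe(items):
    """Render the walk as an indented outline, naming the tags seen here."""
    names = {0x30: "SEQUENCE", 0x02: "INTEGER"}
    lines = []
    for tag, depth, value in items:
        # Context-specific tags (class bits 10) are shown as [n].
        name = names.get(tag, f"[{tag & 0x1F}]" if tag & 0xC0 == 0x80 else f"tag 0x{tag:02x}")
        lines.append("  " * depth + name + ("" if value is None else f" {value}"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(der_walk(ERROR_DATA)))
```

Error code 0x3e (decimal 62) is the PKINIT code KDC_ERR_CLIENT_NOT_TRUSTED, which the KDC returns when it cannot validate the client certificate's chain to a CA it trusts for logon; decoding the e-data only shows what the KDC sent back, not which step of that validation failed.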