Re: HELP....smart card certificate was not trusted - logon denied !

barabba72_at_hotmail.com
Date: 07/27/05

Next message: VirendraSharma: "How to restrict CMD.EXE and taskmgr.exe through GPO in windows 200"
Previous message: Danny Sanders: "Re: Can't open domain security policy in AD when primary domain controller is turned off"
In reply to: Brian Komar: "Re: HELP....smart card certificate was not trusted - logon denied !"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: 27 Jul 2005 12:14:02 -0700

Thank you both for your helping me. I really appreciate it.
Tomorrow I will check what you suggest and will post any results.

Regards.

Brian Komar wrote:
> In article <1122479483.985641.177310@f14g2000cwb.googlegroups.com>,
> barabba72@hotmail.com says...
> > Hi all,
> >
> > I have a particular user who cannot logon using his smart card. He was
> > able to use it until yesterday.
> > The terminal server says that "the smart card certificate used for
> > authentication was not trusted".
> >
> > Other users have no problems in logging on to the domain using smart
> > cards.
> >
> > I checked the user's published certificate and it's ok, still valid.
> > the CRL distribution point is also fine and still valid. I already
> > checked Microsoft Knowledge Base 281245.
> >
> > Windows 2000 domain - PKI,
> > Windows 2003 Terminal Server
> > Windows XPE Thin Clients in workgroup
> > ActivCard Gold 2.3.1
> >
> > Anyone has an idea ?
> > Thank you very much for your help.
> >
> >
> Do the following command from both the client computer and the terminal
> services computer. The command requires that you export the smart card
> certificate as a DER or BASE64 file.
>
> certutil -verify -urlfetch <certfile>
>
> The output should provide information as to why the certificate is not
> trusted.
>
> Brian
> --
> ==
> Brian Komar
> MVP - Windows - Security
> http://www.identit.ca/blogs/brian

Next message: VirendraSharma: "How to restrict CMD.EXE and taskmgr.exe through GPO in windows 200"
Previous message: Danny Sanders: "Re: Can't open domain security policy in AD when primary domain controller is turned off"
In reply to: Brian Komar: "Re: HELP....smart card certificate was not trusted - logon denied !"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: Re: PKI SC Logon with no UPN.
... "Brian Komar" wrote: ... > the certificate to ... > For details on what is required to issue smart card certs from ... > Note that the SAN must include the UPN ...
(microsoft.public.win2000.security)
Re: EFS and Certificate Services
... MCSE, MCP +I MCP ... "Brian Komar" wrote: ... >> CA's should not be issuing certs to clients. ... > Where are you seeing the second certificate, ...
(microsoft.public.win2000.security)
Re: SSL and Remote Desktop
... "Brian Komar (MVP)" wrote: ... the only option I had to install the CA as is stand alone. ... when I’m in the certificate mmc and I try to request new ...
(microsoft.public.security)
Re: Modify Default User Template in Certificate Server
... have them "submit an advanced certificate request"...... ... "Brian Komar " wrote: ... > template, and then make the modifications to the new version 2 template. ...
(microsoft.public.security)
Re: Problem with smart card login
... > certificate from the smart card the user can still can log in to the ... > Are windows cashing som informatiion somewhere? ... When the user is logging in, are they typing the PIN for the smart card? ... Brian Komar ...
(microsoft.public.win2000.security)