Smartcard Logon problem after DC Upgraded to Windows 2003

From: ersin (ersin.gulacti_at_gmail.com)
Date: 09/16/05


Date: 16 Sep 2005 09:10:12 -0700

We have been using Windows smartcard logon functionality using a
third-party CA's certificates. Our DC servers were using Windows 2000
Advanced Server SP4 and our clients were using Windows 2000
Professional SP4. Recently we upgraded our DC servers to Windows 2003
SP1 but client OS didn't change. After this upgrade we are not able to
use smartcard logon.

In our configuration we have a root CA and a sub CA, this sub CA issues
users' certificates.

For troubleshooting I run the following commands

 dsstore -checksc
 Certutil.exe -scinfo

Both commands showed no errors. Then I tried

 Certutil.exe -scinfo -v -urlfetch

In the output of this command I saw the following error:

  ---------------- Certificate CDP ----------------
419.2349.0: 0x80070002 (WIN32: 2)
419.2349.0: 0x80070002 (WIN32: 2)
  Bad Authority Key Id "Base CRL" Time: 0
    [0.0]
ldap:///CN=OurCA,CN=DC1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=test,DC=net?certificateRevocationList?base?objectclass=cRLDistributionPoint

  Bad Authority Key Id "Base CRL" Time: 0
    [1.0] http://web1.test.net/TESTCA.crl

------------------

After this message I checked the CRL. It has a Authority Key ID but the
sub CA that issues this CRL doesn't have a Subject KeyID in its own
certificate.

What may be the cause of this? Does Windows 2003 have different
certificate handling mechanisms?