Smartcard Logon problem after DC Upgraded to Windows 2003

From: ersin (ersin.gulacti_at_gmail.com)
Date: 09/16/05


Date: 16 Sep 2005 09:10:12 -0700

We have been using Windows smartcard logon functionality using a
third-party CA's certificates. Our DC servers were using Windows 2000
Advanced Server SP4 and our clients were using Windows 2000
Professional SP4. Recently we upgraded our DC servers to Windows 2003
SP1 but the client OS didn't change. After this upgrade we are not able to
use smartcard logon.

In our configuration we have a root CA and a sub CA, this sub CA issues
users' certificates.

For troubleshooting I ran the following commands:

 dsstore -checksc
 Certutil.exe -scinfo

Both commands showed no errors. Then I tried

 Certutil.exe -scinfo -v -urlfetch

In the output of this command I saw the following error:

  ---------------- Certificate CDP ----------------
419.2349.0: 0x80070002 (WIN32: 2)
419.2349.0: 0x80070002 (WIN32: 2)
  Bad Authority Key Id "Base CRL" Time: 0
    [0.0]
ldap:///CN=OurCA,CN=DC1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=test,DC=net?certificateRevocationList?base?objectclass=cRLDistributionPoint

  Bad Authority Key Id "Base CRL" Time: 0
    [1.0] http://web1.test.net/TESTCA.crl

------------------

After this message I checked the CRL. It has an Authority Key ID but the
sub CA that issues this CRL doesn't have a Subject Key ID in its own
certificate.

What may be the cause of this? Does Windows 2003 have different
certificate handling mechanisms?
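The check the poster did by hand (does the CRL's Authority Key Identifier point at a Subject Key Identifier that the issuing CA certificate actually carries?) can be scripted. The example below is added here and is not from the original post; it uses the Python `cryptography` package, and the CA name and key pair it builds are constructed samples, not the poster's real sub CA.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtensionOID, NameOID


def crl_aki_matches_issuer(crl, issuer):
    """Return (ok, reason). ok is True only when the CRL's AKI key identifier
    equals a Subject Key Identifier actually present in the issuer cert."""
    try:
        aki = crl.extensions.get_extension_for_oid(
            ExtensionOID.AUTHORITY_KEY_IDENTIFIER).value
    except x509.ExtensionNotFound:
        return True, "CRL carries no AKI; nothing to match against"
    try:
        ski = issuer.extensions.get_extension_for_oid(
            ExtensionOID.SUBJECT_KEY_IDENTIFIER).value
    except x509.ExtensionNotFound:
        # This is the situation in the post: AKI on the CRL, no SKI on the CA.
        return False, "issuer certificate has no SKI extension"
    if aki.key_identifier != ski.digest:
        return False, "CRL AKI does not equal issuer SKI"
    return True, "AKI/SKI match"


def build_sample(include_ski):
    """Constructed sample (hypothetical CA name): a self-signed CA certificate,
    with or without an SKI, plus a CRL it issues that always carries an AKI."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "OurCA (sample)")])
    now = datetime.datetime(2005, 9, 16, tzinfo=datetime.timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
               .public_key(key.public_key()).serial_number(1)
               .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
               .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True))
    if include_ski:
        builder = builder.add_extension(
            x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
    cert = builder.sign(key, hashes.SHA256())
    crl = (x509.CertificateRevocationListBuilder().issuer_name(name)
           .last_update(now).next_update(now + datetime.timedelta(days=7))
           .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(key.public_key()),
                          critical=False)
           .sign(key, hashes.SHA256()))
    return cert, crl
```

To check a real deployment, load the sub CA certificate with `x509.load_der_x509_certificate` (or the PEM variant) and the downloaded CRL with `x509.load_der_x509_crl`, then pass them to `crl_aki_matches_issuer`.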


