Re: Windows 2003 Kerberos error Event ID #8

From: dave (dave_at_discussions.microsoft.com)
Date: 02/23/05


Date: Wed, 23 Feb 2005 04:43:10 -0800

The certificate is valid and the CRLs are up to date. This is an intermittent
problem. The user can log on sometimes. It always seems to be a CRL from the
same CA. We have loaded the CRLs into the registry to expedite processing.
The CRL is huge (over 6M), but other sites are not having the same problem. I
have verified that the CRLs are valid and not expired using the Certificates
MMC. I was hoping the error bytes would give me some information.

The error message on the domain controller is KDC 21 "The client certificate
for the user xxxxxxxxx\xxxxxx is not valid, and resulted in a failed
smartcard logon".

I agree it looks like a problem with the CRL, but sometimes the user can
log on at 6:30am but not at 8:30.

"Steven L Umbach" wrote:

> The link below is for general Kerberos troubleshooting, but the problem seems
> to be related to the smart card. Possibly the certificate has expired, was
> revoked, or the private key is corrupted. If this is happening with all
> smart card users, then there is a problem with the wrong certificate type or
> an inability to locate the CRL or CA certificate, etc. Check Event Viewer on
> both computers for any helpful info. --- Steve
>
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx
>
> "Kerberos Error #8" <Kerberos Error #8 @discussions.microsoft.com> wrote in
> message news:06B784D8-1AE7-4D46-85A9-A96606DF585B@microsoft.com...
> > I am getting the following message: "The Domain Controller rejected the
> > client certificate used for smartcard logon. The error data contains the
> > information returned from the certificate validation process." The error
> > data bytes are 13 20 09 80.
> > Where can I find out what the error data bytes mean?
>
>
>
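Decoding the error data bytes, as an added worked example that is not part of the original thread: the four bytes the event log shows are a little-endian DWORD, so `13 20 09 80` reads as HRESULT 0x80092013, which winerror.h names CRYPT_E_REVOCATION_OFFLINE ("the revocation function was unable to check revocation because the revocation server was offline"). That code says the KDC could not complete the revocation check, not that the certificate itself failed validation, which fits the on-again, off-again pattern and the very large CRL dave describes. The script below is my own (Python, with a hand-picked and non-exhaustive table of winerror.h constants); it parses the bytes, splits the HRESULT into severity, facility and code, names it if the table knows it, and gives a coarse triage. On any Windows host `certutil -error 0x80092013` prints the same symbolic name.

```python
"""Decode the four 'error data' bytes Windows logs with a rejected
smart-card logon (e.g. '13 20 09 80') into a Win32 HRESULT.

Added example, not code from the thread. The constant table below is a
hand-picked, non-exhaustive subset of winerror.h.
"""
import struct

# Facility numbers from winerror.h that certificate validation uses.
FACILITIES = {
    9: "FACILITY_SSPI/SECURITY (CRYPT_E_*, SEC_E_*, TRUST_E_*)",
    11: "FACILITY_CERT (CERT_E_*)",
}

# HRESULT -> (symbolic name, meaning). Values and wording from winerror.h.
KNOWN = {
    0x80092010: ("CRYPT_E_REVOKED",
                 "The certificate is revoked."),
    0x80092011: ("CRYPT_E_NO_REVOCATION_DLL",
                 "No DLL or exported function was found to verify revocation."),
    0x80092012: ("CRYPT_E_NO_REVOCATION_CHECK",
                 "The revocation function was unable to check revocation for the certificate."),
    0x80092013: ("CRYPT_E_REVOCATION_OFFLINE",
                 "The revocation function was unable to check revocation because the revocation server was offline."),
    0x80092014: ("CRYPT_E_NOT_IN_REVOCATION_DATABASE",
                 "The certificate is not in the revocation server's database."),
    0x800B0101: ("CERT_E_EXPIRED",
                 "A required certificate is not within its validity period."),
    0x800B0109: ("CERT_E_UNTRUSTEDROOT",
                 "The chain terminates in a root certificate that is not trusted."),
    0x800B010A: ("CERT_E_CHAINING",
                 "A certificate chain could not be built to a trusted root authority."),
    0x800B010C: ("CERT_E_REVOKED",
                 "A certificate was explicitly revoked by its issuer."),
    0x800B0110: ("CERT_E_WRONG_USAGE",
                 "The certificate is not valid for the requested usage."),
    0x80096004: ("TRUST_E_CERT_SIGNATURE",
                 "The signature of the certificate cannot be verified."),
}

# Codes that mean "the check could not be completed" versus codes that mean
# "the certificate really is bad". The distinction matters for intermittent
# failures: the first group points at CRL fetch/processing, not at the card.
INCOMPLETE_CHECK = {0x80092011, 0x80092012, 0x80092013}
DEFINITELY_REVOKED = {0x80092010, 0x800B010C}


def parse_error_data(text):
    """'13 20 09 80' -> 0x80092013. The log prints the DWORD's bytes in
    memory order, i.e. little-endian on x86."""
    raw = bytes.fromhex(text.replace(" ", ""))
    if len(raw) != 4:
        raise ValueError("expected exactly four bytes, got %d" % len(raw))
    return struct.unpack("<I", raw)[0]


def describe_hresult(hr):
    """Split an HRESULT into its fields and name it if it is in KNOWN."""
    name, meaning = KNOWN.get(
        hr, ("<not in table>",
             "look it up with `certutil -error 0x%08X` or in winerror.h" % hr))
    facility = (hr >> 16) & 0x7FF
    return {
        "hresult": "0x%08X" % hr,
        "failed": bool(hr >> 31),          # severity bit set => failure
        "facility": facility,
        "facility_name": FACILITIES.get(facility, "other"),
        "code": hr & 0xFFFF,
        "name": name,
        "meaning": meaning,
    }


def classify(hr):
    """Coarse triage: was the cert rejected, or did the check not finish?"""
    if hr in DEFINITELY_REVOKED:
        return "revoked"
    if hr in INCOMPLETE_CHECK:
        return "revocation check incomplete"
    if (hr >> 16) & 0x7FF == 11:
        return "chain or validity failure"
    return "other"


if __name__ == "__main__":
    import sys
    # Default input is the byte string quoted in the thread.
    data = sys.argv[1] if len(sys.argv) > 1 else "13 20 09 80"
    hr = parse_error_data(data)
    for key, value in describe_hresult(hr).items():
        print("%-14s %s" % (key + ":", value))
    print("%-14s %s" % ("triage:", classify(hr)))
```

Run it with the bytes from the event as the only argument, in the order the log shows them; the triage line is the part worth acting on, since "revocation check incomplete" sends you to CRL reachability, size and caching on the DC rather than to the card or the user's certificate.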
