Re: Windows 2003 Kerberos error Event ID #8

From: Steven Umbach (n9rou_at_n0spam-comcast.net)
Date: 02/24/05


Date: Wed, 23 Feb 2005 23:44:03 -0600

Hmm. That does sound strange. It might be worthwhile to issue the user a new
smart card to see if that could possibly fix the problem if it is isolated to
that one user. --- Steve

"dave" <dave@discussions.microsoft.com> wrote in message
news:B99A764A-C9E8-4A20-9915-93A4BF9F34B6@microsoft.com...
> The certificate is valid and the CRLs are up to date. This is an intermittent
> problem. The user can log on sometimes. It always seems to be a CRL from the
> same CA. We have loaded the CRLs into the registry to expedite processing.
> The CRL is huge (over 6M) but other sites are not having the same problem. I
> have verified that the CRLs are valid and not expired using the certificates
> mmc. I was hoping the error bytes would give me some information.
>
> The error message on the domain controller is KDC 21 "The client certificate
> for the user xxxxxxxxx\xxxxxx is not valid, and resulted in a failed
> smartcard logon".
>
> I agree it looks like a problem with the CRL but sometimes the user can
> log on at 6:30am but not at 8:30.
>
> "Steven L Umbach" wrote:
>
> > The link below is for general Kerberos troubleshooting but the problem seems
> > to be related to the smart card. Possibly the certificate has expired, was
> > revoked, or the private key is corrupted. If this is happening with all
> > smart card users then there is a problem with wrong certificate type or
> > inability to locate the CRL or CA certificate, etc. Check Event Viewer on
> > both computers for any helpful info. --- Steve
> >
> > http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx
> >
> > "Kerberos Error #8" <Kerberos Error #8 @discussions.microsoft.com> wrote in
> > message news:06B784D8-1AE7-4D46-85A9-A96606DF585B@microsoft.com...
> > > I am getting the following message "The Domain Controller rejected the
> > > client certificate used for smartcard logon. The error data contains the
> > > information returned from the certificate validation process." The error
> > > data bytes are 13 20 09 80.
> > > Where can I find out what the error data bytes mean?
> >
> >
> >


