none
Smartcard logon not supported for your user account

    Question

  • Can someone tell me what policy has changed here:  I have used the smartcard and its certificate to logon on windows 7 and DC is windows 2008R2.  I was testing revoke (hold) and unrevoke of one user cert.  After unrevoked, the CRL is republished but Windows will not login with this cert nor with other cert that is NOT revoked anymore.  It comes up with error "you cannot login.  Smartcard login is not supported for your user account".  I have searched every Policy and cannot find what has changed.  I also deleted the CRL cache from windows 7 at the user account to no avail.  Any suggestion?  
    Tuesday, March 13, 2012 12:00 AM

Answers

  • I re-installed the child DC and the childCA after removing the AD-CS, AD-DS roles from the child server.

    The new child domain worked.  I have revoked a cert (hold) and un-revoked it, clearing the crl cache in both DC and client each time, and it tests successfully. 

    I guess a corruption somewhere must have caused the child domain controller to lose its mind before.


    • Edited by p66272 Friday, March 23, 2012 6:45 PM
    • Marked as answer by p66272 Friday, March 23, 2012 6:45 PM
    Friday, March 23, 2012 6:44 PM

All replies

  • Hi,

    Thanks for posting here.

    For this issue, you may consider refer to the following article. Hope it helps.

    Requiring Smart Cards for logon – what happens when CRL publication fails
    http://blogs.technet.com/b/instan/archive/2008/12/08/requiring-smart-cards-for-logon-avoiding-the-outage-caused-by-expired-crl-s.aspx


    Best Regards,
    Aiden


    Aiden Cao

    TechNet Community Support

    Thursday, March 15, 2012 2:51 AM
    Moderator
  • aa) not that the client workstation would check the CRL. Actually, DCs check the client's certificate for validity against CRL. So if you deleted the caches on the client, it does not have effect. You need to purge caches on all the DCs.

    a) CRL has some validity period. When a CRL client downloads the CRL, it caches it for the duration of the validity period and does not touch the CRL Distribution Point anymore

    b) if a CRL client has already downloaded a valid CRL, it will not re-download it even after you re-publish a new CRL. This means, that re-publishing CRL works only for CRL clients that have not yet obtained the previous CRL

    c) yes, you are right, you can delete the CRL cache. But how did you do it? Every user has a CRL cache. The system has CRL cache. Network Service has its own separate CRL cache. There is now way how to delete all the system caches at once. There are also two caches - on disk and in memory caches. You would need to delete the disk caches for each user identity (user, system, network service, whatever...) by using:

    certutil -urlcache * delete

    and then restart the computer, or delete also the in memory cache by using the follwoing command for each user identity (your user, System, Network Service, whatever...):

    certutil -setreg chain\ChainCacheResyncFiletime @now

    d) this problem with deleting the caches means, that you are never sure, whether the cache has been really refreshed. rather wait for the CRL to expire normally to be sure to continue testing.

    All in all, I would wait for the normal CRL expiration to be sure it is really recached, and maybe shortened the interval during the testing period.

    ondrej.

    Thursday, March 15, 2012 6:57 AM
  • I know you both say something about CRL.  I monitored the network communication with wireshark, and find Kerberos error was the reason for not login.  KDC_ERR_PADATA_TYPE_NOSUPP.  I went in search of this and another article mentioned to enable DES, etc since AES is default in Win2008R2.  I did, but the problem is not resolved yet. 

    Only one cert was revoked in this test yet all smartcard certs are now not able to login.  That is why I went after the KDC error.  Still waiting for the solution.

    Thursday, March 15, 2012 7:37 PM
  • seems to me like your DC does not have a valid DC certificate. Are you sure the DC computer has got a DC certificate with Smart Card Logon usage in the Enhanced Key Usage field? If yes, please restart KDC service on the DC and look into the System and Application event log whether you don't find any errors stating that something is wrong with its certificate.

    Another issue with the same error would be NTAuth certificates. Do you have the IssuingCA's certificate installed in the NTAuth store in the AD? Did you touch or modify the NTAuth store with the Enterprise PKI console?

    Once, I had the same problem problem. It was that the Enterprise PKI console (Windows 2008 R2) corrupted the AD store. Although it displayed the certificate as installed correctly and everything seemed ok, the DC was not willing to accept the certificate and I received the same errors. So did you do anything with the Enterprise PKI console? If yes, I would try to remove the NTAuth certificates and re-published them by using CERTUTIL - this repair worked for me then.

    ondrej.

    Thursday, March 15, 2012 10:11 PM
  • Narrowing it down.  I realize I can use smartcard logon if the user account is on parent DC.  But all accounts on CHild DC are getting the "user account not setup for smartcard logon".  (Both parent and child DCs are win2008 R2).  I also notice the "users" object in the child DC does NOT have "security" in its "properties".  Is this new in Windows2008R2? Some policy configuration someone needs to tell me.  Evidently something is different  between Child-DC of Win2008R2 compared to Child DC in windows2003 which worked before.  Any info will help.
    Tuesday, March 20, 2012 12:36 AM
  • I re-installed the child DC and the childCA after removing the AD-CS, AD-DS roles from the child server.

    The new child domain worked.  I have revoked a cert (hold) and un-revoked it, clearing the crl cache in both DC and client each time, and it tests successfully. 

    I guess a corruption somewhere must have caused the child domain controller to lose its mind before.


    • Edited by p66272 Friday, March 23, 2012 6:45 PM
    • Marked as answer by p66272 Friday, March 23, 2012 6:45 PM
    Friday, March 23, 2012 6:44 PM