Joining a Domain with Smart Card

  • Question

  • Hello,

    I know this should be a simple thing to do, but I cannot figure out how to join a new computer to our work domain using my smartcard. I work at a research lab and we are assigned smart cards for ID. Each smart card has a PIV Cert on it and a Digital Signature Cert. The PIV is for normal user login and my admin account (the one used to join machines to the domain) is linked to the Digital Signature Cert. Within the domain, both work fine. The GP settings used are "Allow certificates with no extended key usage certificate attribute" and "Allow signature keys valid for Logon"; both are enabled. We use ActivClient (from HID Global's ActivID series) for our cryptographic software. We have a standalone CA for our Domain, but the Certs on the smartcard are created in a different forest on a different CA. As such, none of the keys' UPNs nor Subject Alternative Names match our domain. We have all the keys (that were provided to us, all the way to the Root CA Cert) for the other CA imported into our CA. All DCs have a Domain Controller Authentication Cert provided by our CA.

    On a new computer, let's call it 'new', I have applied the following registry edits,

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider]
    "AllowCertificatesWithNoEKU"=dword:00000001
    "AllowSignatureOnlyKeys"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider]
    "X509HintsNeeded"=dword:00000001

    The first two mimic our GP settings within the domain. The other allows a domain\user to be supplied with the certificate authentication. The ActivClient software is installed. I have imported all the keys given to us from the non-domain CA and the Root Cert from our CA, as well as the keys for the DC. However, I continually get these two errors whenever I try to join 'new' to our domain. They show up in the Event Viewer.

    EventID: 11     Source:  Security-Kerberos

    "The Distinguished Name in the subject field of your smartcard logon certificate does not contain enough information to locate the appropriate domain on an unjoined machine. Please contact you system administrator."

    EventID:   9     Source:  Security-Kerberos

    "The client has failed to validate the Domain Controller certificate for <Correct DC>. The following error was returned from the certificate validation process: The revocation function was unable to check revocation because the revocation server was offline."

    Our local CA, used solely for smartcard authentication at logon, is always online, and no Certs in either our chain or the non-domain CA's chain are expired. I believe the second error (EventID: 9) is where everything goes South, since it says it is connecting to a DC in our domain. All the troubleshooting I have found for this error deals with websites and nothing with a Cert from a smartcard. As I stated at the top, everything works great within the domain, just not from the outside looking in. I also know permissions are not the problem. If I set my admin account to use username\password, joining to the domain is flawless.

    All suggestions welcomed.


    • Edited by KnotSure Tuesday, May 3, 2016 7:20 PM
    Tuesday, May 3, 2016 7:15 PM
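    The following PowerShell script is an added diagnostic for the situation described in the post above; it is not part of the original thread and not code from the poster. Run on the not-yet-joined machine, it checks the three things the post describes: the SmartCardCredentialProvider policy values that were set by hand, the Security-Kerberos events 9 and 11 in the System log, and whether the DC certificate's chain can be built with online revocation checking from this host, listing each CRL/AIA URL in the chain and whether it is reachable. It assumes the DC authentication certificate has been exported to the .cer file named in $DcCertPath (a placeholder path, not from the post).

```powershell
<#
  Added diagnostic script (not from the original post). Assumption: the DC
  authentication certificate has been exported to the .cer file in $DcCertPath
  (placeholder path). Run in an elevated PowerShell on the unjoined machine.
#>
param(
    [string]$DcCertPath = 'C:\temp\dc-auth.cer'   # placeholder path; assumption
)

# 1. Policy values the post sets by hand (same key the GP settings write to)
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider'
$expected = [ordered]@{
    AllowCertificatesWithNoEKU = 1   # "Allow certificates with no extended key usage"
    AllowSignatureOnlyKeys     = 1   # "Allow signature keys valid for Logon"
    X509HintsNeeded            = 1   # lets domain\user be supplied with the certificate
}
Write-Host '== SmartCardCredentialProvider policy =='
if (Test-Path $key) {
    $props = Get-ItemProperty -Path $key
    foreach ($name in $expected.Keys) {
        $actual = $props.$name
        $state  = if ($actual -eq $expected[$name]) { 'OK' } else { 'MISMATCH' }
        '{0,-28} expected={1} actual={2} {3}' -f $name, $expected[$name], $actual, $state
    }
} else {
    Write-Warning "Policy key not present: $key"
}

# 2. The two events quoted in the post are logged to System by this provider
Write-Host "`n== Recent Security-Kerberos events 9 / 11 =="
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Security-Kerberos'
    Id           = 9, 11
} -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace "`r?`n", ' ' } } |
    Format-Table -Wrap

# 3. Build the DC certificate's chain with online revocation checking, as the
#    Kerberos client must before trusting the KDC. OfflineRevocation or
#    RevocationStatusUnknown here corresponds to the "revocation server was
#    offline" text of Event 9.
Write-Host "`n== DC certificate chain and revocation =="
if (-not (Test-Path $DcCertPath)) {
    Write-Warning "DC certificate file not found: $DcCertPath"
    return
}
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $DcCertPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$built = $chain.Build($cert)
"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Chain OK: $built"
foreach ($s in $chain.ChainStatus) { "  status: $($s.Status) - $($s.StatusInformation.Trim())" }

# 4. List every CRL distribution point / AIA URL in the chain and try the HTTP
#    ones, so an unreachable CRL server is reported by name rather than as a flag.
Write-Host "`n== CDP / AIA URLs reachable from this machine? =="
foreach ($el in $chain.ChainElements) {
    $c = $el.Certificate
    foreach ($ext in $c.Extensions) {
        if ($ext.Oid.Value -notin '2.5.29.31', '1.3.6.1.5.5.7.1.1') { continue }   # CDP, AIA
        foreach ($m in [regex]::Matches($ext.Format($true), 'https?://\S+|ldap://\S+')) {
            $url = $m.Value.TrimEnd(')', ',')
            if ($url -like 'ldap://*') {
                "  [$($c.Subject)] $url  (LDAP CDP: needs domain access, skipped)"
                continue
            }
            try {
                $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
                "  [$($c.Subject)] $url  -> HTTP $($r.StatusCode)"
            } catch {
                "  [$($c.Subject)] $url  -> UNREACHABLE: $($_.Exception.Message)"
            }
        }
    }
}
```

    A chain that builds fine inside the domain but reports OfflineRevocation on the unjoined machine usually means the CRL distribution point in the DC certificate is an LDAP URL or an internal HTTP name that only a domain member can resolve or reach; the fourth section shows which URL that is. The built-in `certutil -urlfetch -verify <file.cer>` gives the same chain and URL report in one command if you prefer it to the script.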

All replies

  • KnotSure, did you ever get this resolved? We are looking for the same answer: how do we join a system to the domain using a smart card?
    Friday, December 8, 2017 12:43 PM