Smartcard Logon certificate request from TP5 CA fails with CERTSRV_E_KEY_ATTESTATION

  • Question

  • I copied the built-in Smartcard Logon certificate template, and modified it as described in http://blogs.technet.com/b/pki/archive/2014/07/15/setting-up-tpm-protected-certificates-using-a-microsoft-certificate-authority-part-2-virtual-smart-cards.aspx, except the settings on the Compatibility tab had to be Windows Server Technical Preview in order to make the settings on the Key Attestation tab available.

    The Smartcard is a virtual Smartcard, created according to the instructions in the above-mentioned link.

    I had this working under TP4, so I wonder if there has been any change in TP5 that would affect this.


    Thursday, May 5, 2016 1:28 PM

All replies

  • Hi,

    Please check the event log on the CA server and clients and post the original event log here. It is helpful for further troubleshooting.

    Best Regards,

    Steven Lee

    Thursday, May 12, 2016 9:07 AM
  • We haven't changed anything between TP4 and TP5. 

    The CA was not able to do TPM key attestation. Hence, you would have to look up why it wasn't able to do so. Had you earlier chosen attestation preferred? And now it might be attestation required, which might be leading to the failure, as the CA can't attest.

    OCSP Tester

    Thursday, May 12, 2016 6:27 PM
  • Thanks for your reply. I tried to use one certificate template for both virtual smart card logon and TPM endorsement key attestation. That's what wasn't working. When I use separate certificate templates for each purpose everything works.
    It seems like a virtual smart card logon certificate needs the Microsoft Smart Card Key Storage Provider, and a TPM endorsement key attestation certificate needs the Microsoft Platform Crypto Provider.
    Friday, May 13, 2016 3:36 PM