Authenticate to the Domain using a Smart Card

  • Question

  • Hi,

    I'm trying to get authenticated using the Smart Card but got the following error messages:

    On the Windows XP client, we inserted the PIV card, entered the PIN but received an error message “The system could not log you on. The server authenticating you reported an error (0xC00000BB).”

    On the Windows 7 client, we received an error message “The system could not log you on. You cannot use a smart card to log on because smart card logon is not supported for your user account.”

    Here is our environment:

    - Domain: Windows 2008 R2
    - Client: Windows XP SP3 and Windows 7
    - Smart Card: USAccess issued PIV card
    - Card Reader: SCR3310
    - Middleware: ActiveClient

    Here is what I have already done:

    - Imported the following Entrust certificates from http://sspweb.managed.entrust.com/EMSPKIFSSPCACertificateInformation.html into the Domain under the Trusted Root Certification Authorities
      - Common Policy CA Certificate
      - Common Policy to EMSPKI trust certificate
      - Federal Root CA Expires 06/01/2012
      - Federal SSP CA Expires 05/31/2012
      - Federal Root CA Expires 05/09/2019
      - Federal SSP CA Expires 05/08/2019
    - Added the certificates to the NTAuth store in the Domain
    - Posted the Domain controller certificate (issued by NIST internal CA) in the NTAuth store
    - Updated my UPN on the domain to match the Subject Alternative Name on the card “1300XXXXXXXXX@FEDIDCARD.GOV”
    - Domain policy pushed down the Entrust certificates and Domain Controller certificate to the client computer
    - Made PIV Card certificates available to Windows via ActiveClient middleware

    Am I missing some steps or configuration?

    Thank you,

    Thursday, January 21, 2010 6:31 PM

All replies

  • Hey, did you get this figured out?

    We are experiencing the exact same problem...


    Thanks
    Monday, February 22, 2010 3:06 PM
  • I'm attempting to do the same thing.  Has anybody been able to get this to work?
    Thursday, April 1, 2010 4:22 PM
  • Hi

    This problem is usually down to one of the following:

    1. Your SAM account doesn't match your User Principal Name.
    2. One of your DCs is missing a certificate, or one of the intermediate ones is missing / not trusted.

    I would also check the smart card mini driver, as this could also be causing the issue.

    As a first step, can you confirm that when logged on with user name & password you can access the smart card properly with the ActivID client & validate the trust chain for the cert it contains?

    Secondly, confirm that all your DC certs are trusted by validating the entire chain.

    Wednesday, April 7, 2010 8:45 PM
  • Is the client granted access to the server? Can you check all member groups of the particular client account on the server?
    Thursday, January 13, 2011 6:16 PM
  • We fixed the problem; it was actually related to how the certificates were generated for the domain controllers within the domain. You have to use a very specific template. There is a Microsoft Knowledge Base article that helped, but we needed to customize it for our environment.

    Thursday, January 13, 2011 6:43 PM
  • Hello,

    I know this is old but there does not seem to be anyone with definitive answers.

    Our domain uses a Shared Service Provider (VeriSign) for smartcard certificates. We have 2003 domain controllers with domain controller certificates that meet Microsoft criteria. Our clients are a mix of XP Pro SP3 and Windows 7 SP1. We have received the 0xc00000BB message on XP clients and the message indicating smart card logon is not supported for the user account in Windows 7 clients. We have not been able to determine what is causing the failure to logon.

    For Windows 7 the message regarding the user account not supporting smartcard logon is only received if we attempt to log on immediately after the CTRL+ALT+DEL prompt is displayed. If we wait a few minutes before attempting to log on, the logon will be successful. It appears that a driver or process is not loaded, causing the problem, but we have not been able to determine what exactly is holding things up.

    We cannot find any problems with the domain controller certificates or the templates used to create them. The user samAccountName is the same as the UPN. Although the error is not correct because the user accounts do support smartcard logon it cannot be safely ignored as it is preventing the user from logging on with their smartcard.

    Any helpful suggestions would be appreciated as there are many posts online without resolution.

    MagikD

    Tuesday, August 16, 2011 5:12 PM
  • Is your root certificate signed with SHA1 or SHA256?

    Are there any certs in the path between the authentication certificate and the root that are SHA256?

    Are the domain controllers all 2008R2?

    If you look at a client authentication cert on one of the XP machines can it show you the trust relationship all the way to the root certificate? 

    Tuesday, August 16, 2011 6:27 PM
  • All certificates in our PKI are signed using SHA256.

    All domain controllers are Windows 2003 Server SP2.

    Trust is displayed to a Root CA certificate on both Windows 7 and XP.

    Wednesday, August 17, 2011 12:16 PM
  • It is my understanding that SHA256 is going to cause problems in your environment (2003 servers)

    http://blogs.technet.com/b/pki/archive/2010/09/30/sha2-and-windows.aspx

    The situation with the Windows 7 systems doesn't make sense to me at all. Based on the way I understand it, the Windows 7 systems should still have problems since the domain controllers are 2003.

    http://download.microsoft.com/download/C/C/A/CCAEBE04-EB07-4415-9F82-BE33D3E42C60/HSPD-12%20Logical%20Access%20Authentication%20and%20Active%20Directory%20Domains.doc

    From the above: Windows XP SP3 and Windows Server 2003 with KB938397 can only perform certificate validation of SHA-256 certificates.

    Do you have that patch on your domain controllers?

    Wednesday, August 17, 2011 1:52 PM
  • Yes, we have the necessary patch on the Windows 2003 SP2 domain controllers.

    We are generally able to log on with the smart cards. The problem is experienced intermittently.

    My latest idea is that a networking issue is the cause but I have not been able to validate that assertion.

    There are not any events in the client event logs regarding any logon attempt failure even though the user receives the message their user account does not support smart card logon.

    Thursday, August 18, 2011 11:52 AM
  • It could be that the CRL is expired and it can't get a new one. I think I am having that problem on my laptop. I use it infrequently, and when it has been off for a while (a couple of days) I can't get logged in with my card. The way our wireless is set up, I have to log in for it to connect to the wireless network, so I can't use my card until I plug it in, or log in with username and password, get connected to the wireless and then log out again.
    Thursday, August 18, 2011 12:01 PM
  • We are experiencing this exact issue as well (immediately after boot, perhaps every third boot). I've found the error in the Security event log and the corresponding error on the DC. The DC has the Kerberos error (event id 675) 0x10 for the user name and 0x19 for the computer account. I can give you the exact errors if you are interested.

    Jim

    Saturday, August 20, 2011 1:49 AM
  • Here's the errors on the DC:

    First the computer account error - KDC_ERR_PREAUTH_REQUIRED - 0x19

    Followed by the user account error -

    Saturday, August 20, 2011 1:53 AM
  • KDC_ERR_PADATA_TYPE_NOSUPP - 0x10

    KDC_ERR_PREAUTH_REQUIRED - 0x19

    Saturday, August 20, 2011 1:54 AM
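The code pairs above (0x19 for the computer account, then 0x10 for the user) are raw Kerberos KRB-ERROR codes. Here is an added example, not from the thread, that decodes those codes and pre-authentication types and summarises failures from a domain controller's Security log. Event 675 is the Windows Server 2003 ID; 4768 (TGT requested) and 4771 (pre-authentication failed) are the Server 2008 and later equivalents. The sample event messages are constructed, and `Get-KerberosPreauthFailures` assumes it runs from a host with `Get-WinEvent` (PowerShell 3 or later) and rights to read the DC's Security log.

```powershell
# Added example (not from the thread): decode Kerberos pre-authentication
# failure codes such as the 0x10 / 0x19 pairs above and summarise them from a
# DC's Security log. The sample messages at the bottom are constructed.

# KRB-ERROR codes (RFC 4120 / RFC 4556) that matter for smart card (PKINIT) logon.
$KrbErrorNames = @{
    0x06 = 'KDC_ERR_C_PRINCIPAL_UNKNOWN (no account for this name/UPN)'
    0x0E = 'KDC_ERR_ETYPE_NOSUPP (encryption type not supported)'
    0x10 = 'KDC_ERR_PADATA_TYPE_NOSUPP (KDC cannot do PKINIT: check the DC certificate)'
    0x12 = 'KDC_ERR_CLIENT_REVOKED (account disabled, locked out or expired)'
    0x18 = 'KDC_ERR_PREAUTH_FAILED (bad PIN/password or card certificate)'
    0x19 = 'KDC_ERR_PREAUTH_REQUIRED (normal first round trip, benign on its own)'
    0x3E = 'KDC_ERR_CLIENT_NOT_TRUSTED (card certificate chain not trusted by the KDC)'
    0x42 = 'KDC_ERR_CANT_VERIFY_CERTIFICATE'
    0x44 = 'KDC_ERR_REVOKED_CERTIFICATE'
    0x45 = 'KDC_ERR_REVOCATION_STATUS_UNKNOWN (CRL/OCSP not reachable)'
    0x47 = 'KDC_ERR_CLIENT_NAME_MISMATCH (certificate UPN differs from account UPN)'
}

# Pre-authentication types: 16 (0x10) is PA-PK-AS-REQ, i.e. a smart card logon.
$PreAuthTypeNames = @{
    2  = 'PA-ENC-TIMESTAMP (password)'
    11 = 'PA-ETYPE-INFO'
    15 = 'PA-PK-AS-REP_OLD (smart card, pre-RFC 4556)'
    16 = 'PA-PK-AS-REQ (smart card / PKINIT)'
    17 = 'PA-PK-AS-REP'
    19 = 'PA-ETYPE-INFO2'
}

function ConvertTo-KrbNumber([string]$Text) {
    # Event text shows values either as 0x19 or as plain decimal.
    if ($Text -match '^0x') { [Convert]::ToInt32($Text, 16) } else { [int]$Text }
}

function ConvertFrom-KerberosEventMessage {
    # Parse one event message (675 / 4768 / 4771 text layout) into a record.
    param([string]$Message, [int]$EventId = 0)
    $code = $null; $preAuth = $null; $account = $null
    if ($Message -match '(Failure|Result) Code:\s*(0x[0-9a-f]+|\d+)')       { $code    = ConvertTo-KrbNumber $Matches[2] }
    if ($Message -match 'Pre-?authentication Type:\s*(0x[0-9a-f]+|\d+)')   { $preAuth = ConvertTo-KrbNumber $Matches[1] }
    if ($Message -match '(Account|User) Name:\s*(\S+)')                     { $account = $Matches[2] }
    [pscustomobject]@{
        EventId     = $EventId
        Account     = $account
        Code        = $code
        CodeName    = if ($null -ne $code)    { $KrbErrorNames[[int]$code] }       else { $null }
        PreAuthType = $preAuth
        PreAuthName = if ($null -ne $preAuth) { $PreAuthTypeNames[[int]$preAuth] } else { $null }
    }
}

function Get-KerberosPreauthFailures {
    # Pull recent Kerberos AS events from a DC and keep only the failures.
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$MaxEvents = 5000)
    Get-WinEvent -ComputerName $ComputerName -MaxEvents $MaxEvents `
                 -FilterHashtable @{ LogName = 'Security'; Id = @(675, 4768, 4771) } |
        ForEach-Object { ConvertFrom-KerberosEventMessage -Message $_.Message -EventId $_.Id } |
        Where-Object { $null -ne $_.Code -and $_.Code -ne 0 }
}

# Constructed sample messages in the shape of 4768 (first two) and 675 (last) event text.
$SampleMessages = @(
    "A Kerberos authentication ticket (TGT) was requested.`n`tAccount Name:`t`tWKS01`$`n`tResult Code:`t`t0x19`n`tPre-Authentication Type:`t-",
    "A Kerberos authentication ticket (TGT) was requested.`n`tAccount Name:`t`tjsmith`n`tResult Code:`t`t0x10`n`tPre-Authentication Type:`t16",
    "Pre-authentication failed:`n User Name:`tjsmith`n Failure Code:`t0x19`n Pre-authentication Type:`t0x10"
)

$SampleMessages | ForEach-Object { ConvertFrom-KerberosEventMessage -Message $_ } |
    Format-Table Account, Code, CodeName, PreAuthType, PreAuthName -AutoSize

# On a live DC: Get-KerberosPreauthFailures | Group-Object Account, CodeName | Sort-Object Count -Descending
```

A single 0x19 per logon is the KDC asking for pre-authentication and is expected. A 0x19 followed by a 0x10 for the same user with pre-authentication type 16 means the client offered PKINIT and the KDC could not accept that type, which is the pattern to expect when the DC has no usable smart card logon certificate, as the last reply in this thread found.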
  • Since our domain isn't in 2008 mode, I'm trying out changing the default encryption type to RC4:

    http://www.mcbsys.com/techblog/2009/12/windows-7-causes-675-0x19-security-errors-in-windows-2003-domain/

    Jim


    Jim Riekse
    Monday, August 22, 2011 2:28 PM
  • The following registry values turn off revocation checking on the domain controller certificate (on the client end). These registry values may avoid the error, but do not solve the overall issue that the revocation status check of the domain controller certificate is not working perfectly, especially on boot.

    HKLM\SYSTEM\CCS\Control\LSA\Kerberos\Parameters\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors – DWORD – 1

    HKLM\SYSTEM\CCS\Control\LSA\CredSSP\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors – DWORD – 1

    http://blogs.technet.com/b/instan/archive/2008/12/08/requiring-smart-cards-for-logon-avoiding-the-outage-caused-by-expired-crl-s.aspx


    Jim Riekse
    Monday, September 12, 2011 9:42 PM
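As an added example (not from the thread), the script below audits the two overrides from the post above, where `CCS` is `CurrentControlSet`, backs them out with `-WhatIf` support, and tests whether a certificate's HTTP CRL distribution points can be fetched from the client, which is the underlying problem the overrides hide. The certificate passed to `Test-CrlReachable` (for instance the DC certificate exported to a `.cer` file) and the thumbprint in the final comment are placeholders; PowerShell 3 or later is assumed.

```powershell
# Added example (not from the thread): audit and remove the client-side
# "ignore revocation unknown" overrides, and check CRL reachability.
# Value 1 tells Kerberos/CredSSP to use a cached CRL and ignore "revocation
# status unknown" for the domain controller certificate.

$OverrideKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\CredSSP'
)
$OverrideName = 'UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors'

function Get-RevocationOverride {
    # Report the state of each override so it shows up in a configuration baseline.
    foreach ($key in $OverrideKeys) {
        $value = $null
        if (Test-Path $key) {
            $item = Get-ItemProperty -Path $key -Name $OverrideName -ErrorAction SilentlyContinue
            if ($item) { $value = $item.$OverrideName }
        }
        [pscustomobject]@{
            Key   = "$key\$OverrideName"
            Value = $value
            State = if ($value -eq 1)         { 'WORKAROUND ACTIVE: revocation-unknown errors ignored' }
                    elseif ($null -eq $value) { 'not set (default: revocation checked)' }
                    else                      { 'present but 0 (revocation checked)' }
        }
    }
}

function Remove-RevocationOverride {
    # Back out the workaround once CRL retrieval at boot is fixed; supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($entry in Get-RevocationOverride) {
        if ($null -eq $entry.Value) { continue }
        $key = Split-Path $entry.Key -Parent
        if ($PSCmdlet.ShouldProcess($entry.Key, 'Remove registry value')) {
            Remove-ItemProperty -Path $key -Name $OverrideName
        }
    }
}

function Get-CrlUrls {
    # CRL Distribution Points extension (OID 2.5.29.31); keep the HTTP URLs only.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $cdp = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $cdp) { return @() }
    [regex]::Matches($cdp.Format($false), 'URL=(https?://[^\s,)]+)') | ForEach-Object { $_.Groups[1].Value }
}

function Test-CrlReachable {
    # Fetch each HTTP CRL of a certificate from this client. A failure here is
    # what produces the boot-time revocation errors the thread describes.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [int]$TimeoutMs = 5000)
    foreach ($url in Get-CrlUrls $Cert) {
        $ok = $false; $detail = ''
        try {
            $req = [System.Net.WebRequest]::Create($url); $req.Timeout = $TimeoutMs
            $resp = $req.GetResponse()
            $ok = ([int]$resp.StatusCode -eq 200); $detail = "HTTP $([int]$resp.StatusCode), $($resp.ContentLength) bytes"
            $resp.Close()
        } catch { $detail = $_.Exception.Message }
        [pscustomobject]@{ Url = $url; Reachable = $ok; Detail = $detail }
    }
}

Get-RevocationOverride | Format-Table -AutoSize
# Remove-RevocationOverride -WhatIf
# Test-CrlReachable (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\temp\dc.cer')   # placeholder path
```

Run `Get-RevocationOverride` on clients that exhibit the boot-time failure and on a known-good client; if the override is the only difference, `Test-CrlReachable` against the DC certificate, run early after boot, will usually show the CRL fetch that is failing.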
  • To solve one of the issues related to the message:

    "The system could not log you on. You cannot use a smart card to log on because smart card login is not supported for your user account. Contact your system administrator to ensure that smart card logon is configured for your organization."

    On the client side, ensure that the certificate is assigned the Client Authentication function.

    You can do this on Internet Explorer:

    Tools -> Internet Options -> Content -> Certificates

    Then select the certificate

    Click the ‘Advanced’ button, this opens the Advanced Options dialog box.

    Under ‘Certificate purposes:’ box check:

    |X| Client Authentication

    Monday, September 26, 2011 4:54 PM
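The certificate-purpose check above, together with the UPN/SAM matching and trust-chain checks from the original question and the earlier reply, can be done without Internet Explorer. The following is an added example, not from the thread: it inspects the certificates the middleware has propagated into the current user's personal store, reads the Enhanced Key Usage OIDs, extracts the SAN "Principal Name" and compares it with the account UPN reported by `whoami /upn`, and builds the chain with online revocation checking. It assumes PowerShell 3 or later and that the card is inserted.

```powershell
# Added example (not from the thread): client-side smart card logon checks.
# Smart Card Logon and Client Authentication EKU OIDs; a certificate with no
# EKU extension, or with anyExtendedKeyUsage, is treated as valid for every
# purpose (which is why a UI may show "Any Purpose").
$OidSmartCardLogon = '1.3.6.1.4.1.311.20.2.2'
$OidClientAuth     = '1.3.6.1.5.5.7.3.2'
$OidAnyPurpose     = '2.5.29.37.0'

function Get-CertificateEkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $ext) { return @() }     # no EKU extension: valid for all purposes
    ([System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ext).EnhancedKeyUsages |
        ForEach-Object { $_.Value }
}

function Get-CertificateUpn {
    # The UPN lives in the Subject Alternative Name (2.5.29.17) as an
    # otherName of type Principal Name; Windows formats it as "Principal Name=...".
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san -and ($san.Format($false) -match 'Principal Name=([^,\s]+)')) { return $Matches[1] }
    return $null
}

function Test-SmartCardLogonCertificate {
    param(
        # Account UPN as Active Directory sees it, e.g. 1300XXXXXXXXX@FEDIDCARD.GOV
        [string]$AccountUpn = (& whoami /upn 2>$null)
    )
    foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
        $ekus        = @(Get-CertificateEkuOids $cert)
        $allPurposes = ($ekus.Count -eq 0) -or ($ekus -contains $OidAnyPurpose)
        $certUpn     = Get-CertificateUpn $cert
        $chain       = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'   # surface CRL/OCSP fetch problems too
        $builds      = $chain.Build($cert)
        [pscustomobject]@{
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint
            SmartCardLogon = $allPurposes -or ($ekus -contains $OidSmartCardLogon)
            ClientAuth     = $allPurposes -or ($ekus -contains $OidClientAuth)
            CertificateUpn = $certUpn
            AccountUpn     = $AccountUpn
            UpnMatches     = [bool]($certUpn -and $AccountUpn -and ($certUpn -ieq $AccountUpn.Trim()))
            ChainBuilds    = $builds
            ChainStatus    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        }
    }
}

# Show only certificates that carry a UPN, i.e. the logon candidates.
Test-SmartCardLogonCertificate | Where-Object { $_.CertificateUpn } | Format-List
```

A candidate that reports `SmartCardLogon`, `ClientAuth`, `UpnMatches` and `ChainBuilds` all true passes the client-side conditions discussed in this thread; `ChainStatus` names the exact reason (for example `RevocationStatusUnknown` or `UntrustedRoot`) when `ChainBuilds` is false.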
  • Hello,

    When highlighting the smart card logon certificate, the certificate's intended purposes show as Smart card logon, Client Authentication, Any Purpose.

    If the Advanced button is selected the subsequent display shows the Client Authentication is not checked. Where is this information coming from?

    If the certificate is intended for all policies/purposes then why would the IE certificates manager not display the same intended purposes?

    Also, would this explain the randomness of receiving the message stating the user account does not support smart card logon?

    Researching the audit logs, when that message is received regarding the user account not supporting smart card logon, I found the 0xc00000bb error message that relates to samAccountNames or bad domain controller certificates. There is not a problem with users' samAccountNames or the domain controller certificates.

    So far, not one person can identify with any certainty why this error message is received randomly.

    All requirements for third party certificate authorities are met.

    The majority of the time users do not receive the error regarding their user account not supporting smart card logon.

    Windows 2003 Server Active Directory domain - full 2003 domain with a mix of Windows XP SP3 and Windows 7 SP1 clients.

    MagikD

    Wednesday, September 28, 2011 5:58 PM
  • If this helps anyone else, I too was receiving the "signing in with a smart card isn't supported for your account" message on my Windows 8 machine, and found the root cause to be that the DC did not have the certificate necessary for smart card authentication. For Server 2012, that certificate was called "Kerberos Authentication" (in earlier versions it apparently had other names as well), and once I published it and ensured that auto-enrollment issued it to the DC, my Smart Cards worked just fine.

    Sunday, February 15, 2015 2:08 AM
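The domain controller side, which the last reply and the earlier "validate the entire DC chain" advice both point at, can be checked the same way. This is an added example, not from the thread: run on a domain controller with PowerShell 3 or later, it lists the DC's certificates that carry the Server Authentication or KDC Authentication purpose, confirms the SAN names, CRL distribution point and chain, and checks that the issuing CA is present in the enterprise NTAuth store as dumped by `certutil -enterprise -store NTAuth`. The requirements checked follow Microsoft's published guidance for domain controller certificates from third-party CAs.

```powershell
# Added example (not from the thread): domain controller certificate checks
# for smart card (PKINIT) logon.
$OidServerAuth = '1.3.6.1.5.5.7.3.1'
$OidKdcAuth    = '1.3.6.1.5.2.3.5'    # issued by the "Kerberos Authentication" template

function Get-EkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($ext) { ([System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ext).EnhancedKeyUsages | ForEach-Object { $_.Value } }
}

function Get-SanDnsNames {
    # DNS names from the Subject Alternative Name extension, formatted by Windows as "DNS Name=...".
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) { [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value } }
}

function Get-NtAuthThumbprints {
    # certutil dumps the enterprise NTAuth store; collect the SHA1 hashes it prints.
    & certutil -enterprise -store NTAuth 2>$null | ForEach-Object {
        if ($_ -match 'Cert Hash\(sha1\):\s*([0-9a-f ]+)\s*$') { ($Matches[1] -replace ' ', '').ToUpper() }
    }
}

function Test-DomainControllerCertificate {
    $fqdn   = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName.ToLower()
    $domain = (Get-CimInstance Win32_ComputerSystem).Domain.ToLower()
    $ntAuth = @(Get-NtAuthThumbprints)
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $ekus = @(Get-EkuOids $cert)
        if (-not (($ekus -contains $OidServerAuth) -or ($ekus -contains $OidKdcAuth))) { continue }
        $dns   = @(Get-SanDnsNames $cert | ForEach-Object { $_.ToLower() })
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $builds = $chain.Build($cert)
        # Element 0 of a built chain is the leaf; element 1 is the issuing CA.
        $issuer = if ($chain.ChainElements.Count -gt 1) { $chain.ChainElements[1].Certificate.Thumbprint } else { $null }
        [pscustomobject]@{
            Subject          = $cert.Subject
            Thumbprint       = $cert.Thumbprint
            NotAfter         = $cert.NotAfter
            HasPrivateKey    = $cert.HasPrivateKey
            ServerAuthEku    = $ekus -contains $OidServerAuth
            KdcAuthEku       = $ekus -contains $OidKdcAuth
            SanHasDcFqdn     = $dns -contains $fqdn
            SanHasDomainName = $dns -contains $domain
            HasCrlDistPoint  = [bool]($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' })
            ChainBuilds      = $builds
            ChainStatus      = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
            IssuerInNtAuth   = ($null -ne $issuer) -and ($ntAuth -contains $issuer)
        }
    }
}

Test-DomainControllerCertificate | Format-List
```

If no certificate is listed at all, the DC has nothing the KDC can use for PKINIT, which produces the client-side "smart card logon is not supported for your user account" message and the 0x10 (`KDC_ERR_PADATA_TYPE_NOSUPP`) code on the DC. `IssuerInNtAuth` false means the issuing CA must still be published to NTAuth, which is the step the original question performed with the Entrust certificates.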