W2012R2 - A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.

    Question

  • Hi all.

    I have a standalone offline RootCA and an enterprise domain SubCA on a DC running Windows Server 2012. I have a Windows 2003 Terminal Server; users log on to the TS via smart cards, and this works fine.

    Now I have added Windows Server 2012 as a "Terminal Server".
    Now I have added Windows Server 2012 R2 as a "Terminal Server".

    I configured both servers identically.

    Users can log on via smart card to Windows Server 2012.

    Users CAN NOT log on via smart card to Windows Server 2012 R2.
    When a user tries to log on via smart card, they get this message:

    "An untrusted certification authority was detected while processing the domain controller certificate used for authentication. Additional information..."

    I ran certutil.exe -scinfo on both the Windows 2012 and 2012 R2 servers.
    I found differences in roughly the same place in the output log.

    On Windows 2012:

    Exclude leaf cert:
       b4 44 8f fb fb b4 5f 03 39 76 dc cc e8 da 02 e0 d0 cc b6 32
     Full chain:
       c8 3d 07 12 ea 4d 0e 5a 8c 50 fc 56 2e 51 f1 68 6a 26 90 77
     ------------------------------------
    Verified Issuance Policies: None
    Verified Application Policies:
         1.3.6.1.5.5.7.3.2 Client Authentication
         1.3.6.1.4.1.311.20.2.2 Smart Card Logon


     On Windows 2012 R2:

     Exclude leaf cert:
       78 7e 6c 60 3f 20 c6 f6 e8 74 c8 36 e3 d3 88 ac 12 60 41 32
     Full chain:
       b8 a9 fa 6c db 07 cd 32 86 17 8c 88 02 ba d0 4b 8c ac 2d 58
       Issuer: CN=XXX CA, OU=Certification Services, O=XX, C=XX
       NotBefore: 2013-11-22 12:42
       NotAfter: 2014-11-22 12:42
       Subject: CN=XX Test, OU=XX, OU=UXX, DC=XX, DC=com
       Serial: 7a0084f
       SubjectAltName: Other Name:Principal Name=XX@XX
       Template: Smartcard Logon Behalf 2048
       1d 2a bb dc 2a 9c 70 0d b5 35 47 44 ee 61 60 ab 71 97 66 ff
     A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478)


    I ran certutil -verify xx.cer on both servers (2012/2012 R2), and on both servers I get almost exactly the same thing.

    Windows 2012:
    Exclude leaf cert:
       f6 0e 96 da c7 08 9a 78 12 97 a6 b6 22 df 57 9d e7 03 41 df
     Full chain:
       f0 fb 19 66 e8 6c 4f ea b4 d5 ea 6d 5e 38 54 07 b0 9f 52 96
     ------------------------------------
    Verified Issuance Policies: None
    Verified Application Policies:
         1.3.6.1.4.1.311.20.2.2 Smart Card Logon
         1.3.6.1.5.5.7.3.2 Client Authentication
    Leaf certificate revocation check passed

    Windows 2012 R2:
    Exclude leaf cert:
       84 18 5b 9d 06 61 60 73 c6 37 80 f4 25 33 c4 d3 5e ef 4a 93
     Full chain:
       63 8e 9e 37 78 c9 93 bb 4d da f4 e3 4b 7e 2b 14 49 28 0f 5d
     ------------------------------------
    Verified Issuance Policies: None
    Verified Application Policies:
         1.3.6.1.4.1.311.20.2.2 Smart Card Logon
         1.3.6.1.5.5.7.3.2 Client Authentication
    Leaf certificate revocation check passed


    Is Windows 2012 R2 not trying to build a certificate path, treating the smart card logon certificate as a (Sub)CA certificate?

     

    ___________________________________________________
    Previous and probably wrong idea:

    The only thing that comes to my mind is my SubCA.
    I have two CA certificates:
    Certificate #0 (expired)
    Certificate #1 <- valid.

    I guess that all Windows versions before Windows 2012 R2 build the certification chain from the valid (second, #1) certificate. Windows 2012 R2 takes the first one, and we get:
    "A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.
    [ value]  800B0112 "


    Is this a bug or a feature?
    How can I fix this without removing Certificate #0 from my SubCA?

     

    Best regards
    Jacek Marek
    MCSA Windows Server 2012

    Friday, April 04, 2014 6:12 AM

Answers

  • Thanks for advice!

    I exported HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates from the Windows Server 2012 machine and imported it on Windows 2012 R2. Now I can log on via smart card to Windows 2012 R2.

    Later I will check on a test installation of Windows 2012 R2 whether this is a repeatable error.

    Best regards

    JM

    • Marked as answer by Jacek Marek Friday, April 04, 2014 9:59 AM
    Friday, April 04, 2014 9:58 AM

All replies

  • Run the following command on the R2 server and make sure that the CA that
    issued the smart card and the domain controller certificate is listed:

    certutil -viewstore -user -enterprise NTAuth
    Friday, April 04, 2014 7:46 AM
  • Thanks for advice.

    certutil -viewstore -user -enterprise NTAuth

    All computers are in the AD domain:
    Windows 2003: root, sub certificate
    Windows 2012: root, sub certificate
    Windows 7: root, sub certificate
    Windows 8: root, sub certificate
    Windows 2012 R2: no certificate available

    I checked the local computer certificate store (on Windows 2012/2012 R2) and I have the sub and root certificates in TRCA\registry and TRCA\enterprise, ICA\registry and ICA\enterprise; I have the root CA and sub CA certificates on both.

    Friday, April 04, 2014 8:47 AM

    Windows 2012 R2: no certificate available



    This is your problem with smart card logon. Now you need to figure out why
    this server is not getting the certs in the NTAuth store.

    Check the event viewer for any certificate/autoenrollment errors. From an
    administrative command prompt try running:

    gpupdate /force
    certutil -pulse
    • Edited by Paul Adare Friday, April 04, 2014 8:58 AM
    Friday, April 04, 2014 8:56 AM
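    The check Paul describes above (is the issuing CA present in NTAuth?) and the workaround in the marked answer (copying the NTAuth registry key from another machine) can be tied together in one script. The following is an added example, not code from the thread or from Microsoft: it reads the local NTAuth cache directly from the registry, reads the authoritative CN=NTAuthCertificates object from the AD configuration partition, chains a smart card logon certificate, and reports for each CA in the chain whether it is in either place. The file path C:\temp\user.cer, the 2012 R2 machine name and the running account's read access to AD are assumptions; the registry blob layout it parses is the standard serialized certificate format Windows uses for every store that lives under a Certificates key.

```powershell
# Added example (not from the original thread). Checks whether the CA that issued a
# smart card logon certificate is in the NTAuth store, locally and in AD.
# Assumption: the user's smart card certificate has been exported to C:\temp\user.cer.
param(
    [string]$LeafCertPath = 'C:\temp\user.cer'   # assumed path, adjust as needed
)

$X509 = 'System.Security.Cryptography.X509Certificates'

function Get-LocalNTAuthCertificates {
    # This is the key the marked answer exported. Each subkey name is a SHA-1
    # thumbprint; its 'Blob' value is a list of serialized properties:
    #   { DWORD propId; DWORD reserved (1); DWORD cbData; BYTE data[cbData] } ...
    # Property 32 (CERT_CERT_PROP_ID) carries the DER-encoded certificate itself.
    $base = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates'
    if (-not (Test-Path $base)) { return @() }
    Get-ChildItem $base | ForEach-Object {
        [byte[]]$blob = (Get-ItemProperty $_.PSPath).Blob
        $pos = 0
        while ($pos + 12 -le $blob.Length) {
            $propId = [BitConverter]::ToUInt32($blob, $pos)
            $cb     = [int][BitConverter]::ToUInt32($blob, $pos + 8)
            $pos   += 12
            if ($propId -eq 32) {
                $der = New-Object byte[] $cb
                [Array]::Copy($blob, $pos, $der, 0, $cb)
                New-Object "$X509.X509Certificate2" -ArgumentList (,$der)
            }
            $pos += $cb
        }
    }
}

function Get-ADNTAuthCertificates {
    # The authoritative copy: autoenrollment copies this object into the registry
    # key above, which is what certutil -viewstore -enterprise NTAuth displays.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = $rootDse.Get('configurationNamingContext')
    $obj = [ADSI]"LDAP://CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNc"
    foreach ($der in $obj.Properties['cACertificate']) {
        New-Object "$X509.X509Certificate2" -ArgumentList (,[byte[]]$der)
    }
}

# Build the chain for the leaf so we test the CA certificate actually used. A SubCA
# that has been renewed has two certificates (the poster's #0 and #1); NTAuth must
# contain the one the chain engine picked, so match on thumbprint, not on name.
$leaf  = New-Object "$X509.X509Certificate2" $LeafCertPath
$chain = New-Object "$X509.X509Chain"
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # revocation is not the question here
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
[void]$chain.Build($leaf)
$cas = @($chain.ChainElements | Select-Object -Skip 1 | ForEach-Object { $_.Certificate })

$local = @(Get-LocalNTAuthCertificates)
$ad    = @(Get-ADNTAuthCertificates)

Write-Host ("Leaf   : {0}" -f $leaf.Subject)
Write-Host ("Issuer : {0}`n" -f $leaf.Issuer)
$anyLocal = $false; $anyAd = $false
foreach ($ca in $cas) {
    $inLocal = [bool]($local | Where-Object { $_.Thumbprint -eq $ca.Thumbprint })
    $inAd    = [bool]($ad    | Where-Object { $_.Thumbprint -eq $ca.Thumbprint })
    $anyLocal = $anyLocal -or $inLocal; $anyAd = $anyAd -or $inAd
    Write-Host ("{0,-50} local NTAuth: {1,-5} AD NTAuth: {2}" -f $ca.Subject, $inLocal, $inAd)
}

# Verdict. Smart card logon needs the issuing CA in NTAuth on the machine doing the
# chain check; this is what 0x800B0112 (CERT_E_UNTRUSTEDCA) in the -scinfo output means.
if (-not $anyAd) {
    Write-Warning 'No CA in the chain is in AD NTAuthCertificates. Publish it with:'
    Write-Warning '  certutil -dspublish -f <SubCA.cer> NTAuthCA'
} elseif (-not $anyLocal) {
    Write-Warning 'AD has the CA but this machine''s NTAuth cache does not. Refresh with:'
    Write-Warning '  gpupdate /force ; certutil -pulse'
    Write-Warning 'or add it locally:  certutil -enterprise -addstore NTAuth <SubCA.cer>'
} else {
    Write-Host "`nIssuing CA is in NTAuth locally and in AD; look elsewhere (KDC certificate, template EKUs)."
}
```

    Run it on the 2012 R2 server and on the working 2012 server and compare the two columns. The registry export in the marked answer fixes only the local column; if the AD column is also empty, the next `certutil -pulse` cannot repopulate the cache and every new server will show the same symptom, so publishing the SubCA certificate (both #0 and #1, if the expired one still has valid issued certificates in use) to NTAuthCertificates is the fix that survives.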
  • Hi,

    Glad to hear that the issue is solved!

    Thank you very much for your sharing!

    Please feel free to let us know if you encounter any issues in the future.

    Best Regards,

    Amy

    Tuesday, April 15, 2014 7:45 AM
    Moderator