Troubleshooting Smart Card Logons
The smart card logon process includes the following steps:
Is the smart card reader recognized by the operating system?
Typically, if the reader is recognized by the system, a reader icon is displayed on the GINA. Log on locally and check Device Manager to see whether the reader is displayed and is functioning correctly.
To check the smart card reader installation do the following:
If the reader is not displayed in Device Manager, or is displayed with an inaccurate make or model name, check with the card manufacturer and obtain the latest drivers for the OS in use.
Verify that the Smart Card service is running on the client by doing the following:
For more information on troubleshooting hardware issues, please see the following:
The Step-by-Step Guide to Installing and Using a Smart Card Reader is available from the Microsoft website at the following URL https://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/smrtcard.mspx
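The two checks above (reader recognized by the OS, Smart Card service running) can be scripted. The following is an added example, not code from the original article; it assumes Windows PowerShell 3.0 or later with the CIM cmdlets available, and it filters on the SmartCardReader device setup class GUID rather than on a device name.

```powershell
# Added example (not from the original article): confirm a smart card reader is present and
# working, that the Smart Card service (SCardSvr) is running, and list the installed CSPs.
# Assumes Windows PowerShell 3.0+ with Get-CimInstance available.

# Device setup class GUID for smart card readers (SmartCardReader class)
$readerClassGuid = '{50DD5230-BA8A-11D1-BF5D-0000F805F530}'

function Get-SmartCardReaderStatus {
    # Enumerate PnP devices whose setup class is SmartCardReader (-eq is case-insensitive)
    $readers = Get-CimInstance -ClassName Win32_PnPEntity |
        Where-Object { $_.ClassGuid -eq $readerClassGuid }
    foreach ($r in $readers) {
        # ConfigManagerErrorCode 0 is the Device Manager "working properly" state
        [pscustomobject]@{
            Name      = $r.Name
            Status    = $r.Status
            ErrorCode = $r.ConfigManagerErrorCode
            Working   = ($r.ConfigManagerErrorCode -eq 0)
        }
    }
}

function Test-SmartCardService {
    $svc = Get-Service -Name SCardSvr -ErrorAction SilentlyContinue
    if (-not $svc) { return $false }
    return ($svc.Status -eq 'Running')
}

$readers = @(Get-SmartCardReaderStatus)
if ($readers.Count -eq 0) {
    Write-Warning 'No device in the SmartCardReader class was found; check the reader driver in Device Manager.'
} else {
    $readers | Format-Table -AutoSize
}

if (-not (Test-SmartCardService)) {
    Write-Warning 'The Smart Card service (SCardSvr) is not running; start it with: Start-Service SCardSvr'
}

# Installed cryptographic service providers, as in the certutil -csplist step of the article
certutil -csplist
```

A reader that is listed but has a non-zero ErrorCode usually points at a driver problem rather than a card or CSP problem, which is the distinction the questions above are trying to draw.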
Is the user prompted for their PIN?
If not, try removing and re-inserting the card.
875506 The PIN dialog box may not be displayed when you use a smart card to log:
https://support.microsoft.com/?id=875506
If the correct CSP for the card is not installed, the following error message may be displayed:
"The card supplied requires drivers that are not present on this system. Please try another card"
If this is the case, contact the card vendor for a valid CSP to install on the workstation for that card. If the correct CSP has been installed and this error message is still displayed, the problem could be resolved by reinstalling the CSP.
If you know what CSP should be used for this card, you can check to see if the CSP is installed by running the following command on the client:
Certutil -csplist
You can test each CSP on the system by running:
Certutil -csptest
Are we using a 3rd party GINA?
When a Smart Card is inserted:
Can the user log on to the workstation using a UPN-formatted user name without a smart card?
Is the issuing CA certificate that issued the smart card certificate published to the NTAuth store in Active Directory?
Certutil -viewstore -enterprise NTAuth
If there are many certificates found in the NTAuth store, you can verify that the one you need is published by comparing the Authority Key Identifier attribute on the Smart Card Certificate with the Subject Key Identifier attribute on the CA Certificate.
Note: After this certificate is published to the NTAuth store, group policy needs to be applied for the setting to take effect.
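The Authority Key Identifier / Subject Key Identifier comparison described above can be done against two exported certificate files. This is an added example, not code from the original article; the file paths are assumptions (export the smart card certificate as described later in this article and the issuing CA certificate from the CA), and the "KeyID=" prefix it looks for is the English rendering of the extension.

```powershell
# Added example (not from the original article): compare the Authority Key Identifier (AKI)
# on a smart card certificate with the Subject Key Identifier (SKI) on a CA certificate to
# confirm the CA certificate published to NTAuth is the one that issued the card certificate.
# File paths below are assumptions.

function Get-KeyIdentifier {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Oid   # 2.5.29.35 = Authority Key Identifier, 2.5.29.14 = Subject Key Identifier
    )
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid } | Select-Object -First 1
    if (-not $ext) { return $null }
    # Single-line Format() output reads "KeyID=6c d0 03 ..." for AKI and "6c d0 03 ..." for SKI
    $text = $ext.Format($false)
    if ($text -match 'KeyID=([0-9a-fA-F ]+)') { $text = $Matches[1] }
    # Normalise to lowercase hex without separators so the two values compare directly
    return ($text -replace '[^0-9a-fA-F]', '').ToLower()
}

function Test-IssuerKeyMatch {
    param([string]$LeafPath, [string]$CaPath)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $LeafPath
    $ca   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CaPath
    $aki = Get-KeyIdentifier -Cert $leaf -Oid '2.5.29.35'
    $ski = Get-KeyIdentifier -Cert $ca   -Oid '2.5.29.14'
    # Older CAs may issue certificates without an AKI; fall back to a name comparison then
    if ($aki) { $match = ($aki -eq $ski) } else { $match = ($leaf.Issuer -eq $ca.Subject) }
    [pscustomobject]@{
        LeafSubject = $leaf.Subject
        LeafIssuer  = $leaf.Issuer
        CaSubject   = $ca.Subject
        AKI         = $aki
        SKI         = $ski
        Match       = $match
    }
}

# Assumed paths: exported smart card certificate and exported issuing CA certificate
Test-IssuerKeyMatch -LeafPath 'C:\temp\certexport.cer' -CaPath 'C:\temp\ContosoIssuingCA.cer'
```

Match = True tells you the exported CA certificate is the right one to look for in the NTAuth store output; it does not by itself prove the certificate is present in NTAuth, so still confirm it there.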
Related Information:
Can the issuing CA certificate, i.e. the one published to the NTAuth store, be validated?
This certificate:
To check for these conditions:
If the certificate is not trusted because the root certificate is not in the trusted root store, the following will be displayed at the bottom of the output:
Exclude leaf cert:
80 09 43 7e db ad f8 28 b4 41 0a f9 56 b7 1d ed 05 b9 ac 97
Full chain:
68 05 b4 48 50 de 54 10 64 47 15 59 e8 1d fa 8d e4 d6 f8 5a
Issuer: CN=Contoso Issuing CA, O=Contoso, C=US
Subject: CN=DC1.Contoso.net
Serial: 61991547000000000019
Template: SubCA
6c d0 03 08 65 cd fc cd 2a cb a8 a6 d0 5d 01 97 c5 c0 88 40
A certificate chain processed, but terminated in a root certificate
which is not trusted by the trust provider. 0x800b0109 (-2146762487)
------------------------------------
Verifies against UNTRUSTED root
If the certificate has been revoked you will see the following at the bottom of the output:
Full chain:
e8 8f 69 ba 15 8b cc a1 e1 a7 f1 16 29 13 e7 79 e9 88 28 9e
Issuer: CN=Contoso Issuing CA, O=Contoso, C=US
Subject: CN=DC1.Contoso.net
Serial: 18d199a000000000000b
Template: SubCA
a1 34 d1 ac ba 9c 81 31 5c ba 50 f3 7f fa 78 b8 39 e1 61 05
The certificate is revoked. 0x80092010 (-2146885616)
------------------------------------
Certificate is REVOKED
Leaf certificate is REVOKED (Reason=2)
If the certificate has expired you will see the following at the bottom of the output:
Full chain:
9e 82 92 3d fc be 27 88 76 4b dd e1 31 e3 66 c0 de 76 39 60
Issuer: CN=Contoso Issuing CA, O=Contoso, C=US
Subject: CN=DC1.Contoso.net
Serial: 4c7619e10001002110fd
Template: SubCA
39 b9 9c 41 45 8e 69 10 d2 69 45 01 f6 df 05 e8 e9 e3 4f 61
A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file. 0x800b0101 (-2146762495)
------------------------------------
419.3401.0: 0x800b0101 (-2146762495)
Expired certificate
Leaf certificate revocation check passed
If the workstation is unable to connect to the CRL distribution points to perform a revocation check, the following or similar will be displayed in the output (the actual error will vary based on condition):
---------------- Certificate CDP ----------------
Failed "CDP" Time: 0
Error retrieving URL: A connection with the server could not be established 0x80072efd (WIN32: 12029)
https://DC1/CertSrv/Contoso%20Corporate%20Issuing%20CA.crl
Does each Domain Controller have a domain controller certificate?
For a full list of requirements for a 3rd party Domain Controller certificate, view:
291010 Requirements for Domain Controller Certificates from a Third-Party CA
https://support.microsoft.com/?id=291010
Check the authenticating domain controllers for this certificate by running:
Certutil -store my
It will return a list of all the certificates installed in the domain controller's certificate store.
================ Certificate 2 ================
Serial Number: 61b40644000000000004
Issuer: CN=Contoso Corporate Issuing CA, O=Contoso, C=US
Subject: CN=RJDC5.Contoso.net
Certificate Template Name: DomainController
Non-root Certificate
Template: DomainController, Domain Controller
Cert Hash(sha1): 82 ab 82 af 73 76 d1 52 40 01 74 71 03 54 b8 39 6d 00 18 72
Key Container = 4c86cf1f699ee86033e502958ca4860d_e699ab56-a413-4766-914d-e6a735c4afdd
Provider = Microsoft RSA SChannel Cryptographic Provider
Private key is NOT exportable
Encryption test passed
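The same inventory can be taken from the local machine personal store without reading through the full certutil -store output. The following is an added example, not code from the original article; it identifies certificates by the certificate template extensions (OIDs 1.3.6.1.4.1.311.20.2 for version 1 templates and 1.3.6.1.4.1.311.21.7 for version 2 templates) and reports the two properties the output above shows, a usable private key and a validity period that has not lapsed. The template-name pattern also matches the newer Domain Controller Authentication and Kerberos Authentication templates.

```powershell
# Added example (not from the original article): list certificates in the domain controller's
# machine personal store that were issued from a Domain Controller template and report
# whether each has a private key and is still within its validity period. Run on each DC.

function Get-CertificateTemplateText {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # 1.3.6.1.4.1.311.20.2 = Certificate Template Name (v1), 1.3.6.1.4.1.311.21.7 = Certificate Template Information (v2)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7' }
    if (-not $ext) { return $null }
    # Format($false) yields the template name (v1) or "Template=<name>(<oid>), ..." (v2)
    return (($ext | ForEach-Object { $_.Format($false) }) -join '; ')
}

function Get-DomainControllerCertificate {
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $tpl = Get-CertificateTemplateText -Cert $_
        # Matches DomainController, Domain Controller, Domain Controller Authentication, Kerberos Authentication
        if ($tpl -and $tpl -match 'Domain ?Controller|Kerberos Authentication') {
            [pscustomobject]@{
                Subject       = $_.Subject
                Issuer        = $_.Issuer
                Template      = $tpl
                Thumbprint    = $_.Thumbprint
                HasPrivateKey = $_.HasPrivateKey
                NotAfter      = $_.NotAfter
                Expired       = ($_.NotAfter -lt (Get-Date))
            }
        }
    }
}

$dcCerts = @(Get-DomainControllerCertificate)
if ($dcCerts.Count -eq 0) {
    Write-Warning "No certificate issued from a Domain Controller template was found in Cert:\LocalMachine\My on $env:COMPUTERNAME"
} else {
    $dcCerts | Format-Table -AutoSize
}
```

A certificate with HasPrivateKey = False is the store-level equivalent of a failed "Encryption test" in the certutil output; a DC in that state cannot complete the smart card logon exchange even though a certificate appears to be present.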
Can the Domain Controller certificates be validated?
The Domain Controller certificates:
The easiest way to check for these conditions:
Certutil -verifystore my
If the certificate has been revoked you will see the following at the bottom of the output:
Full chain:
e8 8f 69 ba 15 8b cc a1 e1 a7 f1 16 29 13 e7 79 e9 88 28 9e
Issuer: CN=Contoso Issuing CA, O=Contoso, C=US
Subject: CN=DC1.Contoso.net
Serial: 18d199a000000000000b
Template: Domain Controller
a1 34 d1 ac ba 9c 81 31 5c ba 50 f3 7f fa 78 b8 39 e1 61 05
The certificate is revoked. 0x80092010 (-2146885616)
------------------------------------
Certificate is REVOKED
Leaf certificate is REVOKED (Reason=2)
If the certificate has expired you will see the following at the bottom of the output:
Full chain:
9e 82 92 3d fc be 27 88 76 4b dd e1 31 e3 66 c0 de 76 39 60
Issuer: CN=Contoso Issuing CA, O=Contoso, C=US
Subject: CN=DC1.Contoso.net
Serial: 4c7619e10001002110fd
Template: Domain Controller
39 b9 9c 41 45 8e 69 10 d2 69 45 01 f6 df 05 e8 e9 e3 4f 61
A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file. 0x800b0101 (-2146762495)
------------------------------------
419.3401.0: 0x800b0101 (-2146762495)
Expired certificate
Leaf certificate revocation check passed
Can the certificate on the smart card be validated on the domain controller?
When the KDC receives the user's smart card certificate, it will use the CryptoAPI to build a certificate chain from the user's certificate to verify that it can be trusted.
The certificate:
To verify that the certificate chain can be built on the DC, perform the following:
Export a copy of the smart card certificate, either from the CA or by running the following on a workstation with the smart card inserted in the reader:
Certutil -scinfo
Open the certificate, go to details, and click the "Copy to file" button. Export the certificate to file, and copy this exported certificate to the authenticating domain controller. At the command prompt, run the following:
Certutil -verify -urlfetch cerexport.cer
If the certificate is not trusted because the root certificate is not in the trusted root store of the DC, the following will be displayed at the bottom of the output:
Full chain:
68 05 b4 48 50 de 54 10 64 47 15 59 e8 1d fa 8d e4 d6 f8 5a
Issuer: CN=Contoso Issuing CA, O=Contoso, C=US
Subject: CN=One User, CN=Users, DC=Contoso, DC=net
Serial: 61991547000000000019
Template: Smart Card
6c d0 03 08 65 cd fc cd 2a cb a8 a6 d0 5d 01 97 c5 c0 88 40
A certificate chain processed, but terminated in a root certificate
which is not trusted by the trust provider. 0x800b0109 (-2146762487)
------------------------------------
Verifies against UNTRUSTED root
If the certificate has been revoked you will see the following at the bottom of the output:
Full chain:
e8 8f 69 ba 15 8b cc a1 e1 a7 f1 16 29 13 e7 79 e9 88 28 9e
Issuer: CN=Contoso Issuing CA, O=Contoso, C=US
Subject: CN=One User, CN=Users, DC=contoso, DC=net
Serial: 18d199a000000000000b
Template: Smart Card
a1 34 d1 ac ba 9c 81 31 5c ba 50 f3 7f fa 78 b8 39 e1 61 05
The certificate is revoked. 0x80092010 (-2146885616)
------------------------------------
Certificate is REVOKED
Leaf certificate is REVOKED (Reason=2)
If the workstation is unable to contact the CRL distribution points to perform a revocation check, the following or similar will be displayed in the output:
---------------- Certificate CDP ----------------
Failed "CDP" Time: 0
Error retrieving URL: A connection with the server could not be established 0x80072efd (WIN32: 12029)
https://DC1/CertSrv/Contoso%20Corporate%20Issuing%20CA.crl
If the certificate has expired you will see the following at the bottom of the output:
Full chain:
9e 82 92 3d fc be 27 88 76 4b dd e1 31 e3 66 c0 de 76 39 60
Issuer: CN=Contoso Issuing CA, O=Contoso, C=US
Subject: CN=One User, CN=Users, DC=contoso, DC=net
Serial: 4c7619e10001002110fd
Template: Smart Card
39 b9 9c 41 45 8e 69 10 d2 69 45 01 f6 df 05 e8 e9 e3 4f 61
A required certificate is not within its validity period when verifying against
the current system clock or the timestamp in the signed file. 0x800b0101 (-2146762495)
------------------------------------
419.3401.0: 0x800b0101 (-2146762495)
Expired certificate
Leaf certificate revocation check passed
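The three certutil -verify sections above (issuing CA certificate, domain controller certificates, smart card certificate on the DC) all reduce to one chain build with online revocation checking. The following is an added example, not code from the original article, that performs that build in-process with the .NET X509Chain class and maps the resulting chain status flags onto the four outcomes the article's output shows: untrusted root (0x800b0109), revoked (0x80092010), expired (0x800b0101), and CRL distribution point unreachable. The certificate file path is an assumption; point it at the exported smart card certificate, or pass a certificate object from Cert:\LocalMachine\My to check a DC certificate.

```powershell
# Added example (not from the original article): build the certificate chain with online
# revocation checking, as certutil -verify -urlfetch does, and report the outcome in the
# terms used by the article. The file path is an assumption.

function Test-CertificateChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Fetch CRLs/OCSP for every certificate in the chain, like -urlfetch
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    $valid = $chain.Build($Cert)

    # Combine every status flag reported for the chain into one value
    $combined = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::NoError
    foreach ($s in $chain.ChainStatus) { $combined = $combined -bor $s.Status }

    # Chain status flag -> the condition the certutil output describes
    $map = [ordered]@{
        UntrustedRoot           = 'Chain terminates in a root certificate that is not trusted (certutil 0x800b0109)'
        Revoked                 = 'A certificate in the chain is revoked (certutil 0x80092010)'
        NotTimeValid            = 'A certificate in the chain is outside its validity period (certutil 0x800b0101)'
        RevocationStatusUnknown = 'Revocation status could not be determined; check reachability of the CRL distribution point'
        OfflineRevocation       = 'Revocation check fell back to cached data; check reachability of the CRL distribution point'
    }
    $findings = @()
    foreach ($name in $map.Keys) {
        $flag = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]$name
        if ([int]($combined -band $flag) -ne 0) { $findings += $map[$name] }
    }
    if (-not $valid -and $findings.Count -eq 0) {
        # Something else failed; surface the raw status text so nothing is hidden
        $findings += ($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
    }

    [pscustomobject]@{
        Subject  = $Cert.Subject
        Valid    = $valid
        Chain    = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- '
        Findings = $findings
    }
}

# Assumed path: the smart card certificate exported with certutil -scinfo / "Copy to file"
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\temp\certexport.cer'
Test-CertificateChain -Cert $cert | Format-List
```

Run it on the authenticating domain controller, not only on the workstation: the trust store, the NTAuth cache and the network path to the CRL distribution point can all differ between the two, and the DC is the machine whose chain build decides whether the logon succeeds.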
Smart Card Related Documents
Smart Cards
https://www.microsoft.com/technet/security/guidance/identitymanagement/scard.mspx
Windows Vista Smart Card Infrastructure
https://www.microsoft.com/downloads/details.aspx?FamilyID=AC201438-3317-44D3-9638-07625FE397B9&displaylang=en
The Secure Access Using Smart Cards Planning Guide
https://www.microsoft.com/downloads/details.aspx?FamilyId=AD196BCE-876B-44E0-9E90-2A0C34446826&displaylang=en
The Smart Card Deployment Cookbook
www.microsoft.com/technet/Security/topics/smrtcard/smrtcdcb/default.mspx
The Smart Card Cryptographic Service Provider Cookbook
https://msdn.microsoft.com/library/en-us/dnscard/html/smartcardcspcook.asp
Anonymous
July 03, 2008
Hi,
Is it possible to know whether the user has logged on "through" a smart card, outside the GINA layer (from an external application)?
Any information or any pointers to a different forum would be appreciated.
Thanks