Smart Card Logon and Authentication


The smart card logon process includes the following steps. (The GINA described here is the Windows 2000, XP and Server 2003 logon component; Windows Vista and later replace it with credential providers, but the Kerberos exchange in steps 5 to 8 is the same.)

  1. After the user inserts a smart card, the Windows logon service (WINLOGON) dispatches this event to the GINA.
  2. The user is prompted to enter a PIN (rather than a username and password).
  3. The GINA sends the PIN to the Local Security Authority (LSA).
    Note: No logon domain information is required, because the user is logged on with a User Principal Name (UPN), which is embedded in the Subject Alternative Name extension of the certificate.
  4. The LSA uses the PIN to unlock the smart card and read the certificate that carries the user's public key.
  5. The Kerberos security support provider sends the user's certificate to the KDC as pre-authentication data, together with an authenticator that the smart card signed with the user's private key. The private key itself never leaves the card.
  6. The KDC compares the UPN in the certificate with the UPN on the user object in the directory. The KDC also verifies the signature on the certificate to ensure that it was issued by a CA that is trusted in the Active Directory forest, such as an Enterprise CA, and builds and validates the certificate chain (the checks later in this document cover what can go wrong at this step).
  7. The KDC encrypts the logon session key with the public key from the client certificate and returns it together with the TGT for the ticket granting service. This step ensures that only the client holding the matching private key can decrypt the logon session key.
  8. The client decrypts the logon session key and presents the TGT to the ticket granting service. After this process is complete, all other communication in Kerberos uses symmetric encryption.

Troubleshooting Smart Card Logons

Is the smart card reader recognized by the operating system?

Typically, if the reader is recognized by the system, a reader icon is displayed on the GINA logon screen. Log on locally and check Device Manager to confirm that the reader is listed and functioning correctly.

To check the smart card reader installation do the following:

  1. Click Start
  2. Select Control Panel
  3. Select System
  4. Select Hardware
  5. Select Device Manager
  6. Expand Smart Card Readers

If the reader is not displayed in Device Manager, or is displayed with an inaccurate make or model name, check with the reader manufacturer and obtain the latest drivers for the OS in use.

Verify that the Smart Card service (SCardSvr) is running on the client by doing the following:

  1. Click Start
  2. Select Run
  3. Type Services.msc
  4. Verify that the Smart Card service is running and that its startup type is Automatic or Manual.

For more information on troubleshooting hardware issues, please see the following:

The Step-by-Step Guide to Installing and Using a Smart Card Reader is available from the Microsoft website at the following URL https://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/smrtcard.mspx

Is the user prompted for their PIN?
If not, try removing and re-inserting the card.

875506 The PIN dialog box may not be displayed when you use a smart card to log:
https://support.microsoft.com/?id=875506

If the correct CSP for the card is not installed, the following error message may be displayed:
"The card supplied requires drivers that are not present on this system. Please try another card"

If this is the case, contact the card vendor for a valid CSP to install on the workstation for that card. If the correct CSP has been installed and this error message is still displayed, the problem could be resolved by reinstalling the CSP.

If you know what CSP should be used for this card, you can check to see if the CSP is installed by running the following command on the client:
Certutil -csplist

You can test each CSP on the system by running:
Certutil -csptest

Is a 3rd party GINA in use?

  • Check whether the customer is using a 3rd party GINA by looking at the GINADLL value at the following key (if the value is absent, the default MSGINA.DLL is in use):
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

When a Smart Card is inserted:

  • The Winlogon process is notified, and Winlogon changes the display of the loaded GINA to show a place to insert a PIN.
  • Custom GINAs may handle this request incorrectly. If the GINADLL value in the registry is defined and set to anything other than MSGINA.DLL, change the value to MSGINA.DLL and restart the workstation.
  • For more information, please see the following:
    843541 Your computer stops responding when you use a smart card to log on to
    https://support.microsoft.com/?id=843541

Can the user log on to the workstation with a UPN-formatted user name (for example user@contoso.net) but without a smart card?

  • The Subject Alternative Name extension of the certificate must contain the user's User Principal Name (UPN) as an otherName of type Principal Name (OID 1.3.6.1.4.1.311.20.2.3).
  • The authenticating KDC uses this UPN to locate and authenticate the user.
  • Logons using UPNs require that a Global Catalog server is available to the client.
  • If no Global Catalog servers are advertising, or one cannot be located because of a DNS lookup failure, UPN logon will fail, and so will smart card logon.
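The UPN mapping in step 6 of the logon process and in the list above depends on the UPN otherName inside the Subject Alternative Name. The following Python example is added here and is not part of the original document or of any Microsoft tool: it hand-encodes a SAN extension value containing the Microsoft UPN otherName with a minimal DER encoder, decodes it back the way a verifier must (skipping other GeneralName types and other otherName type-ids), and compares the result to a directory UPN as the KDC mapping requires. The sample UPN one.user@contoso.net and the rfc822Name beside it are constructed; only the OID and the ASN.1 layout come from the certificate format.

```python
"""Encode and decode the Subject Alternative Name otherName that carries a UPN.

Stdlib only; the tiny DER encoder/decoder below handles just the tags this
structure uses (SEQUENCE, OID, context-specific tags, UTF8String, IA5String)."""
from typing import Optional, Tuple

UPN_OID = "1.3.6.1.4.1.311.20.2.3"   # szOID_NT_PRINCIPAL_NAME, the Microsoft UPN otherName


def der_len(n: int) -> bytes:
    """DER length: short form below 128 bytes, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                       # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return tlv(0x06, bytes(out))


def decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def build_san(upn: str, email: Optional[str] = None) -> bytes:
    """GeneralNames ::= SEQUENCE OF GeneralName, with
       otherName [0] { type-id OID, value [0] EXPLICIT UTF8String }."""
    other_name = tlv(0xA0, encode_oid(UPN_OID) + tlv(0xA0, tlv(0x0C, upn.encode("utf-8"))))
    names = other_name
    if email:
        names += tlv(0x81, email.encode("ascii"))  # rfc822Name [1] IMPLICIT IA5String
    return tlv(0x30, names)


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, body, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def extract_upn(san: bytes) -> Optional[str]:
    """Walk the GeneralNames and return the UPN otherName value, or None if absent."""
    tag, names, _ = read_tlv(san, 0)
    if tag != 0x30:
        raise ValueError("SAN value is not a SEQUENCE")
    pos = 0
    while pos < len(names):
        tag, body, pos = read_tlv(names, pos)
        if tag != 0xA0:                        # dNSName, rfc822Name, ... are not otherName
            continue
        oid_tag, oid_body, after_oid = read_tlv(body, 0)
        if oid_tag != 0x06 or decode_oid(oid_body) != UPN_OID:
            continue                           # some other otherName type
        _, explicit, _ = read_tlv(body, after_oid)   # strip the [0] EXPLICIT wrapper
        str_tag, value, _ = read_tlv(explicit, 0)
        if str_tag != 0x0C:
            raise ValueError("UPN otherName is not a UTF8String")
        return value.decode("utf-8")
    return None


def upn_matches(cert_upn: Optional[str], directory_upn: str) -> bool:
    """Step 6 of the logon: the KDC maps the certificate UPN to the user object.
    Active Directory compares UPNs case-insensitively; a missing UPN is a failure."""
    return cert_upn is not None and cert_upn.casefold() == directory_upn.casefold()


# Constructed sample, not taken from a real certificate.
SAMPLE_SAN = build_san("one.user@contoso.net", email="one.user@contoso.net")

if __name__ == "__main__":
    print("SAN DER:", SAMPLE_SAN.hex())
    found = extract_upn(SAMPLE_SAN)
    print("certificate UPN:", found, "matches directory:", upn_matches(found, "One.User@Contoso.net"))
```

The walker is deliberately strict about the tag of the string inside the otherName: certutil -scinfo shows the UPN as text, but a card whose CSP or CA put the value in the wrong string type will still fail the KDC mapping, and that is the case worth catching before blaming the directory.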

Is the issuing CA certificate that issued the smart card certificate published to the NTAuth store in Active Directory?

  • The issuing CA certificate must be published to the NTAuth store and replicated to all domain controllers in the domain.
  • Typically, a Windows 2000 or 2003 Enterprise CA will automatically publish this certificate to the NTAuth store.
  • A standalone CA certificate or 3rd party CA certificate will always need to be manually published.
  • You can view the contents of this store by using PKIView.msc from the Windows 2003 Resource kit or by using the certutil command line tool.
  • In PKIView.msc, right click on Enterprise PKI, select Manage AD Containers, and then go to the NTAuthCertificates tab to view any certificates which are published.
  • Use Certutil at the command prompt with the following syntax (this opens a certificate viewer dialog for the store):

Certutil -viewstore -enterprise NTAuth

If there are many certificates found in the NTAuth store, you can verify that the one you need is published by comparing the Authority Key Identifier attribute on the Smart Card Certificate with the Subject Key Identifier attribute on the CA Certificate.

  • Note: PKIView displays the information that is actually stored in Active Directory.
  • Note: Certutil -viewstore -enterprise NTAuth reads the local cache of the enterprise store, which Group Policy copies from Active Directory into the following registry key on the local machine:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates

Note: After the certificate is published to the NTAuth store in Active Directory, it reaches that local cache only after Group Policy is applied (at the next refresh, or by forcing one), so the change does not take effect on a domain controller immediately.


Can the issuing CA certificate, i.e. the one published to the NTAuth store, be validated?

This certificate:

  • Must be trusted
  • Must not be expired
  • Must not be revoked
  • Revocation checking against this certificate must not fail.

To check for these conditions:

  • Open the certificate, click on the details tab, and select "Copy to file" to export the certificate (DER format is fine). At the command prompt, run:
    Certutil -verify -urlfetch cerexport.cer

If the certificate is not trusted because the root certificate is not in the trusted root store, the following will be displayed at the bottom of the output:

Exclude leaf cert:
80 09 43 7e db ad f8 28 b4 41 0a f9 56 b7 1d ed 05 b9 ac 97
Full chain:
68 05 b4 48 50 de 54 10 64 47 15 59 e8 1d fa 8d e4 d6 f8 5a
Issuer: CN=Contoso Issuing CA, O=Contoso, C=US
Subject: CN=DC1.Contoso.net
Serial: 61991547000000000019
Template: SubCA
6c d0 03 08 65 cd fc cd 2a cb a8 a6 d0 5d 01 97 c5 c0 88 40
A certificate chain processed, but terminated in a root certificate
which is not trusted by the trust provider. 0x800b0109 (-2146762487)
------------------------------------
Verifies against UNTRUSTED root

If the certificate has been revoked you will see the following at the bottom of the output:

Full chain:
e8 8f 69 ba 15 8b cc a1 e1 a7 f1 16 29 13 e7 79 e9 88 28 9e
Issuer: CN=Contoso Issuing CA, O=Contoso, C=US
Subject: CN=DC1.Contoso.net
Serial: 18d199a000000000000b
Template: SubCA
a1 34 d1 ac ba 9c 81 31 5c ba 50 f3 7f fa 78 b8 39 e1 61 05
The certificate is revoked. 0x80092010 (-2146885616)

------------------------------------
Certificate is REVOKED
Leaf certificate is REVOKED (Reason=2)

If the certificate has expired, you will see the following at the bottom of the output:

Full chain:
9e 82 92 3d fc be 27 88 76 4b dd e1 31 e3 66 c0 de 76 39 60
Issuer: CN=Contoso Issuing CA, O=Contoso, C=US
Subject: CN=DC1.Contoso.net
Serial: 4c7619e10001002110fd
Template: SubCA
39 b9 9c 41 45 8e 69 10 d2 69 45 01 f6 df 05 e8 e9 e3 4f 61
A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file. 0x800b0101 (-2146762495)

------------------------------------
419.3401.0: 0x800b0101 (-2146762495)
Expired certificate
Leaf certificate revocation check passed

If the workstation is unable to connect to the CRL distribution points to perform a revocation check, the following or similar will be displayed in the output (the actual error will vary based on condition):

---------------- Certificate CDP ----------------
Failed "CDP" Time: 0
Error retrieving URL: A connection with the server could not be established 0x80072efd (WIN32: 12029)
https://DC1/CertSrv/Contoso%20Corporate%20Issuing%20CA.crl

Does each Domain Controller have a domain controller certificate?

  • Each domain controller in the domain needs a valid Domain Controller certificate.
  • If a standalone CA or 3rd Party CA is being used, Domain Controller certificates will need to be manually requested and installed.

For a full list of requirements for a 3rd party Domain Controller certificate, view:
291010 Requirements for Domain Controller Certificates from a Third-Party CA
https://support.microsoft.com/?id=291010

  • Check the authenticating domain controllers for this certificate by running:
    Certutil -store my

    It will return a list of all the certificates installed in the domain controller's certificate store.

================ Certificate 2 ================
Serial Number: 61b40644000000000004
Issuer: CN=Contoso Corporate Issuing CA, O=Contoso, C=US
Subject: CN=RJDC5.Contoso.net
Certificate Template Name: DomainController
Non-root Certificate
Template: DomainController, Domain Controller
Cert Hash(sha1): 82 ab 82 af 73 76 d1 52 40 01 74 71 03 54 b8 39 6d 00 18 72
Key Container = 4c86cf1f699ee86033e502958ca4860d_e699ab56-a413-4766-914d-e6a735c4afdd
Provider = Microsoft RSA SChannel Cryptographic Provider
Private key is NOT exportable
Encryption test passed
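The NTAuth check earlier in this document and the domain controller certificate check above both come down to reading certutil -store output (for the NTAuth store use Certutil -store -enterprise NTAuth, since -viewstore opens a dialog rather than printing text). The following Python example is added here and is not part of the original document: it parses that output into one record per certificate, picks out the DC-template certificates whose private key passed the encryption test, and checks that the issuing CA's name appears in the NTAuth store. The sample store dumps are constructed in the layout certutil prints; the DC block repeats the one shown above, while the other certificate and the NTAuth entry are made up. The two extra template names in DC_TEMPLATES are the newer Kerberos Authentication and Domain Controller Authentication templates, added as a generalisation beyond the DomainController template the page discusses, and read_store is a Windows-only wrapper that is not needed to run the parsing.

```python
"""Parse 'certutil -store' text output and check the two conditions above:
each domain controller has a usable DC certificate, and the CA that issued it
is published in the enterprise NTAuth store."""
import re
from typing import Dict, List

HEADER_RE = re.compile(r"^=+ Certificate (\d+) =+$")

# Template internal names a KDC can use for PKINIT. The page discusses DomainController;
# the other two are the newer templates and are an added generalisation.
DC_TEMPLATES = {"DomainController", "DomainControllerAuthentication", "KerberosAuthentication"}


def parse_store(text: str) -> List[Dict[str, object]]:
    """Turn each '=== Certificate N ===' block into a dict of its 'Key: value' lines;
    bare status lines such as 'Encryption test passed' go into the 'flags' list."""
    certs: List[Dict[str, object]] = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            cur = {"Index": int(header.group(1)), "flags": []}
            certs.append(cur)
            continue
        if cur is None or not line or line.startswith("CertUtil:"):
            continue
        for sep in (": ", " = "):              # 'Issuer: ...' and 'Provider = ...' styles
            if sep in line:
                key, value = line.split(sep, 1)
                cur[key.strip()] = value.strip()
                break
        else:
            cur["flags"].append(line)
    return certs


def dc_certificates(certs: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """DC-template certificates whose private key certutil could actually use."""
    return [c for c in certs
            if c.get("Certificate Template Name") in DC_TEMPLATES
            and "Encryption test passed" in c["flags"]]


def issuer_in_ntauth(cert: Dict[str, object], ntauth: List[Dict[str, object]]) -> bool:
    """First-pass check by distinguished name. The definitive test compares the leaf's
    Authority Key Identifier with the CA certificate's Subject Key Identifier (both are
    shown by 'certutil -dump'), because a renewed CA keeps its name but changes its key."""
    return any(c.get("Subject") == cert.get("Issuer") for c in ntauth)


def check_dc(my_store: str, ntauth_store: str) -> Dict[str, object]:
    dcs = dc_certificates(parse_store(my_store))
    ntauth = parse_store(ntauth_store)
    return {
        "dc_cert_hashes": [c["Cert Hash(sha1)"] for c in dcs],
        "issuer_published": bool(dcs) and all(issuer_in_ntauth(c, ntauth) for c in dcs),
    }


def read_store(*certutil_args: str) -> str:
    """Windows only: read_store('-store', 'my') or read_store('-store', '-enterprise', 'NTAuth')."""
    import subprocess
    return subprocess.run(["certutil", *certutil_args], capture_output=True, text=True).stdout


# Constructed samples in the layout certutil -store prints (see the lead-in above).
DC_MY_STORE = """\
my
================ Certificate 0 ================
Serial Number: 1f03a9c2000000000002
Issuer: CN=Contoso Corporate Issuing CA, O=Contoso, C=US
Subject: CN=RJDC5.Contoso.net
Certificate Template Name: Machine
Non-root Certificate
Template: Machine, Computer
Cert Hash(sha1): 0b 1c 2d 3e 4f 50 61 72 83 94 a5 b6 c7 d8 e9 fa 0b 1c 2d 3e

================ Certificate 1 ================
Serial Number: 61b40644000000000004
Issuer: CN=Contoso Corporate Issuing CA, O=Contoso, C=US
Subject: CN=RJDC5.Contoso.net
Certificate Template Name: DomainController
Non-root Certificate
Template: DomainController, Domain Controller
Cert Hash(sha1): 82 ab 82 af 73 76 d1 52 40 01 74 71 03 54 b8 39 6d 00 18 72
  Key Container = 4c86cf1f699ee86033e502958ca4860d_e699ab56-a413-4766-914d-e6a735c4afdd
  Provider = Microsoft RSA SChannel Cryptographic Provider
Private key is NOT exportable
Encryption test passed
CertUtil: -store command completed successfully.
"""
NTAUTH_STORE = """\
NTAuth
================ Certificate 0 ================
Serial Number: 4a1e77b0000000000000
Issuer: CN=Contoso Root CA, O=Contoso, C=US
Subject: CN=Contoso Corporate Issuing CA, O=Contoso, C=US
Cert Hash(sha1): 5e 6f 70 81 92 a3 b4 c5 d6 e7 f8 09 1a 2b 3c 4d 5e 6f 70 81
CertUtil: -store command completed successfully.
"""

if __name__ == "__main__":
    print(check_dc(DC_MY_STORE, NTAUTH_STORE))
```

On a real DC, run check_dc(read_store("-store", "my"), read_store("-store", "-enterprise", "NTAuth")); an empty dc_cert_hashes list means the DC has no certificate the KDC can use, and issuer_published False means the CA still needs to be published (or replication and Group Policy have not delivered it yet).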

Can the Domain Controller certificates be validated?

The Domain Controller certificates:

  • Must not be expired
  • Must not be revoked
  • Revocation checking must not fail.

The easiest way to check for these conditions:
Certutil -verifystore my

If the certificate has been revoked you will see the following at the bottom of the output:

Full chain:
e8 8f 69 ba 15 8b cc a1 e1 a7 f1 16 29 13 e7 79 e9 88 28 9e
Issuer: CN=Contoso Issuing CA, O=Contoso, C=US
Subject: CN=DC1.Contoso.net
Serial: 18d199a000000000000b
Template: Domain Controller
a1 34 d1 ac ba 9c 81 31 5c ba 50 f3 7f fa 78 b8 39 e1 61 05
The certificate is revoked. 0x80092010 (-2146885616)
------------------------------------
Certificate is REVOKED
Leaf certificate is REVOKED (Reason=2)

If the certificate has expired we will see the following at the bottom of the output:

Full chain:
9e 82 92 3d fc be 27 88 76 4b dd e1 31 e3 66 c0 de 76 39 60
Issuer: CN=Contoso Issuing CA, O=Contoso, C=US
Subject: CN=DC1.Contoso.net
Serial: 4c7619e10001002110fd
Template: Domain Controller
39 b9 9c 41 45 8e 69 10 d2 69 45 01 f6 df 05 e8 e9 e3 4f 61
A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file. 0x800b0101 (-2146762495)
------------------------------------
419.3401.0: 0x800b0101 (-2146762495)
Expired certificate
Leaf certificate revocation check passed

Can the certificate on the smart card be validated on the domain controller?

When the KDC receives the user's smart card certificate, it will use the CryptoAPI to build a certificate chain from the user's certificate to verify that it can be trusted.

The certificate:

  • Must have been issued by a trusted CA
  • Must not be expired
  • Must not be revoked
  • Revocation checking against this certificate must not fail.

To verify that the certificate chain can be built on the DC, perform the following:

Export a copy of the smart card certificate, either from the CA database or, on a workstation with the smart card inserted in the reader, by running:
Certutil -scinfo

Open the certificate, go to the Details tab, and click "Copy to file". Export the certificate to a file (DER format is fine) and copy the exported file to the authenticating domain controller. At the command prompt on that domain controller, run the following:

Certutil -verify -urlfetch cerexport.cer

If the certificate is not trusted because the root certificate is not in the trusted root store of the DC, the following will be displayed at the bottom of the output:

Full chain:
68 05 b4 48 50 de 54 10 64 47 15 59 e8 1d fa 8d e4 d6 f8 5a
Issuer: CN=Contoso Issuing CA, O=Contoso, C=US
Subject: CN=One User, CN=Users, DC=Contoso, DC=net
Serial: 61991547000000000019
Template: Smart Card
6c d0 03 08 65 cd fc cd 2a cb a8 a6 d0 5d 01 97 c5 c0 88 40
A certificate chain processed, but terminated in a root certificate
which is not trusted by the trust provider. 0x800b0109 (-2146762487)
------------------------------------
Verifies against UNTRUSTED root

If the certificate has been revoked you will see the following at the bottom of the output:

Full chain:
e8 8f 69 ba 15 8b cc a1 e1 a7 f1 16 29 13 e7 79 e9 88 28 9e
Issuer: CN=Contoso Issuing CA, O=Contoso, C=US
Subject: CN=One User, CN=Users, DC=contoso, DC=net
Serial: 18d199a000000000000b
Template: Smart Card
a1 34 d1 ac ba 9c 81 31 5c ba 50 f3 7f fa 78 b8 39 e1 61 05
The certificate is revoked. 0x80092010 (-2146885616)

------------------------------------
Certificate is REVOKED
Leaf certificate is REVOKED (Reason=2)
If the domain controller is unable to contact the CRL distribution points to perform a revocation check, the following or similar will be displayed in the output:

---------------- Certificate CDP ----------------
Failed "CDP" Time: 0
Error retrieving URL: A connection with the server could not be established 0x80072efd (WIN32: 12029)
https://DC1/CertSrv/Contoso%20Corporate%20Issuing%20CA.crl

If the certificate has expired, you will see the following at the bottom of the output:

Full chain:
9e 82 92 3d fc be 27 88 76 4b dd e1 31 e3 66 c0 de 76 39 60
Issuer: CN=Contoso Issuing CA, O=Contoso, C=US
Subject: CN=One User, CN=Users, DC=contoso, DC=net
Serial: 4c7619e10001002110fd
Template: Smart Card
39 b9 9c 41 45 8e 69 10 d2 69 45 01 f6 df 05 e8 e9 e3 4f 61
A required certificate is not within its validity period when verifying against
the current system clock or the timestamp in the signed file. 0x800b0101 (-2146762495)
------------------------------------
419.3401.0: 0x800b0101 (-2146762495)
Expired certificate
Leaf certificate revocation check passed
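The outputs shown for the issuing CA certificate, the domain controller certificates and the smart card certificate differ only in the HRESULT and verdict lines at the tail, which makes the check easy to script across many domain controllers. The following Python example is added here and is not part of the original document: it classifies the tail of Certutil -verify -urlfetch output into untrusted root, revoked (with the CRL reason code decoded), expired, or revocation source unreachable, using the HRESULT values certutil prints. The sample tails are abridged from the outputs shown on this page; verify_file is a Windows-only wrapper and the only part that needs certutil itself.

```python
"""Classify the tail of 'certutil -verify -urlfetch <cert>' output into the failure
modes discussed above so the check can be scripted across domain controllers."""
import re
from typing import Dict

# HRESULTs certutil prints for each condition (values from wincrypt.h / winerror.h).
KNOWN_CODES = {
    0x800B0109: "untrusted_root",       # CERT_E_UNTRUSTEDROOT
    0x80092010: "revoked",              # CRYPT_E_REVOKED
    0x800B0101: "expired",              # CERT_E_EXPIRED
    0x80092013: "revocation_offline",   # CRYPT_E_REVOCATION_OFFLINE
    0x80092012: "no_revocation_check",  # CRYPT_E_NO_REVOCATION_CHECK
}
# RFC 5280 CRLReason values behind the "Reason=N" certutil prints for a revoked leaf.
CRL_REASONS = {0: "unspecified", 1: "keyCompromise", 2: "cACompromise",
               3: "affiliationChanged", 4: "superseded", 5: "cessationOfOperation",
               6: "certificateHold", 8: "removeFromCRL", 9: "privilegeWithdrawn",
               10: "aACompromise"}
HRESULT_RE = re.compile(r"0x([0-9a-fA-F]{8})")
REASON_RE = re.compile(r"REVOKED \(Reason=(\d+)\)")
URL_RE = re.compile(r"^(https?|ldaps?|file)://", re.IGNORECASE)


def classify_verify(output: str) -> Dict[str, object]:
    result: Dict[str, object] = {"status": "ok", "hresult": None, "reason": None,
                                 "failed_urls": [], "revocation_passed": False}
    lines = output.splitlines()
    for i, line in enumerate(lines):
        if line.startswith('Failed "'):          # Failed "CDP" / "AIA" / "OCSP" fetch
            for nxt in lines[i + 1:i + 4]:       # the URL is printed a line or two below
                if URL_RE.match(nxt.strip()):
                    result["failed_urls"].append(nxt.strip())
                    break
        m = REASON_RE.search(line)
        if m:
            code = int(m.group(1))
            result["reason"] = CRL_REASONS.get(code, str(code))
        if "Leaf certificate revocation check passed" in line:
            result["revocation_passed"] = True
    # The first known fatal HRESULT decides the verdict. A failed CDP/AIA fetch with no
    # fatal code means the chain could not be checked, which the KDC also treats as failure.
    for hexcode in HRESULT_RE.findall(output):
        code = int(hexcode, 16)
        if code in KNOWN_CODES:
            result["status"] = KNOWN_CODES[code]
            result["hresult"] = code
            break
    if result["status"] == "ok" and result["failed_urls"]:
        result["status"] = "revocation_unreachable"
    return result


def verify_file(path: str) -> Dict[str, object]:
    """Windows only: run certutil -verify -urlfetch on an exported certificate file."""
    import subprocess
    out = subprocess.run(["certutil", "-verify", "-urlfetch", path], capture_output=True, text=True)
    return classify_verify(out.stdout)


# Abridged tails of the four outputs shown above.
UNTRUSTED_TAIL = """\
A certificate chain processed, but terminated in a root certificate
which is not trusted by the trust provider. 0x800b0109 (-2146762487)
------------------------------------
Verifies against UNTRUSTED root
"""
REVOKED_TAIL = """\
The certificate is revoked. 0x80092010 (-2146885616)
------------------------------------
Certificate is REVOKED
Leaf certificate is REVOKED (Reason=2)
"""
EXPIRED_TAIL = """\
A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file. 0x800b0101 (-2146762495)
------------------------------------
419.3401.0: 0x800b0101 (-2146762495)
Expired certificate
Leaf certificate revocation check passed
"""
CDP_FAIL_TAIL = """\
---------------- Certificate CDP ----------------
Failed "CDP" Time: 0
Error retrieving URL: A connection with the server could not be established 0x80072efd (WIN32: 12029)
https://DC1/CertSrv/Contoso%20Corporate%20Issuing%20CA.crl
"""

if __name__ == "__main__":
    for name, tail in [("untrusted", UNTRUSTED_TAIL), ("revoked", REVOKED_TAIL),
                       ("expired", EXPIRED_TAIL), ("cdp", CDP_FAIL_TAIL)]:
        print(name, classify_verify(tail))
```

Note that Reason=2 in the revoked sample decodes to cACompromise, which is a different response than the more usual keyCompromise or superseded: it means the CA itself was revoked, so every certificate it issued (including the domain controller certificates) must be replaced, not just the one on the card.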

Smart Card Related Documents

Smart Cards
https://www.microsoft.com/technet/security/guidance/identitymanagement/scard.mspx

Windows Vista Smart Card Infrastructure
https://www.microsoft.com/downloads/details.aspx?FamilyID=AC201438-3317-44D3-9638-07625FE397B9&displaylang=en

The Secure Access Using Smart Cards Planning Guide
https://www.microsoft.com/downloads/details.aspx?FamilyId=AD196BCE-876B-44E0-9E90-2A0C34446826&displaylang=en

The Smart Card Deployment Cookbook
www.microsoft.com/technet/Security/topics/smrtcard/smrtcdcb/default.mspx

The Smart Card Cryptographic Service Provider Cookbook
https://msdn.microsoft.com/library/en-us/dnscard/html/smartcardcspcook.asp