How to disable Smart Card GPO
I have a domain controller. When I booted it up and typed in my username and password it gave me an error. It said that I needed a smart card to login. I don't use smart cards. I think I accidentally enabled this policy. How can I disable this policy? I don't remember my directory services restore password either.
March 9th, 2007 2:31am

If you have found a solution for this, please forward it to me as I am faced with the same issue. dmn007@msn.com Thanks DMN007
April 10th, 2007 1:06am

I never found a solution. I searched all over and made a few posts on other forums. So I reinstalled. I'm not in a live Windows Server environment. I am in a Server 2003 class in college. You'll probably have to rebuild from backups. Good luck.
April 10th, 2007 10:58pm

I actually wrote a security policy for this and disabled it from the domain controller.
December 7th, 2007 12:58pm

Hello, how do your logs look? Do you get that dumb sh** "Event 29, Kerberos-Key-Distribution-Center" warning in your System Log? It's the only freaking warning on ALL my DCs, and I really don't want to see it anymore. Everyone says to ignore it... I say NO! I want it to go away. ;) Not that big of a request. Should we generate some self-signed cert with a 20-year expiration? If so, how? What OIDs are needed? What other attributes are needed for the DC cert? HELP! Please. :)
July 23rd, 2010 11:49pm

As you specified, smart cards are required to logon. This is due to a Group Policy Object that requires their use to open a session on your domain. Only two methods are available to disable this GPO (Group Policy Object):

1. Restore a backup that was made before the implementation of the strategy.
2. Use a user account in the domain that is able to remove the applied policies.

Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. Best regards.
July 25th, 2010 3:04am

DmN007, What type of policy did you create? Modify the default domain policy? Did you create a new GPO and apply to the DC OU? Do you have any specific information so that I can implement the same? :) Thanks!
July 26th, 2010 9:04pm

Hello Malek, nothing was implemented specifically for smart cards. This is a default feature (ugh) of Windows Server 2008, which generates warning logs in our system logs on all DCs. Very annoying. Otherwise, my logs would be 100% clean (all informational events). So I need to find out what the easiest option would be (i.e.: find the particular policy forcing this and modify it, create a new GPO that disables this "smart card" check, regedit, install a cert on the DCs to shut up the warning, etc.). Some of those options may not even be possible, just thinking out loud. ;) Suggestions? (And please don't say to ignore the event ;).) Thanks!
July 26th, 2010 9:09pm

You should disable the GPO that forces the users to use smart cards. The problem, as I have understood it, is that you don't have an account which is able to modify the existing GPO. Installing CAs to issue certificates is not possible because it needs an administrator account. The registry entries cannot be modified because only administrators are able to modify them. A solution is to restore a backup performed before the appearance of the problem. If you've got an administrator account which was not affected by this GPO strategy, you can use it to solve your problem because in this case the modification of the wrong GPO is feasible. Check if you've got an administrative account which was not affected by this GPO strategy. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. Best regards.
July 26th, 2010 9:31pm

lol. I don't recall mentioning that I don't have Admin access. ;) Which I do. What GPO enables this by default? So there weren't any changes to "cause" this. So there is no need to restore the System State or roll back to the old W2K DCs (god forbid). :) There were NOT any changes to cause this warning. We migrated from a W2K Domain to a W2K8 Domain (still in W2K FFL & DFL). Are you assuming there is a GPO that requires Smart Card Logons? If enabled by default, why would Micro$oft require this? Weird. Maybe 5% of companies out there would ever utilize this feature (just a guess), why enable it by default? More specifics please, avoid generalizing. :) Thanks! PS. Many other people have experienced this same scenario, but all threads come to a dead end. So I'm not the only one experiencing this. Even the MS KB will say just to ignore it. That seems ridiculous.
July 27th, 2010 11:03pm

The Smart Card Logons are not enabled by default. This is an article about the management of the Smart Card Use. The link is the following: http://technet.microsoft.com/en-us/library/cc757921(WS.10).aspx I think there is a GPO requiring the use of smart cards. You can check your GPOs and see if this option is enabled (it should be disabled or not defined): Computer Configuration > Policies > Windows Settings > Local Policies > Security Options > Interactive logon: Require smart cards. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. Best regards.
July 27th, 2010 11:36pm

Just to clarify, this is only happening in the DCs' System Event Log: "The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate." This happens 3-4 times every day on every W2K8R2 DC. This is in our production domain, and 2 x test domains, which were freshly built with Windows 2000 Server (W2K domain) then migrated to Windows 2008 R2 DCs. This error does NOT occur in the W2K DCs' logs. This IS looking for a cert by default. It may not be enabled for the client side, but it sure as heck is trying to associate a certificate for smart card logon on the W2K8R2 DCs. Hope this clarifies.
July 28th, 2010 2:23am
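As an added example (not code from anyone in this thread), the following read-only PowerShell checks cover both points discussed above: whether the "Interactive logon: Require smart card" policy is actually in force on a DC, and whether the DC has a certificate with the KDC Authentication EKU that event 29 says it cannot find. It assumes an elevated PowerShell session on a Server 2008 R2 or later DC, and that the policy setting is stored in the ScForceOption registry value under the Policies\System key.

```powershell
# Added example, not from the thread. Read-only diagnostics for the smart card / KDC event 29 discussion.
# Assumptions: elevated PowerShell on a Server 2008 R2+ DC; Get-WinEvent and the Cert: drive are available.

# 1. "Interactive logon: Require smart card" is delivered to the machine as this registry value.
#    Missing or 0 = not configured / disabled; 1 = a GPO (or local policy) is forcing smart card logon.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$scForce   = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).ScForceOption
if ($scForce -eq 1) {
    Write-Output 'Require smart card: ENABLED - a GPO or local policy is forcing it (check gpresult /h for the source)'
} else {
    Write-Output 'Require smart card: not enabled (value absent or 0, i.e. "Not configured")'
}

# 2. How often has the KDC logged warning 29 ("cannot find a suitable certificate") in the last 7 days?
$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 29
    StartTime    = (Get-Date).AddDays(-7)
}
$kdcEvents = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
Write-Output ('KDC event 29 occurrences in the last 7 days: {0}' -f $kdcEvents.Count)

# 3. Does the machine store hold a certificate with the KDC Authentication EKU (OID 1.3.6.1.5.2.3.5)?
#    Event 29 is raised precisely when no usable certificate with this EKU is found.
$kdcEkuOid = '1.3.6.1.5.2.3.5'
$kdcCerts = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $ekuExt = $_.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $kdcEkuOid })
}
if ($kdcCerts) {
    foreach ($cert in $kdcCerts) {
        Write-Output ('KDC-capable certificate: {0} (thumbprint {1}, expires {2})' -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter)
    }
} else {
    Write-Output 'No certificate with the KDC Authentication EKU in LocalMachine\My - consistent with event 29.'
}
```

If step 1 reports the policy as enabled on a DC where the Default Domain Controllers Policy shows "Not configured", another GPO linked to the Domain Controllers OU (or a local policy) is the source; step 3 reporting no certificate explains the warning without any smart card policy being involved at all.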

The problem is clear. Smart card authentication is enabled on most of your domain controllers. To enable that on these domain controllers, we should use GPOs. Have you checked that this option, Computer Configuration > Policies > Windows Settings > Local Policies > Security Options > Interactive logon: Require smart cards, is not enabled on the Default Domain Controllers Policy GPO? It is the most probable GPO causing the problem. Check it and tell me the state of this option. Best regards
July 28th, 2010 2:12pm

Already checked the Default Domain Controllers Policy and it shows that item as "Not configured" as the defaults should be. :) Thanks.
July 28th, 2010 7:50pm

The infected domain controllers are in the Domain controllers OU? Best regards.
July 28th, 2010 8:42pm

lol. I wouldn't say "Infection", that sounds a bit vulgar. ;) But of course the DCs are in the Domain Controllers OU. Thanks
July 29th, 2010 9:43pm

Any expert ideas? Someone who has possibly implemented a solution to this before? Someone who knows the logistics of how the Smart Card certificates work? Should I just create a self-signed cert and toss it on each DC? Is there an easier way (perhaps some GPO setting that someone knows about)?
July 30th, 2010 9:29pm

anyone?
August 5th, 2010 11:48pm

Funny. Even with a clean build, and a fresh domain, it is the ONLY "Warning" in the System log. Ok. Is it just me, or does this sound extremely stupid by design? Why the heck would you start with a clean log and just poop on it with a "required" warning event? Or am I just missing something? I would guess MAYBE 1% of the country might use smart cards in their AD environment... why not just have this not shown unless smart cards were ENABLED in AD? Ugh.
August 26th, 2010 8:28pm
