Smart card login - The function requested is not supported

Howdy everyone,

So...I've grabbed up some Gemalto .NET 2.0 smart cards to hopefully use as A.D. authentication and other various requirements. So, what I've done is on my PKI

Requested an Enrollment Agent cert

Duplicated the template Smartcard Logon and set accordingly:
* Purpose: Signature and smartcard login
* Cryptography: Must use one of the following: Microsoft Base Smart Card Crypto Provider
* Issuance: Requires 1 signature, Application Policy/Certificate Request Agent

I'm able to successfully get a cert and confirmed with the certutil scinfo command.

When I try to RDP to a server or workstation I get the following message

Remote Desktop Connection
An authentication error has occurred
The function requested is not supported

Remote computer: *computer name*

When logging in directly onto a machine (after PIN verification):

Signing in with a smart card isn't supported for your account

I have Domain Controller certs on my DCs (combination of 2008 R2 and 2012) that include purposes of Client/Server/Smart Card Logon

I'm obviously forgetting something?

Thanks


  • Edited by CompNerd84 Wednesday, August 26, 2015 3:33 PM formatting
August 26th, 2015 3:31pm

Hi,

I have Domain Controller certs on my DCs (combination of 2008 R2 and 2012) that include purposes of Client/Server/Smart Card Logon

Please re-enroll certificates for Domain Controllers from Domain Controller Authentication template to see whether it works.

I'm able to successfully get a cert and confirmed with the certutil scinfo command.

In addition, please ensure that the private key is installed on the smart card.

More information for you:

Smartcard Logon not enabled

https://social.technet.microsoft.com/Forums/windowsserver/en-US/ee52cb8f-c3cd-437f-9fc8-6884dd335394/smartcard-logon-not-enabled?forum=winserversecurity

Best Regards,

Amy

August 27th, 2015 4:24am

Try this:

http://www.networksteve.com/forum/topic.php/Smartcard_Logon_not_enabled/?TopicId=4610&Posts=4

August 27th, 2015 5:02am


Hi,

Please also try to enroll a certificate for Domain Controllers from the Kerberos Authentication template to see what happens.

If the issue persists, I suggest you contact your smart card vendor support to ensure that all requirements from their side are met.

Best Regards,

Amy

August 27th, 2015 10:22pm

I'd just like to update this thread, for anyone else out there.

First, it seems I was issuing the smart card cert incorrectly (go figure, learning on the go here!). Instead of "Enroll on behalf" I was just directly selecting the smart card template and issuing a cert with my Enrollment Cert (which found my Enrollment Cert).

That being said, when I tried to "Enroll on behalf" it wasn't finding my Enrollment Certificate. After a few emails back and forth to Microsoft support, we did the following:

* Had to add my Root, INT and CA (.cer) into the NTAuthCertificates store through the Enterprise PKI (right click on it and choose Manage AD Containers). For some reason these certificates weren't in there (except for an older CA cer). I'm blaming the person who set up our PKI...because he's now my boss so I blame him for a lot of things on this network (jokingly of course...haha)

* I still wasn't able to select an Enrollment Cert when I used "Enroll on behalf". MS suggested it was potentially the issuing client machine not receiving the update and to delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\AutoEnrollment

* run gpupdate /force

I was trying to issue on my own machine, so this is where I did the above. After this, I was able to select an Enrollment cert and issue a smart card certificate.

Hopefully this helps out someone in the future! Thanks to the people who helped, as it seems I was leading you down the wrong path.

September 10th, 2015 10:54am
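The thread turns on two things that are easy to check but were not checked up front: whether the DC certificates actually carry the purposes needed for smart card logon (the original post's setup), and whether the issuing CA chain is published in the enterprise NTAuthCertificates store (the fix in the update). The following PowerShell audit is an added example, not code from the thread or from Microsoft; it assumes an elevated PowerShell session on a domain-joined machine (ideally a DC) with certutil.exe available, and it only reads stores, it changes nothing.

```powershell
# Added example (not from the thread): audit DC certificate purposes and NTAuth publication.
# Assumptions: elevated PowerShell on a domain-joined machine; certutil.exe present (ships with Windows).

# EKU OIDs relevant to smart card logon on a domain controller (well-known values)
$ekuNames = @{
    '1.3.6.1.5.5.7.3.1'      = 'Server Authentication'
    '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'
    '1.3.6.1.4.1.311.20.2.2' = 'Smart Card Logon'
    '1.3.6.1.5.2.3.5'        = 'KDC Authentication'   # issued by the Kerberos Authentication template
}

# SHA-1 thumbprints currently published in the forest-wide NTAuthCertificates store.
# certutil prints "Cert Hash(sha1): ..." per certificate; strip spaces and upper-case to match .NET thumbprints.
$ntAuth = certutil -store -enterprise NTAuth |
    Select-String 'Cert Hash\(sha1\):\s*(.+)$' |
    ForEach-Object { ($_.Matches[0].Groups[1].Value -replace '\s', '').ToUpperInvariant() }

Get-ChildItem Cert:\LocalMachine\My | Where-Object HasPrivateKey | ForEach-Object {
    $cert = $_

    # Collect the EKU OIDs present on this certificate ($null if it has no EKU extension)
    $ekus = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value }

    # Certificate Template Information extension (1.3.6.1.4.1.311.21.7) tells us which template issued it
    $tmplExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
    $template = if ($tmplExt) { $tmplExt.Format($false) } else { '(no template extension)' }

    # Build the chain so we can identify the issuing CA (chain element 1; element 0 is the leaf)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null = $chain.Build($cert)
    $issuer = if ($chain.ChainElements.Count -gt 1) { $chain.ChainElements[1].Certificate } else { $null }

    [pscustomobject]@{
        Subject        = $cert.Subject
        Template       = $template
        SmartCardLogon = [bool]($ekus -contains '1.3.6.1.4.1.311.20.2.2')
        KdcAuth        = [bool]($ekus -contains '1.3.6.1.5.2.3.5')
        ServerAuth     = [bool]($ekus -contains '1.3.6.1.5.5.7.3.1')
        ClientAuth     = [bool]($ekus -contains '1.3.6.1.5.5.7.3.2')
        IssuerSubject  = if ($issuer) { $issuer.Subject } else { '(self-signed)' }
        # The CA that issued the logon certificate must be in NTAuth or logon fails with the errors in this thread
        IssuerInNTAuth = if ($issuer) { [bool]($ntAuth -contains $issuer.Thumbprint) } else { 'n/a' }
    }
} | Format-Table -AutoSize
```

Run it on each DC: a row with KdcAuth or ServerAuth plus Smart Card Logon and IssuerInNTAuth set to True is what smart card logon needs. If IssuerInNTAuth is False, the issuing CA certificate has to be published to NTAuth (the thread does this via Enterprise PKI, Manage AD Containers); clients pick up the updated store on the next autoenrollment pass or after gpupdate /force, which is the step the update describes.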

Hi,

Glad to hear that the issue is resolved and thank you for sharing with us!

Your solution is very beneficial to others who have similar issues.

Please feel free to let us know if there are any further requirements.

Best Regards,

Amy

September 10th, 2015 9:57pm
