Third Party Smart Card Log on Issue
Hello all,
I am trying to implement smart card logon with a 3rd party CA. I have followed all the MS articles concerning this issue but I still have no success.
More specifically:
There is a mixed environment with domain controllers Windows Server 2003 and Windows Server 2008.
A 3rd party CA. All DCs and user certificates have passed the validation tests with the certutil tool.
Besides the certutil tests, what else can I check on both client and server?
On my client I have a very generic error:
The server authenticating you reported an error (0xC00000BB). You can find further details in the event log. Please report this error to the system administrator.
Event ID 537
Kerberos Error
Status: 0xc00000bb
Sub Status: 0x0
Additionally, on the DC side the error in the Event Viewer is:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 31/8/2011 1:06:24 μμ
Event ID: 4771
Task Category: Kerberos Authentication Service
Level: Information
Keywords: Audit Failure
User: N/A
Computer: xxxxx
Description:
Kerberos pre-authentication failed.
Account Information:
Security ID: xxxx
Account Name: xxx
Service Information:
Service Name: krbtgt/xxxx
Network Information:
Client Address: ::ffff:xxxx
Client Port: 54024
Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x10
Pre-Authentication Type: 15
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options and failure codes are defined in RFC 4120.
If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4771</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14339</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2011-08-31T10:06:24.005067800Z" />
<EventRecordID>21609651</EventRecordID>
<Correlation />
<Execution ProcessID="464" ThreadID="1048" />
<Channel>Security</Channel>
<Computer>xxxxxx</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserName">scuser2</Data>
<Data Name="TargetSid">S-1-5-21-2591908458-212278272-4013262670-7639</Data>
<Data Name="ServiceName">krbtgt/xxxxx</Data>
<Data Name="TicketOptions">0x40810010</Data>
<Data Name="Status">0x10</Data>
<Data Name="PreAuthType">15</Data>
<Data Name="IpAddress">::ffff:xxxxxxxx</Data>
<Data Name="IpPort">54024</Data>
<Data Name="CertIssuerName">
</Data>
<Data Name="CertSerialNumber">
</Data>
<Data Name="CertThumbprint">
</Data>
</EventData>
</Event>
Thanks in advance to anyone who can help.
September 1st, 2011 8:16am
0xc00000bb = STATUS_NOT_SUPPORTED ntstatus.h
client error
Event Id 537
Kerberos Error
Status: 0xc00000bb
Sub Status: 0x0
server error
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 31/8/2011 1:06:24 μμ
Event ID: 4771
Task Category: Kerberos Authentication Service
Description: Kerberos pre-authentication failed.
Network Information:
Client Address: ::ffff:xxxx
Client Port: 54024
Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x10
Pre-Authentication Type: 15
#define KDC_ERR_PADATA_TYPE_NOSUPP ((KERBERR) 0x10 ) //KDC has no
We can do the following:
1. The Domain Controller has an expired / non-existent "Domain Controller" certificate (if you have the cert installed on the DCs).
2. The certificate issued to the domain controller does not have the OID for Smart Card logons under the Extended Key Usage (EKU) or is not based off of the "Domain Controller" certificate template.
Double-check if you are using the correct type of certificate:
Guidelines for enabling smart card logon with third-party certification authorities
http://support.microsoft.com/kb/281245
Step 5 lists the OID for smart card logon.
Sumesh P - Microsoft Online Community Support
September 8th, 2011 3:25pm
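One way to check the two points above from the DC itself, as an added example that is not code from the thread or from Microsoft: a PowerShell script that lists every certificate in the machine store with its validity, chain status and the EKU OIDs KB 281245 requires on the domain controller certificate (Client Authentication 1.3.6.1.5.5.7.3.2 and Server Authentication 1.3.6.1.5.5.7.3.1), then parses recent 4771 events the way the question's Event XML is laid out and keeps those with failure code 0x10 and pre-authentication type 15, the pattern in the question. It assumes an elevated PowerShell session on the domain controller (PowerShell 2.0 syntax, so it also works on Windows Server 2008); the function names are my own, and the KDC Authentication OID 1.3.6.1.5.2.3.5 is reported only as information, since it belongs to the 2008 Kerberos Authentication template rather than to the KB 281245 requirements.

```powershell
# Added example, not code from the thread or from Microsoft.
# Run in an elevated PowerShell session on the domain controller.

# EKU OIDs that KB 281245 lists for the domain controller certificate.
$RequiredDcEku = @{
    '1.3.6.1.5.5.7.3.2' = 'Client Authentication'
    '1.3.6.1.5.5.7.3.1' = 'Server Authentication'
}
# Present on certificates from the 2008 "Kerberos Authentication" template; informational only.
$KdcAuthOid = '1.3.6.1.5.2.3.5'

function Test-DcCertificates {
    # Report every machine certificate with its validity and which required EKUs it lacks.
    $now = Get-Date
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        $ekuOids = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekuOids = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
            }
        }
        $missing = @($RequiredDcEku.Keys |
            Where-Object { $ekuOids -notcontains $_ } |
            ForEach-Object { $RequiredDcEku[$_] })
        New-Object PSObject -Property @{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Expired    = ($cert.NotAfter -lt $now -or $cert.NotBefore -gt $now)
            MissingEku = ($missing -join ', ')
            HasKdcAuth = ($ekuOids -contains $KdcAuthOid)
            ChainValid = $cert.Verify()   # builds and checks the chain against the local stores
        }
    }
}

function Get-PkinitPreauthFailures {
    param([int]$MaxEvents = 200)
    # Parse 4771 events the way the question's XML is laid out and keep the
    # thread's failure pattern: Status 0x10 with pre-authentication type 15.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4771 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            New-Object PSObject -Property @{
                Time        = $_.TimeCreated
                User        = $data['TargetUserName']
                Client      = $data['IpAddress']
                Status      = $data['Status']
                PreAuthType = $data['PreAuthType']
                CertIssuer  = $data['CertIssuerName']
            }
        } |
        Where-Object { $_.Status -eq '0x10' -and $_.PreAuthType -eq '15' }
}

Test-DcCertificates | Format-Table Subject, NotAfter, Expired, ChainValid, MissingEku, HasKdcAuth -AutoSize
Get-PkinitPreauthFailures | Format-Table Time, User, Client, Status, PreAuthType, CertIssuer -AutoSize
```

A DC certificate that shows `Expired` as True, `ChainValid` as False, or anything in `MissingEku` matches points 1 and 2 above and needs to be reissued. The certificate fields in the question's 4771 event are empty, so the second function can only report which accounts and client addresses are hitting the failure, not which certificate they presented; the smart card certificate side (Client Authentication plus Smart Card Logon 1.3.6.1.4.1.311.20.2.2 in the EKU) is what the certutil tests in the question cover.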
Any update?
Sumesh P - Microsoft Online Community Support
September 12th, 2011 4:05am
This event typically means your DC certs are either expired or incorrectly formatted; in either case you'll need a new DC cert.
See
http://blogs.technet.com/b/instan/archive/2011/05/17/smartcard-logon-using-certificates-from-a-3rd-party-on-a-domain-controller-and-kdc-event-id-29.aspx
February 29th, 2012 3:06am