Third Party Smart Card Log on Issue
Hello all, I am trying to implement smart card logon with a 3rd party CA. I have followed all the MS articles concerning this issue but I still have no success. More specifically: there is a mixed environment with domain controllers Windows Server 2003 and Windows Server 2008, and a 3rd party CA. All DCs and user certificates have passed the validation tests with the certutil tool. Besides the certutil tests, what else can I check on both client and server?

On my client I have a very generic error:

The server authenticating you reported an error (0xC00000BB). You can find further details in the event log. Please report this error to the system administrator.

Event Id 537
Kerberos Error Status: 0xc00000bb
Sub Status: 0x0

Additionally, on the DC side the error in the Event Viewer is:

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 31/8/2011 1:06:24 μμ
Event ID: 4771
Task Category: Kerberos Authentication Service
Level: Information
Keywords: Audit Failure
User: N/A
Computer: xxxxx
Description:
Kerberos pre-authentication failed.
Account Information:
  Security ID: xxxx
  Account Name: xxx
Service Information:
  Service Name: krbtgt/xxxx
Network Information:
  Client Address: ::ffff:xxxx
  Client Port: 54024
Additional Information:
  Ticket Options: 0x40810010
  Failure Code: 0x10
  Pre-Authentication Type: 15
Certificate Information:
  Certificate Issuer Name:
  Certificate Serial Number:
  Certificate Thumbprint:
Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options and failure codes are defined in RFC 4120.
If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4771</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14339</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2011-08-31T10:06:24.005067800Z" />
    <EventRecordID>21609651</EventRecordID>
    <Correlation />
    <Execution ProcessID="464" ThreadID="1048" />
    <Channel>Security</Channel>
    <Computer>xxxxxx</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">scuser2</Data>
    <Data Name="TargetSid">S-1-5-21-2591908458-212278272-4013262670-7639</Data>
    <Data Name="ServiceName">krbtgt/xxxxx</Data>
    <Data Name="TicketOptions">0x40810010</Data>
    <Data Name="Status">0x10</Data>
    <Data Name="PreAuthType">15</Data>
    <Data Name="IpAddress">::ffff:xxxxxxxx</Data>
    <Data Name="IpPort">54024</Data>
    <Data Name="CertIssuerName"> </Data>
    <Data Name="CertSerialNumber"> </Data>
    <Data Name="CertThumbprint"> </Data>
  </EventData>
</Event>

Thanks in advance to anyone who can help.
September 1st, 2011 8:16am

0xc00000bb = STATUS_NOT_SUPPORTED (ntstatus.h)

Client error:
Event Id 537
Kerberos Error Status: 0xc00000bb
Sub Status: 0x0

Server error:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 31/8/2011 1:06:24 μμ
Event ID: 4771
Task Category: Kerberos Authentication Service
Description: Kerberos pre-authentication failed.
Network Information:
  Client Address: ::ffff:xxxx
  Client Port: 54024
Additional Information:
  Ticket Options: 0x40810010
  Failure Code: 0x10
  Pre-Authentication Type: 15

#define KDC_ERR_PADATA_TYPE_NOSUPP ((KERBERR) 0x10 ) //KDC has no

We can do the following:

1. The Domain Controller has an expired / does not exist "Domain Controller" Certificate (if you have the cert installed on the DCs).
2. The Certificate issued to the domain controller does not have the OID for Smart Card logons under the Extended Key Usage (EKU) or is not based off of the "Domain Controller" Certificate Template.

Double check if you are using the correct type of certificate:

Guidelines for enabling smart card logon with third-party certification authorities
http://support.microsoft.com/kb/281245

Step 5 lists the OID for smartcard log in.

Sumesh P - Microsoft Online Community Support
September 8th, 2011 3:25pm
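A defender-side check for the DC-certificate conditions the reply above points at (expired certificate, missing EKU, wrong template). This is an added example, not code from the thread or from Microsoft; it assumes an elevated PowerShell session on the DC being tested, and the extension and EKU OIDs are taken from KB 281245 and RFC 5280. It flags a certificate missing the Server Authentication and Client Authentication EKUs that KB 281245 lists for the DC certificate, and reports whether Smart Card Logon and KDC Authentication are present, so the certificate the KDC would pick for PKINIT can be checked before the next 4771 appears.

```powershell
# Added example, not code from the thread or from Microsoft. Audits the DC's
# machine certificate store for the properties KB 281245 lists for a domain
# controller certificate, so a 4771 with failure code 0x10 can be traced to an
# expired or mis-issued DC certificate. Assumptions: run elevated on the DC in
# PowerShell 2.0 or later; the OIDs below are from KB 281245 and RFC 5280.

$RequiredEku = @{ '1.3.6.1.5.5.7.3.1' = 'Server Authentication'
                  '1.3.6.1.5.5.7.3.2' = 'Client Authentication' }
$ReportEku   = @{ '1.3.6.1.5.2.3.5'        = 'KDC Authentication'
                  '1.3.6.1.4.1.311.20.2.2' = 'Smart Card Logon' }
$DcFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

function Test-DcCertificate {
    param($Cert)   # an X509Certificate2 from Cert:\LocalMachine\My
    $problems = @()
    $now = Get-Date
    if ($Cert.NotAfter -lt $now)  { $problems += "expired on $($Cert.NotAfter)" }
    if ($Cert.NotBefore -gt $now) { $problems += 'not yet valid' }
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key (KDC cannot sign with it)' }

    # .NET returns well-known extensions as typed objects, so EKU/KU can be read directly.
    $ekuExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    foreach ($oid in $RequiredEku.Keys) {
        if ($ekus -notcontains $oid) { $problems += "missing EKU $($RequiredEku[$oid]) ($oid)" }
    }
    $kuExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
    $sig = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
    if (-not $kuExt -or -not ($kuExt.KeyUsages -band $sig)) { $problems += 'key usage lacks Digital Signature' }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san -or $san.Format($false) -notmatch [regex]::Escape($DcFqdn)) {
        $problems += "SAN does not carry DNS name $DcFqdn"
    }
    if (-not ($Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' })) {
        $problems += 'no CRL Distribution Point (CDP) extension'
    }
    # Build and revocation-check the chain exactly as the KDC would have to.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    if (-not $chain.Build($Cert)) {
        $problems += 'chain: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
    $names = $ekus | ForEach-Object { if ($RequiredEku[$_]) { $RequiredEku[$_] } elseif ($ReportEku[$_]) { $ReportEku[$_] } else { $_ } }
    New-Object PSObject -Property @{
        Thumbprint = $Cert.Thumbprint; Subject = $Cert.Subject; Issuer = $Cert.Issuer
        NotAfter = $Cert.NotAfter; EKU = ($names -join ', ')
        Usable = ($problems.Count -eq 0); Problems = ($problems -join '; ')
    }
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-DcCertificate $_ } | Format-List
```

If no certificate in the store comes back with Usable = True, the KDC has nothing it can offer for PKINIT and the 4771 / 0x10 is expected; a new DC certificate from the 3rd party CA with the listed properties is the fix.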

Any update? Sumesh P - Microsoft Online Community Support
September 12th, 2011 4:05am

This event typically means your DC certs are either expired or incorrectly formatted, in either case you'll need a new DC cert. See http://blogs.technet.com/b/instan/archive/2011/05/17/smartcard-logon-using-certificates-from-a-3rd-party-on-a-domain-controller-and-kdc-event-id-29.aspx
February 29th, 2012 3:06am
