Server 2008 - Smart Card Logon (Third party CA) No UPN
Hi, I was able to configure Active Directory on Windows Server 2008 and accomplish Smart Card Logon from a Windows 7 client, using the configurations provided in http://support.microsoft.com/kb/281245/en-us

The question is that in this environment, the certificate in the Smart Card has the UPN property defined in the SubjectAlternativeName, but that is not needed for Windows Vista or Windows 7 as stated in: http://technet.microsoft.com/en-us/library/ff404289%28v=ws.10%29.aspx

"SSL/TLS can map certificates that do not have SAN, and the mapping is done by using the AltSecID attributes on client accounts. The X509 AltSecID used by SSL/TLS client authentication is of the form "X509: <I>"<Issuer Name>"<S>"<Subject Name>. The <Issuer Name> and <Subject Name> are taken from the client certificate, with '\r' and '\n' replaced with ','."

I was trying to accomplish Smart Card Logon with this (mapping the Issuer Name and Subject from the certificate in the Active Directory), but always with no success, and worse, the error reports nothing useful: "The system could not log you on. An error occurred trying to use this smart card. You can find further details in the event log. Please report this error to the system administrator."

Right now I have two accounts for testing purposes and two smart cards with one certificate each, one with the UPN property set in the certificate (works) and the other without the UPN property set in the certificate, but with Issuer Name and Subject Name mapped in Active Directory as referred to above (does not work).

I really would appreciate any additional help. Regards,
October 19th, 2012 7:58am

How are you defining the certificate mapping? I do not know if you are using the Active Directory Users and Computers MMC snap-in or doing it by setting the attribute another way? I just configured it using the steps below and it just works fine:

1. Start the Active Directory Users and Computers snap-in, right-click your domain, and then click Advanced Options on the View menu.
2. Open the Users container or the organizational unit where the user account resides, right-click the user account, and then click Name Mapping.
3. Click Add to link the user's certificate to the Active Directory user account.
4. Click the folder where the user certificate was saved, click the user's certificate, and then click Open.
5. Click to select the Use Subject for alternate security identity check box.
6. Click OK to accept the mapped certificate.
7. Click OK to close the Identity Mapping dialog box.

Please note that if the certificate includes any EKU it must as well include the smart card logon OID! If the certificate does not include any EKU, you need to enable the "Allow certificates with no extended key usage certificate attribute" policy.

Please note that the above assumes that the issuing CA is trusted in the NTAuth store in AD and the whole chain is trusted and provides accessible certificate revocation information. /Hasain
October 19th, 2012 1:29pm
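The Name Mapping steps above write the altSecurityIdentities attribute for you, but neither post shows what the stored value looks like, which is what you need when checking an account that refuses to log on. The following Python is an added example (not code from either poster or from Microsoft) that builds the X509:<I>issuer<S>subject string exactly as the TechNet text quoted in the question describes it (CR/LF in the displayed DN replaced by ','), parses a stored value back into its parts, and mimics the lookup a domain controller has to perform when the certificate carries no UPN. The CA name, user names and account table are constructed sample data; RDN order is taken as the caller supplies it, so feed it the order Windows writes.

```python
"""Build, parse and match the altSecurityIdentities value used for
explicit (UPN-less) certificate mapping. Added example, not from the thread."""
import re
from typing import Dict, List, Optional

# Split only on commas that are not escaped with a backslash, so an RDN
# such as CN=Smith\, Alice survives the collapse intact.
_UNESCAPED_COMMA = re.compile(r"(?<!\\),")
_ALTSEC_RE = re.compile(r"^X509:<I>(?P<issuer>.*?)<S>(?P<subject>.*)$")


def dn_to_mapping_form(dn: str) -> str:
    """Collapse a DN shown one RDN per line (as certutil and the Name Mapping
    dialog display it) into the single-line form stored in AD: '\\r' and
    '\\n' become ',' per the TechNet text quoted in the question. RDN order
    is kept exactly as given; the caller supplies it in the order Windows
    writes it (assumption of this example)."""
    collapsed = dn.replace("\r\n", ",").replace("\r", ",").replace("\n", ",")
    rdns = [p.strip() for p in _UNESCAPED_COMMA.split(collapsed)]
    return ",".join(p for p in rdns if p)


def build_alt_sec_id(issuer_dn: str, subject_dn: str) -> str:
    """Return the X509:<I>issuer<S>subject string for altSecurityIdentities."""
    return f"X509:<I>{dn_to_mapping_form(issuer_dn)}<S>{dn_to_mapping_form(subject_dn)}"


def parse_alt_sec_id(value: str) -> Optional[Dict[str, str]]:
    """Split a stored mapping back into issuer and subject; None if malformed."""
    m = _ALTSEC_RE.match(value)
    if m is None:
        return None
    return {"issuer": m.group("issuer"), "subject": m.group("subject")}


def find_account(accounts: Dict[str, List[str]],
                 issuer_dn: str, subject_dn: str) -> Optional[str]:
    """Mimic the KDC's lookup: the presented certificate yields one mapping
    string, and the account whose altSecurityIdentities contains it wins.
    Without a UPN in the SAN this search is the only way to find the user,
    which is why a mismatched or missing value produces an unhelpful error."""
    wanted = build_alt_sec_id(issuer_dn, subject_dn)
    for sam_account_name, mappings in accounts.items():
        if any(parse_alt_sec_id(m) is not None and m == wanted for m in mappings):
            return sam_account_name
    return None


# Constructed sample data (hypothetical CA and users, not from the thread).
ISSUER_DN = "CN=Example Root CA\r\nO=Example Corp\r\nC=EX"
SUBJECT_DN = "CN=Alice Smith\r\nOU=Users\r\nO=Example Corp\r\nC=EX"
SAMPLE_ACCOUNTS: Dict[str, List[str]] = {
    "alice": ["X509:<I>CN=Example Root CA,O=Example Corp,C=EX"
              "<S>CN=Alice Smith,OU=Users,O=Example Corp,C=EX"],
    "bob": ["X509:<I>CN=Example Root CA,O=Example Corp,C=EX"
            "<S>CN=Bob Jones,OU=Users,O=Example Corp,C=EX"],
    "carol": [],  # no mapping and no UPN: logon cannot find this account
}

if __name__ == "__main__":
    print(build_alt_sec_id(ISSUER_DN, SUBJECT_DN))
    print(find_account(SAMPLE_ACCOUNTS, ISSUER_DN, SUBJECT_DN))
```

To compare the computed string with what the snap-in actually stored, read the attribute with ADSI Edit or, from a workstation with the AD module, `Get-ADUser alice -Properties altSecurityIdentities`; a single differing RDN, space or ordering breaks the match and the logon fails with the generic smart card error rather than a hint about the mapping.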

Hi and thank you in advance, I performed the mapping of the user and the Certificate DN as you have said, but just in case, I have deleted the user, created a new one and executed the Name Mapping again (just in case), but with no success, no SmartCard logon for that SmartCard...

I was making some additional checks, and now the error is different (not sure if it is positive or not), but not that useful: "The system could no log you on. The domain specified is not available. Please try again later."

I really would like to perform some additional debugging, to help me and help you in the assist, but don't know how; in AD there is no error concerning this, maybe because the client computer does not reach it... Do I need to specify the AD name somewhere in the certificate? I think this doesn't make much sense, but I have to ask.

The certificate in the SmartCard that contains the UPN was issued by the same CA, and since it works, I can assume that the CA is trusted in the NTAuth of the AD, and since it is self signed, it is the only one in the chain. Is this assumption OK?

Additionally I performed some checks on both SmartCards, using the client computer with a local account, "certutil -scinfo -urlfetch"; the output was OK for both SmartCards, both accomplished the check of the CRL and both could validate the chain.

How can I continue to solve this problem? Best regards,
October 22nd, 2012 6:46am

I forgot to say that both SmartCards have the EKU smart card logon OID. Regards,
October 22nd, 2012 6:48am

Hi, does anyone have anything to help? Hasain, any idea? Regards,
October 29th, 2012 6:22am

What OS version are you running on your DCs? Please consider enabling Kerberos event logging http://support.microsoft.com/kb/262177 and observe any errors or notifications during the logon. /Hasain
October 30th, 2012 3:47am

The OS running in the Active Directory is Server 2008. The client uses Windows 7. I'll check Kerberos event logging for errors. Regards,
October 30th, 2012 6:52am

Hi, I have enabled Kerberos event logging. In the meantime, I found something that might not be OK. On the client computer I found the following error: "The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator."

I executed the command manually: gpupdate /force

The client computer is able to perform the User Policy update, however it fails the Computer policy update with error: "Computer policy could not be updated successfully. The following errors were encountered: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator."

How is this possible? How can the client computer update one Policy and not the other? Could this be related? Regards,
October 30th, 2012 12:02pm

Hi, good news. I've done some intensive debugging and changed some DNS things, also fixed some GPO configurations, and now I can log on with SmartCard Logon by mapping the certificate DN, with only one constraint: the Policy "Allow user name hint" must be enabled and the user name must be entered for the login, after the SmartCard password. Without this I wasn't able to successfully log on. Do you know if it is possible to accomplish the logon without the need to type the user name in the textbox? Regards,
October 31st, 2012 12:43pm

Using user name hinting is not required in my test environment where KDCs are running WS 2008 R2. I am setting up a test environment with WS 2008 to verify this! /Hasain
October 31st, 2012 1:43pm

Hi, if I don't provide the user name in the User name Hint text box, I get the error "The system could not log you on. Your credentials could not be verified". I think this may be because the AD doesn't know which user to verify the match of the DN against. Providing the user name in the text box solves this, but if the system could do this automatically it would be perfect. Thank you in advance. Regards,
November 2nd, 2012 7:19am
