smart-card logon didn't work...
I didn't find any suitable forum thread, so I put it here.

We are trying to deploy Active Identity software for managing smart cards. It appeared we have a problem with smart card logon in our environment. The errors while logging on with a smart card are the following:

Windows XP: The server authenticating you reported an error (0xC00000BB). You can find further details in the event log.

Windows Server 2008: The system could not log you on. You cannot use a smart card to log on because smart card login is not supported for your user account. Contact your system administrator to ensure that smart card logon is configured for your organization.

There are errors on our domain controllers while logging on with a smart card:

Event Source: KDC
Event ID: 19
This event indicates an attempt was made to use smartcard logon, but the KDC is unable to use the PKINIT protocol because it is missing a suitable certificate.

We have the following domain hierarchy: Company.local – contains forest domain. Company.local – domain with objects. We have three DCs on Win2003 and one DC on Win2008 R2 in the main office. We have the R2 schema. We also have many DCs in regional offices on Win2003 R2, but they are on other sites, though in the same domain, Company.local.

We have the following PKI hierarchy: OFFLINE ROOT CA (Win2003 R2 Standard SP2); ONLINE ENTERPRISE CAs (both Win2003 and Win2008).

The errors appear both while logging on with a smart card enrolled via Active Identity software and with a smart card enrolled via standard Microsoft web enrollment. So the problem is in the smart-card logon itself, not in the Active Identity system or the smart-card middleware. Smart-card logon was successful in the test domain using Active middleware and smart cards.

We went through the following procedures but couldn't find any reason for the KDC 19 error, and it makes me very concerned:

Checked the DC certificates. There were some expired certificates among the OK certificates. Besides, DC certificates were from different DCs. Expired certificates were deleted. DC certificates were reissued from one and the same Enterprise CA: once we reissued them from the Win2003 CA using the Domain Controller template, then from the Win2008 CA using the Kerberos template. The certificates and chains are OK.

The "problem" was with the DC certificate from the Domain Controller template: certutil -dcinfo gave errors like NOT_VALID_FOR_REQUESTED_USAGE. But then it appeared not to be an issue, as far as I understand it is normal Win2003 certutil behavior. certutil -dcinfo gives an error message with a certificate issued from the Domain Controller template, because it has no "smart card logon" application policy. Nevertheless, a Domain Controller template certificate is OK for smart card logon. Having the same type of DC certificate in the test domain and the same certutil error, we have successful smart-card logon there.

We tried smart card logon with a Kerberos certificate template issued from the Win2008 CA. But still no success.

Default domain policy is OK about Trusted Root CAs. We have other PKI applications and haven't any chain-verify problems. Enterprise PKI displays it is OK with CRLs both with the Win2003 and the Win2008 Enterprise subordinate CAs.

We have our CAs' certs in the NTAuth store. It can be seen via Enterprise PKI. I even added our Offline Root CA certificate manually to be on the safe side.

We have our CA machines in the Cert Publishers group of the domain. We also have our DCs in the CERTSVC_DCOM_ACCESS group of each CA.

Speaking about smart cards, the Subject Name/Subject Alternative Name of the certificate contains the user's User Principal Name (UPN), and the user can log on to the workstation using a UPN-formed username without a smart card.

Restart of the KDC service doesn't show any errors in the DC event log.

Checked the domain controller for viruses – none.

I even tested smart-card logon in the test domain with Kerberos.dll taken from an enterprise DC – smart-card logon is OK with that DLL in the test domain.

Could it be something wrong with the domain policies? What policy settings could prevent logging on with a smart card? I looked through the Default Domain and Default Domain Controllers policies, the resultant set of policies on a workstation and on a DC, and found nothing that caught my eye. But I'm not a big specialist in group policies.

DCDIAG /CheckSecurityError shows nothing bad about the KDC.

There are some other KDC errors on the DCs besides the KDC 19 error mentioned above:

Event Source: KDC
Event ID: 11
There are multiple accounts with name USER@domain.company.local of type DS_USER_PRINCIPAL_NAME.

Event Source: KDC
Event ID: 26
While processing an AS request for target service krbtgt, the account USER did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 2). The requested etypes were 18. The accounts available etypes were 23 -133 -128 3 1 -140.

The KDC 26 error appears for users who never used any smart card for logon.

I tried to simulate the KDC error in the test domain. It appeared when I manually deleted the DC certificate from the DC certificate store. So it seems that the KDC in the enterprise environment doesn't want to "see" the Domain Controller certificate in the domain controller's Personal certificate store, whatever certificate is placed there...

So I'm stuck. Is there a way I can test the KDC and find out why it doesn't want to "see" the proper certificate? Some diagnostic utility for the KDC could be helpful. Thanks in advance for your advice!
January 3rd, 2011 4:23pm

Hi,

Based on my research, we can perform the following troubleshooting suggestions to resolve the Event ID 11, 19 and 26 issues.

Event ID 11: Remove the duplicate service principal name
Event ID 19: Request a new domain controller certificate
Event ID 26: Configure an available encryption type

For the detailed steps, please refer to the following Microsoft TechNet articles:

Event ID 11 — Service Principal Name Configuration
http://technet.microsoft.com/en-us/library/cc733945(WS.10).aspx

Event ID 19 — KDC Certificate Availability
http://technet.microsoft.com/en-us/library/cc733944(WS.10).aspx

Event ID 26 — KDC Encryption Type Configuration
http://technet.microsoft.com/en-us/library/dd348693(WS.10).aspx

Regards,
January 4th, 2011 4:48am

Hi Arthur,

We are hosting a similar environment (Windows 2008 R2 offline Root CA, Windows 2008 R2 Enterprise CA) and we even have a problem with smartcard logon. The problem that we didn't succeed in solving is the following error: the "certutil -dcinfo verify" output states that "there are no certs in the Ent store (cannot find object or property)..". Every required (root and subordinate) certificate is in the NTAuth store as well as locally installed on every domain controller. Domain Controller Authentication certificates are available on every logon server. The PKI Health tool status is OK. However, certutil as well as the KDC didn't recognize it.

The KDC error message (Event ID 19) is: "This event indicates an attempt was made to use smartcard logon, but the KDC is unable to use the PKINIT protocol because it is missing a suitable certificate." We even find the KDC logon Event ID 29 (...smartcard may not function correctly). This error clearly leads to non-functional smartcard logon.

We do appreciate any further idea to succeed in installing the CA certificates in order to make smartcard logon work.

Best Regards
May 2nd, 2011 11:17am

By further investigating we found the following points that led to the non-functional smartcard logon:

# Automatic update of certificates was disabled in GPO. Although every required certificate was in the NTAuth store in ADS, this store was not reflected in the local registry of every domain controller; solved by manual updating (certutil -enterprise -addstore NTAuth [cert]).

# As we decided for the SHA-2 world, we didn't recognize that W2003 R2 SP2 domain controllers were not able to work with this signature algorithm (today we run a mixed environment of W2K3 and W2008 servers). Hotfix KB968730 solved this.

Regards
May 4th, 2011 10:26am
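The original poster asked for a diagnostic that shows whether the KDC can "see" a usable domain controller certificate, and the last reply identified two concrete causes: the AD NTAuth store not being reflected in each DC's local registry cache, and SHA-2 signed certificates on Windows 2003 DCs. The following PowerShell is an added, read-only check written for this thread; it is not code from the thread, from the Active Identity product or from any Microsoft tool. It assumes PowerShell 3.0 or later on the DC (for the Cert: drive and the -in operator), that the EKU OIDs and the NTAuth registry cache path are the documented Windows values, and that Get-WinEvent is available (Windows 2008 or later; on Windows 2003 use Get-EventLog instead). It reports, per certificate in the DC's machine Personal store, the properties the thread discusses: validity, private key, EKUs (including the Smart Card Logon EKU that the Domain Controller template lacks), signature algorithm, chain building, and whether the issuing CA is in the local NTAuth cache.

```powershell
# Added diagnostic for the thread above (not from the thread or any Microsoft tool).
# Run in an elevated PowerShell on a domain controller; nothing is modified.
# Assumed: PowerShell 3.0+; the OIDs and registry path below are the documented Windows values.

$OidServerAuth     = '1.3.6.1.5.5.7.3.1'
$OidClientAuth     = '1.3.6.1.5.5.7.3.2'
$OidSmartCardLogon = '1.3.6.1.4.1.311.20.2.2'
$OidKdcAuth        = '1.3.6.1.5.2.3.5'        # present on Kerberos Authentication template certs only
$OidTemplateV1     = '1.3.6.1.4.1.311.20.2'   # Certificate Template Name (v1 templates)
$OidTemplateV2     = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information (v2+ templates)

# Local cache of the AD NTAuth store, i.e. what the KDC consults. Filled by autoenrollment/GPO
# or manually with: certutil -enterprise -addstore NTAuth <cert>  (as in the reply above)
$NtAuthKey = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates'

function Get-LocalNtAuthThumbprint {
    if (-not (Test-Path $NtAuthKey)) { return @() }
    @(Get-ChildItem $NtAuthKey | ForEach-Object { $_.PSChildName.ToUpperInvariant() })
}

function Get-Eku([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    @($Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })
}

function Test-DcCertificateForPkinit {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string[]]$NtAuthThumbprints = (Get-LocalNtAuthThumbprint)
    )
    $eku = Get-Eku $Cert
    $now = Get-Date

    # Build the chain without revocation so a CRL problem is reported separately
    # (Enterprise PKI and certutil -verify already cover CRL reachability).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($Cert)
    $issuer  = $null
    if ($chain.ChainElements.Count -ge 2) { $issuer = $chain.ChainElements[1].Certificate }
    $issuerSubject = ''
    $issuerInNtAuth = $false
    if ($issuer -ne $null) {
        $issuerSubject  = $issuer.Subject
        $issuerInNtAuth = ($NtAuthThumbprints -contains $issuer.Thumbprint.ToUpperInvariant())
    }

    $template = ($Cert.Extensions |
        Where-Object { $_.Oid.Value -in @($OidTemplateV1, $OidTemplateV2) } |
        ForEach-Object { $_.Format($false) }) -join '; '

    [pscustomobject]@{
        Thumbprint        = $Cert.Thumbprint
        Subject           = $Cert.Subject
        Template          = $template
        TimeValid         = ($Cert.NotBefore -le $now -and $Cert.NotAfter -gt $now)
        HasPrivateKey     = $Cert.HasPrivateKey
        ServerAuthEku     = ($eku -contains $OidServerAuth)
        ClientAuthEku     = ($eku -contains $OidClientAuth)
        KdcAuthEku        = ($eku -contains $OidKdcAuth)
        SmartCardLogonEku = ($eku -contains $OidSmartCardLogon)   # missing on Domain Controller template certs
        SignatureAlg      = $Cert.SignatureAlgorithm.FriendlyName  # sha256RSA etc. needs KB968730 on Windows 2003
        ChainBuilds       = $chainOk
        IssuerSubject     = $issuerSubject
        IssuerInNtAuth    = $issuerInNtAuth                         # $false reproduces the "not reflected locally" case
    }
}

# Usage: evaluate every certificate in the DC's machine Personal store.
$ntauth = Get-LocalNtAuthThumbprint
Write-Host "NTAuth certificates cached locally: $($ntauth.Count)"
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-DcCertificateForPkinit -Cert $_ -NtAuthThumbprints $ntauth } |
    Format-List

# Recent KDC events discussed in the thread (19 = no suitable certificate, 26 = etype, 29 = smartcard warning).
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 19, 26, 29 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*Kerberos-Key-Distribution-Center*' -or $_.ProviderName -eq 'KDC' } |
    Select-Object TimeCreated, Id, ProviderName, Message
```

A certificate that shows TimeValid, HasPrivateKey, ServerAuthEku and ChainBuilds as True but IssuerInNtAuth as False matches the situation in the last reply: the CA is published to NTAuth in AD, but the DC's local cache was never updated, so the KDC logs Event ID 19. A SignatureAlg of sha256RSA on a Windows 2003 DC points at the hotfix the same reply names. Run it on each DC, since the cache is per machine.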

