Authenticate to the Domain using a Smart Card
Hi, I'm trying to get authenticated using the Smart Card but got the following error messages:

On the Windows XP client, we inserted the PIV card, entered the PIN but received an error message "The system could not log you on. The server authenticating you reported an error (0xC00000BB)."

On the Windows 7 client, we received an error message "The system could not log you on. You cannot use a smart card to log on because smart card logon is not supported for your user account."

Here is our environment:
- Domain: Windows 2008 R2
- Client: Windows XP SP3 and Windows 7
- Smart Card: USAccess issued PIV card
- Card Reader: SCR3310
- Middleware: ActiveClient

Here is what I have already done:
- Imported the following Entrust certificates from http://sspweb.managed.entrust.com/EMSPKIFSSPCACertificateInformation.html into the Domain under the Trusted Root Certification Authorities
  - Common Policy CA Certificate
  - Common Policy to EMSPKI trust certificate
  - Federal Root CA Expires 06/01/2012
  - Federal SSP CA Expires 05/31/2012
  - Federal Root CA Expires 05/09/2019
  - Federal SSP CA Expires 05/08/2019
- Added the certificates to the NTAuth store in the Domain
- Posted Domain controller certificate (issued by NIST internal CA) in the NTAuth store
- Updated my UPN on the domain to match with the Subject Alternative Name on the card "1300XXXXXXXXX@FEDIDCARD.GOV"
- Domain policy pushed down the Entrust certificates and Domain Controller certificate to the client computer
- Made PIV Card certificates available to Windows via ActiveClient middleware

Am I missing some steps or configuration?

Thank you,
January 21st, 2010 9:31pm

Hey, did you get this figured out? We are experiencing the exact same problem... Thanks
February 22nd, 2010 6:06pm

I'm attempting to do the same thing. Has anybody been able to get this to work?
April 1st, 2010 7:22pm

Hi. This problem is usually down to one of the following...
1. Your SAM account doesn't match your User Principal Name.
2. One of your DCs is missing a certificate, or one of the intermediate ones is missing / not trusted.

I would also check the smart card mini driver as this could also be causing the issue. As a first step, can you confirm that when logged on with user name & password you can access the smart card properly with the ActivID client & validate the trust chain for the cert it contains. Secondly, confirm that all your DC certs are trusted by validating the entire chain.
April 7th, 2010 11:45pm
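The first cause listed in the reply above, and the UPN step in the original question, both come down to one field: Windows maps a logon certificate to an account through the Microsoft UPN `otherName` (OID 1.3.6.1.4.1.311.20.2.3) in the certificate's subjectAltName, and that value must equal the account's `userPrincipalName`. The script below is an added illustration, not code from anyone in this thread: it constructs a subjectAltName in DER the way a PIV logon certificate carries it, decodes the UPN back out with a minimal stdlib-only DER reader, and compares it against a constructed stand-in for the directory's `userPrincipalName` values (a plain dict; a real check would read the attribute from AD). The sample UPN and account names are made up.

```python
"""Decode the Microsoft UPN otherName from a subjectAltName and match it to AD.

Standard library only. The SAN bytes are constructed here for illustration;
on a real system they come from the logon certificate on the card.
"""

# DER encoding of OID 1.3.6.1.4.1.311.20.2.3 (Microsoft "User Principal Name").
UPN_OID_DER = bytes.fromhex("2b060104018237140203")


def _der_len(n):
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def build_san(upn=None, email=None):
    """Construct a subjectAltName value: GeneralNames ::= SEQUENCE OF GeneralName.

    otherName is [0] IMPLICIT, so the context tag 0xA0 directly wraps the
    type-id OID followed by the [0] EXPLICIT value (a UTF8String for a UPN).
    """
    names = b""
    if email:
        names += _tlv(0x81, email.encode("ascii"))            # [1] rfc822Name
    if upn:
        other = _tlv(0x06, UPN_OID_DER)                        # type-id
        other += _tlv(0xA0, _tlv(0x0C, upn.encode("utf-8")))  # [0] EXPLICIT UTF8String
        names += _tlv(0xA0, other)                             # [0] otherName
    return _tlv(0x30, names)                                   # SEQUENCE


def _read_tlv(buf, pos):
    """Return (tag, value, position after this element)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _iter_tlvs(buf):
    pos = 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        yield tag, value


def extract_upn(san_der):
    """Return the UPN carried in the SAN's otherName, or None if there is none."""
    tag, names, _ = _read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("subjectAltName must be a SEQUENCE")
    for tag, value in _iter_tlvs(names):
        if tag != 0xA0:                     # only otherName entries can hold a UPN
            continue
        oid_tag, oid, pos = _read_tlv(value, 0)
        if oid_tag != 0x06 or oid != UPN_OID_DER:
            continue                        # some other otherName type
        exp_tag, explicit, _ = _read_tlv(value, pos)
        if exp_tag != 0xA0:
            raise ValueError("otherName value must be [0] EXPLICIT")
        str_tag, utf8, _ = _read_tlv(explicit, 0)
        if str_tag != 0x0C:
            raise ValueError("UPN otherName must be a UTF8String")
        return utf8.decode("utf-8")
    return None


def check_logon_mapping(san_der, directory):
    """Compare the card UPN with the directory's userPrincipalName values.

    directory: dict sAMAccountName -> userPrincipalName (constructed stand-in
    for AD). The LDAP attribute matches case-insensitively, so the comparison
    does too. Returns (status, card_upn) with status 'ok', 'no-upn' or 'no-match'.
    """
    card_upn = extract_upn(san_der)
    if card_upn is None:
        return "no-upn", None
    for sam, upn in directory.items():
        if upn and upn.lower() == card_upn.lower():
            return "ok", card_upn
    return "no-match", card_upn


if __name__ == "__main__":
    # Constructed sample: a PIV-style SAN with an e-mail and a FEDIDCARD.GOV UPN.
    san = build_san(upn="1300000000000@FEDIDCARD.GOV", email="jane.doe@agency.example")
    ad_users = {"jdoe": "jdoe@corp.example"}       # UPN not updated: 'no-match'
    print(check_logon_mapping(san, ad_users))
    ad_users["jdoe"] = "1300000000000@fedidcard.gov"
    print(check_logon_mapping(san, ad_users))     # UPN updated: 'ok'
```

A `no-match` result corresponds to the situation in the question: the card is fine, the chain may be fine, but the account's `userPrincipalName` has not been set to the SAN value, so the DC cannot map the certificate to a user. A `no-upn` result means the certificate itself cannot be used for Windows logon regardless of the directory.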

Is the client granted access to the server? Can you check all member groups of a particular client account at the server?
January 13th, 2011 1:23pm

We fixed the problem; it was actually related to how the certificates were generated for the domain controllers within the domain. You have to use a very specific template. There is a Microsoft Knowledge Base article that helped, but we needed to customize for our environment.
January 13th, 2011 1:49pm
