Monday, 15 December 2014

Smart Card Fail: “The system could not log you on. You cannot use a smart card to log on because smart card logon is not supported for your user account...”


Issue

Users phone up to report that they cannot log into their smart card-based workstations. They encounter the following message:

“The system could not log you on. You cannot use a smart card to log on because smart card logon is not supported for your user account. Contact your system administrator to ensure that smart card logon is configured for you organisation”
 
 

Fix:

In my experience, the easiest way to fix this issue is to request a new
1] On the DC, open an MMC console.

2] Go to File > Add/Remove Snap-in > Select Certificates > Add > select Computer account.

3] Expand Certificates (Local Computer), right-click Personal, click All Tasks, then click Request New Certificate.

4] On the Request Certificates step, select Domain Controller Authentication.

5] Click Next through the remaining pages, then Finish.
 

Other Options:


Should the above options fail, it's also worth checking the following:

> Does the Certificate Authority have a valid CRL available? Log onto the certificate authority server and check there is a valid CRL available by viewing the properties of the Revoked Certificates. Ensure the expiration date is set to a date in the future:

 [N.B. in the above example all the dates have been deliberately blanked out]
> Check that both "Smart Card Logon" and "Client Authentication" are selected in Application Policies on the "Extensions" tab on the certificate template you're enrolling the smart cards in.

> If the certification authority server is a subordinate, can it contact the parent certificate authority (assuming this is where the CA is getting its CRL from)?

> Check the Application event log on the Certification Authority server for errors. If there are any, are they relevant?

> Check the disk space on the Certification Authority. Bit of a long shot, but always worth a quick look just in case.
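
Several of the checks above can be scripted on the DC. The following is an added example, not part of the original post: it lists the certificates in the Local Computer > Personal store, flags any that are outside their validity period or lack the expected application policies, then asks certutil to build the chain and fetch the CRLs for the usable ones. The EKU list (the standard OIDs found on a Domain Controller Authentication certificate) and all variable names are assumptions supplied here.

```powershell
# Added example: run in an elevated PowerShell session on the domain controller.
# Assumption: these are the EKUs expected on the DC certificate (standard OIDs).
$required = [ordered]@{
    'Smart Card Logon'      = '1.3.6.1.4.1.311.20.2.2'
    'Client Authentication' = '1.3.6.1.5.5.7.3.2'
    'Server Authentication' = '1.3.6.1.5.5.7.3.1'
}

$now = Get-Date
$report = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    # EKU OIDs present on this certificate (empty when there is no EKU extension).
    $ekuOids = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    $missing = @($required.GetEnumerator() |
        Where-Object { $ekuOids -notcontains $_.Value } |
        ForEach-Object { $_.Key })

    [pscustomobject]@{
        Subject         = $cert.Subject
        Thumbprint      = $cert.Thumbprint
        NotAfter        = $cert.NotAfter
        OutsideValidity = ($cert.NotAfter -lt $now) -or ($cert.NotBefore -gt $now)
        HasPrivateKey   = $cert.HasPrivateKey
        MissingEKUs     = $missing -join ', '
        Cert            = $cert
    }
}

# Overview: an expired or incomplete DC certificate shows up here.
$report | Sort-Object NotAfter |
    Format-List Subject, Thumbprint, NotAfter, OutsideValidity, HasPrivateKey, MissingEKUs

# For each usable certificate, let certutil build the chain and download the CRLs.
# An unreachable or expired CRL is reported as a revocation/offline error in its output.
$usable = $report | Where-Object {
    -not $_.OutsideValidity -and $_.HasPrivateKey -and -not $_.MissingEKUs
}
if (-not $usable) { Write-Warning 'No valid DC certificate with the required EKUs found.' }

foreach ($entry in $usable) {
    $path = Join-Path $env:TEMP "$($entry.Thumbprint).cer"
    # Export only the public certificate (DER); the private key never leaves the store.
    $der = $entry.Cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($path, $der)
    certutil -verify -urlfetch $path
    Remove-Item $path
}
```

If the warning fires, request a new certificate as in steps 1 to 5; if certutil reports revocation errors instead, the CRL checks in the list above are the place to look.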
 
