Issue
Users phone up to report that they cannot log into their smart card-based workstations. They encounter the following message:
“The system could not log you on. You cannot use a smart card to log on because smart card logon is not supported for your user account. Contact your system administrator to ensure that smart card logon is configured for your organisation”
Fix:
In my experience, the easiest way to fix this issue is to request a new
1] On the DC, open an MMC console.
2] Go to File > Add/Remove Snap-in > Select Certificates > Add > select Computer account.
3] Expand Certificates (Local Computer), right-click Personal, click All Tasks, then click Request New Certificate.
4] On the Request Certificates step, select Domain Controller Authentication.
5] Next through and Finish.
Other Options:
Should the above options fail, it's also worth checking the following:
> Does the Certificate Authority have a valid CRL available? Log onto the certificate authority server and check there is a valid CRL available by viewing the properties of the Revoked Certificates. Ensure the expiration date is set to a date in the future:
[N.B. in the above example all the dates have been deliberately blanked out]
> Check that both "Smart Card Logon" and "Client Authentication" are selected in Application Policies on the "Extensions" tab on the certificate template you're enrolling the smart cards in.
> If the certification authority server is a subordinate, can it contact the parent certificate authority (assuming this is where the CA is getting its CRL from)?
> Check the disk space on the Certification Authority. Bit of a long shot, but always worth a quick look just in case.
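The checks above can also be run from the domain controller itself. The following PowerShell is an added example, not part of the original post: it lists the certificates in the DC's computer Personal store, reports which of the EKUs carried by the Domain Controller Authentication template (Server Authentication, Client Authentication, Smart Card Logon) are missing, and builds each chain with online revocation checking so that an expired or unreachable CRL becomes visible. The 30-day warning threshold is an assumption.

```powershell
# Added example: run in an elevated PowerShell session on the domain controller.
# EKUs expected on a Domain Controller Authentication certificate.
$required = [ordered]@{
    '1.3.6.1.5.5.7.3.1'      = 'Server Authentication'
    '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'
    '1.3.6.1.4.1.311.20.2.2' = 'Smart Card Logon'
}
$warnDays = 30   # assumption: warn when less than 30 days of validity remain

$report = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    # Collect the EKU OIDs present on this certificate.
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if (-not $ekuExt) { continue }   # no EKU extension: not a DC authentication cert
    $oids    = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
    $missing = @($required.Keys | Where-Object { $oids -notcontains $_ } |
                 ForEach-Object { $required[$_] })

    # Build the chain with online revocation checking, so an expired or
    # unreachable CRL shows up as RevocationStatusUnknown / OfflineRevocation.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chainOk     = $chain.Build($cert)
    $chainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    [pscustomobject]@{
        Subject     = $cert.Subject
        Thumbprint  = $cert.Thumbprint
        NotAfter    = $cert.NotAfter
        DaysLeft    = [int]($cert.NotAfter - (Get-Date)).TotalDays
        MissingEKU  = $missing -join ', '
        ChainOK     = $chainOk
        ChainStatus = $chainStatus
    }
}

$report | Format-List
# Certificates that have all three EKUs, a chain that builds, and time left.
$usable = @($report | Where-Object {
    -not $_.MissingEKU -and $_.ChainOK -and $_.DaysLeft -gt 0 })
if ($usable.Count -eq 0) {
    Write-Warning 'No valid DC authentication certificate found; request a new one.'
} elseif (($usable | Measure-Object DaysLeft -Maximum).Maximum -lt $warnDays) {
    Write-Warning "Best DC certificate expires in under $warnDays days."
}
```

A `ChainStatus` of `RevocationStatusUnknown` or `OfflineRevocation` points at the CRL checks in the list above rather than at the DC certificate itself.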