3

I'm standing up a test lab.

Using AD CS, I've deployed a smartcard logon cert to an HID Crescendo C1150. When I attempt to log on to a WIN7 workstation with the smartcard, I'm greeted with:

The system could not log you on. The domain specified is not available. Please try again later.

The machine is wired into a lab switch. If I log on with username:password, I can verify that the workstation has network connectivity and can reach the domain controller.

Any insights would be appreciated.

The_Glidd
  • What Active Directory configuration have you performed to enable smart card authentication? – Greg Askew Dec 16 '15 at 19:03
  • None. The guides I've looked at don't mention AD DS configurations. To this point, I've basically published a template in AD CS, then performed web enrollment from the client machine. Of possible note, on AD DS, if the _Users > Account > Account Options > Smart card is required for interactive logon box_ is checked, there is no change in behavior. – The_Glidd Dec 16 '15 at 19:27
  • Are you sure it's not just using cached credentials for the username/password logon? I'd try creating a new user on the domain and logging in with that. That error really does mean that it can't find the DC. Is your DNS on the client pointing to the DC? – bobmagoo Dec 17 '15 at 17:29
  • No. At some point, while fiddling around with the ipv4 settings, I removed my static setting to the DNS server. Once I set the DNS, everything is working as expected. Thanks for the helpful advice, everyone. Now I'm kicking myself! – The_Glidd Dec 17 '15 at 21:26

2 Answers

3

The problem is that the domain specified in the authentication certificate is invalid or inaccessible. Open the client certificate (in Certificate Manager), switch to the Details tab and scroll down to the Subject Alternative Name certificate extension. Check for User Principal Name. It contains the logon user name and the authoritative domain for your user account. The client workstation attempts to contact the specified domain to validate your credentials and fails.

Crypt32
  • Yes, this was part of my thinking as well. Under SAN I see: Other Name: Principal Name=xxxxx@yyyy.zzz. This is analogous to my enterprise login card, except the lab card doesn't contain an OID followed by a blob of hex. Is the missing OID influencing things? – The_Glidd Dec 16 '15 at 20:03
  • What kind of OID? – Crypt32 Dec 16 '15 at 20:04
  • On the production card, I see: Other Name: 2.16.x.x.etc = ff dd bb etc. – The_Glidd Dec 16 '15 at 20:06
  • No, the OID is irrelevant. Smart card authentication uses only the User Principal Name choice. – Crypt32 Dec 16 '15 at 20:09
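The check this answer describes, done from the workstation in PowerShell instead of the certificate dialog, as an added example that is not part of the original post or answer. It finds the first certificate in the user's Personal store carrying the Smart Card Logon EKU (1.3.6.1.4.1.311.20.2.2), reads the Principal Name out of the Subject Alternative Name extension, and then asks the DC locator (nltest) whether a domain controller for that UPN suffix can be found, which is exactly what fails when the client's DNS settings are wrong, as turned out to be the case in the question. It assumes the UPN suffix is the AD domain's DNS name rather than an alternate UPN suffix, and it uses WMI rather than newer DNS client cmdlets so it also runs on Windows 7.

```powershell
# Added example (not from the original post): locate the smartcard logon
# certificate, read the UPN from its SAN, and confirm a DC for that domain
# is reachable over DNS. Assumes the cert is in Cert:\CurrentUser\My and that
# the UPN suffix equals the AD domain's DNS name (assumption, not a rule).
$smartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon EKU
$sanOid            = '2.5.29.17'                # Subject Alternative Name

function Get-SmartCardLogonCert {
    # The Extensions collection hands back typed objects for well-known OIDs,
    # so the EKU extension can be picked out by type and inspected directly.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $smartCardLogonEku })
    }
}

function Get-CertUpn($cert) {
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
    if (-not $san) { return $null }
    # Format($true) renders the extension the way the certificate dialog does,
    # e.g. "Other Name:\r\n     Principal Name=user@lab.example"
    if ($san.Format($true) -match 'Principal Name=(\S+)') { return $Matches[1] }
    return $null
}

$cert = Get-SmartCardLogonCert | Select-Object -First 1
if (-not $cert) {
    Write-Warning 'No certificate with the Smart Card Logon EKU in Cert:\CurrentUser\My'
    return
}
$upn = Get-CertUpn $cert
"Certificate : $($cert.Subject)"
"UPN in SAN  : $upn"
if (-not $upn) {
    Write-Warning 'SAN has no Principal Name entry; smartcard logon needs one'
    return
}

$domain = $upn.Split('@')[1]

# Show which DNS servers the client is actually using (WMI also works on Windows 7).
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description, DNSServerSearchOrder

# Ask the DC locator for a domain controller of the UPN suffix. This is the same
# lookup Winlogon depends on, so it fails in the same way when DNS is wrong.
nltest /dsgetdc:$domain
if ($LASTEXITCODE -ne 0) {
    Write-Warning "No domain controller found for $domain - check the DNS client settings above"
}
```

If the UPN prints correctly but nltest reports that the domain cannot be located, the problem is name resolution on the client rather than the certificate, which matches the symptom in the question; if nltest succeeds, move on to the event log as the next answer suggests.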
0

If your UPN is correct, the next step is to check your event log. The reason for almost all logon errors is logged there. It is either in the security category or under applications -> windows -> CAPI. Depending on the error, you get valuable information either at the client or at the domain controller.

Smartcard authentication has a lot of moving parts and sadly the error messages displayed in the logon UI are quite unspecific.
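The event log checks this answer points at, gathered with one PowerShell function, as an added example that is not part of the original answer. It pulls the three places on the client where a failed smartcard logon usually leaves a trace: Security event 4625 (whose Status and Sub Status fields carry the NTSTATUS code behind the generic logon text), Kerberos client errors in the System log, and error-level entries in the CAPI2 Operational log, which covers the "applications -> windows -> CAPI" location the answer names. It assumes it is run elevated on the workstation, and that the CAPI2 Operational log has been enabled first, since it is off by default.

```powershell
# Added example (not from the original answer): collect the client-side events
# that normally explain a failed smartcard logon. Assumes an elevated session
# and that the CAPI2 Operational log was enabled beforehand, e.g. with
#   wevtutil sl Microsoft-Windows-CAPI2/Operational /e:true
function Get-SmartCardLogonEvents([datetime]$Since) {
    $queries = @(
        # Security log: 4625 = an account failed to log on.
        @{ LogName = 'Security'; Id = 4625; StartTime = $Since },
        # Kerberos client errors (PKINIT, KDC unreachable) are written to System.
        @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Security-Kerberos'; StartTime = $Since },
        # CAPI2 records chain-building and revocation failures for the logon cert.
        @{ LogName = 'Microsoft-Windows-CAPI2/Operational'; Level = 2; StartTime = $Since }
    )
    foreach ($q in $queries) {
        # Get-WinEvent throws when nothing matches, so each query suppresses that error
        Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, LogName, Id,
                @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
    }
}

# Everything from the last hour, oldest first, so the sequence of failures is visible.
Get-SmartCardLogonEvents -Since (Get-Date).AddHours(-1) |
    Sort-Object TimeCreated |
    Format-Table -AutoSize -Wrap
```

To look at the domain controller side that the answer also mentions, the same Get-WinEvent calls accept a -ComputerName parameter, provided the account running them can read the remote logs.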