HELP....smart card certificate was not trusted - logon den..

Archived from groups: microsoft.public.win2000.security

Hi all,

I have a particular user who cannot log on using his smart card. He was
able to use it until yesterday.
The terminal server says that "the smart card certificate used for
authentication was not trusted".

Other users have no problems in logging on to the domain using smart
cards.

I checked the user's published certificate and it's OK, still valid.
The CRL distribution point is also fine and still valid. I already
checked Microsoft Knowledge Base 281245.

Windows 2000 domain - PKI,
Windows 2003 Terminal Server
Windows XPE Thin Clients in workgroup
ActivCard Gold 2.3.1

Does anyone have an idea?
Thank you very much for your help.
  1.

    Thank you both for helping me. I really appreciate it.
    Tomorrow I will check what you suggest and will post any results.

    Regards.

    Brian Komar wrote:
    > In article <1122479483.985641.177310@f14g2000cwb.googlegroups.com>,
    > barabba72@hotmail.com says...
    > > Hi all,
    > >
    > > I have a particular user who cannot logon using his smart card. He was
    > > able to use it until yesterday.
    > > The terminal server says that "the smart card certificate used for
    > > authentication was not trusted".
    > >
    > > Other users have no problems in logging on to the domain using smart
    > > cards.
    > >
    > > I checked the user's published certificate and it's ok, still valid.
    > > the CRL distribution point is also fine and still valid. I already
    > > checked Microsoft Knowledge Base 281245.
    > >
    > > Windows 2000 domain - PKI,
    > > Windows 2003 Terminal Server
    > > Windows XPE Thin Clients in workgroup
    > > ActivCard Gold 2.3.1
    > >
    > > Anyone has an idea ?
    > > Thank you very much for your help.
    > >
    > >
    > Do the following command from both the client computer and the terminal
    > services computer. The command requires that you export the smart card
    > certificate as a DER or BASE64 file.
    >
    > certutil -verify -urlfetch <certfile>
    >
    > The output should provide information as to why the certificate is not
    > trusted.
    >
    > Brian
    > --
    > ==
    > Brian Komar
    > MVP - Windows - Security
    > http://www.identit.ca/blogs/brian
  2.

    In article <1122479483.985641.177310@f14g2000cwb.googlegroups.com>,
    barabba72@hotmail.com says...
    > Hi all,
    >
    > I have a particular user who cannot logon using his smart card. He was
    > able to use it until yesterday.
    > The terminal server says that "the smart card certificate used for
    > authentication was not trusted".
    >
    > Other users have no problems in logging on to the domain using smart
    > cards.
    >
    > I checked the user's published certificate and it's ok, still valid.
    > the CRL distribution point is also fine and still valid. I already
    > checked Microsoft Knowledge Base 281245.
    >
    > Windows 2000 domain - PKI,
    > Windows 2003 Terminal Server
    > Windows XPE Thin Clients in workgroup
    > ActivCard Gold 2.3.1
    >
    > Anyone has an idea ?
    > Thank you very much for your help.
    >
    >
    Do the following command from both the client computer and the terminal
    services computer. The command requires that you export the smart card
    certificate as a DER or BASE64 file.

    certutil -verify -urlfetch <certfile>

    The output should provide information as to why the certificate is not
    trusted.

    Brian
    --
    ==
    Brian Komar
    MVP - Windows - Security
    http://www.identit.ca/blogs/brian
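
The check described in the reply above, as an added example that is not part of the original thread: a PowerShell script that loads the exported certificate, builds its chain with online revocation checking, prints the status of each chain element, and then runs `certutil -verify -urlfetch` on the same file. It assumes PowerShell and .NET are available on the machine where it runs; the parameter name and log file name are hypothetical.

```powershell
# Added example: show why a certificate chain is not trusted on this machine.
# Run it on both the client and the terminal server and compare the results.
param(
    [Parameter(Mandatory = $true)]
    [string]$CertFile   # exported smart card certificate, DER or Base64 (.cer)
)

$ErrorActionPreference = 'Stop'
$path = (Resolve-Path -LiteralPath $CertFile).Path

# X509Certificate2 accepts both DER and Base64 encoded files.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path
"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Valid   : $($cert.NotBefore) .. $($cert.NotAfter)"

# Build the chain with online revocation checking for every element,
# so an unreachable or stale CRL shows up as a chain status flag.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15

$trusted = $chain.Build($cert)
"Chain trusted on $env:COMPUTERNAME : $trusted"

foreach ($element in $chain.ChainElements) {
    "  $($element.Certificate.Subject)"
    foreach ($status in $element.ChainElementStatus) {
        # e.g. UntrustedRoot, RevocationStatusUnknown, OfflineRevocation, Revoked, NotTimeValid
        "    $($status.Status): $($status.StatusInformation.Trim())"
    }
}

# Full detail, including each CDP/AIA URL that was fetched and its result.
$log = Join-Path $env:TEMP "certutil-verify-$env:COMPUTERNAME.txt"
& certutil.exe -verify -urlfetch $path | Tee-Object -FilePath $log | Out-Null
"certutil exit code: $LASTEXITCODE (full output in $log)"
```

A difference between the two machines' output (for example a root that is trusted on one but not the other, or a CRL URL that only one of them can reach) points to where the trust failure comes from.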
  3.

    Hi,

    Can you run PKI Health tool (it is in Windows Server 2003 Resource Kit
    Tools) on this computer? It might give you an idea what could be wrong
    (maybe it can't reach CRL or CRL is out of date etc...).

    Can this user log on to any other PC in the domain?

    --
    Mike
    Microsoft MVP - Windows Security

    <barabba72@hotmail.com> wrote in message
    news:1122479483.985641.177310@f14g2000cwb.googlegroups.com...
    > Hi all,
    >
    > I have a particular user who cannot logon using his smart card. He was
    > able to use it until yesterday.
    > The terminal server says that "the smart card certificate used for
    > authentication was not trusted".
    >
    > Other users have no problems in logging on to the domain using smart
    > cards.
    >
    > I checked the user's published certificate and it's ok, still valid.
    > the CRL distribution point is also fine and still valid. I already
    > checked Microsoft Knowledge Base 281245.
    >
    > Windows 2000 domain - PKI,
    > Windows 2003 Terminal Server
    > Windows XPE Thin Clients in workgroup
    > ActivCard Gold 2.3.1
    >
    > Anyone has an idea ?
    > Thank you very much for your help.
    >