Remote desktop connection, error message: Username does not exist (smartcard login) & certificate chain check fails

Moe 0 Reputation points
2023-06-09T11:46:18.9533333+00:00

Good day,

I have an error on my Windows Server 2019 with the smartcard login with a YubiKey.

I am trying to log on to the remote desktop server with a certificate created from a template; the certificate is correct and valid so far. If I check the certificate within the domain of the remote desktop server, the certificate chain check is successful, but outside the domain it is not.

I get the following error message:

"The specified username does not exist. Verify the username and try to log in again. If the problem persists, contact the system administrator or technical support."

If I manually enter the credentials that are on the smart card, the login works.

My guess is that my computer cannot reach the server that issued the certificate and thus the certificate chain check cannot work either, but I am not sure. How to establish communication between the two is unknown to me.

If more information is needed just ask, I will add it then.

Article from Yubico about installation and configuration:

https://support.yubico.com/hc/en-us/articles/360015654560-Deploying-the-YubiKey-Minidriver-to-Workstations-and-Servers

https://support.yubico.com/hc/en-us/articles/360015654500-Setting-up-Windows-Server-for-YubiKey-PIV-Authentication

https://support.yubico.com/hc/en-us/articles/360015668979-Setting-up-Smart-Card-Login-for-User-Self-Enrollment

Thanks in advance

(The text is also available in German)


1 answer

Khaled Elsayed Mohamed 1,335 Reputation points
2023-06-11T11:46:49.05+00:00

Hi Moe,

Could you try this:

1. Verify Smart Card Configuration:
• Ensure that the smart card reader is properly connected to the server and functioning correctly.
• Check if the YubiKey is recognized by the system. You can do this by checking the Device Manager for any issues or errors related to the smart card reader or YubiKey.

2. Certificate Configuration:
• Make sure the certificate used for smartcard login is correctly installed on the server.
• Verify that the certificate template used to issue the certificate allows for smartcard logon and has the appropriate settings (e.g., key usage, enhanced key usage).
• Check if the certificate is issued by a trusted certification authority (CA) that is recognized outside the domain. If not, ensure that the CA's root or intermediate certificate is installed on the external systems where the certificate chain check fails.

3. Network Connectivity and DNS:
• Confirm that the server has network connectivity to the external systems where the certificate chain check fails.
• Ensure that DNS is configured correctly, both internally and externally, so that the server can resolve the domain and certificate authority (CA) names.

4. Certificate Revocation Checking:
• In some cases, certificate revocation checking can cause issues with smartcard logon. Try disabling certificate revocation checking temporarily to see if it resolves the problem. This can be done via Group Policy or by modifying the registry.

5. Verify User Account and Mapping:
• Double-check that the user account being used for smartcard logon exists and is correctly mapped to the certificate in Active Directory.
• Ensure that the user account has the necessary permissions to log on using smartcard authentication.

6. Check Event Viewer:
• Review the Event Viewer logs on the server for any related error messages or warnings that might provide more insight into the issue.
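The checks listed in the answer above, gathered into one read-only diagnostic script that can be run on the machine where the chain check fails (the client outside the domain) and on the RDS server for comparison. This is an added example, not code from the question, the answer or the Yubico articles. It assumes the smart card certificate has been exported to a file and that the ActiveDirectory RSAT module is available for the mapping check; the account name and certificate path are placeholders to replace.

```powershell
# Added diagnostic script (not part of the original thread). Run in an elevated
# PowerShell session. Nothing here changes configuration; it only reports.
$UserName = 'moe'                    # placeholder: sAMAccountName of the smart card user
$CertPath = 'C:\temp\smartcard.cer'  # placeholder: the exported smart card certificate

# 1. Smart card reader / YubiKey recognised by this machine, and the Smart Card
#    service running (the logon provider cannot see the card without it).
Get-PnpDevice -Class SmartCardReader -PresentOnly -ErrorAction SilentlyContinue |
    Select-Object FriendlyName, Status
Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue |
    Where-Object FriendlyName -like '*YubiKey*' | Select-Object FriendlyName, Status
Get-Service SCardSvr | Select-Object Name, Status

# 2. Build the chain exactly as Windows does at logon, including AIA and CRL
#    download (-urlfetch). A chain that validates inside the domain but not outside
#    usually fails here with an unreachable CRL/AIA URL or a missing root.
certutil -verify -urlfetch $CertPath

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$ext  = { param($oid) ($cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }).Format($true) }
[pscustomobject]@{
    Subject  = $cert.Subject
    Issuer   = $cert.Issuer
    NotAfter = $cert.NotAfter
    EKU      = & $ext '2.5.29.37'   # must include Smart Card Logon
    SAN      = & $ext '2.5.29.17'   # the UPN here is what is mapped to the account
} | Format-List

# Is the issuing CA trusted on THIS machine? (Empty output = root not installed.)
Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
    Where-Object Subject -eq $cert.Issuer | Select-Object PSParentPath, Subject, Thumbprint

# 3. Can this machine resolve the hosts named in the CRL distribution point and
#    AIA URLs? Those hosts are what the chain check has to reach.
$urls  = (& $ext '2.5.29.31') + (& $ext '1.3.6.1.5.5.7.1.1')
$hosts = [regex]::Matches($urls, 'https?://([^/\s]+)') |
    ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique
foreach ($h in $hosts) {
    $r = Resolve-DnsName $h -ErrorAction SilentlyContinue
    [pscustomobject]@{ Host = $h; Resolves = [bool]$r; Addresses = ($r.IPAddress -join ', ') }
}

# 5. Account-to-certificate mapping: the UPN in the SAN above must match the
#    account's UPN, or the certificate must be listed in altSecurityIdentities.
Get-ADUser $UserName -Properties userPrincipalName, altSecurityIdentities, SmartcardLogonRequired |
    Select-Object Name, userPrincipalName, altSecurityIdentities, SmartcardLogonRequired

# 6. Recent Kerberos / smart card related events on this machine.
Get-WinEvent -LogName System -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -match 'Kerberos|SmartCard|Kdc' } |
    Select-Object TimeCreated, Id, ProviderName, Message | Format-List
```

Step 4 of the answer (temporarily disabling revocation checking) is deliberately not scripted: the `certutil -verify -urlfetch` output already shows whether revocation is the failing part, which is usually enough to decide whether the CRL/AIA hosts need to be made reachable from outside the domain rather than turning the check off.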
