Difficulties to use smart card login with Azure AD

Question

Difficulties to use smart card login with Azure AD

Syla, Lukas 1

I'm trying to test CBA using smart cards on windows login. According to this article (https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-certificate-based-authentication-smartcard), there are no further actions on windows' side required. When I try to sign in with the smart card linked to my Azure AD account, the login window says "No valid certificates found on this smart card. Please try another smart card or contact your administrator". However, the same smart card works with the web login to Azure.

The machine is a Windows 10 Pro VM which is Azure AD joined. CBA works on web login. A virtual smart card is used for this procedure. The certificates are enabled for smart card login and the certificate chain is intact. What other causes could this issue have?

Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator

2022-12-16T21:15:56.127+00:00

Also, do you have a hard requirement/business reason for opting for the virtual smart card? I'm not as familiar with those but it would have to have been fully provisioned on the PC before it can be used. One of the engineers on my team was doing some testing based on your requirement, and Windows does not even have the option for smartcard sign-in until the physical smartcard is inserted into the device. There may be some limitations around using these for this scenario.

1 answer

Your answer

Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator

2022-12-16T21:15:56.127+00:00

Also, do you have a hard requirement/business reason for opting for the virtual smart card? I'm not as familiar with those but it would have to have been fully provisioned on the PC before it can be used. One of the engineers on my team was doing some testing based on your requirement, and Windows does not even have the option for smartcard sign-in until the physical smartcard is inserted into the device. There may be some limitations around using these for this scenario.

Answer 1

Marilee Turscak-MSFT 37,206 Microsoft Employee Moderator

Hi @Syla, Lukas

There are a few things you could do to diagnose the cause of this error. Do you see any other errors such as AADSTS50017 in addition to the "No valid certificates" error? If so, there should be more details indicating the root cause of the issue.

1) Please check the Azure event logs to see if there are any sign-in events related to this error.

2) Please confirm that you have met all of the requirements for the CBA configuration and followed each of the steps. https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-certificate-based-authentication#steps-to-configure-and-test-azure-ad-cba

3) Make sure that all of the prerequisites are met:

Disable TLS inspection on the certauth endpoint to make sure the client certificate request succeeds as part of the TLS handshake.
Azure has a requirement to know the full certificate chain so it can validate user certificates, so the root certificate needs to be added.
The user must have access to a user certificate (issued from a trusted Public Key Infrastructure configured on the tenant) intended for client authentication to authenticate against Azure AD.
- Each CA should have a certificate revocation list (CRL) that can be referenced from internet-facing URLs. If the trusted CA doesn't have a CRL configured, Azure AD won't perform any CRL checking, revocation of user certificates won't work, and authentication won't be blocked.
- If CBA is enabled on the tenant, all users will see the link to Use a certificate or smart card on the password page. However, only the users in scope for CBA will be able to authenticate successfully against an application that uses Azure AD as their Identity provider (IdP).

I've also reached out to the product team to check for additional information about your scenario. I'll get back with what they say, though having the event logs would make this easier to troubleshoot.

-
If the information helped you or was relevant to you, please Accept the answer. This will help us as well as others in the community who might be researching similar issues.

Syla, Lukas 1 Reputation point

2022-12-21T07:40:14.467+00:00

Hello Marilee,
thank you for your suggestions. However, it seems like Azure doesn't even get the login connection via smart card. As I mentioned, when I click on the Smart Card login symbol on Windows login, the error message is presented. Nothing further happens and no logging inside of Azure. There seems to be a problem on Windows' side.

I also got a physical smart card which is not writable. I can't use it as Windows login either, since Windows is missing drivers when I already installed them. So I guess the smart card isn't "passed through" in a correct manner to the VM.

As for the systems (and tenant): They are all testwise so it acts like a kind of playground.

Also the CA and sub CA seem to be added correctly to Azure since weblogin works like a charm. Normal password login on the domain also isn't a problem from windows itself.

As a next step, I tried to activate debugging using this guide (https://learn.microsoft.com/en-us/windows/security/identity-protection/smart-cards/smart-card-debugging-information), but tracelog.exe isn't recognized on my Windows 10 Pro.
Jon Andrews 0 Reputation points

2023-06-01T21:44:25.76+00:00

Hi Lukas, did you find a solution to this issue? We have a similar configuration that we are testing however, the login error we see is "Your credentials could not be verified". We can see the user certificate on the Smartcard at login time on the VM, enter the pin but the login fails for some reason after that point.
LalliSR 1 Reputation point

2023-11-16T08:36:37.3+00:00

Hi Jon,
Did you get a solution to this? I came across a similar issue and cannot find where it fails.
Christoph Weste 0 Reputation points

2025-03-03T15:46:24.07+00:00

Hey Guys, is there a solution to this problem? 2 Years later and still the same problem. I just deployed CBA and all was fine login to the webservices works without any problem. But if I try to logon to my Entra ID joined i got the error "Your credentials could not be verified" Maybe Someone had a solution for this ?

greetings

C

Share via

Difficulties to use smart card login with Azure AD

1 answer

Your answer