This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(102.4, 82%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hello,
We had a problem with few users signing in via SmartCard.
Infrastructure:
Problem was that a week ago at morning few users had problem signing in. There were an error: Smart card login is not supported for the user account.
It occurred only for users in one location (different city, different DC). After some digging I've found a cause and solution. On this particular DC there were errors about Kerberos and KDC certificate.
Long story short: I've generated new certificate from Kerberos Authentication template and those users can sign in without problems.
My question is - why did that occur? We didn't have this certificate earlier, we don't have them on other DC's.
From the error message it looks like the DC does not have KDC certificate. Since it was recently broken, I would assume that the existing KDC certificate was expired recently.
Hi,
Yes, I know. Like I said, i fixed it with new KDC certificate but it's not my question.
My question is WHY DC's need this certificate? Previously we did not have this certificate on DC's, I had to generate a totally new one.
Hi, I am still not sure on your question. Are you saying your DC did not have a certificate earlier but smartcard was working? If yes, that is not possible. If you want to use smartcard, your KDC service needs to have a certificate. Did you check if there was no cert bind to KDC service in MMC? MMC>add remove snap-in, select KDC service
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 62%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDZ%3C/text%3E%3C/svg%3E)
Hello adv_kd,
Thank you for posting in Q&A forum.
Did these problematic user accounts sign in using Smartcard in the past? If so, maybe Previously you have certificates issued using certificate template "Domain Controller" or "Domain Controller Authentication" on Domain Controllers (you can check it).
If certificates issued using certificate template "Domain Controller" or "Domain Controller Authentication" on Domain Controllers are expired, you need to reissue such certificates.
But now it needs certificates issued using certificate template "Kerberos Authentication" on Domain Controllers. Because certificates issued using "Kerberos Authentication" certificate template provide more purposes (below).
I hope the information above is helpful.
If you have any questions or concerns, please feel free to let us know.
Best Regards,
Daisy Zhou
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Hello,
Thank you for your reply,
Yes, those user were able to use SmartCards earlier! That's why I am wondering what really happened. We have DC per location and this happen only in one particular location on corresponding DC. Users in other location did not have problem at all.
Certs on affected DC did not expire, see screenshot:
Also, this DC had problem with lack of KDC certificate earlier:
I guess it had problem from the beginning (we're using SC since January) but there are no earlier reports than 25.01.
So that's why am wondering what happen now? What caused that those user were unable to sign in using SmartCard? It affected only one location (other DC have the same error codes also 32 and 23, so I guess there will be problem too).
Hello adv_kd,
Good day!
Have you made any change on the DC in this site recently?
Best Regards,
Daisy Zhou
Hello,
No, not really. It happen at Monday at 6AM, so....
Hello adv_kd,
Good day!
Do you use certificate logon and smart logon on non-domain-joined devices?
Best Regards,
Daisy Zhou
Hi,
No, only on domain-joined devices.
Anyone have an idea?