SmartCard login not supported for user account

adv_kd 125 Reputation points
2024-05-06T12:38:15.84+00:00

Hello,
We had a problem with a few users signing in via SmartCard.

Infrastructure:

  • local DCs (a few of them, one DC per site)
  • PKI used to generate certificates
  • Root and sub CA

The problem was that a week ago, in the morning, a few users had a problem signing in. There was an error: "Smart card login is not supported for the user account."

It occurred only for users in one location (different city, different DC). After some digging I found the cause and a solution. On this particular DC there were errors about Kerberos and the KDC certificate.


Long story short: I generated a new certificate from the Kerberos Authentication template and those users can sign in without problems.

My question is: why did that occur? We didn't have this certificate earlier, and we don't have them on the other DCs.


3 answers

  1. Mukesh Agarwal 15 Reputation points
    2024-05-06T18:43:09.2133333+00:00

    From the error message it looks like the DC does not have a KDC certificate. Since it was recently broken, I would assume that the existing KDC certificate expired recently.


  2. Daisy Zhou 26,401 Reputation points Microsoft Vendor
    2024-05-07T08:17:16.1033333+00:00

    Hello adv_kd,

    Thank you for posting in the Q&A forum.

    Did these problematic user accounts sign in using Smartcard in the past? If so, maybe you previously had certificates issued using the certificate template "Domain Controller" or "Domain Controller Authentication" on Domain Controllers (you can check it).

    If certificates issued using the certificate template "Domain Controller" or "Domain Controller Authentication" on Domain Controllers are expired, you need to reissue such certificates.

    But now it needs certificates issued using the certificate template "Kerberos Authentication" on Domain Controllers, because certificates issued using the "Kerberos Authentication" certificate template provide more purposes (below).

    User's image

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
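
One way to carry out the check suggested in the answer above, as an added example that is not part of the thread: this PowerShell function lists the certificates in a DC's computer store with their template, expiry date, and whether they carry the KDC Authentication and Smart Card Logon EKUs. The function name `Get-DcCertificateReport` and the 30-day warning window are assumptions for illustration; the OIDs are the standard values for those purposes.

```powershell
# Added example, not from the thread. Run in an elevated session on the DC.
$KdcAuth        = '1.3.6.1.5.2.3.5'          # KDC Authentication EKU
$SmartCardLogon = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon EKU
# Certificate Template Name (v1 templates) / Certificate Template Information (v2+)
$TemplateOids   = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'

function Get-DcCertificateReport {
    param(
        # Defaults to the local computer's personal store.
        [System.Security.Cryptography.X509Certificates.X509Certificate2[]]$Certificate =
            (Get-ChildItem -Path Cert:\LocalMachine\My),
        [int]$WarnDays = 30   # hypothetical threshold for "expiring soon"
    )
    $now = Get-Date
    foreach ($cert in $Certificate) {
        # Collect the EKU OIDs, if the certificate has an EKU extension at all.
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        } | Select-Object -First 1
        $ekus = if ($ekuExt) { @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }

        # The template extension tells which template issued the certificate.
        $tplExt = $cert.Extensions |
            Where-Object { $_.Oid.Value -in $TemplateOids } | Select-Object -First 1
        $template = if ($tplExt) { $tplExt.Format($false) } else { '(no template extension)' }

        $status = if ($cert.NotAfter -lt $now) { 'EXPIRED' }
                  elseif ($cert.NotBefore -gt $now) { 'NOT YET VALID' }
                  elseif ($cert.NotAfter -lt $now.AddDays($WarnDays)) { 'EXPIRING SOON' }
                  else { 'OK' }

        [pscustomobject]@{
            Thumbprint     = $cert.Thumbprint
            Template       = $template
            NotAfter       = $cert.NotAfter
            KdcAuth        = $ekus -contains $KdcAuth
            SmartCardLogon = $ekus -contains $SmartCardLogon
            Status         = $status
        }
    }
}

# Report every certificate, then flag a DC with no currently valid KDC certificate.
$report = @(Get-DcCertificateReport)
$report | Sort-Object NotAfter | Format-Table -AutoSize
if (-not ($report | Where-Object { $_.KdcAuth -and $_.Status -in 'OK', 'EXPIRING SOON' })) {
    Write-Warning 'No currently valid certificate with the KDC Authentication EKU was found.'
}
```

Running it on each DC and comparing the output shows which sites still depend on an older template and when those certificates run out.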


  3. adv_kd 125 Reputation points
    2024-05-09T07:46:08.9133333+00:00

    Anyone have an idea?

