Hi,
Thank you for posting in our forum. According to the situation you described and the corresponding solution you made, it seems that there is no problem, and the solution that our forum can provide is the same.
I would recommend that you seek the help of senior engineers; they can give you more in-depth and professional solutions.
Reference: https://support.microsoft.com/en-in/hub/4343728/support-for-business
Hope this information can help you.
Best wishes
Vicky
Problems with authentication on domain using smart card logon
Dear MS Support,
We're using Smart Card logon as a second method for our users to sign into domain-based PCs.
After the latest Servicing Stack update (KB4586863) and Cumulative update (KB4586786), logon with smart card stopped working with this message: "This smart card could not be used. Additional detail may be available in the system log. Please report this error to your administrator".
We've done several things:
1) Deleted the current Smart card driver and reinstalled it - Alcor Micro USB Smart Card reader - didn't help
2) Tried to uninstall the specified updates using the wusa.exe script in Command Prompt in elevated mode and in PowerShell and got the reply: "Security Update for Microsoft Windows (KB4586863) is required by your computer and cannot be uninstalled".
3) Tried to modify it using Local Group Policy Editor:
gpedit.msc (Run As Admin) / Computer Configuration / Administrative Templates / Windows Components / Smart Card
and enable feature: Turn on certificate propagation from smart card
Despite this troubleshooting, we haven't found any Microsoft-related (TechNet or similar) link or blog where Event ID 5 (after we've searched Event Viewer) was described, or a resolution for this kind of error.
Endpoints which experienced this kind of issue are Windows 10 PRO OS, versions 1909, 2004 and 20H2, latest builds.
Domain controllers are on Windows Server 2019 Standard OS version.
We have several PCs that haven't yet got those latest updates, and logon is working just fine on those PCs.
Please provide us help and guide us on what else we can troubleshoot, since we're out of ideas.
Is the solution for this case to reset PC (installing clean OS version) or is there anything else we can do about this issue?
Thank you in advance for the provided help.
BR,
Dragan
4 answers
-
Vicky Wang 2,611 Reputation points
2020-12-03T09:23:51.59+00:00 -
Vicky Wang 2,611 Reputation points
2020-12-07T09:33:56.95+00:00
Hi,
Just checking in to see if the information provided was helpful.
Please let us know if you would like further assistance.
Best Regards,
Vicky
-
Anders Haglund 1 Reputation point
2021-02-19T09:11:07.173+00:00
Hey Dragan!
Did you get around this problem? I am sitting in the same situation, with this event id 5 blocking the logon using a smartcard. I also notice event id 1 and 2 (result 1326) deep down in the event log for Winlogon among the Windows operational logs.
I have tested Windows 1809 with all updates until yesterday (2021-02-18). All other prerequisites for my smart cards are in place. I have the external CA certificate in both NTAuth and Root containers in AD, as well as a Certificate Revocation List available offline.
I have verified the chain using "certutil -scinfo".
Seems all MVPs from M$ are at a loss for this problem. I have been searching the net for solutions, but it's like always, nonsense answers and then a support link.
-
Green and Relaxed 6 Reputation points
2021-02-24T06:33:03.657+00:00
Just wanted to add my own comments, seeing the same thing as @Anders Haglund with a current up-to-date 20H2 (19042.804) Enterprise version. We're in the process of implementing smart cards and currently stuck; it cannot be a coincidence that we're stuck with the exact same error (event id 5 and event id 1+2 result 1326).
I really wish the error message was a bit more informative.
I've verified that the third-party root CA is in fact applied to the computer: I can see the thumbprint under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates, and the CA is in fact under both computer and user certificate store in Trusted Root CA\Certificates. Also the domain has the CA applied.
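
The CA trust checks described in the two posts above can be scripted so they are repeatable across affected and unaffected PCs. This is an added example, not part of any post in this thread; the certificate file path and the function name `Test-SmartCardCaTrust` are assumptions, and the registry path is the one quoted above.

```powershell
param(
    # Hypothetical path to the exported CA certificate (.cer); replace with your own file.
    [string]$CaCertPath = 'C:\Temp\smartcard-ca.cer'
)

function Test-SmartCardCaTrust {
    param([Parameter(Mandatory)][string]$Path)

    # Load the CA certificate and take its thumbprint (upper-case hex, no spaces).
    $ca    = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path)
    $thumb = $ca.Thumbprint

    # NTAuth location quoted in the thread: one subkey per certificate, named by thumbprint.
    $ntAuthKey = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates'
    $inNtAuth  = Test-Path -Path (Join-Path $ntAuthKey $thumb)

    # Trusted Root stores for the computer and for the current user.
    $inMachineRoot = Test-Path -Path "Cert:\LocalMachine\Root\$thumb"
    $inUserRoot    = Test-Path -Path "Cert:\CurrentUser\Root\$thumb"

    # An expired or not-yet-valid CA certificate fails chain building even when present.
    $now = Get-Date

    [pscustomobject]@{
        Subject        = $ca.Subject
        Thumbprint     = $thumb
        InNTAuth       = $inNtAuth
        InMachineRoot  = $inMachineRoot
        InUserRoot     = $inUserRoot
        WithinValidity = ($now -ge $ca.NotBefore -and $now -le $ca.NotAfter)
    }
}

# Run on a PC where logon fails and on one where it still works, then compare the output.
Test-SmartCardCaTrust -Path $CaCertPath | Format-List
```

With a card inserted, `certutil -scinfo` (mentioned above) covers the chain of the certificate on the card itself.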