How to enable smartcard logon for DOD CAC users on a non-DOD domain

Anonymous
2024-04-19T21:26:34+00:00

Hi all,

I am running into an issue with being able to have external DOD users use their CACs to sign into computers on my domain. I have the DOD root and intermediate certificates installed on the clients and servers involved. For their user accounts, the UPN is the UPN specified on their CAC certificates. However, when they attempt to sign in, they receive "Unable to verify credentials."

Please help if you have knowledge on smart card infrastructure and PKI. Thank you.


Locked question. This question was migrated from the Microsoft Support Community; user profiles for migrated questions are anonymized.


1 answer

  1. Anonymous
    2024-04-22T03:05:50+00:00

    Hi Confused_Jima,

    Thank you for posting in the Microsoft Community Forums.

    Here are some steps you can take to troubleshoot the issue:

    1. Check Certificate Chain: Ensure that the certificates installed on both client and server machines form a complete certificate chain, including the root and intermediate certificates.
    2. Verify UPN Matching: Double-check that the User Principal Name (UPN) specified in the user's Common Access Card (CAC) certificate matches the UPN configured for their user account in your domain.
    3. Certificate Revocation Lists (CRLs): Ensure that the Certificate Revocation Lists (CRLs) are accessible and up-to-date for the installed certificates. Sometimes, connectivity issues or outdated CRLs can cause authentication failures.
    4. Verify Certificate Usage: Confirm that the certificates are intended for client authentication (Client Authentication EKU) and are not expired or revoked.
    5. Check Group Policy Settings: Review any Group Policy settings related to certificate authentication and ensure they are configured correctly.
    6. Event Logs: Check the event logs on both the client and server machines for any relevant error messages or warnings that might provide additional clues about the authentication failure.
    7. Network Connectivity: Ensure that there are no network connectivity issues between the client and server machines that could be preventing successful authentication.

    Best regards

    Neuvi Jiang

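The first four items in the answer (chain, UPN match, revocation, EKU) can be checked from one exported CAC certificate before touching Group Policy or event logs. The script below is an added example, not code from the thread or from Microsoft; it assumes the user's certificate has been exported to a .cer file, that it runs on a domain-joined Windows machine that already has the DOD root and intermediates installed, and that the RSAT ActiveDirectory module is available for the account lookup.

```powershell
param(
    [Parameter(Mandatory)] [string] $CertPath,   # exported CAC logon certificate, e.g. .\cac-user.cer (assumed)
    [string] $Domain = $env:USERDNSDOMAIN         # domain in which the matching account is expected
)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
Write-Host "Subject : $($cert.Subject)"
Write-Host "Valid   : $($cert.NotBefore) -> $($cert.NotAfter)"

# Items 1 and 3: build the full chain and fetch revocation data for every element.
# 'NoCheck' would hide exactly the CRL problems the answer warns about.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
$chainOk = $chain.Build($cert)
Write-Host "Chain builds and is unrevoked: $chainOk"
$chain.ChainElements | ForEach-Object { Write-Host "  <- $($_.Certificate.Subject)" }
$chain.ChainStatus   | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation)" }

# Item 4: the certificate must carry the Client Authentication EKU; CAC logon
# certificates normally also carry Smart Card Logon (1.3.6.1.4.1.311.20.2.2).
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$ekuOids = @()
if ($eku) { $ekuOids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value } }
Write-Host ("Client Authentication EKU : " + ($ekuOids -contains '1.3.6.1.5.5.7.3.2'))
Write-Host ("Smart Card Logon EKU      : " + ($ekuOids -contains '1.3.6.1.4.1.311.20.2.2'))

# Item 2: the UPN lives in the Subject Alternative Name as Other Name / Principal Name.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$upn = $null
if ($san -and ($san.Format($true) -match 'Principal Name=(\S+)')) { $upn = $Matches[1] }
if (-not $upn) { Write-Warning 'No Principal Name (UPN) in the SAN; UPN-based mapping cannot work.'; return }
Write-Host "UPN on card: $upn"

# The account's UserPrincipalName must match the card's value exactly (case-insensitive).
Import-Module ActiveDirectory
$user = Get-ADUser -Server $Domain -Filter "UserPrincipalName -eq '$upn'" -ErrorAction SilentlyContinue
if ($user) { Write-Host "AD account found: $($user.SamAccountName) ($($user.UserPrincipalName))" }
else       { Write-Warning "No account in $Domain has UserPrincipalName '$upn'" }
```

Any warning printed by the chain section (for example a revocation-server-offline status) or a missing AD match points at the item in the answer to fix first.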