Setting up smart card authentication to domain

Al Rivers 1 Reputation point
2020-07-28T20:14:17.323+00:00

I have taken over a domain that appears to have had ADFS partially installed and partially set up. The role has long been removed, as well as the expired certificates.

I am now trying to implement smart card authentication from a third party CA. I have received the correct server certificates issued by the third party for both of the domain controllers. I have installed the RootCA for the third party in the NTAuth store and, according to regedit and certutil, it is the only one present... now. The ADFS server cert was in there at one time and has since been removed along with the uninstallation of the ADFS server role.

How can I revert all the possible changes this ADFS server may have performed to the domain and get my smart card authentication to the domain working correctly? What should I look for to troubleshoot this issue? The smart cards are used within the desktop to authenticate to a third party application without issue. The certificates on the cards are enrolled with the correct user UPN as well, to facilitate the domain login. When a user attempts to authenticate with the smart card instead of the standard domain credential login, they get the error prompt "Smart card authentication is not set up for this user".


1 answer

  1. Pierre Audonnet - MSFT 10,166 Reputation points Microsoft Employee
    2020-07-29T13:52:04.05+00:00

    There is no interaction between ADFS and smartcard authentication for Windows.

    You can set up certificate-based authentication in ADFS, but even that does not impact your ability to do smartcard logon on Windows.

    ADFS leaves traces of its installation in AD, mainly containers, which take minimal space, so they don't even need to be cleaned up. They are under <domain name>/Program Data/Microsoft/ADFS. You will need to enable the Advanced Features view option in the Users and Computers MMC to see them (and you will need to be a member of Domain Admins or the built-in Administrators group to see and delete them).

    Unless you mean ADCS? If so tell us :)

    Smartcard authentication requires the domain to have the certificate of the CA that issues the smartcard certificates in the NTAuth store (which seems to be the case for you) and the root certificate of the CA that issued that certificate in the RootCA store (which also seems to be the case for you). You can verify that the certificates are in fact really there by using the PKIVIEW.MSC tool. This tool requires you to install the Active Directory Certificate Services administrative tools (with the RSAT on Windows 10, or with Server Manager by adding the feature).

    This tool works to see the AD stores graphically even if you use a third party CA. You can see all the data in other tools such as LDP.EXE, ADSIEDIT.MSC or even DSSITE.MSC, but then most of the data is in binary format.

    Smartcard authentication requires the user to have a certificate with the Smart Card Logon EKU.

    Smartcard authentication requires the device to have a smartcard reader :)

    2 people found this answer helpful.
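The answer lists three things that must line up for smart card logon: the issuing CA in the NTAuth store published in AD, the root in the RootCA store, and a Smart Card Logon EKU (plus, for the questioner's setup, a UPN) on the card certificate. The following PowerShell script is an added example, not part of the answer above and not a Microsoft tool; it checks all three from a domain-joined workstation with the card inserted. It assumes the Certificate Propagation service has copied the card's certificate into `Cert:\CurrentUser\My` (the usual behaviour), that the current user can read the Configuration partition, and that `Test-SmartCardLogonReadiness` and `Get-NTAuthCertificates` are names chosen here. Revocation checking is deliberately skipped so the result reflects trust-store contents rather than CRL reachability, which is a separate failure mode.

```powershell
# Added diagnostic (hypothetical helper names), not from the original Q&A.
$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon EKU OID

function Get-NTAuthCertificates {
    # Reads the NTAuthCertificates object in the forest Configuration partition,
    # i.e. the same NTAuth store PKIVIEW.MSC displays, straight from AD.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = [string]$rootDse.configurationNamingContext
    $ntAuth   = [ADSI]"LDAP://CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNc"
    foreach ($blob in $ntAuth.Properties['cACertificate']) {
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$blob)
    }
}

function Test-SmartCardLogonReadiness {
    param(
        [Parameter(ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    begin {
        $ntAuthThumbprints = @(Get-NTAuthCertificates | ForEach-Object Thumbprint)
        $machineRoots      = @(Get-ChildItem Cert:\LocalMachine\Root | ForEach-Object Thumbprint)
    }
    process {
        # Build the chain from the local machine stores; revocation is not consulted
        # here because this check is about trust-store contents, not CRL access.
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $chainBuilt = $chain.Build($Certificate)
        $elements   = @($chain.ChainElements | ForEach-Object Certificate)
        $root       = $elements[-1]

        # Smart Card Logon EKU on the leaf certificate.
        $hasEku = [bool]($Certificate.EnhancedKeyUsageList | Where-Object ObjectId -eq $SmartCardLogonEku)

        # UPN lives in the Subject Alternative Name (OID 2.5.29.17) as an Other Name;
        # Windows formats it as "Principal Name=user@domain".
        $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $upn = $null
        if ($san -and ($san.Format($true) -match 'Principal Name=([^\s,]+)')) { $upn = $Matches[1] }

        [pscustomobject]@{
            Subject              = $Certificate.Subject
            Issuer               = $Certificate.Issuer
            Upn                  = $upn
            HasSmartCardLogonEku = $hasEku
            ChainBuilds          = $chainBuilt
            RootInMachineRoot    = $machineRoots -contains $root.Thumbprint
            # True when some CA in the chain (normally the issuing CA) is in NTAuth.
            IssuerChainInNTAuth  = [bool]($elements | Where-Object { $ntAuthThumbprints -contains $_.Thumbprint })
            NotAfterUtc          = $Certificate.NotAfter.ToUniversalTime()
        }
    }
}

# Usage: insert the card, then inspect every propagated certificate.
Get-ChildItem Cert:\CurrentUser\My | Test-SmartCardLogonReadiness | Format-List
```

A row with `HasSmartCardLogonEku` or `Upn` missing points at the card enrollment; `IssuerChainInNTAuth` false with a third party CA means the issuing CA certificate (not only the root) still has to be published to NTAuth; `RootInMachineRoot` false on the workstation usually means the root has not reached clients via Group Policy or the AD RootCA store. The domain controllers' own certificates are a separate prerequisite that this client-side check does not cover.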