
Thread: W2K3 Smartcard Logon with third party CA

  1. #1
    Join Date
    Feb 2010
    Posts
    1

    W2K3 Smartcard Logon with third party CA

    Hi @all,

    I have a bit of a problem with smartcard logon to my Windows AD-Server.

    I've read the KB article and did all the needed stuff they mention in there:

    http://support.microsoft.com/kb/281245

    On the client everything seems to work. When I put in my smart card I am prompted for the PIN, but authentication fails with "your certificate is not trusted".

    If I do a "certutil -verify -urlfetch c:\msw-aia.cer" (exported certificate from the smart card) on the client, I get this output:

    Code:
    C:\Users\msw.INTERNAL\Desktop>certutil -verify -urlfetch msw-aia.cer
    Issuer:
        E=kundenservice@nwe.de
        CN=Network Engineering GmbH CA
        O=Network Engineering GmbH
        L=Speyer
        S=RLP
        C=DE
    Subject:
        CN=User_MSw
        O=Network Engineering GmbH
        L=Speyer
        S=RLP
        C=DE
    Cert Serial Number: 01
    
    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_BASE
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwRevocationFreshnessTime: 44 Minutes, 7 Seconds
    
    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwRevocationFreshnessTime: 44 Minutes, 7 Seconds
    
    CertContext[0][0]: dwInfoStatus=101 dwErrorStatus=0
      Issuer: E=kundenservice@nwe.de, CN=Network Engineering GmbH CA, O=Network Engineering GmbH, L=Speyer, S=RLP, C=DE
      NotBefore: 24.02.2010 17:29
      NotAfter: 22.02.2020 17:29
      Subject: CN=User_MSw, O=Network Engineering GmbH, L=Speyer, S=RLP, C=DE
      Serial: 01
      SubjectAltName: Other Name:Principal Name=msw@internal.nwe.de
      4d 30 52 1c 7e 3e 93 cd bf c2 50 c3 f6 33 22 07 c9 5b 6c d3
      Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      ----------------  Certificate AIA  ----------------
      Verified "Certificate (0)" Time: 0
        [0.0] http://www.nwe.de/ca.crt
    
      ----------------  Certificate CDP  ----------------
      Verified "Base CRL" Time: 0
        [0.0] http://www.nwe.de/crl.pem
    
      Verified "Base CRL" Time: 0
        [1.0] http://www.nwe.de/crl.pem
    
      ----------------  Base CRL CDP  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate OCSP  ----------------
      No URLs "None" Time: 0
      --------------------------------
        CRL (null):
        Issuer: E=kundenservice@nwe.de, CN=Network Engineering GmbH CA, O=Network Engineering GmbH, L=Speyer, S=RLP, C=DE
        1c d9 b5 64 f3 de 8c 11 74 3c 0c 68 d6 c5 c8 b6 3a 9a 7f 9f
      Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
      Application[1] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
      Application[2] = 1.3.6.1.5.5.7.3.4 Secure Email
    
    CertContext[0][1]: dwInfoStatus=109 dwErrorStatus=0
      Issuer: E=kundenservice@nwe.de, CN=Network Engineering GmbH CA, O=Network Engineering GmbH, L=Speyer, S=RLP, C=DE
      NotBefore: 22.02.2010 16:00
      NotAfter: 20.02.2020 16:00
      Subject: E=kundenservice@nwe.de, CN=Network Engineering GmbH CA, O=Network Engineering GmbH, L=Speyer, S=RLP, C=DE
      Serial: aea879435286f374
      fa cb 15 81 54 f7 55 93 b8 55 ad c2 8a 5b 4a 7f fd 70 e0 8e
      Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
      Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      ----------------  Certificate AIA  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate CDP  ----------------
      Verified "Base CRL" Time: 0
        [0.0] http://www.nwe.de/crl.pem
    
      Verified "Base CRL" Time: 0
        [1.0] http://www.nwe.de/crl.pem
    
      ----------------  Certificate OCSP  ----------------
      No URLs "None" Time: 0
      --------------------------------
    
    Exclude leaf cert:
      d9 ad 67 92 51 f7 37 50 6a 64 d8 4c aa 68 9c 22 8a 1b de cb
    Full chain:
      5b 02 29 57 4e 17 90 4f c4 7b 07 9b e2 0b 12 24 a4 bf 3a 5d
    ------------------------------------
    Verified Issuance Policies: None
    Verified Application Policies:
        1.3.6.1.5.5.7.3.2 Client Authentication
        1.3.6.1.4.1.311.20.2.2 Smart Card Logon
        1.3.6.1.5.5.7.3.4 Secure Email
    Leaf certificate revocation check passed.
    CertUtil: -verify command completed successfully.
    
    C:\Users\msw.INTERNAL\Desktop>
    This way I'm not getting any error message.

    If I do the same thing on my W2K3 domain controller, with all the steps mentioned in the KB article successfully done, I get:

    Code:
    C:\Dokumente und Einstellungen\mswadmin>certutil -verify -urlfetch c:\msw-aia.cer
    Issuer:
        E=kundenservice@nwe.de
        CN=Network Engineering GmbH CA
        O=Network Engineering GmbH
        L=Speyer
        S=RLP
        C=DE
    Subject:
        CN=User_MSw
        O=Network Engineering GmbH
        L=Speyer
        S=RLP
        C=DE
    Cert Serial Number: 01
    
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_BASE
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwErrorStatus = CERT_TRUST_IS_NOT_SIGNATURE_VALID (0x8)
    ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    SimpleChain.dwErrorStatus = CERT_TRUST_IS_NOT_SIGNATURE_VALID (0x8)
    SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    
    CertContext[0][0]: dwInfoStatus=1 dwErrorStatus=1000048
      Issuer: E=kundenservice@nwe.de, CN=Network Engineering GmbH CA, O=Network Engineering GmbH, L=Speyer, S=RLP, C=DE
      Subject: CN=User_MSw, O=Network Engineering GmbH, L=Speyer, S=RLP, C=DE
      Serial: 01
      4d 30 52 1c 7e 3e 93 cd bf c2 50 c3 f6 33 22 07 c9 5b 6c d3
      Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
      Element.dwErrorStatus = CERT_TRUST_IS_NOT_SIGNATURE_VALID (0x8)
      Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
      Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
      ----------------  Certificate AIA  ----------------
      Wrong Issuer "Certificate (0)" Time: 0
        [0.0] http://www.nwe.de/ca.crt
    
      ----------------  Certificate CDP  ----------------
      Wrong Issuer "Base CRL" Time: 0
        [0.0] http://www.nwe.de/crl.pem
    
      Wrong Issuer "Base CRL" Time: 0
        [1.0] http://www.nwe.de/crl.pem
    
      --------------------------------
      Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
      Application[1] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
      Application[2] = 1.3.6.1.5.5.7.3.4 Secure Email
    
    CertContext[0][1]: dwInfoStatus=109 dwErrorStatus=0
      Issuer: E=kundenservice@nwe.de, CN=Network Engineering GmbH CA, O=Network Engineering GmbH, L=Speyer, S=RLP, C=DE
      Subject: E=kundenservice@nwe.de, CN=Network Engineering GmbH CA, O=Network Engineering GmbH, L=Speyer, S=RLP, C=DE
      Serial: aea879435286f374
      fa cb 15 81 54 f7 55 93 b8 55 ad c2 8a 5b 4a 7f fd 70 e0 8e
      Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
      Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      ----------------  Certificate AIA  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate CDP  ----------------
      Wrong Issuer "Base CRL" Time: 0
        [0.0] http://www.nwe.de/crl.pem
    
      Wrong Issuer "Base CRL" Time: 0
        [1.0] http://www.nwe.de/crl.pem
    
      --------------------------------
    
    Exclude leaf cert:
      4d 30 52 1c 7e 3e 93 cd bf c2 50 c3 f6 33 22 07 c9 5b 6c d3
    Full chain:
      0f 20 cb 79 6a de 18 84 6b 98 22 5f 34 f6 f9 10 86 e3 e8 c2
      Issuer: E=kundenservice@nwe.de, CN=Network Engineering GmbH CA, O=Network Engineering GmbH, L=Speyer, S=RLP, C=DE
      Subject: CN=User_MSw, O=Network Engineering GmbH, L=Speyer, S=RLP, C=DE
      Serial: 01
      4d 30 52 1c 7e 3e 93 cd bf c2 50 c3 f6 33 22 07 c9 5b 6c d3
    The signature of the certificate cannot be verified. 0x80096004 (-2146869244)
    ------------------------------------
    CertUtil: -verify command FAILED: 0x80096004 (-2146869244)
    CertUtil: The signature of the certificate cannot be verified.
    
    C:\Dokumente und Einstellungen\mswadmin>
    Which actually says "certificate signature invalid".

    Any help would be great on that since I don't know where I could debug more.

    Best regards

    Marcus
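Added example (my own code, not part of the thread and not a Microsoft tool): a small Python script that parses the CertContext[i][j] lines of two certutil -verify -urlfetch dumps, names the CERT_TRUST_* bits (certutil prints dwInfoStatus and dwErrorStatus as bare hex digits, so dwErrorStatus=1000048 is 0x1000048), pairs the chain elements of the two runs by position and reports which certificates are byte-identical and which error bits appeared only on the second host. The CERT_TRUST_* values are the ones defined in wincrypt.h; the sample dumps are constructed from the output quoted above, with the distinguished names shortened.

```python
# Added example (not from the thread): decode the CertContext[i][j] lines of
# `certutil -verify -urlfetch` dumps and compare two dumps of the same file.
import re

# Subset of the CERT_TRUST_* bit values defined in wincrypt.h.
ERROR_FLAGS = {
    0x1: "CERT_TRUST_IS_NOT_TIME_VALID",
    0x4: "CERT_TRUST_IS_REVOKED",
    0x8: "CERT_TRUST_IS_NOT_SIGNATURE_VALID",
    0x20: "CERT_TRUST_IS_UNTRUSTED_ROOT",
    0x40: "CERT_TRUST_REVOCATION_STATUS_UNKNOWN",
    0x10000: "CERT_TRUST_IS_PARTIAL_CHAIN",
    0x1000000: "CERT_TRUST_IS_OFFLINE_REVOCATION",
}
INFO_FLAGS = {0x1: "CERT_TRUST_HAS_EXACT_MATCH_ISSUER", 0x8: "CERT_TRUST_IS_SELF_SIGNED",
              0x100: "CERT_TRUST_HAS_PREFERRED_ISSUER"}
HINTS = {  # what to check next on the verifying host for each error bit
    "CERT_TRUST_IS_UNTRUSTED_ROOT": "root CA not in this host's Trusted Root store",
    "CERT_TRUST_IS_PARTIAL_CHAIN": "issuer certificate not found on this host",
    "CERT_TRUST_REVOCATION_STATUS_UNKNOWN": "revocation status undetermined",
    "CERT_TRUST_IS_OFFLINE_REVOCATION": "CRL/OCSP not fetched or not verifiable",
}
# certutil prints both status words as bare hex digits: 1000048 means 0x1000048.
ELEMENT_RE = re.compile(r"^CertContext\[\d+\]\[(\d+)\]: dwInfoStatus=([0-9a-fA-F]+)"
                        r" dwErrorStatus=([0-9a-fA-F]+)")
FIELD_RE = re.compile(r"^  (Issuer|Subject|Serial): (.*)$")
THUMB_RE = re.compile(r"^\s+((?:[0-9a-f]{2} ){19}[0-9a-f]{2})\s*$")  # SHA-1 thumbprint

def decode(value, table):
    """Names of the bits set in value; bits missing from table are kept as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    unknown = value & ~sum(table)  # keys are distinct single bits, so sum == mask
    if unknown:
        names.append("0x%x" % unknown)
    return names

def parse_chain(dump):
    """One dict per chain element, in the order certutil printed them."""
    elements, cur = [], None
    for line in dump.splitlines():
        m = ELEMENT_RE.match(line)
        if m:
            cur = {"index": int(m.group(1)), "info": int(m.group(2), 16),
                   "error": int(m.group(3), 16), "thumbprint": None}
            elements.append(cur)
            continue
        if line.startswith(("Exclude leaf cert:", "Full chain:")):
            cur = None  # trailing summary hashes, not chain elements
        if cur is None:
            continue
        m = FIELD_RE.match(line)
        if m and m.group(1).lower() not in cur:  # first occurrence wins
            cur[m.group(1).lower()] = m.group(2).strip()
        m = THUMB_RE.match(line)
        if m and cur["thumbprint"] is None:
            cur["thumbprint"] = m.group(1).replace(" ", "")
    return elements

def diagnose(elements):
    """Plain statements for every element that carries error bits."""
    findings = []
    for i, el in enumerate(elements):
        who = "element %d (%s)" % (el["index"], el.get("subject", "?"))
        errs = decode(el["error"], ERROR_FLAGS)
        if "CERT_TRUST_IS_NOT_SIGNATURE_VALID" in errs:
            if i + 1 < len(elements):  # an element is signed with the next one's key
                nxt = elements[i + 1]
                findings.append("%s: signature does not verify under element %d "
                                "(thumbprint %s)" % (who, nxt["index"], nxt["thumbprint"]))
            else:
                findings.append("%s: self-signature does not verify" % who)
        findings.extend("%s: %s" % (who, HINTS[e]) for e in errs if e in HINTS)
    return findings

def compare(dump_ok, dump_bad):
    """Pair elements by position: same bytes on both hosts? which error bits are new?"""
    return [{"index": b["index"],
             "same_certificate": bool(a["thumbprint"]) and a["thumbprint"] == b["thumbprint"],
             "new_errors": decode(b["error"] & ~a["error"], ERROR_FLAGS)}
            for a, b in zip(parse_chain(dump_ok), parse_chain(dump_bad))]

# Constructed from the two transcripts in the thread (DNs shortened).
CLIENT_DUMP = """\
CertContext[0][0]: dwInfoStatus=101 dwErrorStatus=0
  Subject: CN=User_MSw, O=Network Engineering GmbH, C=DE
  4d 30 52 1c 7e 3e 93 cd bf c2 50 c3 f6 33 22 07 c9 5b 6c d3
CertContext[0][1]: dwInfoStatus=109 dwErrorStatus=0
  Subject: CN=Network Engineering GmbH CA, O=Network Engineering GmbH, C=DE
  fa cb 15 81 54 f7 55 93 b8 55 ad c2 8a 5b 4a 7f fd 70 e0 8e
"""
DC_DUMP = """\
CertContext[0][0]: dwInfoStatus=1 dwErrorStatus=1000048
  Subject: CN=User_MSw, O=Network Engineering GmbH, C=DE
  4d 30 52 1c 7e 3e 93 cd bf c2 50 c3 f6 33 22 07 c9 5b 6c d3
CertContext[0][1]: dwInfoStatus=109 dwErrorStatus=0
  Subject: CN=Network Engineering GmbH CA, O=Network Engineering GmbH, C=DE
  fa cb 15 81 54 f7 55 93 b8 55 ad c2 8a 5b 4a 7f fd 70 e0 8e
"""

if __name__ == "__main__":
    print(compare(CLIENT_DUMP, DC_DUMP), diagnose(parse_chain(DC_DUMP)))
```

Run against the two transcripts above, compare() reports same_certificate True for both chain elements (the leaf 4d 30 52 ... and the self-signed CA fa cb 15 81 ... carry the same thumbprints on the client and on the DC) and three error bits that exist only on the DC, and diagnose() turns dwErrorStatus=1000048 into "signature does not verify under element 1" plus two revocation hints. The "Wrong Issuer" lines on the DC's AIA and CDP fetches follow the same pattern: the same ca.crt and crl.pem that the client accepted fail to verify there. When identical bytes verify on one host and not on another, the place to look is the verifying host (its CryptoAPI build and its Trusted Root and NTAuth stores) rather than the card or the CA.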

  2. #2
    Join Date
    Mar 2010
    Posts
    163

    Re: W2K3 Smartcard Logon with third party CA

    Smart card authentication in Active Directory requires that the workstations, smart cards, Active Directory domain controllers and Active Directory itself are configured appropriately. Active Directory has to trust a certification authority in order to authenticate users based on the CA certificates. Both workstations with smart cards and domain controllers have to be configured with correctly configured certificates. As with any PKI implementation, all parties have to trust the root CA to which the issuing CA chains. Both domain controllers and workstations rely on this smart card root.
