Smartcard login fails with error message "A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)"

Assume the following scenario:

  • The company would like to use smartcard logon.
  • The domain controllers are equipped with certificates that can be used for smartcard logon.
  • The users are equipped with certificates that can be used for smartcard logon.
  • The login to the domain via smartcard fails with the following error message:
    A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)

Logon error with Windows Hello for Business: "Contact the system administrator and tell them that the KDC certificate could not be verified."

Assume the following scenario:

  • The company is using Windows Hello for Business.
  • Users receive the following error message when logging in to the client:
    Sign-in failed. Contact your system administrator and tell them that the KDC certificate could not be validated. Additional information may be available in the system event log.

About the "Build this from Active Directory information" option for certificate templates

When configuring a certificate template, one must decide on the intended certificate content, i.e., among other things, which identities are confirmed by the certificates and how they are mapped.

In the "Subject Name" tab of the certificate template configuration dialog, you can configure how the identity confirmed by the certificate is mapped.


Details of the event with ID 74 of the source Microsoft-Windows-CertificationAuthority

Event Source: Microsoft-Windows-CertificationAuthority
Event ID: 74 (0x4A)
Event log: Application
Event type: Error
Event text (English): Active Directory Certificate Services could not publish a Base CRL for key %1 to the following location on server %4: %2. %3.%5%6
Event text (German, translated): Failed to publish a base certificate revocation list for key %1 at the following location on server "%4": %2. %3.%5%6

Details of the event with ID 75 of the source Microsoft-Windows-CertificationAuthority

Event Source: Microsoft-Windows-CertificationAuthority
Event ID: 75 (0x4B)
Event log: Application
Event type: Error
Event text (English): Active Directory Certificate Services could not publish a Delta CRL for key %1 to the following location on server %4: %2. %3.%5%6
Event text (German, translated): Failed to publish a delta certificate revocation list for key %1 at the following location on server "%4": %2. %3.%5%6

Details of the event with ID 65 of the source Microsoft-Windows-CertificationAuthority

Event Source: Microsoft-Windows-CertificationAuthority
Event ID: 65 (0x41)
Event log: Application
Event type: Error
Event text (English): Active Directory Certificate Services could not publish a Base CRL for key %1 to the following location: %2. %3.%5%6
Event text (German, translated): No base certificate revocation list could be published for key %1 at the following location: %2. %3.%5%6

Details of the event with ID 66 of the source Microsoft-Windows-CertificationAuthority

Event Source: Microsoft-Windows-CertificationAuthority
Event ID: 66 (0x42)
Event log: Application
Event type: Error
Event text (English): Active Directory Certificate Services could not publish a Delta CRL for key %1 to the following location: %2. %3.%5%6
Event text (German, translated): Failed to publish a delta certificate revocation list for key %1 at the following location: %2. %3.%5%6

Configuring a Certificate Template for Domain Controllers

Even a certificate template for domain controllers, which is supposedly simple to configure, has a few things that need to be kept in mind.


Prevent smartcard logon to the network

Installing Active Directory Certificate Services in the default configuration automatically configures the environment so that the domain controllers accept smartcard logons.

Therefore, if smartcard logon is not wanted, it makes sense to disable the functionality so that a compromised certification authority cannot be used to jeopardize the Active Directory.


Certificates for domain controllers do not contain the domain name in the Subject Alternative Name (SAN)

Assume the following scenario:

  • Certificates for domain controllers are issued by an Active Directory integrated certification authority (Enterprise CA).
  • The certificate template used for this purpose was created by the administrator.
  • The Subject Alternative Name (SAN) of the issued certificates contains only the fully qualified computer name of the respective domain controller, but neither the fully qualified name nor the NetBIOS name of the domain.

Signing in via smart card fails with error message "Signing in with a security device isn't supported for your account."

Assume the following scenario:

  • A user has a Smartcard Logon certificate and logs on to the Active Directory domain with it.
  • The login fails. The following error message is returned on the user's computer:
    Signing in with a security device isn't supported for your account. For more info, contact your administrator.

Logon via smartcard fails with error message "The revocation status of the authentication certificate could not be determined."

Assume the following scenario:

  • A user has a Smartcard Logon certificate and logs on to the Active Directory domain with it.
  • The login fails. The following error message is returned on the user's computer:
    The revocation status of the authentication certificate could not be determined.

Domain Controller Certificate Templates and Smartcard Logon

In order for domain controllers to process smartcard logons, they need certificates that are suitable for this purpose.


Firewall rules required for Active Directory Certificate Services

Implementing an Active Directory integrated certification authority often requires planning the firewall rules that must be created on the network. The following is a list of the required firewall rules and their pitfalls.


Overview of the different generations of domain controller certificates

Over the generations of Windows operating systems, various certificate templates for domain controllers have been established. In a current Active Directory directory service, one will find three different templates for this purpose:

  • Domain Controller
  • Domain Controller Authentication
  • Kerberos Authentication

Below is a description of each template and a recommendation for configuring domain controller certificate templates.
