Assume the following scenario:
- A user has a Smartcard Logon certificate and logs on to the Active Directory domain with it.
- The logon fails, and the user's computer displays the following error message:
Signing in with a security device isn't supported for your account. For more info, contact your administrator.
In German, the message reads (translated):
Smartcard logon is not supported for your account.
The authenticating domain controller should also have logged the following two events:
- Event ID 19 from source Microsoft-Windows-Kerberos-Key-Distribution-Center:
This event indicates an attempt was made to use smartcard logon, but the KDC is unable to use the PKINIT protocol because it is missing a suitable certificate.
- Event ID 29 from source Microsoft-Windows-Kerberos-Key-Distribution-Center:
The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.
Possible causes
The error occurs, among other things, when:
- the domain controllers have no certificate that can be used for smartcard logon (for example, because the necessary Extended Key Usages are not included), or
- no revocation status information is available for the domain controller certificate of the authenticating domain controller, for example because the server hosting the CRL distribution points cannot be reached by the authenticating domain controller (it is offline, or blocked by a firewall), or because the CRL distribution points are reachable but the revocation lists they serve have expired.
Problems with the CRL distribution points (availability and currency of the revocation lists) can affect any certificate in the chain being checked, for example when the revocation list of a certification authority in the chain has expired (classically the root certification authority, whose CRL renewal was missed).
An expired root CA revocation list also has a common knock-on effect: subordinate certification authorities no longer start, because they check the validity of their own CA certificate when the service starts.
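The following PowerShell script is an added example, not code from the original post, that walks through both causes above on the authenticating domain controller: it pulls events 19 and 29, looks for a machine certificate with a private key and the EKUs a KDC can use, and then builds the chain with online revocation checking for every element so that an unreachable CRL distribution point or an expired CRL (including the root CA's CRL, which is needed to check the issuing CA's certificate) is reported per chain element. It assumes the DC certificate sits in the local machine "My" store, that the KDC logs to the System log, and that the Server Authentication and KDC Authentication EKU OIDs used below are the ones the DC certificate needs for PKINIT; none of these are stated on the page.

```powershell
# Added example (not from the original post): triage the two causes above on
# the authenticating domain controller. Run in an elevated PowerShell on the DC.
# Assumptions not stated on the page: the DC certificate is in the local
# machine "My" store, the KDC writes events 19/29 to the System log, and the
# EKU OIDs below are the ones a DC certificate needs for PKINIT.

$ekuServerAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$ekuKdcAuth    = '1.3.6.1.5.2.3.5'     # KDC Authentication (RFC 4556 id-pkinit-KPKdc)

# 1. Confirm the KDC actually logged the events the page describes.
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 19, 29
} -MaxEvents 10 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, Message -AutoSize -Wrap

# 2. Cause 1: is there any certificate with a private key and a usable EKU at all?
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $ekuServerAuth)
}
if (-not $candidates) {
    Write-Warning 'No certificate with a private key and the Server Authentication EKU found: the KDC has nothing it can use for PKINIT.'
    return
}

# 3. Cause 2: build the chain with online revocation checking for every element,
#    so an unreachable CDP or an expired CRL anywhere in the chain (including the
#    root CA CRL needed to check the issuing CA certificate) is reported per element.
foreach ($cert in $candidates) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode      = 'Online'
    $chain.ChainPolicy.RevocationFlag      = 'EntireChain'
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        Subject     = $cert.Subject
        Thumbprint  = $cert.Thumbprint
        NotAfter    = $cert.NotAfter
        HasKdcEku   = ($cert.EnhancedKeyUsageList.ObjectId -contains $ekuKdcAuth)
        ChainValid  = $chainOk
        # RevocationStatusUnknown / OfflineRevocation here means a CRL could not be
        # fetched or has expired; which CA is affected is shown per element below.
        ChainStatus = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    } | Format-List

    foreach ($element in $chain.ChainElements) {
        $status = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
        if (-not $status) { $status = 'OK' }
        '  {0}  ->  {1}' -f $element.Certificate.Subject, $status
    }

    # Same check with the tool named in event 29: -urlfetch forces every CDP/AIA
    # URL in the chain to be downloaded and reports expired or unreachable CRLs.
    $cerPath = Join-Path $env:TEMP ('dc-' + $cert.Thumbprint + '.cer')
    Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null
    certutil.exe -verify -urlfetch $cerPath | Select-String -Pattern 'CRL|Revocation|expired|ERROR|Verified'
    Remove-Item $cerPath -ErrorAction SilentlyContinue
}
```

If the script stops at the warning in step 2, you are looking at the first cause (no suitable certificate or missing EKUs) and need to enroll the DC for a certificate from a suitable template. If a certificate is listed but ChainValid is False with RevocationStatusUnknown or OfflineRevocation on one of the elements, the element's subject tells you which CA's CRL is unreachable or expired; the certutil output confirms the same from the DC's point of view, which matters because the DC, not your admin workstation, must be able to reach the CRL distribution points.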