Solved

Smartcard authentication error and trusted domain Kerberos error

Posted on 2013-11-05
2
5,809 Views
Last Modified: 2013-12-13
So we have AD running with a few 2008R2 Citrix Xenapp 65 servers. We have a trusted domain where we need to get a few users to connecto to those servers.

These users have to use Smartcard and PIN to get through. We got it all to work until they are prompted for their PIN.

Once the users from the trusted domain type the PIN, it takes a few seconds (20 or so) and then we get the error message that:

The System Could Not Log you on, The Kerberos protocol encountered an error while validating the KDC certificate during smart card logon. There is more information in the event log.

I think we need to get an SSL certificate loaded somewhere to get the secure exchange going. right?

The question is, since this is an app server in a different domain from where the users are,

Would we need to load a cert on the app server?
Would we need to load a cert on the DC in that app server domain?
what kind of cert do we need, one issued from the trusted domain?

I am really newbie when it comes to smart cards and cannot figure out the answer with trusted domains.
It is a one way trust.
smartcarderror.png
0
Comment
Question by:onlinerack
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 26

Accepted Solution

by:
Tony Johncock earned 500 total points
ID: 39623715
You're right -  in the first instance you need to hook into a Certification Authority such as an MS PKI.

From http://support.citrix.com/proddocs/topic/xenapp65-sec/ps-sec-smart-cards-xa6.html :

Citrix continues to test smart cards to address compatibility with XenApp, using certificates from common certificate authorities such as those supported by Microsoft. If you have any concerns regarding your certificate authority and compatibility with XenApp, contact your local Citrix representative.

I must confess I've never integrated it with a trusted domain but I would presume that you would need to edit the certificates such that they have an accessible CRL published.

There are some step-by-step instructions that might help you here: http://support.citrix.com/article/CTX129096
0
 
LVL 5

Author Closing Comment

by:onlinerack
ID: 39717796
The issue is much more complicated to be posted here to come up with a solution.
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
For anyone that has accidentally used newSID with Server 2008 R2 (like I did) and hasn't been able to get the server running again because you were unlucky (as I was) and had no backups - I was able to get things working by doing a Registry Hive rec…
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question