So we have AD running with a few 2008R2 Citrix XenApp 65 servers. We have a trusted domain where we need to get a few users to connect to those servers.
These users have to use a smart card and PIN to get through. We got it all to work until they are prompted for their PIN.
Once the users from the trusted domain type the PIN, it takes a few seconds (20 or so) and then we get the error message:
"The system could not log you on. The Kerberos protocol encountered an error while validating the KDC certificate during smart card logon. There is more information in the event log."
I think we need to get an SSL certificate loaded somewhere to get the secure exchange going. Right?
The question is, since this is an app server in a different domain from where the users are:
Would we need to load a cert on the app server?
Would we need to load a cert on the DC in that app server's domain?
What kind of cert do we need, one issued from the trusted domain?
I am really a newbie when it comes to smart cards and cannot figure out the answer with trusted domains.
It is a one-way trust.