Windows 10 Smartcard Login versus Windows 7 Smartcard Login

waltforbes
Points of My Scenario:
1. I am admin of 2 newly deployed virtual machines: one Windows 7 Enterprise, and one Windows 10 Enterprise
2. I successfully configured smartcard logon for the Windows 7 computer, but the same steps (driver installation and certificate import) are not working for the Windows 10 Enterprise computer.
3. For each computer, both the driver installation (smartcard reader and smartcard) and the certificate import are successful.
4. For both Windows versions (7 and 10 Enterprise), the root CA certificate was [successfully] imported into the Trusted Root Certification Authorities store.
5. However, when attempting to login to Windows 10 with smartcard, I get the following error, "An untrusted certification authority was detected while processing the domain controller certificate used for authentication. Additional information may be available in the system event log. Please contact your administrator."

QUESTION: What additional configuration is required on Windows 10 Enterprise so that it accepts the smartcard login just like its Windows 7 Enterprise counterpart?

PS: I can login to BOTH Windows 10 and Windows 7 with local and domain user accounts that don't require smartcards.
Kyle Santos, Software Test Analyst I at Dassault Systemes

Commented:
Hi,

I am following up on your question.  Do you still need help?

If you solved the problem on your own, would you please post the solution here in case others have the same problem?

Regards,

Kyle Santos
Customer Relations
waltforbes, Senior IT Specialist

Author

Commented:
Hi Kyle: yes - I still need help. Thank you for following up.

Kind regards,
Walt
btan, Exec Consultant
Distinguished Expert 2018

Commented:
Maybe you can take a look at some steps to check validity:
https://www.experts-exchange.com/questions/28922626/How-to-fix.html#a41442586
Chris, Lead Infrastructure Architect

Commented:
There shouldn't be any differences, as long as the right smart card policies/services are enabled and the drivers to support the smart card are installed.
I've had issues with smart card mini drivers.

What make/model are you using?
waltforbes, Senior IT Specialist

Author

Commented:
@Chris: I am using OMNIKEY 3121.

@btan: Computer's date and time matches all domain controllers (central NTP server used); Expiration is in 2027 and certificate is trusted.
Chris, Lead Infrastructure Architect
Commented:
Is it a single tier CA?

Can the Windows 10 machine do the CRL checks?

Have you checked the status of the smart card on both machines and compared them with certutil -v -scinfo?
waltforbes, Senior IT Specialist

Author

Commented:
Hi Chris:
1. It is a single tier CA
2. [Question]: How can I determine if the Windows 10 can do the CRL checks?
3. I have run "certutil -v -scinfo" successfully, and it correctly reports the smartcard details.
btan, Exec Consultant
Distinguished Expert 2018
Commented:
Some guidance from Microsoft support
Another thing to do is to export the cert from the smart card (public key only) to a file and then run certutil -verify -urlfetch against it on both the client and the DC.  Make sure you're not having trouble checking the CRL or chaining up to the roots.
Does your card chain up to the Common Policy Root CA?

If yes, on your domain controller, find the certificate for the CA in the trusted root store, look at the properties of it, and go to the details tab.  You'll see a button at the bottom labeled "Edit Properties"

If you click that button, there will be a list of Certificate Purposes - by default the Smart Card Logon purpose may be disabled.  If it is, enable it, and then close all the dialog boxes and check to see if it works or not.
I looked at that usage and it was NOT enabled.  I then tested another card (same issuer, same cert chain) and it worked immediately.  (I still haven't changed the cert usage on the domain controller)

I then deleted the AD account mapped to my original test card, recreated - and it worked as well.
https://social.technet.microsoft.com/Forums/sharepoint/en-US/63679b59-5148-4c97-bc2b-4978d51b7c43/smart-card-login-untrusted-certificate-authority-error?forum=w7itprosecurity
Chris, Lead Infrastructure Architect
Commented:
As btan has said above, certutil -verify -urlfetch will help you do this.

It's worth checking via a web browser as well: if you look at the certificate, you can find what the CRL points are.
[Screenshot: CRL location]
The screenshot is of the Experts Exchange cert; your internal CA may be configured with AD as well as an HTTP point.

If you do certutil -url \filename.cer you will get a GUI to check this.
[Screenshot: CRL check GUI]
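The checks Chris and btan describe (export the card's public certificate, run certutil -verify -urlfetch against it, confirm the issuing CA is in the trusted root store, and compare certutil -v -scinfo output), collected into one PowerShell script as an added example that is not from the thread. It assumes the card's certificate has been propagated into the user's Personal store, a single-tier CA as the author stated (so the card's issuer is the root), and that $OutFile is an assumed path; copy the exported .cer to the DC and repeat the certutil -verify step there as the Microsoft guidance suggests.

```powershell
# Added example (not from the thread). Run on the Windows 10 client with the card inserted.
# Assumes: card cert is in Cert:\CurrentUser\My, single-tier CA (issuer == root), $OutFile is an assumed path.
$ScLogonOid = '1.3.6.1.4.1.311.20.2.2'                     # Smart Card Logon EKU
$OutFile    = Join-Path $env:TEMP 'smartcard-public.cer'   # assumed output path

# 1. Find the logon certificate by its Smart Card Logon EKU
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $ScLogonOid } |
    Select-Object -First 1
if (-not $cert) { throw 'No certificate with the Smart Card Logon EKU found in Cert:\CurrentUser\My' }
"Card cert: $($cert.Subject)  issued by: $($cert.Issuer)  expires: $($cert.NotAfter)"

# 2. Export the public certificate only (DER). Copy this file to the DC and rerun step 4 there.
Export-Certificate -Cert $cert -FilePath $OutFile -Type CERT | Out-Null

# 3. The DC certificate chain is evaluated before any user profile loads, so the issuing CA
#    must be in the *machine* Trusted Root store, not only the current user's store.
$rootMatch = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $cert.Issuer }
if ($rootMatch) { "Issuer present in LocalMachine\Root (thumbprint $($rootMatch.Thumbprint))" }
else            { Write-Warning "Issuer '$($cert.Issuer)' is NOT in Cert:\LocalMachine\Root" }

# 4. Build the chain and fetch CRL/AIA URLs live; surface only the lines that decide the outcome
certutil -verify -urlfetch $OutFile | Select-String -Pattern 'revocation|ERROR|untrusted|CertUtil:'
if ($LASTEXITCODE -ne 0) { Write-Warning "certutil -verify reported a chain or revocation problem (exit $LASTEXITCODE)" }

# 5. Reader / minidriver / on-card certificate status, to compare with the Windows 7 machine
certutil -v -scinfo | Select-String -Pattern 'Reader|Provider|Card|ERROR|CertUtil:'
```

If step 4 passes on the client but logon still fails with the "untrusted certification authority" error, the chain being rejected is the domain controller's, so run the same certutil -verify -urlfetch against the DC's own certificate on the DC and check the CA certificate's Smart Card Logon purpose there as btan's quoted guidance describes.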
btan, Exec Consultant
Distinguished Expert 2018

Commented:
For author advice
btan, Exec Consultant
Distinguished Expert 2018

Commented:
No further inputs received