Windows 10 Smartcard Login versus Windows 7 Smartcard Login

Points of My Scenario:
1. I am admin of 2 newly deployed virtual machines: one Windows 7 Enterprise, and one Windows 10 Enterprise.
2. I successfully configured smartcard logon for the Windows 7 computer, but the same steps (driver installation and certificate import) are not working for the Windows 10 Enterprise computer.
3. For each computer, both the driver installation (smartcard reader and smartcard) and the certificate import are successful.
4. For both Windows versions (7 and 10 Enterprise), the root CA certificate was [successfully] imported into the Trusted Root Certification Authorities store.
5. However, when attempting to login to Windows 10 with smartcard, I get the following error: "An untrusted certification authority was detected while processing the domain controller certificate used for authentication. Additional information may be available in the system event log. Please contact your administrator."

QUESTION: What additional configuration is required on Windows 10 Enterprise so that it accepts the smartcard login just like its Windows 7 Enterprise counterpart?

PS: I can login to BOTH Windows 10 and Windows 7 with local and domain user accounts that don't require smartcards.
waltforbes (Senior IT Specialist) asked:

Kyle Santos (Quality Assurance) commented:

I am following up on your question. Do you still need help?

If you solved the problem on your own, would you please post the solution here in case others have the same problem?


Kyle Santos
Customer Relations
waltforbes (Senior IT Specialist, Author) commented:
Hi Kyle: yes - I still need help. Thank you for following up.

Kind regards,
btan (Exec Consultant) commented:
Maybe you can take a look at some steps to check on validity.

Chris (Senior Technical Architect) commented:
There shouldn't be any differences, as long as the right smart card policies/services are enabled and the drivers to support the smart card are installed.
I've had issues with smart card mini drivers.

What make/model are you using?
waltforbes (Senior IT Specialist, Author) commented:
@Chris: I am using OMNIKEY 3121.

@btan: Computer's date and time matches all domain controllers (central NTP server used); Expiration is in 2027 and certificate is trusted.
Chris (Senior Technical Architect) commented:
Is it a single tier CA?

Can the Windows 10 do the CRL checks?

Have you checked the status of the smart card and compared between them? certutil -v -scinfo
waltforbes (Senior IT Specialist, Author) commented:
Hi Chris:
1. It is a single tier CA
2. [Question]: How can I determine if the Windows 10 can do the CRL checks?
3. I have run "certutil -v -scinfo" successfully, and it correctly reports the smartcard details.
btan (Exec Consultant) commented:
Some guidance from Microsoft support:
Another thing to do is to export the cert from the smart card (public key only) to a file and then run certutil -verify -urlfetch against it on both the client and the DC. Make sure you're not having trouble checking the CRL or chaining up to the roots.
Does your card chain up to the Common Policy Root CA?

If yes, on your domain controller, find the certificate for the CA in the trusted root store, look at the properties of it, and go to the details tab. You'll see a button at the bottom labeled "Edit Properties".

If you click that button, there will be a list of Certificate Purposes; by default the Smart Card Logon purpose may be disabled. If it is, enable it, and then close all the dialog boxes and check to see if it works or not.
I looked at that usage and it was NOT enabled. I then tested another card (same issuer, same cert chain) and it worked immediately. (I still haven't changed the cert usage on the domain controller.)

I then deleted the AD account mapped to my original test card, recreated - and it worked as well.

Chris (Senior Technical Architect) commented:
As btan has said above,
certutil -verify -urlfetch will be able to help you do this.

It's worth checking via a web browser as well; if you look at the certificate then you can find what the CRL points are.
[Screenshot: CRL Location. Screenshot is of the Experts Exchange cert; your internal CA may be configured with AD as well as an HTTP point.]

If you do certutil -url \filename.cer you will get a GUI to check this.
[Screenshot: CRL Check GUI]
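The checks that btan's Microsoft guidance and Chris's post describe (export the smart card or domain controller certificate to a .cer file, build its chain with CRL retrieval on both the client and the DC, and confirm the certificate purposes) can also be scripted. The script below is an added example and is not from this thread or from any of its posters; it uses the .NET X509Chain class instead of certutil, and the certificate path is an assumed placeholder.

```powershell
# Added example (not from the thread): verify a certificate's chain with online
# revocation checking and list its Enhanced Key Usages. Point it at the public
# certificate exported from the smart card, or at the domain controller's
# certificate named in the Windows 10 logon error.
param(
    [string]$CertPath = 'C:\temp\exported-cert.cer'   # assumed placeholder path
)

$cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

# Online revocation for the entire chain mirrors what certutil -verify -urlfetch does
$chain = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 30

$trusted = $chain.Build($cert)

Write-Host "Subject : $($cert.Subject)"
Write-Host "Issuer  : $($cert.Issuer)"
Write-Host "Valid   : $($cert.NotBefore) to $($cert.NotAfter)"
Write-Host "Chain builds and is trusted: $trusted"

# Walk the chain leaf to root so an untrusted root or a CRL failure is visible per element
Write-Host "Chain elements:"
foreach ($element in $chain.ChainElements) {
    if ($element.ChainElementStatus.Count -eq 0) {
        $status = 'OK'
    } else {
        $status = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
    }
    Write-Host ("  {0}  [{1}]" -f $element.Certificate.Subject, $status)
}

# Overall status flags, e.g. UntrustedRoot, RevocationStatusUnknown, OfflineRevocation
if ($chain.ChainStatus.Count -gt 0) {
    Write-Host "Chain status:"
    $chain.ChainStatus | ForEach-Object {
        Write-Host ("  {0}: {1}" -f $_.Status, $_.StatusInformation.Trim())
    }
}

# Enhanced Key Usage: the card certificate needs Smart Card Logon; the DC certificate
# needs Server Authentication (older templates) or KDC Authentication (newer templates).
$ekuNames = @{
    '1.3.6.1.4.1.311.20.2.2' = 'Smart Card Logon'
    '1.3.6.1.5.5.7.3.1'      = 'Server Authentication'
    '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'
    '1.3.6.1.5.2.3.5'        = 'KDC Authentication'
}
$ekuRaw = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if ($ekuRaw) {
    # Re-wrap the raw extension so the typed EnhancedKeyUsages collection is available
    $eku = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension -ArgumentList $ekuRaw, $false
    Write-Host "Enhanced Key Usage:"
    foreach ($oid in $eku.EnhancedKeyUsages) {
        if ($ekuNames.ContainsKey($oid.Value)) { $name = $ekuNames[$oid.Value] } else { $name = $oid.FriendlyName }
        Write-Host ("  {0} ({1})" -f $name, $oid.Value)
    }
} else {
    Write-Host "No Enhanced Key Usage extension present"
}

# CRL Distribution Points, so each URL can be tested from the client and from the DC
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if ($cdp) {
    Write-Host "CRL Distribution Points:"
    Write-Host $cdp.Format($true)
}
```

Run it against the same .cer file on the Windows 10 client and on a domain controller and compare the output. An UntrustedRoot status on the client only points at the client's root store; RevocationStatusUnknown or OfflineRevocation points at CRL reachability, which is the same thing the thread's certutil -verify -urlfetch and certutil -url checks exercise. For the smart card certificate the EKU list should include Smart Card Logon; for the domain controller certificate it should include Server Authentication or KDC Authentication.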
btan (Exec Consultant) commented:
For author advice
btan (Exec Consultant) commented:
No further inputs received