Поделиться через


Smart card (CAC) Authentication with an External CA and Desktop Validator

Hey Daniel here again. I wanted to share a problem with everyone and a solution that I came across.

Background:

I have a customer that has been using smart card authentication in conjunction with Desktop Validator for years with no issues until they upgraded their domain controllers to Server 2008. The problem was if they rebooted a domain controller they could never predict if smart card authentication was going to work. The results were sporadic at best. Their setup was as follows:

  • Server 2008 64Bit
  • Desktop Validator (DV) - version 4.10.0.344
  • DV is validating against external OCSP Responders
  • External CA

In the above configuration we were seeing where the KDC service was starting before DV thus causing the failures. The easiest way to determine this was by looking at the System log on the domain controller and looking for event id 29.

The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

We could also verify that it didn't work by looking in the DV logs and locating the most recent event id of 1.

System Message: Tumbleweed Desktop Validator Service was started.

Once this was located we could look at the following events and see that lsass never made a call to DV to validate any certificates. In order for smart card authentication to work lsass (KDC) must know that it has a valid certificate that can be used for smart card logons.

Resolution:

To make a long story short we were able to get this fixed by forcing DV to start before the KDC. We did this by adding the following registry key to the DV service.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tumbleweed Desktop Validator

Create a new REG_SZ: Group

Data Value: NetBiosGroup

Suggested Reading:

If you are interested in learning more about smart card authentication, KDC and how to control device driver load order please see the following links.

Smart Card Authentication

KDC

How to control device driver load order

Until next time....