Troubleshoot ADCS Domain Controller login issues

idemeum uses virtual smart cards for user login, so the Domain Controller must be set up with the correct certificate templates, and the domain controller certificates must not be expired.

Potential issues

If you try to access a workstation with the idemeum mobile application or an RFID badge and the login screen spins, flashes, or times out, the cause may be a misconfiguration of Microsoft Active Directory Certificate Services.

  • Open Windows Event Viewer on the workstation where you cannot log in (hit Start, type Event Viewer into the search box, and click the result)
  • Go to Windows Logs -> Security and look for the following errors:

The request is Not Supported

Reported authentication failure. Status=0xC00000BB

  • The following error may be seen in the Kerberos event log on the workstation when attempting to log in:

0x10 - KDC_ERR_PADATA_TYPE_NOSUPP: KDC has no support for padata type

Smart card logon is being attempted and the proper certificate cannot be located. This can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted.

Known error codes: Status=0xC00000BB or 0x10 - KDC_ERR_PADATA_TYPE_NOSUPP

Resolution

The following requirements must be met for successful user authentication with an RFID badge.

  1. idemeum certificate templates must be configured on domain controller
  2. The Domain Controller certificate must be configured for smart card users; this is a setting in the Domain Controller Authentication certificate template
  3. The Domain Controller Authentication certificate must exist on all the domain controllers; if not, you must enroll a new certificate

1. Check idemeum certificate templates

  • Log on to your domain controller, open Run, and launch the mmc console
  • Click File -> Add/Remove Snap-in... and then choose Certificate Templates
  • Click Ok
  • Now expand the certificate templates and make sure you have Idemeum enrollment agent and Idemeum Windows templates present
If the templates are missing, please follow the configuration guide for how to set up ADCS properly. 

2. Check Domain Controller Authentication certificate template

  • Log on to your domain controller, open Run, and launch the mmc console
  • Click File -> Add/Remove Snap-in... and then choose Certificate Templates
  • Click Ok
  • Now search for and double click the Domain Controller Authentication certificate template
  • Navigate to Extensions and make sure Smart card logon is enabled
  • If Smart card logon is not enabled, click Edit and then Add to add Smart Card Logon authentication to Application policies

3. Check Domain Controller Authentication Certificate

  • Log on to your domain controller, open Run, and launch the mmc console
  • Click File -> Add/Remove Snap-in... and then choose Certificates
  • Click Ok
  • Choose Computer account
  • Choose Local computer and then click Finish
  • Click Ok
  • Expand Certificates (Local Computer)
  • Right-click Personal, then expand All Tasks > Request New Certificate
  • Click Next
  • Choose Active Directory Enrollment Policy and click Next
  • Select Domain Controller Authentication and click Enroll
  • Click Finish
Please check the Microsoft guidelines for certificate renewal.
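The same two checks (steps 2 and 3 above) can be scripted instead of clicked through. The following PowerShell is an added example, not part of the idemeum article; run it in an elevated prompt on a domain controller. It assumes the template keeps its default common name DomainControllerAuthentication and uses the standard Smart Card Logon EKU OID 1.3.6.1.4.1.311.20.2.2.

```powershell
# Added example (not from the idemeum article). Verifies on a domain controller:
#  (a) the Domain Controller Authentication template carries the Smart Card Logon EKU
#  (b) an unexpired certificate with that EKU exists in the local computer's Personal store
# Assumption: the template common name is the AD CS default "DomainControllerAuthentication".
$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'
$TemplateCn        = 'DomainControllerAuthentication'

# (a) Template definitions live in the configuration partition of Active Directory.
$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$template = [ADSI]"LDAP://CN=$TemplateCn,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
$templateEkus = @($template.pKIExtendedKeyUsage)
if ($templateEkus -contains $SmartCardLogonOid) {
    Write-Host "OK: template $TemplateCn includes Smart Card Logon ($SmartCardLogonOid)"
} else {
    Write-Warning "Template $TemplateCn lacks Smart Card Logon; add it under Extensions -> Application Policies (step 2)"
}

# (b) Certificates actually issued to this DC; filter to those carrying the Smart Card Logon EKU.
$now = Get-Date
$dcCerts = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $SmartCardLogonOid }

if (-not $dcCerts) {
    Write-Warning "No certificate with the Smart Card Logon EKU in LocalMachine\My; enroll Domain Controller Authentication (step 3)"
}

foreach ($cert in $dcCerts) {
    # Flag expired certificates and those inside a 30-day renewal window.
    $state = if ($cert.NotAfter -lt $now)             { 'EXPIRED' }
             elseif ($cert.NotAfter -lt $now.AddDays(30)) { 'EXPIRES SOON' }
             else                                     { 'OK' }
    '{0,-12} {1} subject={2} expires={3:yyyy-MM-dd}' -f $state, $cert.Thumbprint, $cert.Subject, $cert.NotAfter
}
```

If part (b) reports only EXPIRED or nothing at all, the KDC cannot complete PKINIT for the virtual smart card and the workstation will log the 0xC00000BB / KDC_ERR_PADATA_TYPE_NOSUPP errors described above.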