Troubleshoot ADCS Domain Controller login issues
idemeum uses virtual smart cards for user login, so the Domain Controller must be set up with the correct certificate templates, and the domain controller certificates must not be expired.
Potential issues
If you try to access a workstation with the idemeum mobile application or an RFID badge and the login screen keeps spinning, flashes, or times out, the cause may be a misconfiguration of Microsoft Certificate Services.
- Open the Windows Event Viewer on the workstation where you cannot log in (to launch the Event Viewer, hit Start, type Event Viewer into the search box, and then click the result). Go to Windows Logs -> Security and look for the following errors:
The request is Not Supported
Reported authentication failure. Status=0xC00000BB
- The following error may be seen in the Kerberos event logs on the workstation when attempting to log in:
0x10 - KDC_ERR_PADATA_TYPE_NOSUPP: KDC has no support for padata type
Smart card logon is being attempted and the proper certificate cannot be located. This can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted.
❗
Known Error Codes: Status=0xC00000BB or 0x10 - KDC_ERR_PADATA_TYPE_NOSUPP
Resolution
The following requirements must be met for successful user authentication with an RFID badge:
- The idemeum certificate templates must be configured on the domain controller
- The Domain Controller certificate must be configured for smart card users; this is a setting in the Domain Controller Authentication certificate template
- The Domain Controller Authentication certificate must exist on all domain controllers; if it does not, you must enroll a new certificate
1. Check idemeum certificate templates
- On your domain controller, open the Run dialog and launch the mmc console
- Click File -> Add/Remove Snap-in... and then choose Certificate Templates
- Click Ok
- Expand the certificate templates and make sure the Idemeum enrollment agent and Idemeum Windows templates are present
❗
If the templates are missing, follow the configuration guide for how to set up ADCS properly.
2. Check the Domain Controller Authentication certificate template
- On your domain controller, open the Run dialog and launch the mmc console
- Click File -> Add/Remove Snap-in... and then choose Certificate Templates
- Click Ok
- Search for and double-click the Domain Controller Authentication certificate template
- Navigate to Extensions and make sure Smart Card Logon is enabled
- If Smart Card Logon is not enabled, click Edit and then Add to add Smart Card Logon to the Application Policies
3. Check the Domain Controller Authentication certificate
- On your domain controller, open the Run dialog and launch the mmc console
- Click File -> Add/Remove Snap-in... and then choose Certificates
- Click Ok
- Choose Computer account
- Choose Local computer and then click Finish
- Click Ok
- Expand Certificates (Local Computer)
- Right-click Personal, then expand All Tasks > Request New Certificate
- Click Next
- Choose Active Directory Enrollment Policy and click Next
- Select Domain Controller Authentication and click Enroll
- Click Finish
❗
Check the Microsoft guidelines for certificate renewal.
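The three checks above can also be run from PowerShell on a domain controller so that every DC can be verified the same way. This is an added example, not part of the idemeum article or product; it assumes the RSAT ActiveDirectory module is installed, that the idemeum templates are published under the display names used above (their AD cn values are an assumption), and uses the standard Microsoft Smart Card Logon EKU OID 1.3.6.1.4.1.311.20.2.2.

```powershell
# Added example (not idemeum's code): verify templates and the DC certificate.
# Run on a domain controller in an elevated PowerShell session.
Import-Module ActiveDirectory

$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon application policy
# Display names from the article; the AD cn of the idemeum templates is assumed to match
$RequiredTemplates = @('Idemeum enrollment agent', 'Idemeum Windows', 'Domain Controller Authentication')

# Steps 1 and 2: templates published in the configuration partition and their EKUs
$templateBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services," +
                (Get-ADRootDSE).configurationNamingContext
$templates = Get-ADObject -SearchBase $templateBase `
                          -Filter 'objectClass -eq "pKICertificateTemplate"' `
                          -Properties displayName, pKIExtendedKeyUsage

foreach ($name in $RequiredTemplates) {
    $t = $templates | Where-Object { $_.displayName -eq $name -or $_.Name -eq $name }
    if (-not $t) { Write-Warning "Template missing: $name"; continue }
    Write-Host "Template present: $name"
    if ($name -eq 'Domain Controller Authentication' -and
        $t.pKIExtendedKeyUsage -notcontains $SmartCardLogonEku) {
        Write-Warning "  Smart Card Logon is not in the Application Policies of '$name'"
    }
}

# Step 3: a certificate in the local computer Personal store that carries
# the Smart Card Logon EKU and has not expired
$now = Get-Date
$dcCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $eku = $_.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $eku -and ($eku.EnhancedKeyUsages | Where-Object Value -eq $SmartCardLogonEku)
}
if (-not $dcCerts) {
    Write-Warning "No certificate with the Smart Card Logon EKU in the Personal store; enroll Domain Controller Authentication"
}
foreach ($c in $dcCerts) {
    # Flag certificates that are already expired or will expire within 30 days
    $state = if ($c.NotAfter -lt $now) { 'EXPIRED' }
             elseif ($c.NotAfter -lt $now.AddDays(30)) { 'expires soon' }
             else { 'valid' }
    Write-Host ('{0} thumbprint {1} NotAfter {2:yyyy-MM-dd} [{3}]' -f $c.Subject, $c.Thumbprint, $c.NotAfter, $state)
}
```

Any warning printed maps directly to one of the three steps above; a certificate reported as EXPIRED produces the same spinning or timed-out login screen as a missing one.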