On a computer that is running Windows Server 2008 R2, you use certificate-based logon to authenticate requests for access to one or more of the following kinds of services:
- Wireless authentication
- Virtual private network (VPN)
- Smart Card-based authentication
Note: This issue occurs when the server-side certificate carries an Online Certificate Status Protocol (OCSP) URL in its Authority Information Access (AIA) extension, that is, when an OCSP responder URL is present in the certificate.
You may experience the following two issues:
- Event ID 29 may be logged in the System log on a domain controller. This event indicates that the currently selected domain controller certificate is invalid and therefore blocks smart card logon. However, you may experience this issue even when this event is not logged.
- A middle-tier server accepts certificate-based authentication and then needs to acquire a handle to the incoming credentials for impersonation. Likely scenarios include, but are not limited to:
- Internet Information Server (IIS) server
- VPN server
- Data Access Server (DAS) server
- NPS server
Example event 29:
Log Name: System
Source: Microsoft-Windows-Kerberos-Key-Distribution-Center
Event ID: 29
Task Category: None
Level: Warning
Keywords: Classic
Description:
The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.
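The following PowerShell script is an added troubleshooting example and is not part of the KB article. It ties the two diagnostic steps together: it checks the System log for Event ID 29 from the KDC, lists the machine certificates the KDC could select and reports any OCSP URLs found in their AIA extensions, and then runs the certutil.exe verification that the event text recommends. It assumes it is run elevated on the domain controller, that certutil.exe is on the PATH, and that X509Extension.Format() renders the AIA access method as "On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1)" followed by a "URL=" line, which is how Windows formats it; the candidate-certificate filter (KDC Authentication or Server Authentication EKU) is an approximation of the KDC's own selection logic, not a reproduction of it.

```powershell
# Added example, not code from the KB article. Run elevated on the DC.
# Assumptions: certutil.exe is in PATH; Format($true) output of the AIA
# extension contains the OCSP access-method OID and a "URL=" line.

$AiaOid     = '1.3.6.1.5.5.7.1.1'    # Authority Information Access
$EkuOid     = '2.5.29.37'            # Enhanced Key Usage
$OcspMethod = '1.3.6.1.5.5.7.48.1'   # id-ad-ocsp access method
$KdcAuthEku = '1.3.6.1.5.2.3.5'      # KDC Authentication
$ServerAuth = '1.3.6.1.5.5.7.3.1'    # Server Authentication

# Return every OCSP responder URL carried in the certificate's AIA extension.
function Get-OcspUrls {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $aia = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $AiaOid }
    if (-not $aia) { return @() }
    $urls   = @()
    $inOcsp = $false
    # Format($true) prints one access description per block: an
    # "Access Method=" line followed by its "URL=" line(s).
    foreach ($line in ($aia.Format($true) -split "`r?`n")) {
        if ($line -match 'Access Method=') {
            $inOcsp = ($line -match [regex]::Escape($OcspMethod)) -or
                      ($line -match 'Certificate Status Protocol')
        } elseif ($inOcsp -and $line -match 'URL=(\S+)') {
            $urls += $matches[1]
        }
    }
    return $urls
}

# Approximation of the KDC's choice: a private-key cert whose EKU lists
# KDC Authentication or Server Authentication.
function Test-KdcCandidate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return $false }
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuOid }
    if (-not $eku) { return $false }
    $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    return ($oids -contains $KdcAuthEku) -or ($oids -contains $ServerAuth)
}

# 1. Has the KDC already logged Event ID 29?
$events = @(Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 29
} -MaxEvents 5 -ErrorAction SilentlyContinue)
if ($events.Count -gt 0) {
    'Event ID 29 logged {0} time(s); latest at {1}' -f $events.Count, $events[0].TimeCreated
} else {
    'No Event ID 29 in the System log (the issue can still occur without it).'
}

# 2. Which machine certificates could the KDC pick, and which carry OCSP URLs?
$candidates = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { Test-KdcCandidate $_ })
$candidates | ForEach-Object {
    New-Object PSObject -Property @{
        Thumbprint = $_.Thumbprint
        Subject    = $_.Subject
        NotAfter   = $_.NotAfter
        OcspUrls   = ((Get-OcspUrls $_) -join '; ')
    }
} | Format-Table Thumbprint, Subject, NotAfter, OcspUrls -AutoSize

# 3. Verify the newest candidate the way the event text recommends.
#    -urlfetch makes certutil actually contact the CRL/OCSP URLs.
$cert = $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1
if ($cert) {
    $path = Join-Path $env:TEMP ('kdc-{0}.cer' -f $cert.Thumbprint)
    [IO.File]::WriteAllBytes($path, $cert.Export('Cert'))
    certutil.exe -verify -urlfetch $path
} else {
    'No certificate with a KDC Authentication or Server Authentication EKU was found.'
}
```

Read the certutil output from the bottom up: a revocation-status failure or an OCSP responder that cannot be reached points at the OCSP URL reported in step 2, while a chain or name-constraint error means the certificate itself is the problem and re-enrolling, as the event text suggests, is the fix.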