Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

You cannot use a smart card certificate to log on to a domain from a Windows Vista-based client computer


View products that this article applies to.

Symptoms

In a Windows 2008-based domain that is using the Active Directory directory service, you enable a client computer to use smart card authentication to log on to the domain. However, when you try to log on to the domain from a Windows Vista-based client computer, the logon process may fail, and you may receive the following error message:
No valid certificates found.
Check that the card is inserted
This issue occurs if the smart card certificate does not contain Microsoft Extended Key Usage (EKU). Additionally, if you have installed the hotfix that is mentioned in Microsoft Knowledge Base article 955558 on the client computer, you may receive the following error message:
Your credentials could not be verified.
This issue occurs because the Kerberos Key Distribution Center (KDC) cannot validate the certificate chain if the correct EKU is not present.

↑ Back to the top


Cause

The issue occurs because the Kerberos Key Distribution Center (KDC) does not accept the client authentication EKU as expected.

During the client-side certificate verification, the KDC server checks the client EKU. If the client authentication EKU is neither the Microsoft smart card EKU nor the Public Key Cryptography for the Initial Authentication (PKINIT) client Authentication EKU, as defined in the PKINIT RFC 4556, authentication fails.

↑ Back to the top


Resolution

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.


Important Windows Vista and Windows Server 2008 hotfixes are included in the same packages. However, only one of these products may be listed on the “Hotfix Request” page. To request the hotfix package that applies to both Windows Vista and Windows Server 2008, just select the product that is listed on the page.

Prerequisites

To apply this hotfix, install the hotfix on the Windows Server 2008-based KDC server to resolve this problem.

Note The hotfix that is described by this Microsoft Knowledge Base article only fixes the server side. You must also install the hotfix that is described in 955558 on the client computer.

Restart requirement

You have to restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace any other previously released hotfixes.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

Windows Vista and Windows Server 2008 file information notes

The MANIFEST files (.manifest) and MUM files (.mum) installed for each environment are listed separately. MUM and MANIFEST files, and the associated security catalog (.cat) files, are important to maintaining the state of the updated component. The security catalog files (attributes not listed) are signed with a Microsoft digital signature.
For all supported x86-based versions of Windows Server 2008
File nameFile versionFile sizeDateTimePlatform
Kdcsvc.dll6.0.6001.22307311,29612-Nov-200805:28x86
Kdcsvc.mofNot Applicable5,30018-Dec-200721:27Not Applicable
For all supported x64-based versions of Windows Server 2008
File nameFile versionFile sizeDateTimePlatform
Kdcsvc.dll6.0.6001.22307404,99212-Nov-200806:03x64
Kdcsvc.mofNot Applicable5,30018-Dec-200721:27Not Applicable

↑ Back to the top


Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top


References

For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
291010 Requirements for domain controller certificates from a third-party CA


955558 You cannot use a smart card certificate to log on to a domain from a Windows Vista-based or a Windows Server 2008-based client computer

↑ Back to the top


More Information

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

Additional file information for Windows Server 2008

Additional files for all supported x86-based versions of Windows Server 2008
File namePackage_for_kb959887_sc_0~31bf3856ad364e35~x86~~6.0.1.0.mum
File versionNot Applicable
File size1,430
Date (UTC)12-Nov-2008
Time (UTC)21:18
File namePackage_for_kb959887_sc~31bf3856ad364e35~x86~~6.0.1.0.mum
File versionNot Applicable
File size1,422
Date (UTC)12-Nov-2008
Time (UTC)21:18
File namePackage_for_kb959887_server_0~31bf3856ad364e35~x86~~6.0.1.0.mum
File versionNot Applicable
File size1,427
Date (UTC)12-Nov-2008
Time (UTC)21:18
File namePackage_for_kb959887_server~31bf3856ad364e35~x86~~6.0.1.0.mum
File versionNot Applicable
File size1,430
Date (UTC)12-Nov-2008
Time (UTC)21:18
File nameX86_3b4614c27e93e72d332d54b56ce7e9da_31bf3856ad364e35_6.0.6001.22307_none_a64617cf4e815743.manifest
File versionNot Applicable
File size720
Date (UTC)12-Nov-2008
Time (UTC)21:18
File nameX86_microsoft-windows-k..distribution-center_31bf3856ad364e35_6.0.6001.22307_none_8c486aedad582e65.manifest
File versionNot Applicable
File size42,276
Date (UTC)12-Nov-2008
Time (UTC)08:25
Additional files for all supported x64-based versions of Windows Server 2008
File nameAmd64_3929ca5251e14310415056ae12fb5733_31bf3856ad364e35_6.0.6001.22307_none_202c1cc021041400.manifest
File versionNot Applicable
File size724
Date (UTC)12-Nov-2008
Time (UTC)21:18
File nameAmd64_microsoft-windows-k..distribution-center_31bf3856ad364e35_6.0.6001.22307_none_e867067165b59f9b.manifest
File versionNot Applicable
File size42,320
Date (UTC)12-Nov-2008
Time (UTC)08:56
File namePackage_for_kb959887_sc_0~31bf3856ad364e35~amd64~~6.0.1.0.mum
File versionNot Applicable
File size1,438
Date (UTC)12-Nov-2008
Time (UTC)21:18
File namePackage_for_kb959887_sc~31bf3856ad364e35~amd64~~6.0.1.0.mum
File versionNot Applicable
File size1,430
Date (UTC)12-Nov-2008
Time (UTC)21:18
File namePackage_for_kb959887_server_0~31bf3856ad364e35~amd64~~6.0.1.0.mum
File versionNot Applicable
File size1,435
Date (UTC)12-Nov-2008
Time (UTC)21:18
File namePackage_for_kb959887_server~31bf3856ad364e35~amd64~~6.0.1.0.mum
File versionNot Applicable
File size1,438
Date (UTC)12-Nov-2008
Time (UTC)21:18
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.

↑ Back to the top


Keywords: kb, kbsurveynew, kbautohotfix, kbexpertiseadvanced, kbfix, kbqfe, kbhotfixserver

↑ Back to the top

Article Info
Article ID : 959887
Revision : 1
Created on : 1/7/2017
Published on : 10/8/2011
Exists online : False
Views : 248