Smart Card Support for TLS Client Authentication Enhanced Key Usage

Applies To: Windows 7, Windows Server 2008 R2

Symptom

In a Windows Server 2008 R2-based or Windows Server 2008-based domain that is using Active Directory Domain Services (AD DS), you enable a client computer to use smart card authentication to log on to the domain. However, when users try to log on to the domain from a Windows Vista-based, Windows Server 2008-based, or Windows 7-based client computer, the logon process may fail.

Cause

This issue occurs if the smart card certificate does not contain Microsoft enhanced key usage (EKU). You receive the following error message: "No valid certificates found. Check that the card is inserted."

Resolution

To be able to authenticate a smart card logon with a certificate whose EKU is Transport Layer Security (TLS) client authentication, all domain controllers must be running Windows Server 2008 with hotfix 959887 or Windows Server 2008 R2. For more information, see article 959887 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=160495). Domain controllers that are running a version of Windows earlier than Windows Server 2008, or Windows Server 2008 without hotfix 959887, cannot use a certificate that has this EKU. If hotfix 955558 is installed on the client computer but hotfix 959887 is not installed on the domain controller, you receive the following error message: "Your credentials could not be verified."
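To see which EKUs a smart card certificate actually carries before troubleshooting the domain controllers, the following added example (not part of this article and not Microsoft code) decodes the DER value of the X.509 Extended Key Usage extension and maps the result to the outcomes described above. The OIDs for TLS client authentication (1.3.6.1.5.5.7.3.2) and Microsoft Smart Card Logon (1.3.6.1.4.1.311.20.2.2) are the standard values; the sample DER bytes are constructed for the example.

```python
# Decode an X.509 Extended Key Usage extension value (DER: SEQUENCE OF OBJECT IDENTIFIER)
# and report which of the EKUs relevant to Windows smart card logon are present.

CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"            # id-kp-clientAuth (TLS client authentication)
SMART_CARD_LOGON = "1.3.6.1.4.1.311.20.2.2"  # Microsoft Smart Card Logon EKU

def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the DER TLV at buf[pos]; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Decode the content octets of a DER OBJECT IDENTIFIER into dotted-decimal form."""
    first = value[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    acc = 0
    for b in value[1:]:                     # base-128 arcs, high bit set on all but the last octet
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)

def parse_eku(der):
    """Return the list of dotted OIDs contained in an EKU extension value."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("EKU extension value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("EKU SEQUENCE may contain only OBJECT IDENTIFIERs")
        oids.append(decode_oid(value))
    return oids

def classify(oids):
    """Map the EKU set to the logon outcome this article describes."""
    if SMART_CARD_LOGON in oids:
        return "smart-card-logon-eku"        # accepted by all domain controllers
    if CLIENT_AUTH in oids:
        return "client-auth-eku-only"        # needs DCs with hotfix 959887 or Windows Server 2008 R2
    return "no-usable-eku"                   # "No valid certificates found" at the logon screen

# Constructed sample: an EKU extension value listing clientAuth and Smart Card Logon.
SAMPLE_EKU_DER = bytes.fromhex(
    "3016"                          # SEQUENCE, 22 content bytes
    "06082b06010505070302"          # OID 1.3.6.1.5.5.7.3.2 (clientAuth)
    "060a2b060104018237140202"      # OID 1.3.6.1.4.1.311.20.2.2 (Smart Card Logon)
)
```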

To be able to select the smart card from the logon screen, all client computers must be running one of the following operating systems: