Event ID 13 — Kerberos Smart Card Configuration

Applies To: Windows Server 2008

The Kerberos client can be configured to use smart card authentication for user accounts on an organization's network.

Event Details

Product: Windows Operating System
ID: 13
Source: Microsoft-Windows-Security-Kerberos
Version: 6.0
Symbolic Name: KERBEVT_CREDMAN_CARD_ERROR
Message: While using your smartcard for the Credential Manager the Kerberos subsystem encountered an error that appears to be from a missing or incorrect smartcard PIN. To remedy, launch the Stored User Names and Passwords control panel applet, and reenter the pin for the credential for %1%2%3.

Resolve

Change the stored PIN

If your personal identification number (PIN) has changed and is stored on the local computer, you must change the stored PIN to the new PIN. You can change the stored PIN by using Stored User Names and Passwords.

To change the stored PIN by using Stored User Names and Passwords:

  1. Click Start, and then click Control Panel.
  2. Double-click User Accounts.
  3. Click Manage User Accounts.
  4. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  5. Click the Advanced tab, and then click Manage Passwords.
  6. In the Stored User Names and Passwords dialog box, click the appropriate user account, and then click Edit.
  7. In the Password box, type the correct PIN, and then click OK.
  8. Click Close.

Verify

To verify that the smart card is working properly, you should reconnect to your organization's network by using smart card authentication. Once you are connected to your organization's network, you should verify that the Kerberos ticket was created successfully by using the Klist command-line tool. Klist is used to list all cached Kerberos tickets present on the computer.

Note: Klist.exe is not included with Windows Vista, Windows Server 2003, Windows XP, or Windows 2000. You must download and install the Windows Server Resource Kit before you can use Klist.exe.

To list all cached Kerberos tickets by using Klist:

  1. Log on to the Kerberos client.
  2. Click Start, point to All Programs, click Accessories, and then click Command Prompt.
  3. Type klist tickets, and then press ENTER.
  4. Verify that a cached Kerberos ticket is available.
    • Ensure that the Client field displays the client on which you are running Klist.
    • Ensure that the Server field displays the domain to which you are connecting.
  5. Close the command prompt.
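
The verification above can also be scripted. The following is an added example, not part of the original article: it searches the System log for recent Event ID 13 entries from Microsoft-Windows-Security-Kerberos and then reads the Client and Server fields from the klist tickets output. It assumes PowerShell 2.0 or later is installed and Klist.exe is on the path; the LookbackHours parameter and the joining of the event's properties into the credential name (%1%2%3) are assumptions made for illustration.

```powershell
# Added example (not from the original article).
# Assumes PowerShell 2.0+ (Get-WinEvent) and klist.exe available on the PATH.
param(
    [int]$LookbackHours = 24   # hypothetical parameter: how far back to search
)

# Look for Event ID 13 from the Kerberos provider in the System log.
$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Security-Kerberos'
    Id           = 13
    StartTime    = (Get-Date).AddHours(-$LookbackHours)
}
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Output "No Event ID 13 recorded in the last $LookbackHours hour(s)."
} else {
    # Assumption: the event's properties hold the %1%2%3 insertion strings
    # that name the stored credential whose PIN must be re-entered.
    $events | Sort-Object TimeCreated -Descending |
        Select-Object TimeCreated,
            @{ Name = 'Credential'
               Expression = { ($_.Properties | ForEach-Object { $_.Value }) -join '' } } |
        Format-Table -AutoSize
}

# List cached tickets and pair each Client field with its Server field.
$tickets = @()
$client = $null
foreach ($line in (& klist.exe tickets 2>&1)) {
    if ($line -match 'Client:\s*(.+)$') {
        $client = $Matches[1].Trim()
    } elseif ($client -and $line -match 'Server:\s*(.+)$') {
        $tickets += New-Object PSObject -Property @{
            Client = $client
            Server = $Matches[1].Trim()
        }
        $client = $null
    }
}

if ($tickets.Count -eq 0) {
    Write-Warning 'No cached Kerberos tickets found for this logon session.'
} else {
    $tickets | Format-Table Client, Server -AutoSize
}
```

Run it in the same logon session that used the smart card, because Klist lists only the tickets cached for the current session.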
