Event ID 21 — Kerberos Smart Card Authentication

Applies To: Windows Server 2008

Kerberos authentication can be accomplished by using smart card authentication.

Event Details

Product: Windows Operating System
ID: 21
Source: Microsoft-Windows-Kerberos-Key-Distribution-Center
Version: 6.0
Symbolic Name: KDCEVENT_INVALID_CLIENT_CERTIFICATE
Message: The client certificate for the user %1\%2 is not valid, and resulted in a failed smartcard logon. Please contact the user for more information about the certificate they're attempting to use for smartcard logon. The chain status was : %3

Resolve

Reissue a smart card logon certificate

When logging on to a computer or a virtual private network (VPN) by using a smart card, the client certificate must be valid. If the client certificate is not valid, the smart card logon will fail. To resolve this issue, you must reissue the smart card logon certificate.

Note: The user who has a smart card logon certificate that is no longer valid is identified in the event log message.

To perform this procedure, you must be an enrollment agent for the domain, or you must have been delegated the appropriate authority.

To reissue a smart card logon certificate:

  1. In a Web browser, navigate to the certification authority (CA) that issues smart card certificates for your organization.
  2. Click Request a certificate, and then click Advanced certificate request.
  3. Click Request a certificate for a smart card on behalf of another user using the smart card certificate enrollment station. If you are prompted to accept the smart card signing certificate, click Yes.
  4. On the Smart Card Certificate Enrollment Station Web page, in Certificate Template, click Smart Card Logon.
  5. In Certification Authority, click the name of the CA you want to issue the smart card certificate.
  6. In Cryptographic Service Provider, select the cryptographic service provider (CSP) of the smart card's manufacturer.
  7. In Administrator Signing Certificate, click the Enrollment Agent certificate that will sign the enrollment request.
  8. In User To Enroll, click Select User, select the appropriate user account, and then click Enroll.
  9. When prompted, insert the smart card into the smart card reader on your computer, and then click OK.
  10. Enter the personal identification number (PIN) for the smart card.
  11. Click Yes, confirming that you want to replace the existing credentials on the smart card.

Verify

To verify that the certificate on the smart card is valid, log on to a computer by using smart card authentication. If authentication is successful, the certificate on the smart card is working properly.

Kerberos Smart Card Authentication

Core Security