Support for smart card logon with the Enhanced Key Usage for Transport Layer Security Client Authentication

Applies To: Windows 7, Windows Server 2008 R2


This article applies to the following operating systems:

  • Windows Vista®, SP1, SP2

  • Windows 7®

  • Windows Server® 2008

  • Windows Server® 2008 R2

Symptoms

In a Windows Server 2008 R2-based or Windows Server 2008-based domain that is using the directory service provided by Active Directory, it is possible to enable a client computer to use smart card authentication with TLS Client Authentication certificates to log on to the domain. However, when you try to log on to the domain from a computer running Windows Vista, Windows Server 2008, or Windows 7, the logon process may fail.

Cause

This issue occurs if the smart card certificate does not contain a supported Extended Key Usage (EKU). In that case you receive the error message "No valid certificates found. Check that the card is inserted."

Resolution

To use the smart card logon with EKU for Transport Layer Security (TLS) Client Authentication feature, all domain controllers must be running Windows Server 2008 with hotfix 959887 or Windows Server 2008 R2. For more information, see Microsoft Knowledge Base Article 959887 (https://go.microsoft.com/fwlink/?LinkId=160495). Down-level domain controllers cannot use a certificate with this EKU. If hotfix 955558 is installed on the client but hotfix 959887 is not installed on the domain controller, you receive the error message "Your credentials could not be verified."
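As an added diagnostic that is not part of this article, the following PowerShell script reads the EKU extension of a certificate and reports which of the cases above applies: the standard Smart Card Logon EKU is present, only the TLS Client Authentication EKU is present (so the domain controller requirement above applies), or no supported EKU is present. It assumes the certificate is either exported to a .cer file passed as -CertPath or visible in the CurrentUser\My store; the object identifiers are the standard ones and are not taken from the article.

```powershell
# Added diagnostic for the EKU cause described above; not part of the KB article.
# Assumes a certificate exported to a .cer file (pass -CertPath); otherwise every
# certificate in the CurrentUser\My store is checked.
param([string]$CertPath)

# Standard object identifiers (RFC 5280 and Microsoft), not taken from the article.
$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon
$ClientAuthOid     = '1.3.6.1.5.5.7.3.2'        # TLS Client Authentication
$EkuExtensionOid   = '2.5.29.37'                # extKeyUsage extension

function Get-SmartCardLogonEkuStatus {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # .NET exposes the extKeyUsage extension as X509EnhancedKeyUsageExtension,
    # so the OID collection is available directly on the extension object.
    $ekuExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuExtensionOid }
    $oids = @()
    if ($ekuExt) { $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    if ($oids -contains $SmartCardLogonOid) {
        $verdict = 'OK: Smart Card Logon EKU present; the hotfix requirement in this article does not apply.'
    } elseif ($oids -contains $ClientAuthOid) {
        $verdict = 'CONDITIONAL: only TLS Client Authentication EKU; every domain controller must be ' +
                   'Windows Server 2008 with hotfix 959887 or Windows Server 2008 R2, otherwise expect ' +
                   '"Your credentials could not be verified".'
    } else {
        $verdict = 'FAIL: no supported EKU; expect "No valid certificates found. Check that the card is inserted."'
    }

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        Ekus       = ($oids -join ', ')
        Verdict    = $verdict
    }
}

if ($CertPath) {
    $certs = @(New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath)
} else {
    $certs = Get-ChildItem Cert:\CurrentUser\My
}

$certs | ForEach-Object { Get-SmartCardLogonEkuStatus -Cert $_ } | Format-List
```

A certificate with no EKU extension at all is reported as FAIL; the script checks only the EKU condition named in the Cause section, not the other certificate requirements for smart card logon.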

To be able to select the smart card from the logon screen, all client computers must be running one of the following operating systems: