AD Troubleshooting
AD and Domain-related issues and troubleshooting methods for Active Directory.
Tagged Content List: smartcards
Blog Post: TPM-CSP Autoenrollment failing with 0x8010002e SCARD_E_NO_READERS_AVAILABLE (Ingolfur Arnar Stangeland, 27 Dec 2012)
We're attempting to enroll for certificates using a TPM chip on a laptop - it fails when autoenrollment is involved but works when done manually via the MMC. According to http://msdn.microsoft.com/en-us/library/bb905527.aspx on the Smart Card Resource Manager service: “ By default, the...

Blog Post: Why am I seeing LsaSrv 45058 events on my client? (Ingolfur Arnar Stangeland, 15 Nov 2012)
From Julio: I recently installed a new server running Windows 2008 R2 (as a DC) and the related computers running Windows 7 Pro. The computers are joined to the domain. In a computer, which is shared by two users (userA and UserB), I see the following event on the Event Viewer while userA was logged...

Blog Post: XP and W2k3 Clients are by default unable to enroll from W2k12 CA servers (Ingolfur Arnar Stangeland, 11 Nov 2012)
RPC Packet-level Authentication is by default turned on in Windows 2012 CAs. This can also be turned on in W2k8+ but defaults to off there. ..... From http://technet.microsoft.com/library/hh831373 When a certificate request is received by a certification authority (CA), encryption...

Blog Post: The tale of the phantom cached logon entry (Ingolfur Arnar Stangeland, 23 Oct 2012)
We're logging on with smartcards to our laptops but we've recently discovered that you're also able to perform cached logons on to the laptops using a username/password combination even if you've only ever logged on using smartcards! This is by design, smartcard logons generate a secondary logon that...

Blog Post: How to identify if your ADCS has issued any certificates with public keys <1024 bits (in preparation for KB2661254) (Ingolfur Arnar Stangeland, 3 Aug 2012)
On August 14th October 14th an update will be released that will by default affect chain validation for public keys that are 1023 bits or less - please read http://blogs.technet.com/b/pki/archive/2012/06/12/rsa-keys-under-1024-bits-are-blocked.aspx and http://blogs.technet.com/b/pki/archive/2012/07/13...

Blog Post: The certificate template requires too many RA signatures (Ingolfur Arnar Stangeland, 24 May 2012)
After copying the default Smartcard Logon or Smartcard User certificate template on a Windows 2008 R2 CA server, the template may not show up as selectable during Enroll on Behalf Of operations such as EOBO smartcard enrollment. Clicking 'Show all templates' you may see the following error message...

Blog Post: Controlling CSP selection during autoenrollment through the pKIDefaultCSPs attribute (Ingolfur Arnar Stangeland, 9 May 2012)
Now that I've switched roles within Microsoft I will also be posting occasionally on the Swedish PFE Platforms blog on http://blogs.technet.com/pfesweplat . Posted http://blogs.technet.com/b/pfesweplat/archive/2012/05/08/controlling-csp-selection-during-autoenrollment-through-the-pkidefaultcsps-attribute...

Blog Post: Cheat sheet for Smartcard Redirection on W2k8 R2 RDP servers (Ingolfur Arnar Stangeland, 16 Apr 2012)
Available Updates for Remote Desktop Services (Terminal Services) in Windows Server 2008 R2 http://support.microsoft.com/kb/2601888 Latest BaseCSP.DLL (as of April 2012): You may wait for up to 30 seconds when you use a smart card to unlock a computer that is running Windows 7 or Windows Server...

Blog Post: New hotfix for intermittent OCSP revocation failure issues on domain controllers available (Ingolfur Arnar Stangeland, 14 Mar 2012)
A new hotfix for Cryptnet.dll on Windows Server 2008 R2 has been released which covers a scenario which could cause a Domain Controller (or any service doing frequent revocation checking of certificates, such as NPS or ISA Server) to get into a state where revocation checks started failing. The revocation...

Blog Post: Alternative methods to getting a standalone CA to issue smartcard certificates (Ingolfur Arnar Stangeland, 8 Mar 2012)
We want to implement a smartcard solution but we're not ready for an implementation internally. We considered implementing a standalone CA to avoid making changes to the Configuration partition but as it isn't able to issue smartcard certificates we're now considering a 3rd party solution instead. ...

Blog Post: Event ID 16944 - Certificate OID error on Domain Controllers during a successful smartcard logon (Ingolfur Arnar Stangeland, 6 Mar 2012)
We're getting event ID 16944 events logged on our DCs every time a user logs on with a smartcard that was issued by a 3rd party CA. We're not seeing any other issues and the smartcard logon succeeds but we are concerned about *why* we are seeing this event. This is an informative event only (i.e...

Blog Post: Using S/MIME certificates for non-repudiation (Ingolfur Arnar Stangeland, 15 Feb 2012)
Our current S/MIME certificate based on the User template allows users to both encrypt and sign email, I have however been tasked with making sure our S/MIME certificates comply with our organizational requirements for non-repudiation. The current certificate based on the User template is being archived...

Blog Post: Deconstructing the KDC certificate processing functionality (Ingolfur Arnar Stangeland, 2 Feb 2012)
For a DC to be able to service smartcard logons the DC must have a valid and suitable certificate present in the personal store of the computer account. This is typically autoenrolled for whenever a Windows CA server has been installed into the AD environment. The KDC service on W2k8 R2 monitors the...

Blog Post: For configuration <CAName>, Online Responder revocation provider either has no CRL information or has stale CRL information (Ingolfur Arnar Stangeland, 9 Dec 2011)
This is typically related to the CRLs of the issuing CA or Root CA having expired in their current CDP location. To resolve it check that all CAs are able to publish base CRLs and Delta CRLs to the locations defined on the OCSP Responder's cert for that configuration. Another scenario is if...

Blog Post: CAPI2 event ID 11 retake (Ingolfur Arnar Stangeland, 27 Sep 2011)
A customer put the following questions to one of my colleagues: On a lot of our Windows 7 clients we've noticed they periodically try to download a CAB file from Windows Update, but as our workstations are required to access the Internet via Proxy and they aren't able to authenticate against it the...

Blog Post: Event ID 29 when starting KDC service on Windows Server 2008 R2 DCs (Ingolfur Arnar Stangeland, 12 Sep 2011)
I got the following escalation the other week: We're getting Event ID 29 on our new W2k8 R2 DCs - our W2k3 DCs in the same domain that do not get any error use Domain Controller Authentication certificates from the same SubCA and running certutil -verify -urlfetch...

Blog Post: Using Wevtutil to capture and view the CAPI2 Operational log (Ingolfur Arnar Stangeland, 9 Sep 2011)
CAPI2 events are logged to Application Logs\Microsoft\Windows\CAPI2\Operational. However, CAPI2 logging is off by default due to performance reasons. To enable CAPI2 Operational logging: wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true To clear the log so we only get the...

Blog Post: The effect on Cached Logons when Smart Card is required for interactive logon is set (Ingolfur Arnar Stangeland, 29 Aug 2011)
I had a very interesting escalation last week: We want to require our users to log on to our Windows 7 workstations with smartcards when they are connected to the corporate network but we also want to allow them to logon using their previous username/password combination when offline. This isn't working...

Blog Post: Credential Roaming and NTDS.dit bloat (Ingolfur Arnar Stangeland, 14 Jun 2011)
Following up on a previous post about Credential Roaming (aka DIMS): http://blogs.technet.com/b/instan/archive/2009/05/26/considerations-for-implementing-credential-roaming.aspx With a recent DCR to Windows 7 & W2k8 R2 ( http://support.microsoft.com/kb/2520487 ) it is now possible to filter out...

Blog Post: ADCS CA Server disaster recovery steps when smartcard logon is required but no valid CRL can be published (Ingolfur Arnar Stangeland, 23 May 2011)
Consider the following disaster recovery scenario: The CA has become temporarily unavailable, the current CRL and Delta CRL have expired and revocation checking is failing which is preventing smartcard logons. You have the private/public key pair of the CA certificate available and...

Blog Post: Smartcard logon using certificates from a 3rd party on a Domain Controller and KDC Event ID 29 (Ingolfur Arnar Stangeland, 17 May 2011)
I was looking at the Windows Server 2008 R2 KDC architecture with my colleague Jan earlier today concerning an issue when using smart cards with 3rd party domain controller certificates. Our customer that Jan was working with had requested and received a certificate for their DC from Verisign but...

Blog Post: Why is autoenrollment only happening if initiated manually through the MMC? (Ingolfur Arnar Stangeland, 13 Apr 2011)
We resolved the following case recently: On our W2k8 R2 Domain Controllers, autoenrollment is not working even if all the permissions are correct and the CAs are allowed to issue the correct templates. The funny thing is that if we open the Certificates MMC snap-in, right-click the Certificates...

Blog Post: Need to implement a test CA from scratch? (Ingolfur Arnar Stangeland, 7 Apr 2011)
In that case, check out the Test Lab Guide: Base Configuration documentation: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=ab6c61af-9c34-4692-815c-4396b482d31b&displayLang=en

Blog Post: Why can't I see my local smartcard readers when I connect via RDP? (Ingolfur Arnar Stangeland, 27 Mar 2011)
The way smartcard redirection works is that there is a code snippet in Winscard.dll that is only invoked at the point in time when it loads. If Winscard is being loaded in a Terminal Session - all calls to that specific instance of Winscard are redirected to Winscard.dll on the host initiating...

Blog Post: Smartcard Redirection Diaries (Ingolfur Arnar Stangeland, 24 Mar 2011)
Last month we finally closed two bugs that I've been engaged in on and off for well over a year and released two related hotfixes in the February hotfix release batch. In late 2009, our Professional Support team got the following case from one of our ISV Partners (an established provider of security...

Page 1 of 2 (37 items)