Ever since changing to Windows 11 we have some workstations that now and then try to connect via smart card, but we don't use smart cards.
The event occurs with the computer's account, not a user's account, which is also interesting.
Event ID: AUDIT_FAILURE(4771)
Domain: [Domain/Server]
SID: [sid]
Account Name: [computer account (not user account)]
Service Name: krbtgt/[domain]
Client Address: [ip]
Port: [port]
Ticket Options: 0x40810010
Failure Code: 0x10
Pre Auth Type: 16
Ticket Options:
0x40810010 - Forwardable, Renewable, Canonicalize, Renewable-ok
1 - Forwardable - (TGT only). Tells the ticket-granting service that it can issue a new TGT—based on the presented TGT—with a different network address based on the presented TGT.
8 - Renewable - Used in combination with the End Time and Renew Till fields to cause tickets with long life spans to be renewed at the KDC periodically.
15 - Name-canonicalize - To request referrals, the Kerberos client MUST explicitly request the "canonicalize" KDC option for the AS-REQ or TGS-REQ.
27 - Renewable-ok - The RENEWABLE-OK option indicates that a renewable ticket will be acceptable if a ticket with the requested life cannot otherwise be provided, in which case a renewable ticket may be issued with a renew-till equal to the requested end time. The value of the renew-till field may still be limited by local limits, or limits selected by the individual principal or server.

Failure Code:
0x10 - KDC_ERR_PADATA_TYPE_NOSUPP - KDC has no support for PADATA type (pre-authentication data)
Smart card logon is being attempted and the proper certificate cannot be located. This problem can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller. It can also happen when a domain controller doesn't have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates).

Pre Auth Type:
16 - PA-PK-AS-REQ - Request sent to KDC in Smart Card authentication scenarios.

I would like to get it to stop, but I have been having difficulty nailing it down.
Wanted to see if anyone else has run into something similar and found a solution.
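
An added example, not part of the original post: a small Python triage script that decodes the Ticket Options mask quoted above and counts 4771 failures with code 0x10 and pre-auth type 16 per computer account and client address. The dictionary keys are assumed to mirror the event's exported data fields (TargetUserName, IpAddress, Status, PreAuthType), and the sample records are constructed.

```python
from collections import Counter

# Names for the four bits the post lists; any other set bit is shown by number.
KDC_OPTION_BITS = {1: "Forwardable", 8: "Renewable",
                   15: "Name-canonicalize", 27: "Renewable-ok"}

def decode_ticket_options(value):
    """Flag names set in a 32-bit Ticket Options value.

    Bits count from the most significant end (bit 0 = 0x80000000), so
    0x40000000 is bit 1 and 0x00000010 is bit 27.
    """
    return [KDC_OPTION_BITS.get(bit, f"bit {bit}")
            for bit in range(32) if value & (1 << (31 - bit))]

def is_machine_pkinit_failure(ev):
    """4771 where a computer account ($) sent PA-PK-AS-REQ and got 0x10."""
    return (ev["EventID"] == 4771 and ev["TargetUserName"].endswith("$")
            and int(ev["Status"], 16) == 0x10
            and int(ev["PreAuthType"]) == 16)

def summarize(events):
    """Count matching failures per (computer account, client address)."""
    hits = Counter((ev["TargetUserName"], ev["IpAddress"])
                   for ev in events if is_machine_pkinit_failure(ev))
    return hits.most_common()

# Constructed sample records (hypothetical hosts and addresses), not real logs.
SAMPLE_EVENTS = [
    {"EventID": 4771, "TargetUserName": "WS-0142$", "IpAddress": "10.0.5.21",
     "TicketOptions": "0x40810010", "Status": "0x10", "PreAuthType": "16"},
    {"EventID": 4771, "TargetUserName": "jdoe", "IpAddress": "10.0.5.33",
     "TicketOptions": "0x40810010", "Status": "0x18", "PreAuthType": "2"},
    {"EventID": 4771, "TargetUserName": "WS-0142$", "IpAddress": "10.0.5.21",
     "TicketOptions": "0x40810010", "Status": "0x10", "PreAuthType": "16"},
    {"EventID": 4771, "TargetUserName": "WS-0077$", "IpAddress": "10.0.5.40",
     "TicketOptions": "0x40810010", "Status": "0x10", "PreAuthType": "16"},
]

if __name__ == "__main__":
    print(decode_ticket_options(0x40810010))
    for (account, addr), count in summarize(SAMPLE_EVENTS):
        print(f"{account} from {addr}: {count} failure(s)")
```

Grouping by account and address shows whether the failures come from a few specific workstations or from every Windows 11 machine, which narrows where to look next.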