"Signing in with a smart card isn't supported for your account"

duct_tape_coder

9/1/24, 6:41 PM

We ran into an issue today where suddenly none of our users could log into their workstations using Smart Cards. The error occurred with a fresh logon or after a 'switch user' but not when logging on after locking the workstation.

Users were able to work around the issue by disconnecting the network cable, authenticating, and then reconnecting the cable.

We went through the usual suspects:

Verified the user account was not locked/disabled/expired and that the UPN was set correctly
The smart cards were still good and had valid certificate information on then.
The smart card middleware was correctly installed, running, and working.
Valid/unexpired CRLs were available to Workstations and DCs
Made sure that time on the workstations and domain controllers were synchronized properly
Domain controllers were online, correctly replicating AD DS and SYSVOL, and no significant errors in the logs

1 + 0

active-directory

smartcard

ssl-certificate

Score:0

Server

duct_tape_coder

9/1/24, 6:41 PM

In the end our issue turned out to be expired Kerberos Authentication Certificates on the DCs for the user site. DCs at other sites were working correctly but the site DCs had stopped serving LDAPS because the certs had expired.

+ 1

Greg Askew

9/1/24, 7:56 PM

FYI - errors about the expired certificate should be available in the CAPI2 event log. Probably on both client and DC. Windows also logs warnings in the Application event log a few weeks before expiration.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: "Signing in with a smart card isn't supported for your account"

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.