Failure to log on to Windows XP using a smart card in a Windows 2003 domain: Kerberos events 8 or 9 logged on clients and KDC event 21 on DCs

Problem scenario:
In Windows XP, at times a large number of users are unable to log on with a smart card, while logging on with a user name and password appears to work normally.

On the client, the following events may be seen (System log):

  • Kerberos event 8:
    Event Type: Error
    Event Source: Kerberos
    Event Category: None
    Event ID: 8
    Date: 08/19/2010
    Time: 2:28:29 PM
    User: N/A
    Computer: <MachineName>
    Description:
    The Domain Controller rejected the client certificate used for smartcard logon.
    The error data contains the information returned from the certificate validation
    process. Contact your system administrator to determine why your smartcard logon
    certificate is invalid.
    For more information, see Help and Support Center at
    <https://go.microsoft.com/fwlink/events.asp>.
    Data:
    0000: 13 20 09 80 . .?
    This event means that the user certificate was rejected by the Domain controller.
  • Kerberos event 9:
    Event Type: Error
    Event Source: Kerberos
    Event Category: None
    Event ID: 9
    Date: 08/18/2010
    Time: 8:45:49 AM
    User: N/A
    Computer: <MachineName>
    Description:
    The client has failed to validate the Domain Controller certificate for
    <DC_Name>.domain.com. The following error was returned from the certificate
    validation process: The revocation function was unable to check revocation because
    the revocation server was offline.
    . Contact your system administrator to determine why the Domain Controller
    certificate is invalid.
    For more information, see Help and Support Center at
    <https://go.microsoft.com/fwlink/events.asp>.
    Data:
    0000: 13 20 09 80 . .?

On the DCs, the following event may be seen (System log):

  • KDC event 21:
    Event Type: Warning
    Event Source: KDC
    Event Category: None
    Event ID: 21
    Date: 8/18/2010
    Time: 2:30:19 PM
    User: N/A
    Computer: <MachineName>
    Description:
    The client certificate for the user <DomainName><UserName> is not valid, and
    resulted in a
    failed smartcard logon. Please contact the user for more information about the
    certificate they're attempting to use for smartcard logon. The chain status was :
    The revocation function was unable to check revocation because the revocation server
    was offline.


Troubleshooting approach:

  1. From the event log, we can see that the actual error reported in the event data is 0x80092013 (the bytes 13 20 09 80 are the HRESULT stored little-endian). This error means the following:
      CRYPT_E_REVOCATION_OFFLINE                                     winerror.h
    # The revocation function was unable to check revocation
    # because the revocation server was offline.
    # as an HRESULT: Severity: FAILURE (1), FACILITY_SSPI (0x9), Code 0x2013
    Therefore, from this error alone we can determine that the problem is related to the client checking the certificate revocation list (CRL) for the server certificate.
  2. Next, we can use the following commands on the client to manually check whether CRL checking is working:
    1. Obtain the DC's "Server Authentication" (1.3.6.1.5.5.7.3.1) certificate, confirm that the certificate is valid and that the CRL distribution point URL can be reached with IE; then copy the certificate to the client computer.

    2. On the client, download and install the Windows Server 2003 Administration Tools Pack.

    3. Insert the smart card and run the following to first confirm that the smart card works on the client:
      certutil.exe -scinfo

    4. Run the following to confirm that CRL checking of the server certificate works under the user account:
      certutil.exe /verify /urlfetch <server certificate file>.cer

    5. Run the following to confirm that CRL checking of the server certificate also works under the computer account (it runs as SYSTEM and may use a different proxy configuration than the user):
      at.exe <next minute from now> /interactive c:\windows\system32\cmd.exe  (e.g. at.exe 09:35 /interactive c:\windows\system32\cmd.exe)

      Once cmd.exe starts, run the following in it:
      certutil.exe /verify /urlfetch <server certificate file>.cer

  3. Based on the events above, the commands above should let us find the point at which the check fails. Common causes of this problem are:
    1. The CRL server cannot be reached.
    2. The CRL server requires specific authentication before it will serve the list.
    3. A proxy is configured but the environment is not configured correctly for it.
    4. The certificate on the DC has expired or is otherwise invalid.
    5. Network problems.
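As an added example (not part of the original post), the following Python script performs the decoding done by hand in step 1: it rebuilds the HRESULT from the little-endian bytes of the events' Data line and splits it into severity, facility and code as winerror.h defines them. The table of known values is my own selection from winerror.h, and the sample Data line is constructed from the events above.

```python
import re

# A few winerror.h HRESULTs that commonly appear in Kerberos 8/9 and KDC 21 events.
# 0x80092013 is the value seen in this post; the others map to the causes listed above.
KNOWN_HRESULTS = {
    0x80092010: "CRYPT_E_REVOKED: the certificate has been revoked",
    0x80092012: "CRYPT_E_NO_REVOCATION_CHECK: no revocation check could be performed",
    0x80092013: "CRYPT_E_REVOCATION_OFFLINE: the revocation server was offline",
    0x800B0101: "CERT_E_EXPIRED: the certificate has expired or is not yet valid",
    0x800B0109: "CERT_E_UNTRUSTEDROOT: the chain ends in an untrusted root",
    0x800B010A: "CERT_E_CHAINING: no chain to a trusted root could be built",
}

FACILITY_NAMES = {0x9: "FACILITY_SSPI", 0xB: "FACILITY_CERT"}

# Event Viewer "Data:" line: 4-digit offset, colon, then space-separated hex bytes,
# followed by an ASCII rendering we do not need.
DATA_LINE_RE = re.compile(r"^\s*[0-9A-Fa-f]{4}:\s*((?:[0-9A-Fa-f]{2}\b\s*)+)")


def hresult_from_event_data(data_line):
    """Rebuild the HRESULT from the first four bytes of an Event Viewer Data line.
    The bytes are stored little-endian, so '13 20 09 80' is 0x80092013."""
    m = DATA_LINE_RE.match(data_line)
    if not m:
        raise ValueError("not an Event Viewer data line: %r" % data_line)
    raw = bytes.fromhex(m.group(1).replace(" ", ""))
    if len(raw) < 4:
        raise ValueError("need at least 4 bytes of event data")
    return int.from_bytes(raw[:4], "little")


def decode_hresult(hr):
    """Split an HRESULT into severity (bit 31), facility (bits 16-26) and code (bits 0-15)."""
    severity = (hr >> 31) & 1
    facility = (hr >> 16) & 0x7FF
    code = hr & 0xFFFF
    return {
        "hresult": "0x%08X" % hr,
        "severity": "FAILURE" if severity else "SUCCESS",
        "facility": FACILITY_NAMES.get(facility, "facility 0x%X" % facility),
        "code": "0x%04X" % code,
        "meaning": KNOWN_HRESULTS.get(hr, "not in the local table; look it up in winerror.h"),
    }


# Constructed sample: the Data line as it appears in the Kerberos 8 and 9 events above.
SAMPLE_DATA_LINE = "0000: 13 20 09 80 . .?"

if __name__ == "__main__":
    for key, value in decode_hresult(hresult_from_event_data(SAMPLE_DATA_LINE)).items():
        print("%-9s %s" % (key + ":", value))
```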