Smart Card Logon Error Messages

The smart card certificate used for authentication was not trusted
[Screenshot: "certificate not trusted" error message]
Cause

The certificate presented is not trusted by the client or the domain controller. This is typically caused by:

  • Missing root or intermediate certificates in the computer store and/or the NTAuth store.
  • The system was unable to verify whether the certificate has been revoked.
  • No CRL Distribution Point (CDP) is configured in the certificate, or the domain controller could not reach it.
Diagnostic — Check that the smart card certificate is trusted

Run certutil -scinfo and look for the line "Smart card logon: chain validates".

[Screenshot: certutil -scinfo output with the expected line "Smart card logon: chain validates"]

If the test fails, the output shows: "smart card logon: chain on smart card is invalid".

[Screenshot: certutil -scinfo output showing the chain validation failure]
Diagnostic — Verify trust in depth
  1. Open the certificate file on the client computer.
  2. Open the Certification Path tab and note all root and intermediate certificates.
  3. Open the computer certificate store (mmc → Certificates snap-in → Computer account — not certmgr.msc).
  4. Verify the root certificate is in Trusted Root Certification Authorities.
  5. Verify all intermediate certificates are in Intermediate Certification Authorities.
  6. Repeat the same checks on the domain controller used for authentication (find it with echo %LOGONSERVER%).
  7. Check that all intermediate and root certificates are in the NTAuth store:
    certutil -viewstore -enterprise NTAuth
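The store checks in steps 1 to 7 can be scripted. The following PowerShell is an added example, not code from the original article: it builds the certificate chain the way the client does (with online revocation checking, so an unreachable CDP shows up as a chain status rather than being ignored), then reports for every CA in the chain whether it is present in the expected local machine store and in the locally cached NTAuth store. Run it on the client and again on the domain controller named by %LOGONSERVER%. The certificate path is a placeholder for an exported copy (.cer) of the user certificate; the NTAuth registry location is the local cache that certutil -viewstore -enterprise NTAuth displays.

```powershell
# Added example (not from the original article). Assumes an elevated prompt and an
# exported copy of the smart card user certificate at the placeholder path below.
function Test-SmartCardTrustChain {
    param(
        [Parameter(Mandatory)][string]$CertPath
    )
    $x509 = 'System.Security.Cryptography.X509Certificates'
    $cert = New-Object "$x509.X509Certificate2" $CertPath

    # Build the chain with online revocation checking, so a missing CDP or an
    # unreachable CRL is reported in ChainStatus instead of being skipped.
    $chain = New-Object "$x509.X509Chain"
    $chain.ChainPolicy.RevocationMode    = 'Online'
    $chain.ChainPolicy.RevocationFlag    = 'ExcludeRoot'
    $chain.ChainPolicy.VerificationFlags = 'NoFlag'
    $built = $chain.Build($cert)

    # Element 0 is the user certificate itself; everything above it is a CA.
    $elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })

    Write-Host "Chain builds: $built"
    foreach ($s in $chain.ChainStatus) {
        Write-Host ("  {0}: {1}" -f $s.Status, $s.StatusInformation.Trim())
    }
    if ($chain.ChainStatus.Status -contains 'PartialChain') {
        # The chain stopped short: the issuer of the last element is the CA nobody has.
        Write-Host ("  missing issuer: " + $elements[-1].Issuer)
    }

    # The local NTAuth cache lives in the registry; each subkey is a SHA-1 thumbprint.
    # certutil -viewstore -enterprise NTAuth shows the same set in a dialog.
    $ntAuthKey = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates'
    $ntAuth = @()
    if (Test-Path $ntAuthKey) {
        $ntAuth = @(Get-ChildItem $ntAuthKey | ForEach-Object { $_.PSChildName.ToUpperInvariant() })
    }

    for ($i = 1; $i -lt $elements.Count; $i++) {
        $ca = $elements[$i]
        $isRoot = ($ca.Subject -eq $ca.Issuer)   # self-signed => expected in Root, else in CA
        $store  = if ($isRoot) { 'Cert:\LocalMachine\Root' } else { 'Cert:\LocalMachine\CA' }
        [pscustomobject]@{
            Subject    = $ca.Subject
            Thumbprint = $ca.Thumbprint
            Expected   = $store
            InStore    = Test-Path "$store\$($ca.Thumbprint)"
            InNTAuth   = ($ntAuth -contains $ca.Thumbprint.ToUpperInvariant())
        }
    }
}

# Usage (placeholder path for the exported user certificate):
Test-SmartCardTrustChain -CertPath 'C:\temp\smartcard-user.cer' | Format-Table -AutoSize
```

A row with InStore False tells you which store to populate (step 4 or 5 above); a row with InNTAuth False is the case for certutil -dspublish -f NtAuthCA. Because X509Chain also consults the current user's stores, run the function from a plain machine context (an elevated prompt, not a user who happens to have the CA certificate in their own store) to get the same answer the logon process would.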
Resolution
  • Add missing certificates to the relevant stores via GPO or directly.
  • If a root or intermediate CA certificate is missing from the NTAuth store, add it with:
    certutil -dspublish -f [cert_file] NtAuthCA
Key usage

Open the certificate properties and locate the Key Usage extension. It must contain at least one of: Key Encipherment, Data Encipherment, or Digital Signature.

[Screenshots: Key Usage extension (valid; missing or insufficient; detail view)]
Extended Key Usage

The Extended Key Usage extension must be absent, or contain at least one of:

  • Smart Card Logon (OID 1.3.6.1.4.1.311.20.2.2)
  • Client Authentication (OID 1.3.6.1.5.5.7.3.2)
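The Key Usage and Extended Key Usage rules from the two sections above can be checked for every certificate at once. The following PowerShell is an added example, not code from the original article: it reads both extensions from X509Certificate2 objects (for example from Cert:\CurrentUser\My, the store a smart card certificate is propagated to, or from Get-PfxCertificate) and reports whether each satisfies the smart card logon requirements. The function name is my own.

```powershell
# Added example (not from the original article): Key Usage needs at least one of
# Digital Signature, Key Encipherment or Data Encipherment; EKU must be absent or
# contain Smart Card Logon (1.3.6.1.4.1.311.20.2.2) or Client Authentication (1.3.6.1.5.5.7.3.2).
function Test-SmartCardLogonUsage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        $x509 = 'System.Security.Cryptography.X509Certificates'
        $flags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
        $acceptedKu  = [int]($flags::DigitalSignature -bor $flags::KeyEncipherment -bor $flags::DataEncipherment)
        $acceptedEku = @('1.3.6.1.4.1.311.20.2.2', '1.3.6.1.5.5.7.3.2')

        $ku  = $Certificate.Extensions | Where-Object { $_ -is "$x509.X509KeyUsageExtension" }
        $eku = $Certificate.Extensions | Where-Object { $_ -is "$x509.X509EnhancedKeyUsageExtension" }

        # Key Usage: the extension must exist and carry at least one accepted bit.
        $kuText = '<absent>'
        $kuOk   = $false
        if ($null -ne $ku) {
            $kuText = $ku.KeyUsages.ToString()
            $kuOk   = (([int]$ku.KeyUsages -band $acceptedKu) -ne 0)
        }

        # Extended Key Usage: absent is acceptable; if present, one accepted OID is required.
        $ekuOids = @('<absent>')
        $ekuOk   = $true
        if ($null -ne $eku) {
            $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
            $ekuOk   = [bool]($ekuOids | Where-Object { $acceptedEku -contains $_ })
        }

        [pscustomobject]@{
            Subject               = $Certificate.Subject
            Thumbprint            = $Certificate.Thumbprint
            KeyUsage              = $kuText
            KeyUsageOk            = $kuOk
            EKU                   = ($ekuOids -join ', ')
            EKUOk                 = $ekuOk
            SmartCardLogonCapable = ($kuOk -and $ekuOk)
        }
    }
}

# Usage: evaluate every certificate in the current user's personal store.
Get-ChildItem Cert:\CurrentUser\My | Test-SmartCardLogonUsage | Format-Table -AutoSize
```

A certificate that fails KeyUsageOk or EKUOk was issued from a template that does not fit smart card logon; fixing the template and re-issuing is the durable remedy, whereas the AllowCertificatesWithNoEKU and AllowSignatureOnlyKeys policy values described later only change what the logon screen is willing to display.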
[Screenshots: Extended Key Usage (valid, Smart Card Logon present; invalid, Smart Card Logon absent; detail view)]
Your credentials could not be verified
[Screenshot: "credentials could not be verified" error message]
Cause
  • The domain controller cannot find the account associated with the smart card.
  • The certificate is associated with more than one account.
  • There is a certificate mapping issue (an unrecognised altSecurityIdentities format, or the stricter mapping enforcement introduced by KB5014754).
Diagnostic — System Event Log

Check the System Event Log for Kerberos errors. An event reading "The Distinguished Name in the subject field of your smartcard logon certificate does not contain enough information to locate the appropriate domain" indicates no mapping was found.

[Screenshot: Kerberos error in the System Event Log]
Diagnostic — Check for duplicate mappings

Run ADExplorer.exe, go to Search, and search for the attribute altSecurityIdentities with the relation Not Empty. Check for duplicate entries across multiple accounts.

[Screenshots: ADExplorer search for altSecurityIdentities; altSecurityIdentities attribute value]
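The ADExplorer search above can be reproduced without a GUI, and the result enriched with the KB5014754 mapping classification mentioned under Cause. The following PowerShell is an added example, not code from the original article: it queries the domain for every object carrying altSecurityIdentities through System.DirectoryServices (no RSAT module needed, any domain user with read access), labels each mapping as strong or weak per the KB5014754 formats, and lists mapping values that appear on more than one account. Function names are my own.

```powershell
# Added example (not from the original article). Strong formats per KB5014754:
# X509:<SKI>..., X509:<SHA1-PUKEY>..., X509:<I>...<SR>...; weak formats:
# X509:<S>..., X509:<I>...<S>..., X509:<RFC822>...
function Get-AltSecurityIdentityMapping {
    $rootDse  = [adsi]'LDAP://RootDSE'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [adsi]"LDAP://$($rootDse.defaultNamingContext)"
    $searcher.Filter     = '(altSecurityIdentities=*)'      # same as ADExplorer "Not Empty"
    $searcher.PageSize   = 1000
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'altSecurityIdentities'))

    foreach ($result in $searcher.FindAll()) {
        $dn = [string]$result.Properties['distinguishedname'][0]
        # One row per (account, mapping value); an account may carry several mappings.
        foreach ($mapping in $result.Properties['altsecurityidentities']) {
            $m = [string]$mapping
            # Order matters: the <I>...<SR> test must run before the generic <I> test.
            $strength = if ($m -match '^X509:<(SKI|SHA1-PUKEY)>' -or $m -match '^X509:<I>.*<SR>') { 'strong' }
                        elseif ($m -match '^X509:<(S|I|RFC822)>') { 'weak' }
                        else { 'unrecognised' }
            [pscustomobject]@{ Account = $dn; Mapping = $m; Strength = $strength }
        }
    }
}

function Find-DuplicateAltSecurityIdentities {
    Get-AltSecurityIdentityMapping | Group-Object Mapping | Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Mapping  = $_.Name
                Count    = $_.Count
                Accounts = ($_.Group.Account -join '; ')
            }
        }
}

# Usage: full inventory first, then only the mappings shared by several accounts.
Get-AltSecurityIdentityMapping | Sort-Object Strength, Account | Format-Table -AutoSize
Find-DuplicateAltSecurityIdentities | Format-Table -AutoSize
```

A duplicate row is the "certificate is associated with more than one account" cause from the list above; a weak or unrecognised row is the candidate for the KB5014754 mapping cause.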
Smart card logon not supported for your account
[Screenshot: "smart card logon not supported" error message]
Cause

The domain controller has no certificate issued by the Enterprise PKI in its computer certificate store. Confirmed by Event ID 19 or 29 in the System log:

[Screenshot: KDC Event ID 19/29, KDC certificate missing]
Resolution — Option A: force GPO re-application
gpupdate /force
Resolution — Option B: manually request a KDC certificate
  1. On the domain controller, run mmc.
  2. Go to File → Add/Remove Snap-in → Certificates → Computer account.
  3. Expand Certificates (Local Computer) → Personal.
  4. Right-click Personal → All Tasks → Request New Certificate.
  5. Select Domain Controller Authentication and click Enroll.
[Screenshots: Request New Certificate; selecting the Domain Controller Authentication template; enrolment succeeded; KDC certificate now present in the Personal store; logon now succeeds]
If enrolment fails with an ADCS error, restart the ADCS service and retry.
The requested key container does not exist on the smart card
[Screenshot: "key container does not exist" error message]

Also reported as: "The requested certificate does not exist on the smart card" or "The requested keyset does not exist on the smart card".

Cause

A problem with the smart card driver — most commonly seen when connecting via Terminal Server.

Resolution

Verify that the smart card driver is installed on both the server and the client: run certutil -scinfo on both machines.

An error occurred trying to use this smart card
[Screenshot: "An error occurred trying to use this smart card" error message]
Additional symptom

Event 4625 — Logon failure with status 0xC000006D / sub-status 0xC0000321.

[Screenshots: Event 4625 with sub-status 0xC0000321 (Kerberos smart card subsystem error); API Monitor revealing the underlying error code]
Resolution

Contact your smart card manufacturer. For detailed diagnostics, run API Monitor and attach it to lsass.exe.

The Kerberos protocol encountered an error while validating the KDC certificate
[Screenshot: KDC certificate validation error, seen when connecting via Terminal Server]
Cause

The KDC certificate chain cannot be built on the connecting client. Confirmed by Event ID 9 (Security-Kerberos).

[Screenshot: Event ID 9 (Security-Kerberos), certificate chain could not be built]
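The events this guide relies on (KDC Event ID 19/29 for a missing KDC certificate, Security-Kerberos Event ID 9 for a KDC chain that cannot be built, the "Distinguished Name in the subject field" mapping failure, and Event 4625 with sub-status 0xC0000321 for a smart card subsystem error) can be collected in one pass. The following PowerShell is an added example, not code from the original article: it queries the System and Security logs of one machine over a time window and returns one normalised row per matching event. Reading the Security log requires local administrator rights; -ComputerName is a placeholder for the domain controller (for the KDC events) or the client; the provider names are the ones I expect for these channels and are an assumption, as is the function name.

```powershell
# Added example (not from the original article). Run against the DC for KDC 19/29,
# against the client or terminal server for the Kerberos and 4625 events.
function Get-SmartCardLogonEvent {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24
    )
    $since  = (Get-Date).AddHours(-$Hours)
    $common = @{ ComputerName = $ComputerName; ErrorAction = 'SilentlyContinue' }

    function New-Row($Record, $Category, $Detail) {
        [pscustomobject]@{
            Time     = $Record.TimeCreated
            Id       = $Record.Id
            Category = $Category
            Detail   = $Detail
            Message  = ($Record.Message -split "`r?`n")[0]   # first line only
        }
    }

    # Domain controller side: the KDC has no certificate usable for PKINIT.
    Get-WinEvent @common -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id = 19, 29; StartTime = $since
    } | ForEach-Object { New-Row $_ 'KDC' 'KDC certificate missing (Event 19/29)' }

    # Client side: the KDC chain could not be built (Event 9) or the certificate
    # subject could not be mapped to an account.
    Get-WinEvent @common -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Security-Kerberos'; StartTime = $since
    } | ForEach-Object {
        if ($_.Id -eq 9) {
            New-Row $_ 'Kerberos' 'KDC certificate chain could not be built (Event 9)'
        } elseif ($_.Message -like '*Distinguished Name in the subject field*') {
            New-Row $_ 'Kerberos' 'No account mapping found for the certificate'
        }
    }

    # Logon failures (status 0xC000006D) whose sub-status is 0xC0000321: the
    # smart card subsystem itself returned an error. Values are read from the
    # event XML rather than the rendered message, which is locale-dependent.
    Get-WinEvent @common -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            $sub  = ($data | Where-Object { $_.Name -eq 'SubStatus' }).'#text'
            if ($sub -eq '0xc0000321') {
                $user = ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
                New-Row $_ 'Logon' "Smart card subsystem error for $user (sub-status 0xC0000321)"
            }
        }
}

# Usage: last 24 hours on the local machine, oldest first.
Get-SmartCardLogonEvent -Hours 24 | Sort-Object Time | Format-Table -AutoSize
```

The Category column maps directly to the sections of this guide: KDC rows point at the "Smart card logon not supported" resolution, Kerberos rows at the trust-chain and mapping diagnostics, and Logon rows at the manufacturer/API Monitor step.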
Resolution
  1. On a computer where logon works, run certutil -scinfo and identify the root certificate.
  2. Copy that root certificate to the failing client's computer certificate store (mmc → Certificates → Local Computer).
  3. Run gpupdate /force on the client.
[Screenshots: root CA certificate added to the client computer store; certutil -scinfo now reports that the chain validates; logon now succeeds]
The function requested is not supported
[Screenshots: "function not supported" error; CredSSP-related error detail]

This error is related to a CredSSP vulnerability patch. Refer to Microsoft KB4093492 — CredSSP updates for CVE-2018-0886.

No valid certificates found
[Screenshot: logon screen showing no valid certificates]
Causes
  • Only UPN mapping is allowed and the certificate does not match.
  • Certificate Key Usage or EKU attributes are incompatible.
  • Connecting via Terminal Server from a computer outside the domain.
  • The certificate chain is not trusted.
Resolution — Relax GPO restrictions
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider]
"AllowCertificatesWithNoEKU"=dword:00000001
"AllowSignatureOnlyKeys"=dword:00000001
"ForceReadingAllCertificates"=dword:00000001
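The three registry values above can be audited and applied from PowerShell instead of importing a .reg file. The following is an added example, not code from the original article: one function reports the current state of each value together with what it relaxes, and one applies the chosen values with -WhatIf support. The function names and the per-value descriptions (derived from the value names) are mine. Because the key sits under Policies, a Group Policy that manages these settings overwrites a manual edit at the next refresh, so a lasting change belongs in the GPO.

```powershell
# Added example (not from the original article). Requires an elevated prompt to write.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider'
$policyValues = [ordered]@{
    AllowCertificatesWithNoEKU  = 'show certificates that carry no Extended Key Usage extension'
    AllowSignatureOnlyKeys      = 'show certificates whose key is valid for signing only'
    ForceReadingAllCertificates = 'read every certificate on the card rather than only the default one'
}

function Get-SmartCardCredentialProviderPolicy {
    foreach ($name in $policyValues.Keys) {
        $value = $null
        if (Test-Path $policyKey) {
            $value = (Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue).$name
        }
        $shown = '<not set> (default 0)'
        if ($null -ne $value) { $shown = $value }
        [pscustomobject]@{
            Setting = $name
            Value   = $shown
            Relaxes = $policyValues[$name]
        }
    }
}

function Set-SmartCardCredentialProviderPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch]$AllowCertificatesWithNoEKU,
        [switch]$AllowSignatureOnlyKeys,
        [switch]$ForceReadingAllCertificates
    )
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    foreach ($name in $policyValues.Keys) {
        # A switch that was not passed is written back as 0, so the call is idempotent.
        $enabled = [int][bool]$PSBoundParameters[$name]
        if ($PSCmdlet.ShouldProcess("$policyKey\$name", "set to $enabled")) {
            Set-ItemProperty -Path $policyKey -Name $name -Value $enabled -Type DWord
        }
    }
}

# Usage: audit first, then apply the same values as the .reg file above.
Get-SmartCardCredentialProviderPolicy | Format-Table -AutoSize
Set-SmartCardCredentialProviderPolicy -AllowCertificatesWithNoEKU -AllowSignatureOnlyKeys -ForceReadingAllCertificates -WhatIf
Get-SmartCardCredentialProviderPolicy | Format-Table -AutoSize
```

Drop -WhatIf to write the values. Each of the three settings widens the set of certificates the logon screen will offer; keeping the audit output from before the change makes it easy to restore the original state once the certificate template or trust problem behind the symptom has been fixed.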
[Screenshots: SmartCardCredentialProvider registry settings; certificate visible on the logon screen after relaxing restrictions]
Resolution — Terminal Server without NLA

On the server, deselect "Allow connections only from computers running Remote Desktop with Network Level Authentication".

In the .rdp file for the connection, add:

EnableCredSspSupport:i:0
[Screenshot: RDP connection without NLA, certificate visible from outside the domain]