WS2016 AD DC, unlock Windows session with smartcard, '... credentials could not be verified'

Bertrand PERRET 61 Reputation points
2020-08-15T12:28:20.177+00:00

Hello,

Scenario:

----------

Try to open a Windows session with a smartcard on a computer joined to a 2016 AD domain.

Technology:

------------

Involves a third-party CSP library for the smartcard to work. The smartcard contains the appropriate X.509 certificate used to log on.

Result:
-------
After typing the PIN code, I get the error message "The system couldn't logon you, your credentials could not be verified".

Environment - Windows Server 2016, with the domain controller configured for smartcard logon.
Client PC running Windows 7, joined to the 2016 Active Directory domain.

In Event Viewer I can see the following message:

[screenshot: 17708-smartcard-logon-ws2016.jpg]


Accepted answer
  1. Daisy Zhou 18,701 Reputation points Microsoft Vendor
    2020-08-17T01:52:31.997+00:00

    Hello @Bertrand PERRET ,

    Thank you for posting here.

    But now I have another error:
    You cannot log on because the logon method you are using is not allowed on this computer. Please see your network administrator for more information.

    A: For your error message, we can check as below:

    If you log on to this machine locally, we can check whether this account is denied local logon on this client through the local group policy setting.

    **1.** On this machine, open gpedit.msc (local group policy) and navigate to:

    Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allowed log on locally (there should be Administrators group and the user account now we are using on this machine)

    Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on locally (it should be blank or there should be no Administrators group or no the user account now we are using on this machine)

    **2.** If you log on to this machine locally, we can check whether this account is denied local logon on this client through the domain group policy setting.

    Check the same setting on the domain GPO object:

    Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allowed log on locally (there should be Administrators group and the user account now we are using on this machine)

    Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny logon locally (it should be blank or there should be no Administrators group or no the user account now we are using on this machine)

    **3.** If we receive the error message above when we log on through Remote Desktop Services, we can check whether this account is denied remote logon on this client through the local group policy setting.

    On this machine, open gpedit.msc (local group policy) and navigate to:

    Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow logon through Remote Desktop Services (there should be Administrators group and the user account now we are using on this machine)

    Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny logon through Remote Desktop Services (it should be blank or there should be no Administrators group or no the user account now we are using on this machine)

    **4.** If we receive the error message above when we log on through Remote Desktop Services, we can check whether this account is denied remote logon on this client through the domain group policy setting.

    Check the same settings on the domain GPO object:

    Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow logon through Remote Desktop Services (there should be Administrators group and the user account now we are using on this machine)

    Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny logon through Remote Desktop Services (it should be blank or there should be no Administrators group or no the user account now we are using on this machine)

    To check 2 & 4, proceed as below:
    1. Log on to this machine as a domain administrator.
    2. Open CMD and run it as Administrator.
    3. Type gpresult /h C:\logon.html and press Enter.
    4. Open the file above to check the group policy settings under "Computer Details".

    Hope the information is helpful. If anything is unclear, please feel free to let us know.

    Best Regards,
    Daisy Zhou
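The four User Rights Assignment settings the answer walks through can be read in one pass from the client's effective security policy (local policy plus whatever domain GPO has applied), which saves clicking through gpedit.msc and the gpresult report. This is an added example, not code from the answer or from Microsoft; run it from an elevated PowerShell prompt on the client PC, and `CONTOSO\jdoe` is an assumed placeholder for the smartcard user being tested.

```powershell
# Added example: list who holds the four logon rights the answer says to check,
# as they are in effect on this PC. 'CONTOSO\jdoe' is an assumed sample account.
$Account = 'CONTOSO\jdoe'
$Cfg = Join-Path $env:TEMP 'user-rights.inf'

# secedit writes a Unicode INF with a [Privilege Rights] section, e.g.
#   SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
# Rights with no holders are simply omitted from the file.
secedit /export /cfg $Cfg /areas USER_RIGHTS | Out-Null

$Rights = @{}
foreach ($line in Get-Content -Path $Cfg) {
    if ($line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
    $Rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object {
        $id = $_.Trim().TrimStart('*')
        if ($id -notmatch '^S-1-') { return $id }          # already an account name
        try   { ([System.Security.Principal.SecurityIdentifier]$id).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $id }                                       # orphaned SID: keep it raw
    })
}
Remove-Item -Path $Cfg -ErrorAction SilentlyContinue

# INF right name, display name as shown in gpedit.msc, and whether it allows or denies
$Checks = @(
    @('SeInteractiveLogonRight',           'Allow log on locally',                         'allow'),
    @('SeDenyInteractiveLogonRight',       'Deny log on locally',                          'deny'),
    @('SeRemoteInteractiveLogonRight',     'Allow log on through Remote Desktop Services', 'allow'),
    @('SeDenyRemoteInteractiveLogonRight', 'Deny log on through Remote Desktop Services',  'deny')
)
foreach ($c in $Checks) {
    $name, $label, $kind = $c
    $holders = @($Rights[$name] | Where-Object { $_ })   # missing key -> empty list
    $shown = if ($holders) { $holders -join ', ' } else { '<blank>' }
    Write-Host ("{0,-46} {1}" -f $label, $shown)
    if ($kind -eq 'deny' -and $holders.Count -gt 0) {
        Write-Warning "$label is not blank: if $Account is listed, or is a member of a listed group, this logon type is blocked"
    }
    if ($kind -eq 'allow' -and $holders.Count -eq 0) {
        Write-Warning "$label is empty: nobody can use this logon type on this PC"
    }
}
```

A deny right always wins over the matching allow right, so any non-blank Deny line that covers the account (directly or through a group such as Users or Domain Users) reproduces the "logon method you are using is not allowed on this computer" message regardless of what the Allow line says.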


1 additional answer

  1. Bertrand PERRET 61 Reputation points
    2020-08-17T12:51:28.377+00:00

    I edited the title to be accurate