Question

BrianG-8991 asked (0 Votes)

"The client certificate for the user "DOMAIN\user" is not valid, and resulted in a failed smartcard logon" after KB5005568 update.

Running Windows Server 2019. In the early morning of Sept 16, 2021 this update auto-installed and restarted the server (September 14, 2021—KB5005568). Now, the event noted below has begun to appear anytime a user signs in to their computer. None of our users use smartcards, but we do run hybrid Azure AD with Windows Hello for Business enabled. It doesn't seem to be causing any issues, but I'd still like to know what the underlying issue is and correct it.

Any ideas?

Kerberos-Key-Distribution-Center
The client certificate for the user "DOMAIN\user" is not valid, and resulted in a failed smartcard logon. Please contact the user for more information about the certificate they're attempting to use for smartcard logon. The chain status was: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.


windows-server-security

I see the same behavior in my infrastructure as well. Several domain controllers running Windows Server 2019; after being patched earlier this month, this event started to pop up on each DC used by users. Also running hybrid Azure AD with WHfB. No recent changes to CA or GPOs.
No issue with users logging on at the moment, but those warnings are messing with our monitoring.

0 Votes

brent24099 replied to AdrianPopovici-7348:

Glad to hear no issues with anything for you as well! But I would like to know why these are popping up for sure. Don't want them to become failures down the road.

1 Vote

Agreed. I would have normally posted on TechNet, but it seems that platform has been discontinued... although somehow users are still posting their questions. I'm wondering if the Microsoft techs ignore this platform since none of them have responded. So very disappointing.

0 Votes

Did anyone find any kind of solution to this?
I was waiting to see if maybe some hotfix would be released during last week's Patching Tuesday, installed all the updates on our servers last weekend, but I still see the warnings in the logs of all domain controllers hit by authentication requests.

0 Votes

BrianG-8991 replied to AdrianPopovici-7348:

I'm still having the same issue as well. Very frustrating.

0 Votes

cthivierge answered (0 Votes):

If you enable the CAPI2 log on the client computer and set the size of the log to at least 4096K,
then ask a user to log in using his smartcard
and look for errors in the CAPI2 log.

CAPI2 log
Event Viewer / Applications and Services Logs / Microsoft / Windows / CAPI2

It may give you more information.

BrianG-8991 answered (0 Votes, edited):

These three ERRORS are being recorded several times for several different [ProcessName]s.

Result: The revocation function was unable to check revocation for the certificate.
[value] 80092012

Result: The certificate is not valid for the requested usage.
[value] 800B0110

Result: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
[value] 800B0109
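The CAPI2 steps suggested earlier and the three result codes listed here can be collected in one pass. The script below is an added example, not code from the thread; it assumes an elevated PowerShell session (run on a DC for the KDC events, on the client for the CAPI2 events) and a $Since parameter of my own choosing.

```powershell
# Added example, not from the thread. Enables the CAPI2 Operational log at the
# 4 MB size suggested above, then pulls the KDC event 21 warnings from the System
# log (run on the DC) and CAPI2 error events (run on the client) whose result is
# one of the three HRESULTs quoted above. $Since is an assumed parameter.
param([datetime]$Since = (Get-Date).AddDays(-1))

# Step 1: turn on the CAPI2 log and size it to at least 4096 KB (4194304 bytes).
wevtutil sl Microsoft-Windows-CAPI2/Operational /e:true /ms:4194304

# The three CAPI2 results reported in the thread and their HRESULT names.
$KnownResults = @{
    '80092012' = 'CRYPT_E_NO_REVOCATION_CHECK (revocation could not be checked)'
    '800B0110' = 'CERT_E_WRONG_USAGE (not valid for the requested usage)'
    '800B0109' = 'CERT_E_UNTRUSTEDROOT (chain ends in an untrusted root)'
}

# Step 2: KDC event 21 from the System log, with the DOMAIN\account pulled out of the message.
$kdc = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 21
    StartTime    = $Since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $acct = if ($_.Message -match '([\w.-]+\\[^\s"”]+)') { $Matches[1] } else { '?' }
    [pscustomobject]@{ Time = $_.TimeCreated; Account = $acct }
}

# Step 3: CAPI2 errors whose <Result value="..."> matches one of the three codes.
$capi2 = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-CAPI2/Operational'
    Level     = 2                     # Error
    StartTime = $Since
} -ErrorAction SilentlyContinue | ForEach-Object {
    if ($_.ToXml() -match '<Result value="([0-9A-Fa-f]{8})"') {
        $code = $Matches[1].ToUpper()
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Result  = $code
            Meaning = if ($KnownResults.ContainsKey($code)) { $KnownResults[$code] } else { 'other' }
        }
    }
}

# Which accounts trigger event 21, and which CAPI2 failures accompany them.
$kdc   | Group-Object Account | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
$capi2 | Group-Object Result, Meaning | Format-Table Count, Name -AutoSize
```

Accounts ending in `$` in the first table are computer accounts, which matches the once-per-hour pattern reported later in this thread.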

cthivierge answered (0 Votes):

Are there no changes in your internal PKI?

Can you validate that there is no issuing CA in the trusted root store?
You can validate using this PS command:
Get-ChildItem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject}
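An added example, not code from the thread, that extends the Root-store check above with a chain build against an exported client certificate requiring the Smart Card Logon EKU, so the chain status can be compared with the HRESULTs seen in CAPI2; $CertPath and the export location are assumptions.

```powershell
# Added example, not from the thread. (1) Lists Root-store certificates that are
# not self-signed (an issuing CA misplaced in Trusted Root), as the answer above
# suggests. (2) Builds a chain for an exported client certificate with the Smart
# Card Logon EKU and maps the chain status onto the HRESULTs seen in CAPI2.
# $CertPath is an assumed parameter pointing at a hypothetical exported .cer file.
param([string]$CertPath = 'C:\temp\user-logon.cer')

function Get-MisplacedIssuingCa {
    Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Issuer -ne $_.Subject } |
        Select-Object Subject, Issuer, NotAfter, Thumbprint
}

function Test-SmartCardLogonChain {
    param([Parameter(Mandatory)][string]$Path)
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    # Require the Smart Card Logon EKU, as certificate-based logon does.
    $chain.ChainPolicy.ApplicationPolicy.Add(
        [System.Security.Cryptography.Oid]::new('1.3.6.1.4.1.311.20.2.2'))
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
    $ok = $chain.Build($cert)

    # .NET chain status flags that correspond to the HRESULTs in this thread.
    $map = @{
        UntrustedRoot           = '800B0109 CERT_E_UNTRUSTEDROOT'
        NotValidForUsage        = '800B0110 CERT_E_WRONG_USAGE'
        RevocationStatusUnknown = '80092012 CRYPT_E_NO_REVOCATION_CHECK'
        OfflineRevocation       = '80092012 CRYPT_E_NO_REVOCATION_CHECK'
    }
    $n = $chain.ChainElements.Count
    [pscustomobject]@{
        Subject    = $cert.Subject
        ChainValid = $ok
        Root       = if ($n) { $chain.ChainElements[$n - 1].Certificate.Subject } else { $null }
        Problems   = @($chain.ChainStatus | ForEach-Object {
            $s = $_.Status.ToString()
            if ($map.ContainsKey($s)) { "$s -> $($map[$s])" } else { $s }
        })
    }
}

Get-MisplacedIssuingCa | Format-Table -AutoSize
if (Test-Path $CertPath) { Test-SmartCardLogonChain -Path $CertPath | Format-List }
```

Run it on the DC that logs event 21: the Root field shows which root the chain actually terminated in, which is the first thing to compare against the CA certificate you expect.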

BrianG-8991 answered (0 Votes):

First... thank you for your help.

I ran the command (I needed to add an underscore after $). It didn't appear to do anything and returned me to the command prompt.

PS C:\Users\Administrator> Get-ChildItem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject}
PS C:\Users\Administrator>

LimitlessTechnology-2700 answered (0 Votes):

Hello @BrianG-8991,

In fact, these new updates have changed how key authentication works.

There was a previous thread on this topic, where a community member created an article with a workaround for this behavior:

https://social.technet.microsoft.com/Forums/en-US/4fd818f0-c72a-409c-8ef5-8717d02f4666/windows-hello-intune-mdm-aad-hybrid-ad-kb3200970-amp-kb3199986-pin-login-failure?forum=win10itprosecurity

Hope this also helps in your case.

--If the reply is helpful, please Upvote and Accept as answer--

BrianG-8991 answered (0 Votes):

Hi. Unfortunately, all of this is already in place for our server. We only have one server, it is a domain controller, and Windows Hello works perfectly for everyone. We're experiencing no issues except the warning messages.

Also, the Windows Update I'm referring to was released Sept 14, 2021. The update referenced in the link you provided is dated October 2016. So it doesn't really apply to me, but thank you anyway.

brent24099 answered (0 Votes, edited):

This warning pops up for my Windows Hello users as well as for a couple of my VMs on which I have Credential Guard and TPM enabled. I've been trying to figure out if it is something to be concerned about or not, as nothing has actually stopped working! The computer ones happen around once per hour, and the Windows Hello ones when they sign in.

Example Event ID 21 for the COMPUTER accounts:

The client certificate for the user DOMAIN\COMPUTER$ is not valid, and resulted in a failed smartcard logon.
Please contact the user for more information about the certificate they're attempting to use for smartcard logon.
The chain status was: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

It definitely started directly following the update on September 14th - KB5005102.

We utilize AD CS and it is a trusted root authority on the DCs. Everything looks fine, nothing expired, and no changes were made to the CS setup recently. I checked the NTAuthCertificates store and the CA cert is there as well.

DerekUFC-0879 answered (0 Votes; BrianG-8991 commented):

I'm not seeing this error anymore. I don't know if the 2021-10 Cumulative Updates corrected it, but I didn't see this error logged at any time during the month of October.

BrianG-8991 commented:

I'm still seeing the error. Unfortunately.

0 Votes