Kerberos Smart Card Configuration

Applies To: Windows Server 2008 R2

The Kerberos client can be configured to use smart card authentication for user accounts on an organization's network.


Event ID Source Message



The Domain Controller rejected the client certificate of user %2, used for smartcard logon. The following error was returned from the certificate validation process: %1.



The Distinguished Name in the subject field of your smartcard logon certificate does not contain enough information to locate the appropriate domain on an unjoined machine. Please contact your system administrator.



While using your smartcard over a VPN connection, the Kerberos subsystem encountered an error. Typically, this indicates the card has been pulled from the reader during the VPN session.



While using your smartcard for the Credential Manager the Kerberos subsystem encountered an error that appears to be from a missing or incorrect smartcard PIN. To remedy, launch the Stored User Names and Passwords control panel applet, and reenter the pin for the credential for %1%2%3.



The kerberos SSPI package failed to find the smartcard certificate in the certificate store. To remedy, logon as user %1 and insert the smartcard into your smartcard reader, then use the Certificates snap-in to verify that the smartcard certificate is in the user's personal certificate store.
