Question
Wednesday, March 9, 2016 3:42 PM
I have several C# applications that connect to Active Directory to obtain user information. Authentication is via a Windows service account. Whenever the connection is attempted I receive an "Insert Smart Card" pop-up box. This same behavior exists if I run the Windows utility LDP.exe. If I click Cancel 4 times, the box will go away and the connection is established.
This same type of behavior existed on our domain controllers and was resolved by removing a certificate in the Personal store where the CA was no longer valid. I've checked the certificates on my PC and can't find any problems.
Are there any debug settings or a utility that I can run to identify the problem?
All replies (12)
Thursday, September 21, 2017 7:10 PM ✅Answered | 1 vote
I know this is an older thread, but I had a very similar issue and found that the machine asking for a smart card (SC) has a list of certificates from users' SCs who had signed in earlier. After I cleared all SC certs from the certificate Personal store, the prompts for smart cards stopped.
Thursday, March 10, 2016 2:43 PM
Hi,
Have you configured LDAP over SSL on your domain controller?
It's the default behavior to use a client authentication certificate (if available in the Personal store) for mutual authentication over an SSL/TLS connection.
As a workaround, please try to stop the smart card services.
Best Regards,
Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected].
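The accepted answer above (clearing smart-card certificates from the Personal store) and Steven Lee's point that a client authentication certificate from that store is offered during LDAPS mutual authentication both call for an inventory step before anything is deleted. The following PowerShell is an added example, not code from the thread: it lists the certificates in Cert:\CurrentUser\My that could be offered as a TLS client certificate and flags those carrying the Smart Card Logon EKU or whose chain no longer validates, without touching any private key. The EKU OIDs and the CAPI2 log name are standard Windows values; the function name is my own.

```powershell
# Added example (not from the thread). Inventory of Personal-store certificates that
# Schannel could offer as a TLS client certificate during LDAPS mutual authentication.
# Nothing is deleted; the operator reviews the output and removes entries deliberately.
# Standard Windows EKU OIDs for the two purposes relevant to this thread:
$clientAuthOid = '1.3.6.1.5.5.7.3.2'      # Client Authentication
$smartCardOid  = '1.3.6.1.4.1.311.20.2.2' # Smart Card Logon

function Get-ClientAuthCertInventory {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Collect EKU OIDs. A certificate with no EKU extension is valid for any
        # purpose, so Schannel may still select it for client authentication.
        $ekus = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekus = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
            }
        }
        $offerable = ($ekus.Count -eq 0) -or ($ekus -contains $clientAuthOid)

        # Build the chain from the public certificate only. Opening a smart-card
        # private key would itself raise the "Insert Smart Card" prompt being diagnosed.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chainValid  = $chain.Build($cert)
        $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

        [pscustomobject]@{
            Subject        = $cert.Subject
            Issuer         = $cert.Issuer
            Thumbprint     = $cert.Thumbprint
            NotAfter       = $cert.NotAfter
            ClientAuth     = $offerable
            SmartCardLogon = ($ekus -contains $smartCardOid)
            ChainValid     = $chainValid
            ChainStatus    = $chainStatus
        }
    }
}

# Likely culprits: offerable for client auth and either smart-card issued or no longer
# chaining to a trusted CA (the stale-CA case the original poster saw on the DCs).
Get-ClientAuthCertInventory |
    Where-Object { $_.ClientAuth -and ($_.SmartCardLogon -or -not $_.ChainValid) } |
    Format-Table Subject, Issuer, Thumbprint, NotAfter, ChainValid, ChainStatus -AutoSize

# To see which certificate Schannel actually evaluated, enable the built-in CAPI2
# operational log (run elevated), then reproduce the LDAPS connection with LDP.exe:
#   wevtutil sl Microsoft-Windows-CAPI2/Operational /e:true
```

Revocation checking is disabled so the inventory runs offline; re-run a flagged certificate's chain with revocation enabled before deciding it is only a CRL-reachability problem rather than a dead CA.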
Thursday, March 10, 2016 7:50 PM
Yes, we have configured LDAP over SSL on the DCs. I've been using the workaround (stopping the Smart Card service) for over a year now, but that causes issues when the applications run in an RDP session. If I minimize RDP and stop the Smart Card service on that box, it does work.
I did find some good information on using CAPI2 diagnostic messages to troubleshoot PKI problems.
Hopefully this will uncover the root of the problem without having to stop the Smart Card service.
Thursday, March 10, 2016 10:05 PM
The "Interactive Logon: Require smart card" GPO wouldn't be causing this issue, would it? I was wondering if the service account authentication attempt is still being treated as an interactive logon, potentially leading to the prompt for a smart card.
The GPO could be checked here:
Smart Card Group Policy and Registry Settings
There is also the option to check on the account in AD if the Smart card is required for interactive logon.
Sincerely,
Will
Friday, March 11, 2016 7:22 PM
Just to be sure, I rechecked the GPO and the service account and neither is set to require smart card authentication.
Saturday, March 12, 2016 6:07 PM
Hi.
Is this issue with all clients in that domain?
If it is so can you see any interesting configuration when you run gpresult /v /scope:computer?
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. Even if you are not the author of a thread you can always help others by voting as Helpful. This can be beneficial to other community members reading the thread. Oscar Virot
Monday, March 14, 2016 12:15 PM
Yes, it is happening to all PCs within the domain. I ran the gpresult command and I'm sifting through 5000+ lines of output.
Monday, March 14, 2016 12:51 PM
The only thing I found was a GPO for "Smart Card Auth Policy" that enabled X509HintsNeeded.
Thursday, September 21, 2017 7:35 PM
You are correct! This is an old thread and I meant to update it with the resolution a long time ago.
The only issue you will have with removing the certificates is a problem with encrypted email in Outlook. As long as you enable the "certificate propagation from smart card" policy, just insert your smart card and you're back in business.
Thanks for the response!
Monday, October 16, 2017 10:59 PM
Thank you, but I don't think you marked this as answered.
Tuesday, October 17, 2017 11:16 AM
Sorry. It is now. Thank you!
Saturday, February 23, 2019 3:05 AM
It's the new fking SKYPE.