Question
Thursday, September 3, 2015 10:00 AM | 1 vote
I have 2 user certificates on a Yubikey NEO. Both are issued by our Enterprise CA for Smartcard logon. EKUs and the certificate chain are OK.
On Windows 10 I am able to logon with just one of the certificates, the other one triggers "Your credentials could not be verified". On previous Windows versions this has never been a problem: using the same Yubikey, on Windows 8.1, both certificates (in slots 9a and 9e respectively) can still be used for logon.
I am at a loss troubleshooting this. Can someone give me a hint please?
Thanks
Chris
All replies (3)
Friday, September 11, 2015 12:45 PM ✅Answered | 1 vote
Hi Deason,
Thank you for your input. After further investigation I found that the root cause was not 2 smart cards on the same Yubikey.
One of the accounts had the attribute "Do not require Kerberos pre-authentication" set. Clearing this attribute enabled smart card logon for that account.
Regards
Chris
Monday, September 7, 2015 1:41 AM | 1 vote
Hi,
I found a blog that states that the Yubico works fine under Windows 10, but the Yubico official site states that it requires a domain account under Windows 7 and Windows 8. Since we know nothing about the Yubico smart card system, I’d suggest that you contact Yubico. There you can get more effective suggestions from experts who are familiar with the design of their products. Your understanding is highly appreciated.
For some devices, the manufacturer may provide more up-to-date drivers or drivers that enable additional functionality than the drivers installed by Windows 10. Always follow the recommendations of the device manufacturer for optimal performance and stability.
Regards,
D. Wu
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected].
Thursday, January 14, 2016 12:43 PM | 1 vote
Hello
I have a similar problem.
My infrastructure is a Windows 2003 DC with Windows 7, 8, 8.1 and Windows 10 clients.
Smart card logon is used to access the Active Directory domain.
My user account has the following configuration in Active Directory: "Do not require Kerberos pre-authentication" and "Smart Card is required for interactive logon". I have no problems with this setting on Windows 7, 8, 8.1, Windows 2012 and Windows 2012 R2 clients.
With a Windows 10 client I get the following error message during authentication: "Your credentials could not be verified."
If I clear the "Do not require Kerberos pre-authentication" setting in Active Directory, I have no problems logging on on the Windows 10 client.
In the client's Security log I see the following event, ID 4625, after the error message "Your credentials could not be verified".
I tried to create a test PKI smart card logon infrastructure with Windows 2012 R2 and Windows 10 Enterprise and I see the same problem, so the problem is not related to the Windows 2003 domain.
Currently no procedure has been found to solve this problem.
I need to use the "Do not require Kerberos pre-authentication" configuration in Active Directory with Windows 10 clients.
After the solution, an upgrade of the domain and forest from Windows 2003 to Windows 2012 R2 will be scheduled.
Attached is the error log from the Windows 10 client in my test infrastructure with Windows 2012 R2 and Windows 10:
An account failed to log on.
Subject:
Security ID: SYSTEM
Account Name: TEST4-W10$
Account Domain: DOMAIN
Logon ID: 0x3E7
Logon Type: 2
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: [email protected]
Account Domain:
Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xC000006D
Sub Status: 0x0
Process Information:
Caller Process ID: 0x3f4
Caller Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name: TEST4-W10
Source Network Address: 127.0.0.1
Source Port: 0
Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Regards
Mariano
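Both the accepted answer and Mariano's post come down to the same diagnosis: an account that has "Do not require Kerberos pre-authentication" set (and, in Mariano's case, "Smart card is required for interactive logon" as well) fails interactive smart card logon on Windows 10 with a 4625 event whose Status is 0xC000006D and SubStatus 0x0. The PowerShell below is an added example, not code from the thread or from Microsoft or Yubico. It assumes the ActiveDirectory RSAT module, rights to read userAccountControl (and to modify it for the clearing step), and read access to the client's Security log. The bit values for the two userAccountControl flags are the documented UF_* constants; the function names, the `$SearchBase`/`$ComputerName` parameters and the constructed filter are the example's own.

```powershell
# Added example for this thread (not from the original posts).
# Requires the ActiveDirectory module (RSAT) and rights to read/modify
# userAccountControl; the event query needs read access to the Security log.
Import-Module ActiveDirectory

# userAccountControl bits (documented UF_* values)
$UF_SMARTCARD_REQUIRED    = 0x40000    # "Smart card is required for interactive logon"
$UF_DONT_REQUIRE_PREAUTH  = 0x400000   # "Do not require Kerberos preauthentication"

function Get-SmartCardPreauthConflicts {
    # Lists accounts that carry BOTH flags, i.e. the configuration Mariano
    # describes. The OID 1.2.840.113556.1.4.803 is the LDAP bitwise-AND
    # matching rule; the values must be decimal, which string expansion
    # of the integers above produces.
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    $filter = "(&(objectCategory=person)(objectClass=user)" +
              "(userAccountControl:1.2.840.113556.1.4.803:=$UF_DONT_REQUIRE_PREAUTH)" +
              "(userAccountControl:1.2.840.113556.1.4.803:=$UF_SMARTCARD_REQUIRED))"

    Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase -Properties userAccountControl |
        Select-Object SamAccountName, UserPrincipalName,
            @{ n = 'userAccountControl'; e = { '0x{0:X}' -f $_.userAccountControl } }
}

function Get-PreauthNotRequired {
    # Broader check: any account with the pre-auth flag set, whether or not
    # smart card logon is enforced (Chris's account was one of these).
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    $filter = "(&(objectCategory=person)(objectClass=user)" +
              "(userAccountControl:1.2.840.113556.1.4.803:=$UF_DONT_REQUIRE_PREAUTH))"
    Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase |
        Select-Object SamAccountName, UserPrincipalName
}

function Clear-DontRequirePreauth {
    # The fix from the accepted answer: clear only this one bit and leave
    # the rest of userAccountControl (including SMARTCARD_REQUIRED) alone.
    param(
        [Parameter(Mandatory)][string]$Identity,
        [switch]$WhatIf
    )
    Set-ADAccountControl -Identity $Identity -DoesNotRequirePreAuth $false -WhatIf:$WhatIf
}

function Get-SmartCardLogonFailures {
    # Pulls recent 4625 events from the client and keeps the signature seen
    # in Mariano's log: interactive logon (type 2), Status 0xC000006D,
    # SubStatus 0x0. Field names come from the event's XML EventData.
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 500
    )

    Get-WinEvent -ComputerName $ComputerName -MaxEvents $MaxEvents `
                 -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Workstation = $data.WorkstationName
                User        = $data.TargetUserName
                LogonType   = $data.LogonType
                Status      = $data.Status
                SubStatus   = $data.SubStatus
            }
        } |
        Where-Object {
            $_.LogonType -eq '2' -and
            $_.Status    -eq '0xc000006d' -and   # string -eq is case-insensitive
            $_.SubStatus -eq '0x0'
        }
}

# Usage: first collect the failures on the client, then check the failing
# user's flags in AD, then clear the bit (dry run first with -WhatIf).
Get-SmartCardLogonFailures -ComputerName 'TEST4-W10' | Format-Table -AutoSize
Get-SmartCardPreauthConflicts | Format-Table -AutoSize
Clear-DontRequirePreauth -Identity 'someuser' -WhatIf
```

The two flags are queried with a bitwise LDAP filter rather than by fetching every user and testing `userAccountControl` client-side, so the check scales to a large domain. Clearing the pre-authentication flag is the right remedy independently of the Windows 10 logon problem: an account that does not require pre-authentication will hand an AS-REP encrypted with its long-term key to anyone who asks, which is the basis of AS-REP roasting.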