| Author |
Message |
Kerberos Error #8
Guest
|
 Posted:
Tue Feb 22, 2005 9:09 pm Post subject:
Windows 2003 Kerberos error Event ID #8 |
|
|
I am getting the following message "The Domain Controller rejected the client
certificate used for smartcard logon. The error data contains the
information returned from the certificate validation process." The error
data bytes are 13 20 09 80.
Where can I find out what the error data bytes mean |
|
| Back to top |
|
 |
Steven L Umbach
Guest
|
| Posted:
Wed Feb 23, 2005 6:48 am Post subject:
Re: Windows 2003 Kerberos error Event ID #8 |
|
|
The link below is for general kerberos troubleshooting but the problem seems
to be related to the smart card. Possibly the certificate has expired, was
revoked, or the private key is corrupted. In if this is happening with all
smart card users then there is a problem with wrong certificate type or
inability to locate the CRL or CA certificate, etc. Check Event Viewer on
both computers for any helpful info. --- Steve
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx
"Kerberos Error #8" <Kerberos Error #8 @discussions.microsoft.com> wrote in
message news:06B784D8-1AE7-4D46-85A9-A96606DF585B@microsoft.com...
| Quote: | I am getting the following message "The Domain Controller rejected the
client
certificate used for smartcard logon. The error data contains the
information returned from the certificate validation process." The error
data bytes are 13 20 09 80.
Where can I find out what the error data bytes mean |
|
|
| Back to top |
|
|
dave
Guest
|
| Posted:
Wed Feb 23, 2005 6:43 pm Post subject:
Re: Windows 2003 Kerberos error Event ID #8 |
|
|
The certificate is valid and the CRLS are uptodate. This is an iintermittent
problem. The user can logon sometimes. It always seems to be a CRL from the
same CA. We have loaded the CRLs into the registry to expidate processing.
The CRL is huge (over 6M) but other sites are not having the same problem. I
have verified that the CRLs are valid and not expired using the certificates
mmc. I was hoping the error bytes would give me some information.
The error message on the domain controller is KDC 21 "The client certificate
for the user xxxxxxxxx\xxxxxx is not valid, and resulted in a failed
smartcard logon".
I agree it looks like a problem with the CRL but sometimes the user can
logon at 6:30am but not at 8:30.
"Steven L Umbach" wrote:
| Quote: | The link below is for general kerberos troubleshooting but the problem seems
to be related to the smart card. Possibly the certificate has expired, was
revoked, or the private key is corrupted. In if this is happening with all
smart card users then there is a problem with wrong certificate type or
inability to locate the CRL or CA certificate, etc. Check Event Viewer on
both computers for any helpful info. --- Steve
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx
"Kerberos Error #8" <Kerberos Error #8 @discussions.microsoft.com> wrote in
message news:06B784D8-1AE7-4D46-85A9-A96606DF585B@microsoft.com...
I am getting the following message "The Domain Controller rejected the
client
certificate used for smartcard logon. The error data contains the
information returned from the certificate validation process." The error
data bytes are 13 20 09 80.
Where can I find out what the error data bytes mean
|
|
|
| Back to top |
|
|
Steven Umbach
Guest
|
| Posted:
Thu Feb 24, 2005 6:48 am Post subject:
Re: Windows 2003 Kerberos error Event ID #8 |
|
|
Hmm. That does sound strange. It might be worthwhile to issue the user a new
smart card to see if that could possibly fix the problem if it is isolated to
that one user. --- Steve
"dave" <dave@discussions.microsoft.com> wrote in message
news:B99A764A-C9E8-4A20-9915-93A4BF9F34B6@microsoft.com...
| Quote: | The certificate is valid and the CRLS are uptodate. This is an iintermittent
problem. The user can logon sometimes. It always seems to be a CRL from the
same CA. We have loaded the CRLs into the registry to expidate processing.
The CRL is huge (over 6M) but other sites are not having the same problem. I
have verified that the CRLs are valid and not expired using the certificates
mmc. I was hoping the error bytes would give me some information.
The error message on the domain controller is KDC 21 "The client certificate
for the user xxxxxxxxx\xxxxxx is not valid, and resulted in a failed
smartcard logon".
I agree it looks like a problem with the CRL but sometimes the user can
logon at 6:30am but not at 8:30.
"Steven L Umbach" wrote:
The link below is for general kerberos troubleshooting but the problem seems
to be related to the smart card. Possibly the certificate has expired, was
revoked, or the private key is corrupted. In if this is happening with all
smart card users then there is a problem with wrong certificate type or
inability to locate the CRL or CA certificate, etc. Check Event Viewer on
both computers for any helpful info. --- Steve
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx
"Kerberos Error #8" <Kerberos Error #8 @discussions.microsoft.com> wrote in
message news:06B784D8-1AE7-4D46-85A9-A96606DF585B@microsoft.com...
I am getting the following message "The Domain Controller rejected the
client
certificate used for smartcard logon. The error data contains the
information returned from the certificate validation process." The error
data bytes are 13 20 09 80.
Where can I find out what the error data bytes mean
|
|
|
| Back to top |
|
|
|
|
|
|
FAQ
Memberlist
Register
Profile
Log in to check your private messages
Log in