1. The YubiKey was enrolled outside Windows' native enrollment tools and the computer has the YubiKey Smart Card Minidriver installed.
2. The usage attributes on the certificate do not allow for smart card logon.
3. One or more domain controller(s) are missing certificates.

The YubiKey was enrolled outside Windows' native enrollment tools and the computer has the YubiKey Smart Card Minidriver installed

An incompatibility between YubiKeys enrolled using YubiKey PIV Manager (deprecated), yubico-piv-tool, or other 3rd party software and version 3.3 of the YubiKey Smart Card Minidriver can cause this error.

Note: This testing assumes you have a working and a non-working computer to test with on your domain.

1. In a Command Prompt window, run “certutil -scinfo” on both a working and non-working computer.
2. Near the top of the output, look for “Card:”.
3. If the card is listed as “NIST Identity …” on the working computer but “Yubikey … Smart Card” on the non-working, continue with these steps; otherwise this is not your issue and you should check the other potential causes.
4. On the non-working computer, check if the version of the YubiKey Smart Card Minidriver is installed.

Upgrade the YubiKey Smart Card Minidriver to version 4.1 or higher and it will be able to correctly read certificates from YubiKeys enrolled using the PIV tools. You can download the latest version here.

Uninstall the YubiKey Smart Card Minidriver. To do this, first install the Minidriver using one of the .MSI installers from this page (this will cleanly install the latest version, add an entry to Programs and Features which can be used to uninstall, etc.), then uninstall by following these instructions.

If the root certificate or any intermediate certificates are not trusted by the computer you are logging in to, the end certificate will not be trusted and will give this error.

1. Open a Command Prompt window, and run “certutil -scinfo”.
2. When prompted, enter your smart card PIN.
3. Near the end of the process, you will receive a prompt showing the certificate that was read from the YubiKey. When you see this, press the “More details” option which will open a new window.
4. Check the “Certificate Status” box at the bottom to see if it reports any issues with the certificate chain.
5. Ensure that the root and all intermediate CAs are installed on each workstation on your network.

The Usage Attributes on the Certificate do not Allow for Smart Card Logon

If the certificate does not include Smart Card Logon as a usage, Windows will not allow it to be used for logon and the error will be shown. On the General tab, look for “Smart Card Logon” under “This certificate is intended for the following purposes”.
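The two certificate checks described above (chain trust and the Smart Card Logon usage) can also be scripted against an exported copy of the certificate. The PowerShell below is an added example, not part of the original article or any Yubico tool; the function name Test-SmartCardLogonCert and the .cer file path are assumptions, and revocation checking is turned off so the result reflects only whether the root and intermediates are trusted on this computer.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example (not from the original article). Assumes the logon certificate
# has already been exported from the YubiKey to a .cer file.
function Test-SmartCardLogonCert {
    param([Parameter(Mandatory)][string]$Path)

    $smartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'   # OID of the Smart Card Logon usage
    $file = (Resolve-Path -LiteralPath $Path).ProviderPath
    $cert = [X509Certificate2]::new($file)

    # Usage check: the enhanced key usages are what the General tab lists
    # under "This certificate is intended for the following purposes".
    $eku = $cert.Extensions |
        Where-Object { $_ -is [X509EnhancedKeyUsageExtension] } |
        Select-Object -First 1
    $usages = @()
    if ($eku) { $usages = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # Chain check: build the chain against this computer's certificate stores.
    $chain = [X509Chain]::new()
    # Assumption: skip revocation so only missing or untrusted CAs are reported.
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        Subject           = $cert.Subject
        HasEkuExtension   = [bool]$eku
        SmartCardLogonEku = $usages -contains $smartCardLogonOid
        ChainTrusted      = $chainOk
        ChainProblems     = @($chain.ChainStatus | ForEach-Object {
                                '{0}: {1}' -f $_.Status, "$($_.StatusInformation)".Trim() })
        ChainSubjects     = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    }
}

# Usage (constructed sample path; replace with the real exported file):
# Test-SmartCardLogonCert -Path '.\logon-cert.cer' | Format-List
```

Run it on both the working and the non-working computer: a difference in ChainTrusted or ChainProblems between the two points at a root or intermediate CA missing from the non-working one.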