Windows Desktop Access - AD CS Mandatory? Smartcard Logon Issue in no AD CS environment #33108

Answered by zmb3
vngu95 asked this question in Q&A
This can be pretty tricky to get right. The best and most complete reference I'm aware of is https://awakecoding.com/posts/active-directory-kerberos-kdc-certificate-selection/

A couple highlights to look out for:

  • The issuer CA cert must be present in the NTAuth store
  • Revocation checks must succeed
  • The certificates are imported in the correct order so that the proper KDC cert is selected (this is the tricky part)

zmb3 Oct 9, 2023
Maintainer

Answer selected by webvictim
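
A diagnostic sketch for the three points in the answer above, as an added example that is not part of the original answer or of Teleport's own tooling. It assumes it is run in PowerShell on a domain controller, that `$CertPath` (a hypothetical parameter) points to an exported smartcard logon certificate, and that the registry key shown is where Windows caches the enterprise NTAuth store locally. It only lists the DC's candidate certificates; which one the KDC selects is covered by the article linked in the answer.

```powershell
# Added example (hypothetical helper script, not from the original page).
param(
    # Assumption: path to an exported smartcard logon certificate (.cer)
    [Parameter(Mandatory)] [string] $CertPath
)

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    (Resolve-Path $CertPath).Path)

# Revocation: build the chain with online revocation checking enabled.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
$chainOk = $chain.Build($cert)

# NTAuth: the issuing CA's thumbprint must appear in the NTAuth store.
# Subkey names under this key are the thumbprints of the cached CA certificates.
$ntAuthKey = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates'
$ntAuth = @(Get-ChildItem $ntAuthKey -ErrorAction SilentlyContinue |
    ForEach-Object { $_.PSChildName })

# Element 0 is the leaf, element 1 (if present) is the CA that issued it.
$issuer = $null
if ($chain.ChainElements.Count -gt 1) {
    $issuer = $chain.ChainElements[1].Certificate
}
$inNtAuth = [bool]($issuer -and ($ntAuth -contains $issuer.Thumbprint))

[pscustomobject]@{
    Subject              = $cert.Subject
    IssuingCA            = if ($issuer) { $issuer.Subject } else { '(not found in chain)' }
    IssuerInNTAuth       = $inNtAuth
    ChainAndRevocationOk = $chainOk
    ChainErrors          = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
} | Format-List

# KDC certificate candidates: machine certificates with a private key on this DC.
# More than one entry here means certificate selection needs to be checked.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey } |
    Select-Object Thumbprint, Issuer, NotBefore, NotAfter,
        @{ n = 'EKU'; e = { $_.EnhancedKeyUsageList.FriendlyName -join '; ' } } |
    Format-Table -AutoSize
```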