Microsoft KB Archive/296801

= Internal Certificate Chaining Errors with Smart Cards =

Article ID: 296801

Article Last Modified on 3/1/2007

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server

-



This article was previously published under Q296801



SYMPTOMS
When you attempt to use a smart card to log on to a Windows 2000-based computer, you receive the following error message:

Internal certificate chaining error has occurred.

You may be able to log on successfully to another computer by using the same smart card without receiving this error message.



CAUSE
If a newly installed enterprise certification authority (CA) has issued a smart card logon certificate, the domain controllers that process the logon request may not yet be aware of the new CA. The authenticating domain controller is then unable to build a certificate chain for the smart card certificate, either because the CA certificates in the chain are not present on the domain controller, or because they cannot be retrieved from the URLs in their Authority Information Access (AIA) extensions.



RESOLUTION
To resolve this issue, use the Dsstore utility, which is available in the Windows 2000 Resource Kit, to delete the domain controller certificates that do not chain.

You must be a domain administrator to perform the following steps. These steps verify that the domain controller certificates on all domain controllers chain correctly. Run the check on a member workstation or server rather than on a domain controller, because this emulates the chain validation that takes place on a smart card logon client. From a command prompt, run the following command:

dsstore -dcmon

Choose the following option:

  2. Chain        Check chaining on DC certificates

If chaining errors exist, run dsstore -dcmon again and choose the following option:

  4. Delete bad   Deletes *all* KDC certificates which do not chain

Note that option 4 deletes every KDC certificate that fails the chain check, not only the certificate of the domain controller on which the logon failed, so review the output of option 2 before you use it.
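The following script is an added example; it is not part of this article or of the Dsstore utility. It reproduces the "Chain" check of dsstore -dcmon with the .NET X509Chain class so that you can run it from a member workstation and see why a domain controller certificate does not chain (the CAUSE section above: CA certificates missing from the chain, or not retrievable through their AIA URLs). It assumes that the caller can read computer objects in the domain, and that each domain controller's certificate is published in the userCertificate attribute of the domain controller's computer object; if it is not, export the certificates from each domain controller's computer Personal store to .cer files and pass them with the -Path parameter. Both assumptions are the example's, not the article's.

```powershell
# Added example, not from KB 296801 or the Dsstore tool. Emulates the "Chain" check of
# "dsstore -dcmon" from a member workstation using .NET X509Chain.
# Assumptions (not stated by the article):
#   - the caller can read computer objects in the domain (true for any domain user by default);
#   - each DC's certificate is published in the userCertificate attribute of its computer
#     object; otherwise export the certificates to .cer files and use -Path.

function Get-DomainControllerCertificate {
    [CmdletBinding()]
    param([string[]]$Path)

    if ($Path) {
        # Offline mode: one or more exported DER or Base64 .cer files.
        foreach ($file in $Path) {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file
            [pscustomobject]@{ Source = $file; Certificate = $cert }
        }
        return
    }

    # primaryGroupID 516 is the Domain Controllers group, so the filter matches every
    # DC computer object; userCertificate holds the DER-encoded certificates.
    $searcher = [adsisearcher]'(&(objectCategory=computer)(primaryGroupID=516))'
    [void]$searcher.PropertiesToLoad.Add('dNSHostName')
    [void]$searcher.PropertiesToLoad.Add('userCertificate')
    foreach ($result in $searcher.FindAll()) {
        $dc = [string]$result.Properties['dnshostname'][0]
        foreach ($der in $result.Properties['usercertificate']) {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$der)
            [pscustomobject]@{ Source = $dc; Certificate = $cert }
        }
    }
}

function Test-DomainControllerCertificateChain {
    [CmdletBinding()]
    param(
        # Objects emitted by Get-DomainControllerCertificate (Source + Certificate).
        [Parameter(Mandatory, ValueFromPipeline)][psobject]$InputObject
    )
    process {
        $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]$InputObject.Certificate
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Online mode lets the chain engine follow AIA URLs and fetch CRLs, as a smart card
        # logon client does. PartialChain and UntrustedRoot in the Status column are the
        # failure modes the article describes; RevocationStatusUnknown/OfflineRevocation
        # mean the CRL distribution point could not be reached from this machine.
        $chain.ChainPolicy.RevocationMode      = 'Online'
        $chain.ChainPolicy.RevocationFlag      = 'ExcludeRoot'
        $chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15
        $builds = $chain.Build($cert)

        [pscustomobject]@{
            Source   = $InputObject.Source
            Subject  = $cert.Subject
            Issuer   = $cert.Issuer
            NotAfter = $cert.NotAfter
            Chains   = $builds
            Depth    = $chain.ChainElements.Count
            Status   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
            # The AIA extension (OID 1.3.6.1.5.5.7.1.1) shows where the issuing CA
            # certificate is expected to be retrievable from.
            AIA      = ($cert.Extensions |
                        Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' } |
                        ForEach-Object { $_.Format($false) }) -join ' '
        }
        $chain.Reset()
    }
}

# Run from a member workstation or server, as the article recommends:
#   Get-DomainControllerCertificate | Test-DomainControllerCertificateChain | Format-Table -AutoSize
#   Get-DomainControllerCertificate -Path .\dc1.cer, .\dc2.cer | Test-DomainControllerCertificateChain
```

The script only reports; it does not delete anything. A row with Chains = False and a Status of PartialChain or UntrustedRoot is the same condition that dsstore -dcmon option 2 flags and option 4 removes. Run it on the domain controller itself as well when the workstation result is clean, because the two machines can have different CA certificates in their stores and different reachability to the AIA URLs.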


STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.


MORE INFORMATION
When you install an enterprise CA, all domain controllers in the domain automatically enroll for a domain controller certificate. You can use the Certificates snap-in, opened for the local computer account, to verify that a domain controller has received its certificate.

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

270048 Auto-Enrollment Objects Do Not Work When CA Certificate Renewed

Keywords: kberrmsg kbprb KB296801

-


© Microsoft Corporation. All rights reserved.