This is the first that you mentioned a 2nd forest. Thanks for the info <G>
the NTAuth store does not contain root certs, it must contain the CA that
issued the smart card certificate
Look at the CA stores in the working forest using PKIView.msc (from the
resource kit).
They must be the same in the other forest.
Number 2, does CRL checking work in the other forest (are the URLs
accessible)/
Number 3. Do the accounts have the same UPN in both forests. The UPN in the
cert must match the account's UPN in the 2nd forest to work
Brian
"Don Jones" <DonJones@discussions.microsoft.com> wrote in message
news:49B24A2C-FFFD-49A9-B182-134704327EEB@microsoft.com...<span style="color:blue">
> The SmartCards can log into on AD Forest, but not another. The two forest
> don't trust each other.
>
> Looked that the article on 3rd party CA's, but still no go. The 3rd party
> CA's root certificates are in the NTAuthCA store, and the CRLs have been
> imported into Certificate manager and placed in the CRL store.
>
> "Brian Komar (MVP)" wrote:
><span style="color:green">
>> The domain controller certificate will work for smart card
>> authentication.
>> You meed to look at the KB article on enabling smart card auth certs from
>> 3rd paty CAs.
>>
http://support.microsoft.com/kb/281245/en-us
>>
>> Does the certificate contain the user's UPN in the subject alternative
>> name
>> Is the CA in the NTAuth store
>> Are all CRLs and CA certificates for the 3rd party chain available
>>
>> Brian
>>
>> "Don Jones" <DonJones@discussions.microsoft.com> wrote in message
>> news:90ACC56E-F936-4A4B-BF85-272F3DF00DFA@microsoft.com...<span style="color:darkred">
>> > Thanks for the response. I have read the articles, have a question.
>> >
>> > We have smartcards issued by a third party ca, and have the root-ca's
>> > certificate listed in the places mentioned in the articles. Our
>> > DomainController Certificate is not from the Same CA that issued the
>> > SmartCards Certificates. The Certificate is from our Enterprise CA.
>> > We
>> > are
>> > currently using the DomainController template, which doesn't list
>> > SmartCard
>> > Logon as a property.
>> >
>> > Does the DomainController's certificate contain the SmartCard Logon
>> > property? If so, How can I add the SmartCard Logon property to the
>> > DomainController Template or do I need to upgrade to Enterprise
>> > Edition?
>> >
>> > Don Jones
>> >
>> > "Dobromir Todorov" wrote:
>> >
>> >> Try this if you are looking at a third party (non-Microsoft) CA, or
>> >> Microsoft Standalone CA.
>> >>
>> >>
http://support.microsoft.com/kb/281245
>> >>
>> >> If you are looking at your own, Microsoft Enterprise CAs, you'd
>> >> suggest
>> >> that
>> >> you go for a longer read here:
>> >>
http://technet2.microsoft.com/windowsserve...3.mspx?mfr=true
>> >>
>> >> --
>> >> ---
>> >> HTH,
>> >> Dobromir
>> >>
>> >> Visit
http://www.iamechanics.com
>> >>
>> >> "Don Jones" <DonJones@discussions.microsoft.com> wrote in message
>> >> news:014B2D7A-CDBC-46ED-95B8-E9D22952AEBB@microsoft.com...
>> >> > Can someone direct me to some articles that explain how to configure
>> >> > AD
>> >> > for
>> >> > Smart Card Authentication? If read various articles and they were
>> >> > not
>> >> > clear
>> >> > as to what is required and how to implement smartcard
>> >> > authentication.
>> >> >
>> >> > If this isn't the correct group, please let me know what the correct
>> >> > group
>> >> > would be.
>> >> >
>> >> > Thanks.
>> >> >
>> >> > Don Jones
>> >>
>> >>
>> >></span>
>>
>> </span></span>