Symptoms / Windows Errors | Solutions |
---|---|
Error shown to the user: The revocation status of the domain controller certificate used for the smart card authentication could not be determined. AND Windows Event Log: The client has failed to validate the domain controller certificate for dc.example.com. The following error was returned from the certificate validation process: A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. | How to save kdccert.cer on the desktop:
Display certificate info on target:
Target host is not able to validate the domain controller certificate, if:
Note Active Directory doesn’t allow anonymous bind and the CRL object permissions do not allow access with ANONYMOUS LOGON, so use bind e.g. with ldapsearch if testing if CRL is valid in LDAP path if two-way trust is in place multi-domain environment and it should work, else configure CA with HTTP CRL accessible from all target hosts and renew DC KDC certificate(s). |
This error persists even when KDC certificate has been updated to include proper accessible HTTP CRL DP or expired CRL has been replaced by a valid CRL: The revocation status of the domain controller certificate used for the smart card authentication could not be determined. | Ensure Windows cache doesn’t interfere. Windows has a negacache for CRL queries that cause validation to fail locally if it has failed in the past. The system cache is persistent and survives reboot. The cache of the system cannot be cleared with |
Error shown to the user: The revocation status of the smart card certificate could not be determined. | On target:
Target host is not able to validate the user certificate from virtual smart card, if:
Ensure accessible IP / FQDN on PrivX Server and DNS is configured correctly on Windows environment. Check that CRL DP URL in the user certificate can be downloaded from the target with a browser or certutil and firewalls are not blocking outgoing port 80 on target or incoming port 80 on PrivX CA. PrivX CA issues empty CRL on demand and it is valid one hour in the past and 23 hours in the future. |
Windows Revocation Failures
Did you find it helpful? Yes No
Send feedbackSorry we couldn't be helpful. Help us improve this article with your feedback.