RE: [Fed-Talk] JITC CAC card gets " An untrusted certificate authority was detected while processing the smart card certificate used for authentication" login error...
- Subject: RE: [Fed-Talk] JITC CAC card gets " An untrusted certificate authority was detected while processing the smart card certificate used for authentication" login error...
- From: "Miller, Timothy J." <email@hidden>
- Date: Tue, 6 Apr 2010 17:46:43 -0400
Was the client Vista or XP? There are slight differences in error text presented for different error conditions on both versions. And are you 100% positive that was the exact error text? There are multiple messages that are similar, and the specific message matters.
I recently did a near-exhaustive record of all the different error conditions for PKINIT with Win2k3/XP and Win2k8R2/Vista and noted the event log, console message, and Kerberos error returned for each case. That particular verbiage ("An untrusted certificate authority was detected") only occurs when there's a broken trust issue at the DC (missing root or missing issuer).
-- Tim
>-----Original Message-----
>From: Paul Kwan [mailto:email@hidden]
>Sent: Tuesday, April 06, 2010 4:33 PM
>To: Miller, Timothy J.; Apple FED-TALK
>Cc: Louie Boczek; Keith Moreau; Paul Moore; David McNeely
>Subject: Re: [Fed-Talk] JITC CAC card gets " An untrusted certificate
>authority was detected while processing the smart card certificate used
>for authentication" login error...
>
>Hi Tim,
>
> I double checked all 3 certificates on our DC and they are all valid
>and under the "Trusted Root Certification Authorities" and "Intermediate
>Certification Authorities" tabs:
>
> Thanks.
>
>PSK
>
>On 4/6/10 1:33 PM, "Miller, Timothy J." <email@hidden> wrote:
>
>
>
> That specific message only appears on Vista when the *DC* doesn't
>trust the root CA the logon certificate chains to, or the DC doesn't
>trust the issuer the chain passes through. In this case, that's the
>JITC root CA or OM 20 or OM Email 20. Check trust on the DC, fix it,
>and continue. :)
>
> -- Tim
>
>
 > >-----Original Message-----
 > >From: fed-talk-bounces+tmiller=email@hidden [mailto:fed-talk-bounces+tmiller=email@hidden] On Behalf Of Paul Kwan
 > >Sent: Tuesday, April 06, 2010 8:18 AM
 > >To: Apple FED-TALK
 > >Cc: Louie Boczek; Keith Moreau; Paul Moore; David McNeely
 > >Subject: [Fed-Talk] JITC CAC card gets " An untrusted certificate
 > >authority was detected while processing the smart card certificate used
 > >for authentication" login error...
 > >
 > >Hi All,
 > >
 > > I have a test JITC CAC card that worked on Mac and Windows workstation
 > >since May last year. Now I got the following error when trying to login
 > >again:
 > >
 > > 1) From the Windows login screen, it pops up this error message:
 > >
 > >The system could not log you on. An untrusted certificate authority was
 > >detected while processing the smart card certificate used for
 > >authentication
 > >
 > > 2) On the Mac, secure.log shows similar error message complaining on
 > >"An untrusted CA..."
 > >
 > > The JITC CAC card is valid until next year. And the DoD certs on AD
 > >are also valid:
 > >
 > > 2.1) "DOD OM CA-20": Valid from 8/3/2007 to 8/1/2013
 > > 2.2) "DOD OM EMAIL CA-20": Valid from 8/2/2007 to 4/1/2013
 > > 2.3) "DoD JITC Root CA 2": Valid from 7/14/2005 to 7/2/2030
 > >
 > > 3) I can access and download the CRL files without any problem:
 > >
 > > 3.1) http://crl.nit.disa.mil/getcrl?DoD JITC Root CA 2
 > > 3.2) http://crl.nit.disa.mil/getcrl?DOD OM CA-20
 > > 3.3) http://crl.nit.disa.mil/getcrl?DOD OM EMAIL CA-20
 > >
 > > Does anybody out there see the similar problem? How can I fix this
 > >so that my test JITC CAC card works again? Thanks for the help in
 > >advance.
 > >
 > >PSK
>
>
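
One way to test the two conditions named in the thread (missing root, missing issuer) from the DC's point of view, as an added example that is not from any of the thread's participants. It assumes the logon certificate has been exported from the card to a file; the path `C:\temp\logon-cert.cer` is a hypothetical placeholder.

```powershell
# Added example; run on the domain controller itself.
# $CertPath is a hypothetical path to the card's logon certificate (public part only).
param([string]$CertPath = 'C:\temp\logon-cert.cer')

$x509 = 'System.Security.Cryptography.X509Certificates'
$cert = New-Object "$x509.X509Certificate2" $CertPath

# $true = machine context: the chain is built from the DC's LocalMachine stores,
# not from the stores of whichever administrator is logged on.
$chain = New-Object "$x509.X509Chain" $true

# Trust only. Revocation is skipped so a CRL problem cannot mask a trust failure.
$chain.ChainPolicy.RevocationMode = 'NoCheck'

$trusted = $chain.Build($cert)
"Chain trusted by this machine: $trusted"

# Walk the chain the DC actually built and show where each CA certificate was found.
foreach ($el in $chain.ChainElements) {
    $c = $el.Certificate
    $flags = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
    if (-not $flags) { $flags = 'NoError' }

    $stores = @()
    if (Test-Path "Cert:\LocalMachine\Root\$($c.Thumbprint)") { $stores += 'Trusted Root' }
    if (Test-Path "Cert:\LocalMachine\CA\$($c.Thumbprint)")   { $stores += 'Intermediate' }
    if (-not $stores) { $stores = @('not in a machine CA store') }

    "Subject : $($c.Subject)"
    "  Issuer: $($c.Issuer)"
    "  Valid : $($c.NotBefore) to $($c.NotAfter)"
    "  Store : $($stores -join ', ')"
    "  Status: $flags"
}

# Map the overall result onto the two failure cases described in the thread.
$status = @($chain.ChainStatus | ForEach-Object { $_.Status })
if ($status -contains 'PartialChain') {
    'Missing issuer: no issuing CA certificate matching the logon certificate was found.'
}
if ($status -contains 'UntrustedRoot') {
    'Missing root: the chain ends at a root that is not in the machine Trusted Root store.'
}
```

A CA certificate can share a display name with the expected one and still not match the card's chain, so compare the subject, issuer and thumbprint lines printed here against what the store tabs show rather than relying on the name alone.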