Internal Certificate Chaining Errors with Smart Cards (296801)



The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server

This article was previously published under Q296801

SYMPTOMS

When you attempt to use a smart card to log on to a Windows 2000-based computer, you receive the following error message:
Internal certificate chaining error has occurred.
You may be able to successfully log on to another computer by using the same smart card without receiving this error message.

CAUSE

If a newly installed enterprise Certificate Authority (CA) has issued a smart card logon certificate, the domain controllers that process the logon request may not be aware of the new CA; therefore, the authenticating server may be unable to build the chain, either because certificates are not present on the domain controller, or because certificates in the chain are not attainable through their AIA extensions.

RESOLUTION

To resolve this issue, you can use the Dsstore utility, which is included in the Windows 2000 Resource Kit, to delete all the domain controller certificates that do not chain.

You must be a domain administrator to perform the following steps. These steps verify that the domain controller certificates on all domain controllers chain correctly. It is recommended that you run this check on a member workstation or server, because that emulates the chain validation process that takes place on a smart card logon client.
  1. From a command prompt, run the following command:

    Dsstore -dcmon

  2. Choose the following option:
    2. Chain  Check chaining on DC certificates
  3. If chaining errors do exist, run dsstore -dcmon again.
  4. Choose the following option:
    4. Delete bad  Deletes *all* KDC certificates which do not chain
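One way to perform the same chain check from a member machine, as an added example that is not part of this article and does not call Dsstore: a PowerShell script that builds the chain for every certificate each domain controller has published in the userCertificate attribute of its computer object and reports the ones that fail. It assumes a domain-joined host with PowerShell and the ActiveDirectory module (neither is part of Windows 2000), and it only reports; any deletion is left to the administrator.

```powershell
# Added example, not from the KB article and not what dsstore does internally.
# Assumes: domain-joined host, ActiveDirectory module, DCs publish their
# certificates in the userCertificate attribute of their computer objects.
Import-Module ActiveDirectory

function Test-DcCertificateChain {
    param([switch]$CheckRevocation)

    $results = @()
    # primaryGroupID 516 is the "Domain Controllers" group
    $dcs = Get-ADComputer -Filter 'PrimaryGroupID -eq 516' -Properties userCertificate

    foreach ($dc in $dcs) {
        if (-not $dc.userCertificate) {
            $results += [pscustomobject]@{ DC = $dc.Name; Subject = '(none)'; Thumbprint = '';
                                           Chains = $false; Status = 'No certificate published in AD' }
            continue
        }
        foreach ($raw in $dc.userCertificate) {
            # Each value is the DER-encoded certificate as a byte array
            $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$raw)
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            # The KB's cause is a missing issuer (PartialChain / UntrustedRoot), not
            # revocation, so the revocation check is off unless explicitly requested.
            $chain.ChainPolicy.RevocationMode = if ($CheckRevocation) { 'Online' } else { 'NoCheck' }
            $ok = $chain.Build($cert)
            $status = if ($ok) { 'OK' } else {
                ($chain.ChainStatus | ForEach-Object {
                    "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '
            }
            $results += [pscustomobject]@{ DC = $dc.Name; Subject = $cert.Subject;
                                           Thumbprint = $cert.Thumbprint; Chains = $ok; Status = $status }
            $chain.Reset()
        }
    }
    $results
}

# Report every published DC certificate; rows with Chains = False are the ones
# a smart card logon client would also fail to validate.
Test-DcCertificateChain | Format-Table -AutoSize
```

A PartialChain status on a certificate issued by a newly installed CA is the signature of the cause described above: the issuer's certificate is neither in the local stores nor reachable through the AIA extension.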

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

MORE INFORMATION

When you install an Enterprise CA, all domain controllers in the domain automatically enroll for a domain controller certificate. You can use the Certificate snap-in to verify that the domain controller has received a certificate.

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

270048 Auto-Enrollment Objects Do Not Work When CA Certificate Renewed



Modification Type: Minor
Last Reviewed: 1/27/2006
Keywords:kberrmsg kbprb KB296801