I'm managing a small network with a domain controller and several Windows 11 machines. After configuring the Certificate Authority (CA) and setting up smart cards, everything worked smoothly initially. Users could log in using their smart cards, and pulling them out would lock the screen, but inserting them again would allow them to log back in seamlessly.
However, after shutting everything down for the weekend and starting it up again on Monday, one user encountered a problem. They were able to log in at first, but after pulling out their smart card and trying to log in again, they received an error message stating: "the revocation status of the smart card certificate used for authentication could not be determined."
The network connectivity appears to be fine, as everything pings correctly. After rebooting the workstation (while the domain controller stayed online), another message appeared indicating that the revocation status of the domain controller could not be determined. I'm wondering why this issue occurred suddenly after a couple of days without any changes to the setup.
2 Answers
First off, can you check what type of PIV card you're using and which version of Windows 11 it's running? Also, try logging in using a username and password to see if that's working. Reviewing the event logs could provide some insight. I found that our specific model of cards wasn't compatible with the latest Windows 11 update, which led to authentication issues after reviewing the event viewer for errors.
It sounds like your problem might be related to an expired Certificate Revocation List (CRL). Since the user managed to log in initially but faced issues after pulling the card, it might indicate the CRL wasn’t available or updated correctly after the restart.
That’s the tricky part! The user did manage to log in with their smart card initially, but trouble only started after they pulled it and tried to log back in. It wasn’t just one card, either; multiple ones faced the same issue.
I’m using Win11 IoT, and I was able to log in before without any issues. It’s odd that problems arose only after everything restarted. The smart cards and CA were set so that nothing would expire in terms of certificates, and logging in with domain credentials works without a hitch.