Over the weekend, I've run into a major issue with logging into Windows using smartcards (YubiKeys). I keep seeing a message saying, "Revocation status of the smartcard certificate used for authentication could not be determined." I'm pretty sure there's something wrong with our Certificate Authority (CA), but unfortunately, I can't access it to make any fixes. Just to give you an idea of the current situation:
1. LDAP authentication still seems to be working, so I think non-smartcard accounts might be able to log in if I had access to one.
2. Most users, including myself, can still log into our local workstations when off-network. I can gain local admin rights on my machine if that's necessary.
3. Our Root Certificate and MSCS Intermediate CA certificates are still valid.
4. We have a Group Policy that mandates smartcard logins.
5. I don't have any network-accessible admin accounts that can log in with just a password since they're all service accounts.
6. Local admin passwords are stored in LAPS, but I can't access the DC VMs to retrieve them.
7. I do have an endpoint management tool that allows basic operations like reboots, but a reboot of our CA didn't help the situation.
8. I'm hesitant to turn off a VM because I might not be able to restart it without access to the VM host.
9. If I manage to set up a local admin account for safe mode, it seems like GPO will just remove it afterward.
Given all this, does anyone have suggestions for what I can do next?
4 Answers
Sounds like the issue could be related to the Certificate Revocation List (CRL). You might want to check where the CRL is trying to fetch from and make sure that your machine is online and can access that location. If the CRL has expired, you'll need to figure out how to publish a new one, although I’m not entirely sure how to approach that in AD CS.
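The check this answer describes, as an added example that is not part of the original thread: read the CRL Distribution Point URLs out of a certificate issued by the CA, fetch each HTTP-published CRL, and report whether it is past its NextUpdate. The export path C:\Temp\smartcard.cer is an assumption; the URLs come from whatever the certificate carries. LDAP CDPs (the only kind the question's CA publishes) are listed but not fetched, since they need a domain-joined client with line of sight to a DC.

```powershell
# Added example, not from the original thread. Run on a workstation that can
# reach the CDP locations. Assumes the smart-card certificate (or any cert
# issued by the same CA) has been exported to C:\Temp\smartcard.cer.

function Get-CrlDistributionPoints {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # OID 2.5.29.31 is the CRL Distribution Points extension. The .NET
    # formatter renders it as text with one "URL=<uri>" entry per location.
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') |
        ForEach-Object { $_.Groups[1].Value }
}

function Test-HttpCrl {
    param([Parameter(Mandatory)][string]$Url)
    $result = [ordered]@{
        Url = $Url; Fetched = $false; ThisUpdate = $null
        NextUpdate = $null; Expired = $null; Note = ''
    }
    if ($Url -notmatch '^https?://') {
        # An LDAP-only CDP is exactly the situation in the question: only a
        # domain-joined client that can talk to a DC can read it.
        $result.Note = 'non-HTTP CDP; not fetched by this script'
        return [pscustomobject]$result
    }
    $tmp = Join-Path $env:TEMP ('cdp-' + [guid]::NewGuid() + '.crl')
    try {
        Invoke-WebRequest -Uri $Url -OutFile $tmp -UseBasicParsing -TimeoutSec 15
        $result.Fetched = $true
        # certutil -dump prints ThisUpdate/NextUpdate in the local date format.
        $dump = certutil -dump $tmp
        $this = ($dump | Select-String '^\s*ThisUpdate:\s*(.+)$' | Select-Object -First 1).Matches[0].Groups[1].Value
        $next = ($dump | Select-String '^\s*NextUpdate:\s*(.+)$' | Select-Object -First 1).Matches[0].Groups[1].Value
        $result.ThisUpdate = [datetime]::Parse($this)
        $result.NextUpdate = [datetime]::Parse($next)
        # A CRL past NextUpdate is unusable to the verifier, which is what
        # surfaces as "revocation status ... could not be determined".
        $result.Expired = $result.NextUpdate -lt (Get-Date)
    } catch {
        $result.Note = $_.Exception.Message
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
    [pscustomobject]$result
}

# Usage: list every CDP on the certificate and test the HTTP ones.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new('C:\Temp\smartcard.cer')
Get-CrlDistributionPoints $cert | ForEach-Object { Test-HttpCrl $_ } | Format-Table -AutoSize

# For the full picture, including LDAP CDPs, from a domain-joined host:
# certutil -verify -urlfetch C:\Temp\smartcard.cer
```

The `certutil -verify -urlfetch` line at the end does the same check with the built-in tool and is the one to run from a domain-joined machine, since it will follow the LDAP URL as well and print a "Expired" or "Failed" status next to each CRL it tries.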
You mentioned you're only publishing your CRL via LDAP, which might be your first mistake here. Plus, it sounds like you don't have any break-glass accounts available. You're somewhat trapped in a catch-22 situation. If you have the directory services restore mode (DSRM) password for your domain controller, you could start a DC in DSRM to change group policies. This would allow you to delete or rename the policies enforcing smartcard logins, letting you back in. Also, consider switching to HTTP for CRL publishing; that's Microsoft's recommendation.
Thanks for the advice! I do have a CRL in place, but currently, it's only being accessed through LDAP. I'm trying to find a way to log into one of the domain controller VMs.
Just checking, did any of your root or other CA keys expire recently? That could definitely complicate things.
No, as I mentioned before, both our intermediate and Root certificates are in good standing with a long time before expiration.
If you want to do some troubleshooting, you can open pkiview.msc to see what it reports – it could give you some leads on what's wrong with the certificates.

That's a good point. I can't access the CA to see where it's checking for the CRL, but I do know it's only using the LDAP location right now.
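The CA-side fix the thread converges on (add an HTTP CDP alongside the LDAP one, then publish a fresh CRL), as an added example that is not part of the original thread. It assumes an elevated prompt on the issuing CA, the default AD CS CertEnroll folder, and that that folder is served at http://pki.corp.example/CertEnroll/ (the hostname is an assumption; adjust it, and make sure something such as the web enrollment role or a plain IIS virtual directory actually serves the path). Two caveats matter here: the CDP extension is baked into a certificate at issuance, so the new HTTP URL only helps certificates issued or renewed after the change, and the existing smart-card certificates will keep pointing at LDAP until then; what unblocks logon today is a current CRL in the LDAP location those certificates already reference, which `certutil -CRL` republishes.

```powershell
# Added example, not from the original thread. Run elevated on the issuing CA.
# Hostname pki.corp.example and the IIS path are assumptions.

# 1. See what the CA publishes now and how long each CRL is valid for.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CRLPeriodUnits
certutil -getreg CA\CRLPeriod

# 2. Rewrite the publication list: keep the local-file and LDAP entries that
#    -getreg showed (the two below are the enterprise CA defaults; substitute
#    your own if they differ) and add an HTTP CDP. Prefix flags:
#      1 = publish CRLs to this location      2 = put URL in the CDP of new certs
#      4 = put URL in the freshest-CRL ext    8 = include in all CRLs (AD publish)
#     64 = publish delta CRLs here
#    %3%8%9 expands to CA name, CRL suffix and delta suffix.
$urls = @(
    '65:C:\Windows\System32\CertSrv\CertEnroll\%3%8%9.crl',
    '79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10',
    '6:http://pki.corp.example/CertEnroll/%3%8%9.crl'
) -join "`n"
certutil -setreg CA\CRLPublicationURLs $urls

# 3. Restart the service so it reads the new list, then publish a fresh CRL.
#    This writes to every location flagged 1/64, including the LDAP container
#    the already-issued smart-card certificates point at.
Restart-Service certsvc
certutil -CRL

# 4. Confirm the CRL just written is current.
Get-ChildItem 'C:\Windows\System32\CertSrv\CertEnroll\*.crl' | ForEach-Object {
    Write-Host "== $($_.Name)"
    certutil -dump $_.FullName | Select-String 'ThisUpdate|NextUpdate'
}

# 5. Verify the chain the way a client (or the KDC on a DC) will, using any
#    certificate issued by this CA. Assumed export path.
certutil -verify -urlfetch C:\Temp\smartcard.cer

# 6. On the DCs and on an affected workstation, drop the cached (expired) CRL
#    so the next logon fetches the new one instead of waiting for the cache
#    to time out.
certutil -urlcache crl delete
```

If step 3 cannot run because the CA cannot be reached, nothing else in this block helps; that is the catch-22 the thread describes, and the remaining path is getting a session on the CA or a DC (DSRM, or a LAPS password) to run `certutil -CRL` there. Once new certificates carry the HTTP CDP, clients off the corporate network can still check revocation, which is the reason the HTTP location is recommended over LDAP-only publishing.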