Closed lachellel closed 3 years ago
This sounds like the key usage on the cert used for TLS client connections didn't quite have the correct key usage fields. IIRC RDP squawks like a TLS client. Not all PIV certs are populated with a consistent set of certificate attributes (regardless of what the specs say). Some systems emit misleading messages, so I would not immediately assume the key doesn't exist and/or the key container (cert as visible in MMC?) is the problem. Troubleshooting suggestion would be to run certutil /scinfo, get the card populated into a Windows machine, then use MMC to go and look at the certs from the card in detail to ensure the key usage fields of the certificates match a known working sample.
@rt-smithee
This error is actually most common due to driver mismatches: the driver on the client and the driver on the target are different versions, and this error gets emitted (completely misleading!!!).
Generally have found it happening with a commercial middleware / driver on one side, and a native OS driver on the other.
The certutil scinfo is indeed the best first troubleshooting step!
@rt-smithee @lachellel - Hef concurs: Cause: There is a problem with the smart card driver. The problem can be seen when trying to connect with terminal server. Solution: Check using certutil -scinfo that the driver is installed on the server and on the client computer.
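The mismatch check the comments above describe can be made repeatable. This added PowerShell script (not from the thread or from Microsoft) inventories the smart card and reader driver versions on one machine and runs certutil -scinfo, so the same report can be produced on the RDP client and on the target and diffed; the output file name and the two CSV names in the final comment are assumptions.

```powershell
# Added example: run in an elevated PowerShell on the RDP client and on the target,
# then compare the two CSVs. Output file name is an assumption.
param(
    [string]$OutFile = "$env:COMPUTERNAME-smartcard-drivers.csv"
)

function Get-SmartCardDriverReport {
    # Win32_PnPSignedDriver lists installed PnP drivers. The SMARTCARD class holds the
    # card minidrivers; SMARTCARDREADER holds the reader drivers. Comparison is
    # case-insensitive, so either spelling of the class name matches.
    Get-CimInstance -ClassName Win32_PnPSignedDriver |
        Where-Object { $_.DeviceClass -in @('SMARTCARD', 'SMARTCARDREADER') } |
        Select-Object @{Name = 'Computer'; Expression = { $env:COMPUTERNAME }},
                      DeviceClass, DeviceName, DriverProviderName,
                      DriverVersion, DriverDate, InfName
}

function Test-CertutilScinfo {
    # certutil -scinfo enumerates readers, cards and the certificates on them.
    # A non-zero exit code or an empty listing on one side only points at the
    # driver rather than at a missing key container.
    $output = & certutil -scinfo 2>&1
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        ExitCode   = $LASTEXITCODE
        OutputRows = @($output).Count
    }
}

$report = Get-SmartCardDriverReport
$report | Export-Csv -Path $OutFile -NoTypeInformation
$report | Format-Table -AutoSize
Test-CertutilScinfo | Format-List

# With a CSV from each machine (assumed names), any DriverVersion difference for the
# same DeviceName is the mismatch the comments describe:
# Compare-Object (Import-Csv client.csv) (Import-Csv server.csv) -Property DeviceName, DriverVersion
```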
@lachellel How do you know that it is caused by minidriver mismatch? Is that documented somewhere in the Microsoft Smartcard Minidriver Spec? Thanks. I am hitting the same issue, and I just need some proof from Microsoft docs.
-Oscar
Please reopen if issue is re-discovered with Win server 2016
Error Message: The system could not log you on. The requested key container does not exist on the smart card.
Operating System:
Remote Desktop
Only native drivers (Microsoft drivers)
Repeatable (absolutely happens every time)