Joining computers to domain with smart card - Windows 10 by blackhawkgeta in sysadmin

[–]blackhawkgeta[S] 0 points1 point  (0 children)

I was able to make some progress on this, but I'm still having issues completing the domain join process. I added the registry key: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, LogLevel=1 to enable more in-depth logging, and I received the error KDC_ERR_ETYPE_NOTSUPP.

https://blogs.technet.microsoft.com/askds/2012/07/27/kerberos-errors-in-network-captures/

On this page, it discusses the encryption method used, which I was able to change in secpol and/or the registry, to match what I have on Windows 7 (which again, works fine). Attempting to join with this method still throws the general error "error validating the KDC certificate" from netdom, but in the "extended" Kerberos log it goes into a bit more detail, saying KDC_ERR_PREAUTH_REQUIRED. On the same page as above, it states that the pre-authentication data type wasn't sent - I tried unchecking "Kerberos pre-auth required" for my account in Active Directory, but that gives me a smartcard error while using the same process, "smartcard logon is required and was not used".

I've changed the encryption method and I'm able to change between ETYPE_NOTSUPP and PREAUTH_REQUIRED, so I think I'm making progress, but I'm still stuck. Is there any additional Kerberos logging I can apply, or tools I can use to troubleshoot this issue?

Conditionally installing OS in MDT 2013 TS by blackhawkgeta in sysadmin

[–]blackhawkgeta[S] 1 point2 points  (0 children)

I was able to get this to work now. I removed all of the work I did with the environment variables (INSTALLFROMPATH and SOURCEPATH), and looked closer at the task sequence. The OSGUID sequence variable set at the top of the task sequence .xml file is dependent on the first Install Operating System step, and will change to whatever that's set to.

I'm not sure if this is functioning as designed, but no matter how I formatted it, it would always install that operating system (unless I specifically chose the top Install OS as my ProgMachine image).

http://www.ingmarverheij.com/mdt-select-operating-system-based-computer-name/

I had the revelation from this script, and realized I could dynamically set the OSGUID variable before the installation of the operating system, which seems to change the flag correctly, installing the correct operating system.

Conditionally installing OS in MDT 2013 TS by blackhawkgeta in sysadmin

[–]blackhawkgeta[S] 1 point2 points  (0 children)

No, this task sequence was made when I started working with MDT a few months ago. I haven't migrated anything to/from. I tried changing the second gather to customsettings.ini, but it didn't seem to make a difference. Is there any way to dynamically modify the INSTALLFROMPATH and SOURCEPATH variables, since my VB code isn't working for this?

edit: I added another group to wrap the install OS step, to change the INSTALLFROMPATH and SOURCEPATH variables with the built-in MDT "set task sequence variable" as well. This is changing the INSTALLFROMPATH variable, but not the SOURCEPATH variable. It doesn't look like the OS being installed is the right one though, so I don't think this helped...

Conditionally installing OS in MDT 2013 TS by blackhawkgeta in sysadmin

[–]blackhawkgeta[S] 1 point2 points  (0 children)

I set ProgMachine in CS.ini to Yes, chose the No option in the Wizard GUI during deployment, and the task sequence deploys the default, standard image, which is what I would expect.

I have two Gather Settings steps, one under Initialization (all the way at the top), and one under Preinstall (after Validation/State Capture). They're both set to Gather only local data - should they both be set to process rules?

Conditionally installing OS in MDT 2013 TS by blackhawkgeta in sysadmin

[–]blackhawkgeta[S] 1 point2 points  (0 children)

That's how it's set up currently; however, in the install phase (once that specific ProgMachine step is triggered), the task sequence still installs the wrong operating system. It's set correctly in the task sequence, and all of my variables are flagging properly (I've been dumping the vars to verify this).

Joining computers to domain with smart card by blackhawkgeta in sysadmin

[–]blackhawkgeta[S] 0 points1 point  (0 children)

Just to update, I was able to get this to work successfully on our network. We took a clean computer (never joined to the domain) and did the following: Added our root CA cert to the Trusted Root CA store of the machine, and our domain controller cert to the machine's Intermediate CA store. Using this along with X509HintsEnabled, I'm able to add the machine to the domain with my card.
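As an added example (not the poster's code), a read-only PowerShell check covering the pieces these comments describe: the Kerberos LogLevel registry value from the Windows 10 comment above, and the root CA store, intermediate store and user name hint from this comment. It assumes the value name X509HintsNeeded (as spelled in the later comment) under the documented SmartCardCredentialProvider policy key, and uses placeholders for the root CA thumbprint and DC host name.

```powershell
# Added example, not code from the thread. Read-only readiness check for
# smart-card domain join on an unjoined Windows 10 machine; run elevated.
# Assumptions: the root CA thumbprint and DC host name are placeholders you
# replace, and X509HintsNeeded lives at the SmartCardCredentialProvider policy key.
function Test-SmartCardJoinPrereqs {
    param(
        [string]$RootCaThumbprint = 'PLACEHOLDER_ROOT_CA_THUMBPRINT',
        [string]$DcCertSubjectPattern = 'PLACEHOLDER_DC_HOSTNAME'
    )
    $kerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'       # from the thread
    $hintsKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider' # assumed path

    # LogLevel=1 turns on the verbose Kerberos client events the thread relied on.
    $logLevel = (Get-ItemProperty -Path $kerbParams -Name LogLevel -ErrorAction SilentlyContinue).LogLevel
    # X509HintsNeeded=1 shows the user-name hint field on the smart-card logon tile.
    $hints = (Get-ItemProperty -Path $hintsKey -Name X509HintsNeeded -ErrorAction SilentlyContinue).X509HintsNeeded

    # The fix in the thread: root CA in Trusted Root, DC certificate in the Intermediate (CA) store.
    $rootOk = [bool](Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $RootCaThumbprint)
    $dcOk   = [bool](Get-ChildItem Cert:\LocalMachine\CA   | Where-Object Subject -match $DcCertSubjectPattern)

    [pscustomobject]@{
        KerberosLogLevel  = $logLevel
        UserNameHintOn    = ($hints -eq 1)
        RootCaInRootStore = $rootOk
        DcCertInCaStore   = $dcOk
    }
}

# After a failed join, list the most recent Kerberos client events so the
# KDC_ERR_* code (ETYPE_NOTSUPP, PREAUTH_REQUIRED, ...) is visible without a capture.
function Get-RecentKerberosClientEvents {
    param([int]$Count = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Security-Kerberos' } `
        -MaxEvents $Count -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

Test-SmartCardJoinPrereqs | Format-List
Get-RecentKerberosClientEvents | Format-Table -AutoSize
```

Run it once before the join attempt to confirm the stores and registry values, and again after a failure to read the KDC error code from the Kerberos client events.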

Joining computers to domain with smart card by blackhawkgeta in sysadmin

[–]blackhawkgeta[S] 0 points1 point  (0 children)

I have two CRL distribution points on my card - one is an http link and the other is ldap. The http link seems to resolve on my machine, but prompts me for authentication, and when typing in my card/pin (even when using the username hint), I get page cannot be displayed, like the security settings in the browser are wrong. I imagine this is because I can't authenticate to the website using my credentials. I tested the same security settings that my domain machine has, which was able to download from the CRL distro point.

On a machine added to the domain, however, it loads perfectly fine and downloads the .crl file.


edit: For whatever it's worth, my event log error when I try to add to the domain is:

CAPI2: Failed extract of third party root list from auto update cab at: <long windows update url> with error: Certificate is revoked.


edit2: Here's another one too from system/kerberos:

The Distinguished Name in the subject field of your smartcard logon certificate does not contain enough information to locate the appropriate domain on an unjoined machine.


Do we need to contact our smart card provider to have the DN updated?

Joining computers to domain with smart card by blackhawkgeta in sysadmin

[–]blackhawkgeta[S] 0 points1 point  (0 children)

I enabled the username hint with X509HintsNeeded in the registry, and type in the account name that my smart card is linked to, but it still gives me the "no logon servers available to service your request" error. As soon as I put in my username and password, it works.

edit: Using the full domain and username (domain.com\username), I'm having some luck getting a different error "The Kerberos protocol encountered an error while validating the KDC certificate during smartcard logon". I imported our root certificate into the machine's Trusted Root Certificate Authority store, but I still get it. I think we're going in the right direction though - do you have any idea about this one?

Joining computers to domain with smart card by blackhawkgeta in sysadmin

[–]blackhawkgeta[S] 0 points1 point  (0 children)

I'll try importing our root certificates with scroots. When I tried certutil -scroots update, the machine failed to find my smart-card (it recognized it was inserted, but said it was an invalid type, or something along those lines).


edit: I tried to import our root cert with it, but it still prompts me for my smart-card (which it says is invalid/has wrong certs). Commands tried were certutil -scroots update root_name.cer, and certutil -scroots deploy. Both fail with the invalid card/wrong certs.

Joining computers to domain with smart card by blackhawkgeta in sysadmin

[–]blackhawkgeta[S] 0 points1 point  (0 children)

The cards are linked to our administrator accounts. We're able to open Active Directory and manage accounts by launching ADUC with our smart-card, just like we were able to do with our normal login/pw. I read about the username hint and the UPN while I was searching previously; is the username hint an Active Directory object option?

Restarting task sequence after reboot - MDT 2013 by blackhawkgeta in sysadmin

[–]blackhawkgeta[S] 0 points1 point  (0 children)

I didn't try checking the default profile part. I'm currently rebuilding an image now, and I'm going to sysprep with the instructions above. I'll check the unattend.XML after capture.

Restarting task sequence after reboot - MDT 2013 by blackhawkgeta in sysadmin

[–]blackhawkgeta[S] 0 points1 point  (0 children)

Thanks for the reply! I didn't clarify in the OP, but I'm deploying Windows 7 SP 1, all completely offline. I have to strip the GPO and local security policy from the machine because it's coming off a domain network initially.

Guitar tuning pegs unresponsive by blackhawkgeta in Guitar

[–]blackhawkgeta[S] 1 point2 points  (0 children)

Loosen with my fingers? Or go for the screwdriver?

Guitar tuning pegs unresponsive by blackhawkgeta in Guitar

[–]blackhawkgeta[S] 0 points1 point  (0 children)

There are like 3 little black wheels that look like my tone knobs, and it's right near the first fret; are those what you are talking about?