Logon via smartcard fails with error message "The revocation status of the authentication certificate could not be determined."

Assume the following scenario:

• A user has a Smartcard Logon certificate and logs on to the Active Directory domain with it.
• The login fails. The following error message is returned to the user's computer:

The revocation status of the authentication certificate could not be determined.

In German, the message reads:

Der Sperrstatus des für die Authentifizierung verwendeten Smartcard-Zertifikats konnte nicht ermittelt werden.

A corresponding event should also be logged on the authenticating domain controller that processed the login:

• Details of the event with ID 21 of the source Microsoft-Windows-Kerberos-Key-Distribution-Center

Possible causes

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem and is available under a free license. It can downloaded via GitHub and can be used free of charge.

• There are no Revocation status information available, for example, because the server on which the revocation list distribution points reside is not accessible by the authenticating domain controller (offline or through a Firewall blocked), or because the revocation list distribution points are reachable but the blacklists have expired.
• The deterministic good feature of the Online Responder (OCSP) returned a Status of "Unknown" to the domain controller.

Problems with the revocation list distribution points (availability and up-to-dateness of the revocation lists) can affect any certificate in the certificate chain being checked, for example even if the revocation list of a certification authority in the chain has expired (classically the root certification authority whose revocation list renewal was missed).

If the master certification authority's revocation list should have expired is a common consequential error, that subordinate Certification Authorities no longer start, as these check the validity of their own certificate authority certificate when the service is started.

Related links:

• Signing in via smartcard fails with error message "Signing in with a security device isn't supported for your account."
• Configure deterministic "good" for the online responder (OCSP).
• Domain Controller Certificate Templates and Smartcard Logon
• Firewall rules required for Active Directory Certificate Services
• Basics: Checking the revocation status of certificates
• Basics of online responders (Online Certificate Status Protocol, OCSP)