Smartcard Enrollment Error

  • Question

  • We have a Microsoft Certification Authority which is used for Gemalto smartcard enrollment. When attempting to enroll one of our users, the error "0x80070534 An unexpected error occurred whilst selecting the user" appears when browsing to Smartcard Certificate Enrollment Station > User to Enroll > Select User.

    Any other user can be selected without issue. I have checked the properties of the user account and can find nothing untoward.

    So far I have been unable to find anything on the many forums that resembles this problem.

    Any help appreciated.


    Agedmcse

    Thursday, April 26, 2012 1:32 PM

Answers

  • If you look at the file certsces.asp, you will see it does the following:

        ' ask SCrdEnrl to throw up UI to pick a user
        document.SCrdEnrl.selectUserName(FLAGS_NONE)
        If 0<>Err.Number Then
            Alert evalErrorMessage(L_SelectUser_ErrorMessage, "(0x" & Hex(Err.Number) & ")")
        End If

        ' make the page reflect what the user picked
        document.UIForm.tbUserName.value = document.SCrdEnrl.getUserName(SCARD_ENROLL_UPN_NAME)
        If 0<>Err.Number Then
            ' If we can not get the UPN name, get the SAM compatible name
            Err.Clear
            document.UIForm.tbUserName.value = document.SCrdEnrl.getUserName(SCARD_ENROLL_SAM_COMPATIBLE_NAME)
        End If

    The call to selectUserName seems to be failing. Since you are seeing the user selection dialog pop up, it must be a problem reading data about that particular user. The error you are getting back, 0x80070534, means: "No mapping between account names and security IDs was done."

    Are you able to select that user through other operations, like adding that user to the read permissions on a file? It seems like there is a problem getting the user SID based on the account name.

    Andrew

    • Marked as answer by agedmcse Friday, May 4, 2012 1:49 PM
    Wednesday, May 2, 2012 10:28 PM

All replies

  • What application are you using to do the enrollment on the enrollment station?

    Andrew

    Friday, April 27, 2012 10:48 PM
  • Hi,

    I am using the web based Microsoft Certificate Services console http://<servername>/certsrv/certsces.asp on an Enterprise 2003 server.


    Agedmcse

    Monday, April 30, 2012 9:20 AM
  • Hi Andrew,

    First of all, thank you for pointing me to the subset of certsces.asp which highlighted the importance of the User Principal Name. Further investigation showed I had 2 different SAM compatible user accounts sharing the same UPN (no, I haven't a clue why). I deleted the disabled account and checked there was only 1 unique UPN/SAM in AD for this user. I was then able to create the smartcard without errors during the enrollment process.

    Unfortunately, when using this token, the error "The system could not log you on. Your credentials could not be verified" appears.

    Just to confirm I am not having issues with anyone else who requires a smartcard/token.


    Agedmcse


    PS: User can be added to any file/folder permissions
    • Edited by agedmcse Thursday, May 3, 2012 3:18 PM Additional Information
    Thursday, May 3, 2012 3:08 PM
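    The two checks Andrew's answer and this follow-up boil down to (does the account name map to a SID, and is the UPN unique in AD) can be scripted on a domain-joined admin workstation. This is an added example, not code from the thread or from certsces.asp; it assumes the ActiveDirectory PowerShell module, and the UPN value is a constructed placeholder.

```powershell
# Added example: reproduce the account-name -> SID lookup that the enrollment page
# depends on, and look for the duplicate-UPN condition that caused it to fail here.
param(
    [string]$UserPrincipalName = 'jdoe@corp.example'   # constructed placeholder
)
Import-Module ActiveDirectory

# 1. Domain-wide: any UPN carried by more than one account. Two sAMAccountNames
#    sharing a UPN is exactly what the thread found.
$dupes = Get-ADUser -Filter 'userPrincipalName -like "*"' -Properties userPrincipalName |
         Group-Object -Property userPrincipalName |
         Where-Object { $_.Count -gt 1 }
foreach ($g in $dupes) {
    Write-Warning "UPN $($g.Name) is held by $($g.Count) accounts:"
    $g.Group | Format-Table sAMAccountName, DistinguishedName, Enabled -AutoSize
}

# 2. The specific enrollment target: how many objects answer to this UPN?
$accounts = @(Get-ADUser -LDAPFilter "(userPrincipalName=$UserPrincipalName)" `
                         -Properties userPrincipalName, sAMAccountName)
if ($accounts.Count -ne 1) {
    Write-Warning "Expected exactly 1 object with UPN $UserPrincipalName, found $($accounts.Count)"
}

# 3. The same translation the page's selectUserName path needs: name -> SID.
#    A failure here is what surfaces as 0x80070534 ("No mapping between account
#    names and security IDs was done") in the web enrollment UI.
$names = @($UserPrincipalName) + ($accounts | ForEach-Object { $_.sAMAccountName })
foreach ($name in $names) {
    try {
        $sid = ([System.Security.Principal.NTAccount]$name).Translate(
                   [System.Security.Principal.SecurityIdentifier])
        '{0,-40} -> {1}' -f $name, $sid.Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        Write-Warning "$name : no mapping between account name and SID"
    }
}
```

    Run it once before deleting anything so the duplicate that is disabled (as in this case) can be identified from the listing rather than guessed.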
  • Just to get this straight:

    You are able to issue a certificate through the web enrollment pages to the user. The certificate is for smartcard logon. Using that smartcard, which only has one certificate on it, the user cannot log in.

    Is the user able to log in with a password?

    Have you tried issuing the user a client auth cert and seeing if the user can use that cert to authenticate?

    What does certutil -scinfo say when the card is inserted?

    And what does certutil -user -store My "<serial number>" say for the particular cert? Is the UPN in the cert legit?

    Andrew

    Friday, May 4, 2012 2:54 AM
  • What a can of worms. Our 8 DCs are configured to autoenroll, but this has failed; coincidentally, one of the certificates expired yesterday. I have manually requested and installed a new domain controller certificate using the same key (note: cannot renew when the cert has expired), and the smartcard token is now working.

    It just remains for me to find out why autoenroll is failing.

    Thanks again for your help in pointing me towards checking the UPN.


    Agedmcse

    Friday, May 4, 2012 2:02 PM