This article has been archived. It is offered "as is" and will no longer be updated.
In a Windows 2008-based domain that is using the Active Directory directory service, you enable a client computer to use smart card authentication to log on to the domain. However, when you try to log on to the domain from a Windows Vista-based or a Windows Server 2008-based client computer, the logon process may fail, and you may receive the following error message:
No valid certificates found Check that the card is inserted
This issue occurs if the smart card certificate does not contain Microsoft Extended Key Usage (EKU).
Currently, Windows Vista and Windows Server 2008 filters out any certificate that does not have EKU. Therefore, if the smart card certificate only has client authentication EKU, you cannot use the certificate for a smart card logon.
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.
Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
Important Windows Vista and Windows Server 2008 hotfixes are included in the same packages. However, only one of these products may be listed on the “Hotfix Request” page. To request the hotfix package that applies to both Windows Vista and Windows Server 2008, just select the product that is listed on the page.
To apply this hotfix on Windows Vista-based client computers, you must have Windows Vista Service Pack 1 (SP1) installed. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
935791 How to obtain the latest Windows Vista service pack
No prerequisites are required for Windows Server 2008-based client computers.
After you install the hotfix, certificates that have Microsoft EKU or client authentication EKU are allowed.
The hotfix described by this article only resolves the problem on the client. You must also install hotfix 959887 on the Windows Server 2008-based Kerberos Key Distribution Center (KDC) server to resolve the problem on the server.
You must restart the computer after you apply this hotfix.
Hotfix replacement information
This hotfix does not replace any other hotfixes.
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
Windows Vista and Windows Server 2008 file information notes
The .manifest files and the .mum files that are installed in each environment are listed separately in the "Additional file information for Windows Server 2008 and for Windows Vista" section. These files and their associated .cat (security catalog) files are critical to maintaining the state of the updated component. The .cat files are signed with a Microsoft digital signature. The attributes of these security files are not listed.
For all supported 32-bit versions of Windows Server 2008 and of Windows Vista
For all supported 64-bit versions of Windows Server 2008 and of Windows Vista
For all supported Itanium-based versions of Windows Server 2008
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
291010 Requirements for Domain Controller Certificates from a Third-Party CA
959887 You cannot use a smart card certificate to log on to a domain from a Windows Vista-based client computer
Additional file information for Windows Server 2008 and for Windows Vista
Windows Vista Business, Windows Vista Enterprise, Windows Vista Home Basic, Windows Vista Home Premium, Windows Vista Ultimate, Windows Vista Business 64-bit Edition, Windows Vista Enterprise 64-bit Edition, Windows Vista Home Basic 64-bit Edition, Windows Vista Home Premium 64-bit Edition, Windows Vista Ultimate 64-bit Edition, Windows Server 2008 Standard, Windows Server 2008 Enterprise, Windows Server 2008 Datacenter, Windows Server 2008 Standard without Hyper-V, Windows Server 2008 Enterprise without Hyper-V, Windows Server 2008 Datacenter without Hyper-V, Windows Server 2008 for Itanium-Based Systems