Joining AD domain with Windows 10 using smart card

We had the same issue and resolved it by re-issuing the domain controller certificates with the required KDC EKU. Our domain controller certificates now have four EKUs: Client, Server, KDC, and Smart Card. We also had to tweak the SANs for our domain controller certificates.

If you don't want to do that, you may want to experiment with disabling the "Require strict KDC validation" setting on the client to see if it helps. This does seem to be a not too well documented change in behavior from Windows 7, or at least it is not consistent with how the setting is documented in the group policy settings spreadsheet/documentation.

https://technet.microsoft.com/en-us/library/hh831747.aspx

"Strict KDC validation is a more restrictive set of criteria which ensures all of the following are met:

  • The domain controller has the private key for the certificate provided.

  • For domain-joined systems, the certification authority (CA) that issued the KDC’s certificate is in the NTAuth store.

  • For non-domain-joined systems, the root CA of the KDC’s certificate is in the Third-Party Root CA or Smart Card Trusted Roots store.

  • KDC’s certificate has the KDC EKU.

  • KDC certificate’s DNSName field of the subjectAltName (SAN) extension matches the DNS name of the domain.

For non-domain-joined smart card sign on, strict KDC validation is required.

To disable this default behavior, disable the Group Policy setting Require strict KDC validation."

More information:

What's New in Kerberos Authentication
https://technet.microsoft.com/en-us/library/hh831747(v=ws.11).aspx

Strict KDC Validation default changes

"For non-domain-joined smart card sign on, strict KDC validation is required.

To disable this default behavior, disable the Group Policy setting Require strict KDC validation."
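To audit an existing domain controller certificate against the strict KDC validation criteria quoted above, here is an added PowerShell example (not from the original post or from Microsoft's documentation). It assumes an elevated session on the domain controller itself and uses the standard EKU OIDs for the four usages named in the answer; the NTAuth store membership of the issuing CA is not checked here.

```powershell
# Added example: audit Cert:\LocalMachine\My for the properties strict KDC
# validation expects of a domain controller certificate.
# Assumed: elevated PowerShell session on the domain controller being checked.
$ekuRequired = @{
    'Client Authentication' = '1.3.6.1.5.5.7.3.2'
    'Server Authentication' = '1.3.6.1.5.5.7.3.1'
    'KDC Authentication'    = '1.3.6.1.5.2.3.5'
    'Smart Card Logon'      = '1.3.6.1.4.1.311.20.2.2'
}

# DNS name of the domain this machine belongs to, e.g. corp.example.com
$domainDns = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    # EnhancedKeyUsageList / DnsNameList are added by the Cert: provider
    $ekuOids = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    $sanDns  = @($cert.DnsNameList | ForEach-Object { $_.Unicode })

    # Which of the four required EKUs are absent from this certificate
    $missingEku = @($ekuRequired.GetEnumerator() |
        Where-Object { $ekuOids -notcontains $_.Value } |
        ForEach-Object { $_.Key })

    $sanHasDomain = $sanDns -contains $domainDns

    [pscustomobject]@{
        Thumbprint     = $cert.Thumbprint
        Subject        = $cert.Subject
        NotAfter       = $cert.NotAfter
        HasPrivateKey  = $cert.HasPrivateKey   # DC must hold the private key
        MissingEku     = ($missingEku -join ', ')
        SanHasDomain   = $sanHasDomain         # SAN DNSName matches domain
        SanDnsNames    = ($sanDns -join ', ')
        StrictKdcReady = ($cert.HasPrivateKey -and $missingEku.Count -eq 0 -and $sanHasDomain)
    }
} | Sort-Object StrictKdcReady -Descending | Format-List
```

Certificates reporting `StrictKdcReady = False` show in `MissingEku` and `SanHasDomain` which of the quoted criteria they fail; the issuing CA's presence in NTAuth can be listed separately with `certutil -enterprise -viewstore NTAuth`.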