A Windows Vista forum. Vista Banter


Security and Windows Vista A forum for discussion on security issues with Windows Vista. (microsoft.public.windows.vista.security)

Vista and AD Smartcard Logon



 
 
Old March 14th 07, 10:20 PM posted to microsoft.public.windows.vista.security
Rob Fisher

In January, I had the DoD CAC (smartcard) solution working in our domain for
authentication with Vista. Recently, I gave it another test on the same
machine that had been working previously, but it has stopped working.

I now get an error message at the logon screen that says "The system could
not log you on. The revocation status of the domain controller certificate
used for smart card authentication could not be determined." In the event
log, it says the server is offline. However, this is not the case. I am
able to see the query coming from the Vista client to the OpenLDAP server
which hosts the CRLs. In the query, some odd LDAP command is being
presented that isn't supported by LDAP.

do_search: invalid dn (cn=DoD Root CA 2,ou=PKI,ou=DoD,o=U.S. Government,c=US?certificaterevocationlist;binary)

It looks like they change the search dn to include the crl attr in the dn
too, which isn't supported by OpenLDAP.

My question is, did something change recently with an update in Vista that
would explain this? We were getting geared up to migrate to Vista as soon as
SP1 is released, however, without smartcard logon capabilities, the DoD will
never use Vista. What is the best route to get support on this issue and
work with Microsoft to come up with a solution?

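The rejected DN in the log line above has the shape of an RFC 4516 LDAP URL (ldap://host/dn?attributes?scope?filter) whose "?attributes" part was never split off. The Python below is an added example, not part of the original post: it maps such a URL to a base DN plus requested attribute, and flags slapd log lines that show the same symptom. It assumes the CRL distribution point is an LDAP URL; the host name is a placeholder.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed CDP URL: placeholder host; the DN is the one in the post's log line.
CDP_URL = ("ldap://crl.example.test/cn=DoD%20Root%20CA%202,ou=PKI,ou=DoD,"
           "o=U.S.%20Government,c=US?certificateRevocationList;binary")
# slapd message from the post, joined onto one line.
LOG_LINE = ("do_search: invalid dn (cn=DoD Root CA 2,ou=PKI,ou=DoD,"
            "o=U.S. Government,c=US?certificaterevocationlist;binary)")


def parse_ldap_url(url):
    """Split ldap://host/dn?attrs?scope?filter into LDAP search parameters."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    # Everything after the first '?' is in .query; RFC 4516 separates the
    # remaining fields with further '?' characters. Missing fields get defaults.
    attrs, scope, flt = (parts.query.split("?") + ["", "", ""])[:3]
    return {
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "base_dn": unquote(parts.path.lstrip("/")),
        "attributes": [unquote(a) for a in attrs.split(",") if a],
        "scope": scope or "base",
        "filter": unquote(flt) or "(objectClass=*)",
    }


INVALID_DN = re.compile(r"do_search: invalid dn \((?P<dn>.*)\)")


def unsplit_url_in_dn(log_line):
    """Return (dn, attrs) when a rejected search DN still carries '?attrs'."""
    m = INVALID_DN.search(log_line)
    if not m or "?" not in m.group("dn"):
        return None
    dn, _, rest = m.group("dn").partition("?")
    return dn, rest.split("?")[0].split(",")


if __name__ == "__main__":
    print(parse_ldap_url(CDP_URL))      # what a correct client would search for
    print(unsplit_url_in_dn(LOG_LINE))  # what the server actually received
```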
 



