Tuesday, September 22, 2015

The security device (smart card) could not be used. Additional details may be available in the system event log. Please report this error to your administrator.

When trying to remote desktop into a 2012R2 server with a smart card, you may run across one of these messages:

[virtual smartcard]
"The security device could not be used. Additional details may be available in the system event log. Please report this error to your administrator."

[physical card]
"This smart card could not be used. Additional details may be available in the system event log. Please report this error to your administrator."

I ran into this sporadically on a range of machines after a 2012R2 rollout. In the event logs on the systems, there were a variety of smart card logon event ID 5 messages:

1) An error occurred while retrieving a digital certificate from the inserted smart card. The handle is invalid.
2) An error occurred while decrypting a message: The handle is invalid.
3) An error occurred while retrieving some provider parameter: The handle is invalid.

All of them had "The handle is invalid" as part of the error. After opening a case with Microsoft and doing some low-level tracing of the logons, they found a timeout in the smart card crypto provider. The default for this is 1.5 seconds. After adjusting it to 5 or more seconds, the errors went away.

This is configured at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider\TransactionTimeoutMilliseconds as a DWORD (value in milliseconds). A reboot is required for this to take effect. The value can be used on other Windows versions as well.
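As an added example (not from the original post), the PowerShell below reads the current TransactionTimeoutMilliseconds setting, writes the 5000 ms value the post recommends, and counts recent event ID 5 entries containing "The handle is invalid" so the before/after effect can be compared. The 7-day window and the choice of the System and Application logs for the event query are assumptions; the registry path and value name come from the post. Run it elevated.

```powershell
# Added example: raise the Base Smart Card Crypto Provider transaction timeout
# described above. Run as Administrator; a reboot is required afterwards.
$providerKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider'
$valueName   = 'TransactionTimeoutMilliseconds'
$newTimeout  = 5000   # milliseconds; the post says 5 s or more fixed the errors (default is 1.5 s)

if (-not (Test-Path $providerKey)) {
    throw "Provider key not found: $providerKey"
}

# Show the current setting (absent means the built-in 1500 ms default applies)
$current = Get-ItemProperty -Path $providerKey -Name $valueName -ErrorAction SilentlyContinue
if ($null -eq $current) {
    Write-Host "$valueName is not set; provider uses its built-in default of 1500 ms."
} else {
    Write-Host "$valueName currently = $($current.$valueName) ms"
}

# Write the DWORD; -Force overwrites an existing value of the same name
New-ItemProperty -Path $providerKey -Name $valueName -PropertyType DWord -Value $newTimeout -Force | Out-Null

$confirmed = (Get-ItemProperty -Path $providerKey -Name $valueName).$valueName
Write-Host "$valueName now = $confirmed ms (reboot required to take effect)"

# Count recent smart card logon event ID 5 entries mentioning the invalid handle.
# Assumption: the events are written to the System or Application log.
$since  = (Get-Date).AddDays(-7)
$errors = Get-WinEvent -FilterHashtable @{ LogName = @('System', 'Application'); Id = 5; StartTime = $since } -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -match 'The handle is invalid' }
Write-Host "Event ID 5 'handle is invalid' entries in the last 7 days: $(@($errors).Count)"
```

Run the event count once before the change and again a week after the reboot; if the count keeps climbing on a machine, the timeout was not the cause there and the network conditions described below are the next thing to check.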

I did continue to have problems with at least one machine after this; however, the errors were different and quite varied. This system was on a bad network with highly variable response times and 10% packet loss. On this same type of link, 2008R2 was more reliable for smart card logons in comparison to 2012R2. So it's always good to have password logon backups to smart card logons over slow links.

Remote Desktop cannot verify the identity of the remote computer because there is a time or date difference between your computer and the remote computer

I had an issue with a server that was failing to connect over RDP with the following error:

Remote Desktop cannot verify the identity of the remote computer because there is a time or date difference between your computer and the remote computer

On inspecting the machine via PowerShell remoting, the clock time showed fine. I thought I would try connecting to RDP using the IP address. That let me through with only the normal certificate mismatch warning prompt. Looking around for solutions online usually pointed to the obvious clock problem in the error message. But again, clock time was perfectly in sync and the time zone was fine as well. Another possibility given in some people's posts on this topic is the RDP certificate itself. This is located in the computer's certificate store under Remote Desktop\Certificates. It is automatically generated by the machine and will be recreated if deleted. I checked that, and again there was no issue with the certificate dates.

After digging around in the registry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp, I found a discrepancy between this machine and another working machine. My broken machine [freshly built] had the Security value set, while the other didn't. (https://support.microsoft.com/en-us/kb/259129) Additionally, this didn't match the DefaultSecurity value one level up. After deleting the value and rebooting, the issue went away. Trying to reproduce the problem by putting the same value back in place only gave me the error once, then continued to let me through. So this may be something to look at if all else fails.
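As an added example (not from the original post), this PowerShell compares the RDP-Tcp Security value against the DefaultSecurity value one level up, as described above, exports the key as a backup, and removes the value only when the `$removeValue` switch is set. The backup location and the switch are assumptions; both registry paths and value names come from the post and the linked KB. Run it elevated and reboot afterwards.

```powershell
# Added example: inspect the RDP-Tcp "Security" value against WinStations\DefaultSecurity
# and, if requested, back it up and delete it. Run as Administrator; reboot afterwards.
$removeValue = $false   # set to $true only after the comparison shows a mismatch
$winStations = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations'
$rdpTcp      = Join-Path $winStations 'RDP-Tcp'
$backupFile  = Join-Path $env:TEMP 'RDP-Tcp-backup.reg'   # assumed backup location

$security        = (Get-ItemProperty -Path $rdpTcp -Name 'Security' -ErrorAction SilentlyContinue).Security
$defaultSecurity = (Get-ItemProperty -Path $winStations -Name 'DefaultSecurity' -ErrorAction SilentlyContinue).DefaultSecurity

if ($null -eq $security) {
    Write-Host 'RDP-Tcp has no Security value, which matches the working machine in the post.'
    return
}

# Both values are REG_BINARY security descriptors; render as hex so they can be compared and logged
$toHex = { param([byte[]] $bytes) ($bytes | ForEach-Object { $_.ToString('X2') }) -join '' }
$securityHex = & $toHex $security
Write-Host "RDP-Tcp\Security           : $securityHex"

if ($null -ne $defaultSecurity) {
    $defaultHex = & $toHex $defaultSecurity
    Write-Host "WinStations\DefaultSecurity: $defaultHex"
    Write-Host ("Values match: {0}" -f ($securityHex -eq $defaultHex))
} else {
    Write-Host 'WinStations\DefaultSecurity is not set; nothing to compare against.'
}

if (-not $removeValue) {
    Write-Host 'Set $removeValue = $true to back up the key and delete RDP-Tcp\Security.'
    return
}

# Export the key first so the value can be restored with "reg import" if needed
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' $backupFile /y | Out-Null
Write-Host "Backup written to $backupFile"

Remove-ItemProperty -Path $rdpTcp -Name 'Security'
Write-Host 'RDP-Tcp\Security removed; reboot for the change to take effect.'
```

The hex dump of both descriptors is worth keeping in the case notes: if the error comes back after a rebuild, comparing the new Security value against the saved one shows whether the same stale descriptor was laid down again.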

Server getting hammered with DistributedCOM CLSID {ECABAFB9-7F19-11D2-978E-0000F8757E2A} events

In case you have a system getting flooded with event 10014 DistributedCOM events with this message:

The activation for CLSID {ECABAFB9-7F19-11D2-978E-0000F8757E2A} failed because remote activations for COM+ are disabled. To enable this functionality use Server Manager to install the COM+ Network Access feature in the Application Server role.

It may be caused by a remote machine trying to access the system using dcomcnfg. This event is complaining that the Windows feature "AS-Ent-Services" (COM+ Network Access) is not installed.

If this is the case, you will see RPC connections between this machine and the machine running dcomcnfg. The remote machine will also be getting flooded by events that mention they are coming from the targeted machine.
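As an added example (not from the original post), this PowerShell counts the event 10014 entries for the CLSID above, reports whether the AS-Ent-Services feature is installed, and groups established connections to the RPC endpoint mapper on TCP 135 by remote address so the machine running dcomcnfg can be identified. The 24-hour window is an assumption; Get-NetTCPConnection and Get-WindowsFeature require Server 2012 or later. The CLSID, event ID and feature name come from the post.

```powershell
# Added example: quantify the event 10014 flood, check the feature it names,
# and find which remote host is holding RPC endpoint mapper sessions.
$clsid = '{ECABAFB9-7F19-11D2-978E-0000F8757E2A}'
$since = (Get-Date).AddHours(-24)   # assumed lookback window

# DistributedCOM errors are written to the System log under this provider
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-DistributedCOM'
    Id           = 10014
    StartTime    = $since
} -ErrorAction SilentlyContinue | Where-Object { $_.Message -match [regex]::Escape($clsid) }
Write-Host "Event 10014 entries for $clsid in the last 24 h: $(@($events).Count)"

# Is the feature the event complains about present? (Server SKUs; needs the ServerManager module)
$feature = Get-WindowsFeature -Name 'AS-Ent-Services' -ErrorAction SilentlyContinue
if ($feature) {
    Write-Host "AS-Ent-Services (COM+ Network Access) installed: $($feature.Installed)"
} else {
    Write-Host 'Get-WindowsFeature unavailable or feature name not found on this SKU.'
}

# Established sessions to the RPC endpoint mapper; the busiest remote address is the likely dcomcnfg source
Get-NetTCPConnection -LocalPort 135 -State Established -ErrorAction SilentlyContinue |
    Group-Object RemoteAddress |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'RemoteAddress'; e = { $_.Name } }, Count |
    Format-Table -AutoSize
```

Port 135 only shows the endpoint mapper handshake; DCOM then moves to a dynamic RPC port, so a host that appears here once with a low count can still be the source of a steady event stream. Correlate the remote address with the timestamps of the 10014 events rather than relying on connection counts alone.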