"The Handle Is Invalid" Error Message When You Log On with a Smart Card

Article ID: 310732
This article was previously published under Q310732
This article has been archived. It is offered "as is" and will no longer be updated.

SYMPTOMS

When you log on with a smart card, you may receive the following error message:
The handle is invalid.

CAUSE

This error message occurs if the certificate for the Certificate Authority (CA) that issued the smart card logon certificate is not contained in the NTAuth store on the domain controller that processes the logon request. This is more likely to occur if a third-party CA is used to issue the smart card logon certificate. A Windows 2000-based CA automatically publishes its certificate into the NTAuth store in Active Directory.

You can verify the presence of the CA certificate in the NTAuth store by using the Certmgr.exe tool. This tool is part of the Authenticode for Microsoft Internet Explorer 5 tools, and is available from the following Microsoft Web site:
http://msdn.microsoft.com/en-us/library/e78byta0(VS.80).aspx
Use the following command:
certmgr -s -r localmachine ntauth
The output from this command is similar to:
==============Certificate # 1 ==========
Subject::
  [0,0] 2.5.4.6 (C) US
  [1,0] 2.5.4.8 (S) Washington
  [2,0] 2.5.4.7 (L) Redmond
  [3,0] 2.5.4.10 (O) Microsoft
  [4,0] 2.5.4.11 (OU) PSS
  [5,0] 2.5.4.3 (CN) Corporate Enterprise CA
Issuer::
  [0,0] 2.5.4.6 (C) US
  [1,0] 2.5.4.8 (S) Washington
  [2,0] 2.5.4.7 (L) Redmond
  [3,0] 2.5.4.10 (O) Microsoft
  [4,0] 2.5.4.11 (OU) PSS
  [5,0] 2.5.4.3 (CN) Corporate Enterprise CA
SerialNumber::
   61 57 99 72 00 00 00 00 00 04
SHA1 Thumbprint::
      13822776 CE911B3B C698F1D1 F6744369 FFA237F5
MD5 Thumbprint::
      3B8BB361 930A50C2 044D8B79 1435CC28
NotBefore::
  Tue Sep 11 05:45:00 2001
NotAfter::
  Wed Sep 11 05:45:00 2002
==============No CTLs ==========
==============No CRLs ==========
==============================================
CertMgr Succeeded
					
This output shows that the NTAuth store contains one certificate, issued to the CA named "Corporate Enterprise CA".
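As an added example (not part of the original article or of the Certmgr.exe tool), the following Python code parses a certmgr listing like the one above and reports whether a CA certificate, identified by its SHA1 thumbprint, appears in the NTAuth listing. The function names are hypothetical, the sample is an abbreviated copy of the article's output, and the validity-period check goes beyond what the article describes.

```python
import re
from datetime import datetime

# Sample input: abbreviated copy of the certmgr output shown in this article.
SAMPLE = """\
==============Certificate # 1 ==========
Subject::
  [0,0] 2.5.4.6 (C) US
  [5,0] 2.5.4.3 (CN) Corporate Enterprise CA
Issuer::
  [5,0] 2.5.4.3 (CN) Corporate Enterprise CA
SHA1 Thumbprint::
      13822776 CE911B3B C698F1D1 F6744369 FFA237F5
NotBefore::
  Tue Sep 11 05:45:00 2001
NotAfter::
  Wed Sep 11 05:45:00 2002
==============No CTLs ==========
CertMgr Succeeded
"""

def parse_certmgr(text):
    """Return one dict per certificate: field name -> list of value lines."""
    certs, cur, field = [], None, None
    for line in text.splitlines():
        if re.match(r"=+Certificate # \d+", line):
            cur, field = {}, None
            certs.append(cur)
        elif line.startswith("="):
            cur = None  # "No CTLs" / "No CRLs" separators end the certificate
        elif cur is not None and line.rstrip().endswith("::"):
            field = line.strip()[:-2]  # e.g. "Subject", "SHA1 Thumbprint"
            cur[field] = []
        elif cur is not None and field and line.strip():
            cur[field].append(line.strip())
    return certs

def norm(thumb):
    return re.sub(r"[^0-9A-Fa-f]", "", thumb).upper()  # drop spaces, fold case

def find_ca(certs, sha1, now):
    """Return (present, within_validity) for a SHA1 thumbprint in the listing."""
    fmt = "%a %b %d %H:%M:%S %Y"  # date format used in the listing above
    for c in certs:
        if norm(" ".join(c.get("SHA1 Thumbprint", []))) == norm(sha1):
            nb = datetime.strptime(c["NotBefore"][0], fmt)
            na = datetime.strptime(c["NotAfter"][0], fmt)
            return True, nb <= now <= na
    return False, False
```

Feed `parse_certmgr` the saved output of the command above from the domain controller that processes the logon, and pass `find_ca` the thumbprint of the CA that issued the smart card logon certificate.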

RESOLUTION

To resolve this issue, publish the CA certificate in Active Directory. For additional information about publishing to the NTAuth store, see the following article in the Microsoft Knowledge Base:
295663 How to Import a Third-Party Certificate into the NTAuth Store

Properties

Article ID: 310732 - Last Review: October 24, 2013 - Revision: 3.4
APPLIES TO
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional Edition