No Dll or exported function was found to verify revocation
I'm writing this as much to myself as to everyone else, because this is the second time I've run across it at a customer site and then (because my memory doesn't seem to keep this one in cache) had to go hunt it down again.
Anyway, you might get the error "No Dll or exported function was found to verify revocation" along with an error at the GINA (logon screen) saying, "The system could not log you on. The revocation status of the domain controller certificate used for smart card authentication could not be determined. There is additional information in the system event log. Please contact your system administrator."
Most likely if you saw the first error you've already enabled CAPI2 logging. Also, it is likely that the server you're on used to have a third party CAPI2 provider (such as Desktop Validator or Tumbleweed). If this is the case, the uninstall may have damaged Cryptographic Services. Have no fear, it's fixable.
First, make sure all the DLLs are still registered in Windows. This can be done by running (or copy/pasting) the following at an administrative command prompt:
regsvr32 CERTCLI.DLL
regsvr32 CRYPTDLG.DLL
regsvr32 CRYPTEXT.DLL
regsvr32 CRYPTNET.DLL
regsvr32 CRYPTUI.DLL
regsvr32 SOFTPUB.DLL
regsvr32 WINTRUST.DLL
regsvr32 INITPKI.DLL
regsvr32 DSSENH.DLL
regsvr32 RSAENH.DLL
regsvr32 GPKCSP.DLL
regsvr32 SCCBASE.DLL
regsvr32 SLBCSP.DLL
regsvr32 CRYPTDLG.DLL
There is also a registry key that may not have been set back after the 3rd party software uninstall. If so, it may still be holding on to the old DLL (which is tmwdcapiclient.dll for instance with Tumbleweed).
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 1\CertDllVerifyRevocation\Default
And:
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CertDllVerifyRevocation\Default
Which should be:
REG_MULTI_SZ: Dll
Value data: Cryptnet.dll
It is possible that you'll see both cryptnet.dll AND the 3rd party DLL together, or just the 3rd party one. In either case, remove the 3rd party entry so that the value contains only cryptnet.dll. If all you see is cryptnet.dll, you're fine.
A reboot seems to be required. Restarting cryptographic services alone had no effect for me.
***NOTE*** If you still intend to use a 3rd party CAPI provider, you may want to avoid these directions as they will likely disable the program in favor of Windows' built-in mechanisms. Try re-installing that software to fix your issue.
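The registry check described above, as an added PowerShell example (not code from the original post): it reads the Dll value in both registry views and reports any entry other than cryptnet.dll, changing nothing unless asked. The -Fix switch and the output labels are assumptions of this example.

```powershell
# Added example: audit (and optionally repair) the default revocation provider list.
# Run from an elevated PowerShell prompt. Report-only unless -Fix is given.
param(
    [switch]$Fix   # hypothetical switch name chosen for this example
)

# Both registry views named in the post. In the registry the key is spelled
# 'EncodingType 1' (no space inside "EncodingType").
$keys = @(
    'HKLM:\Software\Microsoft\Cryptography\OID\EncodingType 1\CertDllVerifyRevocation\Default',
    'HKLM:\Software\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CertDllVerifyRevocation\Default'
)
$expected = 'cryptnet.dll'

foreach ($key in $keys) {
    if (-not (Test-Path -Path $key)) {
        # A 32-bit OS has no Wow6432Node view, so a missing key is not an error.
        Write-Output "SKIP     $key (key not present)"
        continue
    }

    # Dll is REG_MULTI_SZ: force an array and drop empty strings.
    $value   = (Get-ItemProperty -Path $key -Name Dll -ErrorAction SilentlyContinue).Dll
    $current = @($value | Where-Object { $_ })
    # -ne on strings is case-insensitive, so Cryptnet.dll matches cryptnet.dll.
    $foreign = @($current | Where-Object { $_ -ne $expected })

    if ($current.Count -eq 1 -and $foreign.Count -eq 0) {
        Write-Output "OK       $key -> $($current -join ', ')"
        continue
    }

    # Log the old value first so it can be restored if a 3rd party provider
    # turns out to be needed after all.
    Write-Output "MISMATCH $key -> [$($current -join ', ')]"

    if ($Fix) {
        Set-ItemProperty -Path $key -Name Dll -Type MultiString -Value @($expected)
        Write-Output "FIXED    $key -> $expected (reboot required)"
    }
}
```

Run it once without -Fix and keep the MISMATCH lines as the record of what each machine had before the change.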
Comments
- Anonymous
July 06, 2015
Thanks for the great information, this was exactly our problem on many clients. I have already verified on a few that all we needed to do was fix the reg entry and smart card login now works. What's better is that this fix is easily mass-deployable via PowerShell to our Win7 clients!