![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(230.39999999999998, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(275.2, 16%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EV%3C/text%3E%3C/svg%3E)
The first error means the user account is not configured for smart card logon, the second one means the certificate chain used for authentication is no longer trusted by the local machine or domain. In a hybrid environment, this usually happens when certificate trust or mapping has drifted since initial setup.
To fix them, you need to verify the certificate chain (Ensure the full chain up to the root CA is present in trusted root certification authorities.) Check User Account Configuration (Confirm that the account is enabled for smart card logon and that the certificate is mapped (via UPN or altSecurityIdentities). If the certificate was reissued, you must update the mapping). Then validate CA Trust in the Domain, and check revocation settings (If the CRL expired, publish a new one from your CA).
If you find this information useful to some extent, don't forget to accept the answer so that your experience with the issue would help contribute to the whole community. Thank you :)
Vivian