KB Article #178074
DV not handling smartcard certificate revocation checking for LSASS
Problem
Desktop Validator (DV) is not intercepting and handling revocation checking of user smartcard certificates on the domain controllers. DV Enterprise Edition validates certificates for all other processes, but not for logon account authentication coming from the LSASS process during user smartcard authentication to the domain server. Enabling Microsoft CAPI2 logging shows that Microsoft CAPI is handling the revocation checking of user smartcard certificates itself, pulling CRL data directly from the certificate's information and logging this in the CAPI2 event log.
Resolution
The root cause of this issue is a conflict between DV and another third-party service running on the domain controller: Dell Change Auditor Agent version 6.7 Build 1352.
This Change Auditor service also hooks into LSASS to monitor for AD changes. Disable this service and reboot; DV will then resume handling revocation checking through the LSASS service.
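
To see what the CAPI2 log records for LSASS during a smartcard logon, before and after disabling the conflicting service, the log can be filtered by calling process. This is an added example, not part of the original KB article. It assumes that CAPI2 events name the calling process in an `EventAuxInfo` `ProcessName` attribute and record fetched locations in `URL` elements.

```powershell
# Added example (not from the KB article). Run elevated on the domain controller.
$logName = 'Microsoft-Windows-CAPI2/Operational'

# The CAPI2 operational log is disabled by default; enable it if needed.
$log = Get-WinEvent -ListLog $logName
if (-not $log.IsEnabled) {
    $log.IsEnabled = $true
    $log.SaveChanges()
}

# Only look at events generated by the test logon that follows.
$start = Get-Date
Read-Host 'Perform a smartcard logon against this DC, then press Enter' | Out-Null

$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; StartTime = $start } `
    -ErrorAction SilentlyContinue

$lsassEvents = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    # Assumption: the calling process is recorded in EventAuxInfo/@ProcessName.
    $aux = $xml.GetElementsByTagName('EventAuxInfo') | Select-Object -First 1
    if ($null -ne $aux -and $aux.ProcessName -eq 'lsass.exe') {
        [pscustomobject]@{
            Time = $e.TimeCreated
            Id   = $e.Id
            Task = $e.TaskDisplayName
            # Assumption: network retrievals (such as CRL downloads) carry URL elements.
            Urls = @($xml.GetElementsByTagName('URL') |
                     ForEach-Object { $_.InnerText }) -join '; '
        }
    }
}

if (-not $lsassEvents) {
    'No CAPI2 events from lsass.exe were logged during the test window.'
} else {
    $lsassEvents | Sort-Object Time | Format-Table -AutoSize -Wrap
}
```

CRL locations listed against `lsass.exe` correspond to the behaviour described under Problem, where Microsoft CAPI pulls CRL data directly for the smartcard certificate.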