Nachfolgend eine Übersicht über die für die Public Key Infrastruktur relevanten auf Domänencontrollern erzeugten Ereignisse in der Windows-Ereignisanzeige.
Ereignisquellen
Die Ereignisse der Domönencontroller werden in das System-Protokoll geschrieben. Folgende Quellen enthalten PKI-relevante Active Directory-Ereignisse:
- Microsoft-Windows-Kerberos-Key-Distribution-Center
Ereignisquelle Microsoft-Windows-Kerberos-Key-Distribution-Center
Kennen Sie TameMyCerts? TameMyCerts ist ein Add-On für die Microsoft Zertifizierungsstelle (Active Directory Certificate Services). Es erweitert die Funktion der Zertifizierungsstelle und ermöglicht die Anwendung von Regelwerken, um die sichere Automatisierung von Zertifikat-Ausstellungen zu realisieren. TameMyCerts ist einzigartig im Microsoft-Ökosystem, hat sich bereits in unzähligen Unternehmen auf der ganzen Welt bewährt und steht unter einer freien Lizenz. Es kann über GitHub heruntergeladen und kostenlos verwendet werden. Professionelle Wartung wird ebenfalls angeboten.
ID | Typ | Ereignistext |
---|---|---|
19 | Warnung | This event indicates an attempt was made to use smartcard logon, but the KDC is unable to use the PKINIT protocol because it is missing a suitable certificate. |
20 | Warnung | The currently selected KDC certificate was once valid, but now is invalid and no suitable replacement was found. Smartcard logon may not function correctly if this problem is not remedied. Have the system administrator check on the state of the domain’s public key infrastructure. The chain status is in the error data. |
21 | Warnung | The client certificate for the user %1\%2 is not valid, and resulted in a failed smartcard logon. Please contact the user for more information about the certificate they’re attempting to use for smartcard logon. The chain status was : %3 |
29 | Warnung | The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate. |
32 | Warnung | The Key Distribution Center (KDC) uses a certificate without KDC Extended Key Usage (EKU) which can result in authentication failures for device certificate logon and smart card logon from non-domain-joined devices. Enrollment of a KDC certificate with KDC EKU (Kerberos Authentication template) is required to remove this warning. |
39 | Warnung oder Fehler | The Key Distribution Center (KDC) encountered a user certificate that was valid but could not be mapped to a user in a secure way (such as via explicit mapping, key trust mapping, or a SID). Such certificates should either be replaced or mapped directly to the user via explicit mapping. See https://go.microsoft.com/fwlink/?linkid=2189925 to learn more. User: %1 Certificate Subject: %2 Certificate Issuer: %3 Certificate Serial Number: %4 Certificate Thumbprint: %5 |
40 | Warnung oder Fehler | The Key Distribution Center (KDC) encountered a user certificate that was valid but could not be mapped to a user in a secure way (such as via explicit mapping, key trust mapping, or a SID). The certificate also predated the user it mapped to, so it was rejected. See https://go.microsoft.com/fwlink/?linkid=2189925 to learn more. User: %1 Certificate Subject: %2 Certificate Issuer: %3 Certificate Serial Number: %4 Certificate Thumbprint: %5 Certificate Issuance Time: %6 Account Creation Time: %7 |
41 | Warnung oder Fehler | The Key Distribution Center (KDC) encountered a user certificate that was valid but contained a different SID than the user to which it mapped. As a result, the request involving the certificate failed. See https://go.microsoft.com/fwlink/?linkid=2189925 to learn more. User: %1 User SID: %2 Certificate Subject: %3 Certificate Issuer: %4 Certificate Serial Number: %5 Certificate Thumbprint: %6 Certificate SID: %7 |
120 | Fehler | The Key Distribution Center (KDC) failed to validate its current KDC certificate. This KDC might not be enabled for smart card or certificate authentication. Kdc Certificate Information: Issuer Name: %1 Serial Number: %2 Thumbprint: %3 Template: %4 Kerberos Error: %5 Validation Error: %6 |
200 | Warnung | The Key Distribution Center (KDC) cannot find a suitable certificate to use. This KDC is not enabled for smart card or certificate authentication. |
302 | Information | The Key Distribution Center (KDC) uses the below KDC certificate for smart card or certificate authentication. Kdc Certificate Information: Issuer Name: %1 Serial Number: %2 Thumbprint: %3 Template: %4 |
Ein Gedanke zu „Übersicht über die für die PKI relevanten Active Directory Ereignisse“
Kommentare sind geschlossen.