| Event Source: | Microsoft Windows Kerberos Key Distribution Center |
| Event ID: | 200 (0xC8) |
| Event log: | Microsoft-Windows-Kerberos-Key-Distribution-Center/Operational |
| Event type: | Warning |
| Event text (English): | The Key Distribution Center (KDC) cannot find a suitable certificate to use. This KDC is not enabled for smart card or certificate authentication. |
| Event text (German): | The Key Distribution Center (KDC) cannot find a suitable certificate. This KDC is not enabled for smart card or certificate authentication. |
Month: September 2020
Details of the event with ID 21 of the source Microsoft-Windows-Kerberos-Key-Distribution-Center
| Event Source: | Microsoft Windows Kerberos Key Distribution Center |
| Event ID: | 21 (0x80000015) |
| Event log: | System |
| Event type: | Warning |
| Event text (English): | The client certificate for the user %1\%2 is not valid, and resulted in a failed smartcard logon. Please contact the user for more information about the certificate they're attempting to use for smartcard logon. The chain status was : %3 |
| Event text (German): | The client certificate for user %1\%2 is not valid. The result was an error during smartcard login. Contact the user for more information about the certificate to be used for the smartcard application. Chain status: %3 |
Details of the event with ID 302 of the source Microsoft-Windows-Kerberos-Key-Distribution-Center
| Event Source: | Microsoft Windows Kerberos Key Distribution Center |
| Event ID: | 302 (0x12E) |
| Event log: | Microsoft-Windows-Kerberos-Key-Distribution-Center/Operational |
| Event type: | Information |
| Event text (English): | The Key Distribution Center (KDC) uses the below KDC certificate for smart card or certificate authentication. Kdc Certificate Information: Issuer Name: %1 Serial Number: %2 Thumbprint: %3 Template: %4 |
| Event text (German): | The Key Distribution Center (KDC) uses the following certificate for smart card or certificate authentication. KDC certificate information: Issuer name: %1 Serial number: %2 Fingerprint: %3 Template: %4 |
Details of the event with ID 19 of the source Microsoft-Windows-Kerberos-Key-Distribution-Center
| Event Source: | Microsoft Windows Kerberos Key Distribution Center |
| Event ID: | 19 (0x80000013) |
| Event log: | System |
| Event type: | Warning |
| Event text (English): | This event indicates an attempt was made to use smartcard logon, but the KDC is unable to use the PKINIT protocol because it is missing a suitable certificate. |
| Event text (German): | This event indicates that an attempt was made to use the smart card login, but the KDC cannot use the PKINIT protocol because a suitable certificate is missing. |
Details of the event with ID 20 of the source Microsoft-Windows-Kerberos-Key-Distribution-Center
| Event Source: | Microsoft Windows Kerberos Key Distribution Center |
| Event ID: | 20 (0x80000014) |
| Event log: | System |
| Event type: | Warning |
| Event text (English): | The currently selected KDC certificate was once valid, but now is invalid and no suitable replacement was found. Smartcard logon may not function correctly if this problem is not remedied. Have the system administrator check on the state of the domain's public key infrastructure. The chain status is in the error data. |
| Event text (German): | The currently selected KDC certificate was previously valid but is now invalid. No suitable replacement has been found. Smart card logon may not work properly if this issue is not resolved. Have the system administrator check the status of the domain's public key infrastructure (PKI). The chain status is included in the error data. |
Details of the event with ID 29 of the source Microsoft-Windows-Kerberos-Key-Distribution-Center
| Event Source: | Microsoft Windows Kerberos Key Distribution Center |
| Event ID: | 29 (0x8000001D) |
| Event log: | System |
| Event type: | Warning |
| Event text (English): | The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate. |
| Event text (German): | The Key Distribution Center (KDC) cannot find a suitable certificate for smart card logins, or the KDC certificate could not be verified. Smart card logins may not work properly until this issue is resolved. To resolve this issue, either verify the existing KDC certificate using certutil.exe, or register for a new KDC certificate. |
Details of the event with ID 120 of the source Microsoft-Windows-Kerberos-Key-Distribution-Center
| Event Source: | Microsoft Windows Kerberos Key Distribution Center |
| Event ID: | 120 (0x78) |
| Event log: | Microsoft-Windows-Kerberos-Key-Distribution-Center/Operational |
| Event type: | Error |
| Event text (English): | The Key Distribution Center (KDC) failed to validate its current KDC certificate. This KDC might not be enabled for smart card or certificate authentication. Kdc Certificate Information: Issuer Name: %1 Serial Number: %2 Thumbprint: %3 Template: %4 Kerberos Error: %5 Validation Error: %6 |
| Event text (German): | The Key Distribution Center (KDC) could not verify the current KDC certificate. This KDC may not be able to be used for smart card or certificate authentication. KDC certificate information: Issuer name: %1 Serial number: %2 Fingerprint: %3 Template: %4 Kerberos error: %5 Verification error: %6 |
Change the signing algorithm of a certification authority hierarchy without issuing new certification authority certificates
Sometimes it may be necessary to change the Signature algorithm to subsequently change an already installed certification authority hierarchy.
This is often the case because one has installed them with PKCS#1 version 2.1 and unfortunately finds out afterwards that not all applications are compatible with the resulting certificates, and thus cannot use the hierarchy.
While it is relatively easy to change the signature algorithm for certificates issued by a certification authority, it is more difficult to do so for certification authority certificates.
Continue reading „Den Signaturalgorithmus einer Zertifizierungsstellen-Hierarchie ändern, ohne neue Zertifizierungsstellen-Zertifikate auszustellen“The certification authority service does not start and throws the error message "The parameter is incorrect. 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)".
Assume the following scenario:
- A certification authority is implemented in the network.
- The certification authority service does not start.
- When trying to start the Certification Authority service, you get the following error message:
The parameter is incorrect. 0x57 (WIN32: 87 ERROR_INVALID_PARAMETER)Continue reading „Der Zertifizierungsstellen-Dienst startet nicht und wirft die Fehlermeldung „The parameter is incorrect. 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)““
Configuring PKCS#1 Version 2.1 for Issued Certificates and Revocation Lists of a Certification Authority
Sometimes it may be necessary to change the Signature algorithm of an already installed certification authority subsequently.
Continue reading „PKCS#1 Version 2.1 für ausgestellte Zertifikate und Sperrlisten einer Zertifizierungsstelle konfigurieren“Deploy PKCS#1 version 2.1 for a root CA (owned and issued certificates)
Before the Installation of a standalone root certification authority (Standalone Root CA) the question arises as to which cryptographic algorithms should be used.
Continue reading „PKCS#1 Version 2.1 für eine Stammzertifizierungsstelle (Root CA) einsetzen (eigenes und ausgestellte Zertifikate)“Basics: key algorithms, signature algorithms and signature hash algorithms
When planning a public key infrastructure, the question arises as to which cryptographic algorithms it should use.
The main principles are explained below.
Continue reading „Grundlagen: Schlüsselalgorithmen, Signaturalgorithmen und Signaturhashalgorithmen“Configuring a Certificate Template for Domain Controllers
Even with a certificate template for domain controllers that is supposedly simple to configure, there are a few things to keep in mind.
Continue reading „Konfigurieren einer Zertifikatvorlage für Domänencontroller“Prevent smartcard logon to the network
Installing Active Directory Certificate Services in the default configuration automatically configures the environment to accept smart card logins from domain controllers.
Therefore, if the use of smart card logins is not desired, it makes sense to disable the functionality so that, in the event the certificate authority is compromised, it can not to jeopardize the Active Directory.
Continue reading „Smartcard Anmeldung im Netzwerk unterbinden“Customize the Certificate Enrollment Web Service (CES) after migrating a certificate authority to a new server
If a Certificate Enrollment Web Service (CES) is operated in the network, it is necessary to use the "Migration of an Active Directory integrated certification authority (Enterprise Certification Authority) to another server" requires that the configuration of the CES is adapted to the new situation.
A configuration string (Config String) is stored in the configuration of the CES, which contains the server name of the connected certification authority. If this changes, the configuration must be adjusted accordingly.
Continue reading „Den Zertifikatbeantragungs-Webdienst (CES) nach der Migration einer Zertifizierungsstelle auf einen neuen Server anpassen“
English 
Deutsch