Assume the following scenario:
- Domain controllers have certificates for LDAP over SSL.
- The certificates do not include the Extended Key Usage "Smart Card Logon" or "Kerberos Authentication".
- If you run certutil -dcinfo, the command reports the following error message:
0 KDC certificates for DC01
No KDC Certificate in MY store
KDC certificates: Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)
Cause
This error is due to the fact that certutil -dcinfo looks for certificates for smartcard login and does not find any.
For smart card logon to work, the domain controller certificate must contain either the Extended Key Usage "Smart Card Logon" or the Extended Key Usage "KDC Authentication", or the certificate must be issued from the certificate template "Domain Controller" (not recommended, as that template dates from the Windows 2000 era).
For security reasons, it may be advisable not to include the above Extended Key Usages in the domain controller certificates. If no smart card logon is used in the company, omitting them prevents the domain controllers from processing such logons at all, which limits the damage in the event of, for example, a compromised certification authority.
The problem is purely cosmetic and does not affect the remaining functions of the certificate (LDAP over SSL).
Note that the error also occurs if the domain controller certificate includes the "KDC Authentication" Extended Key Usage as recommended, but not the "Smartcard Logon" Extended Key Usage.
If the certificate meets all the requirements for smart card logon, the error message should not be displayed.
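To see which of these Extended Key Usages the domain controller's certificates actually carry, the following PowerShell snippet (an added example, not from the original article) lists every certificate in the local computer's personal store together with the three EKUs relevant here. The OIDs are the standard ones for Server Authentication, Smart Card Logon and KDC Authentication; the store path, the function name and the output layout are my own assumptions.

```powershell
# Added example, not from the original article.
# Run in an elevated PowerShell session on the domain controller.
# Reports, per certificate in the computer's personal (MY) store, whether it
# carries the EKUs that matter for LDAPS and for smart card logon.

$EkuServerAuth    = '1.3.6.1.5.5.7.3.1'       # Server Authentication (LDAP over SSL)
$EkuSmartCardLogon = '1.3.6.1.4.1.311.20.2.2' # Smart Card Logon
$EkuKdcAuth       = '1.3.6.1.5.2.3.5'         # KDC Authentication

function Get-DcCertificateEku {
    # Hypothetical helper name; store path is an assumption (the computer's MY store).
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        # Pull the OIDs out of the Enhanced Key Usage extension, if present.
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $ekuOids = @()
        if ($ekuExt) {
            $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
        [pscustomobject]@{
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint
            NotAfter       = $cert.NotAfter
            ServerAuth     = $ekuOids -contains $EkuServerAuth
            SmartCardLogon = $ekuOids -contains $EkuSmartCardLogon
            KdcAuth        = $ekuOids -contains $EkuKdcAuth
        }
    }
}

$report = Get-DcCertificateEku
$report | Format-Table -AutoSize

# Summary: LDAPS needs Server Authentication; the certutil -dcinfo message
# in the article appears when no certificate carries the Smart Card Logon EKU.
$ldaps = @($report | Where-Object ServerAuth).Count
$scl   = @($report | Where-Object SmartCardLogon).Count
Write-Host "Certificates usable for LDAP over SSL : $ldaps"
Write-Host "Certificates with Smart Card Logon EKU: $scl"
if ($scl -eq 0) {
    Write-Host 'No Smart Card Logon EKU present; expect certutil -dcinfo to report "No KDC Certificate in MY store" (cosmetic if smart card logon is not used).'
}
```

If you deliberately keep the logon EKUs off the domain controller certificates, the expected output is a Server Authentication count of at least one and a Smart Card Logon count of zero; the certutil -dcinfo message is then the documented cosmetic side effect rather than a defect in the LDAPS certificate.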