Details of the event with ID 19 of the source Microsoft-Windows-Kerberos-Key-Distribution-Center

Event Source:Microsoft Windows Kerberos Key Distribution Center
Event ID:19 (0x80000013)
Event log:System
Event type:Warning
Event text (English):This event indicates an attempt was made to use smartcard logon, but the KDC is unable to use the PKINIT protocol because it is missing a suitable certificate.
Event text (German, translated):This event indicates that an attempt was made to use smart card logon, but the KDC cannot use the PKINIT protocol because a suitable certificate is missing.

Details of the event with ID 20 of the source Microsoft-Windows-Kerberos-Key-Distribution-Center

Event Source:Microsoft Windows Kerberos Key Distribution Center
Event ID:20 (0x80000014)
Event log:System
Event type:Warning
Event text (English):The currently selected KDC certificate was once valid, but now is invalid and no suitable replacement was found. Smartcard logon may not function correctly if this problem is not remedied. Have the system administrator check on the state of the domain's public key infrastructure. The chain status is in the error data.
Event text (German, translated):The currently selected KDC certificate was previously valid but is now invalid, and no suitable replacement has been found. Smart card logon may not work properly if this issue is not resolved. Have the system administrator check the status of the domain's public key infrastructure (PKI). The chain status is included in the error data.

Details of the event with ID 29 of the source Microsoft-Windows-Kerberos-Key-Distribution-Center

Event Source:Microsoft Windows Kerberos Key Distribution Center
Event ID:29 (0x8000001D)
Event log:System
Event type:Warning
Event text (English):The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.
Event text (German, translated):The Key Distribution Center (KDC) cannot find a suitable certificate for smart card logon, or the KDC certificate could not be verified. Smart card logon may not work properly until this issue is resolved. To resolve this issue, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

Details of the event with ID 120 of the source Microsoft-Windows-Kerberos-Key-Distribution-Center

Event Source:Microsoft Windows Kerberos Key Distribution Center
Event ID:120 (0x78)
Event log:Microsoft-Windows-Kerberos-Key-Distribution-Center/Operational
Event type:Error
Event text (English):The Key Distribution Center (KDC) failed to validate its current KDC certificate. This KDC might not be enabled for smart card or certificate authentication. Kdc Certificate Information: Issuer Name: %1 Serial Number: %2 Thumbprint: %3 Template: %4 Kerberos Error: %5 Validation Error: %6
Event text (German, translated):The Key Distribution Center (KDC) could not verify its current KDC certificate. This KDC may not be usable for smart card or certificate authentication. KDC certificate information: Issuer name: %1 Serial number: %2 Thumbprint: %3 Template: %4 Kerberos error: %5 Validation error: %6
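All four events above point at the same object, the domain controller's KDC certificate, so here is one added triage script for them. It is the editor's example, not code from the original posts. It collects events 19, 20 and 29 from the System log and 120 from the provider's Operational log, prints the six insertion strings of event 120 by name, and then verifies every certificate in the machine store that carries the KDC Authentication EKU with certutil, which is what the text of event 29 recommends. It assumes an elevated PowerShell session on the domain controller itself; the EKU OID 1.3.6.1.5.2.3.5 (KDC Authentication, as issued from the Kerberos Authentication template) and the 50-event cap are the editor's choices.

```powershell
# Added example (editor's, not from the original posts): triage KDC certificate
# events 19/20/29/120 on a domain controller and verify the KDC certificate.
# Assumes an elevated PowerShell session on the DC itself.
$provider = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'

# 19, 20 and 29 are logged to System; 120 goes to the provider's Operational log.
$filters = @(
    @{ LogName = 'System';                ProviderName = $provider; Id = 19, 20, 29 },
    @{ LogName = "$provider/Operational"; ProviderName = $provider; Id = 120 }
)
$events = foreach ($f in $filters) {
    # Get-WinEvent throws when nothing matches; treat "no events" as a clean result.
    Get-WinEvent -FilterHashtable $f -MaxEvents 50 -ErrorAction SilentlyContinue
}

foreach ($e in ($events | Sort-Object TimeCreated -Descending)) {
    if ($e.Id -eq 120) {
        # Event 120 carries six insertion strings (%1..%6 in the message text):
        # issuer, serial number, thumbprint, template, Kerberos error, validation error.
        $p = @($e.Properties | ForEach-Object { $_.Value })
        '{0:u} 120 issuer="{1}" serial={2} thumbprint={3} template={4} krb={5} validation={6}' -f `
            $e.TimeCreated, $p[0], $p[1], $p[2], $p[3], $p[4], $p[5]
    }
    else {
        # 19/20/29 have no insertion strings worth parsing; the first message line is enough.
        '{0:u} {1} {2}' -f $e.TimeCreated, $e.Id, ($e.Message -split "`r?`n")[0]
    }
}

# The KDC needs a certificate with a private key and the KDC Authentication EKU
# (1.3.6.1.5.2.3.5) in the machine store. Verify each candidate the way the KDC
# sees it: a full chain build with fresh CRL/OCSP/AIA retrieval (-urlfetch), so a
# broken revocation infrastructure shows up here and not only as event 20/120.
$kdcCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.2.3.5')
}
if (-not $kdcCerts) {
    Write-Warning 'No certificate with the KDC Authentication EKU in LocalMachine\My; enroll one (see event 29).'
}
foreach ($c in $kdcCerts) {
    $file = Join-Path $env:TEMP "kdc-$($c.Thumbprint).cer"
    Export-Certificate -Cert $c -FilePath $file -Type CERT | Out-Null
    "=== $($c.Subject)  expires $($c.NotAfter)  thumbprint $($c.Thumbprint)"
    & certutil.exe -verify -urlfetch $file      # read the chain and revocation status at the end of the output
    Remove-Item -Path $file -ErrorAction SilentlyContinue
}
```

Run it on the domain controller that logged the events, not on the CA: the chain is built with that DC's certificate stores and proxy settings, which is what matters for the KDC. A certutil result that verifies cleanly while event 120 keeps appearing points to a certificate that is valid but not suitable (wrong EKU or template, missing DNS name), which is the case event 29 distinguishes from a verification failure.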

Change the signing algorithm of a certification authority hierarchy without issuing new certification authority certificates

Sometimes it becomes necessary to change the signature algorithm of an already installed certification authority hierarchy after the fact.

This is often the case when the hierarchy was installed with PKCS#1 version 2.1 (RSASSA-PSS signatures) and it only turns out afterwards that not all applications can process the resulting certificates, so that they cannot use the hierarchy at all.

While it is relatively easy to change the signature algorithm for the certificates a certification authority issues, doing so for the certification authority certificates themselves is considerably harder.
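The "easy" half of the change described above, as an added example (the editor's, not code from the original post): find out which certificates on a CA server carry PKCS#1 v2.1 (RSASSA-PSS) signatures, and switch the setting that governs newly issued certificates back to PKCS#1 v1.5. It assumes an elevated PowerShell session on the CA server; the CA configuration string is a placeholder. The CA's own certificate is not touched by this, which is exactly the limitation the excerpt refers to.

```powershell
# Added example (editor's, not from the original post): locate PKCS#1 v2.1
# (RSASSA-PSS) signatures in a hierarchy and switch issued certificates back to
# PKCS#1 v1.5. Assumes an elevated PowerShell session on the CA server.
$caConfig = "$env:COMPUTERNAME\Contoso Issuing CA"   # assumption: "host\CA common name"

# 1. Signature algorithm of every certificate in the machine's personal, intermediate
#    and root stores. 'RSASSA-PSS' = PKCS#1 v2.1; 'sha256RSA', 'sha1RSA', ... = PKCS#1 v1.5.
Get-ChildItem Cert:\LocalMachine\My, Cert:\LocalMachine\CA, Cert:\LocalMachine\Root |
    Select-Object @{ n = 'Store';     e = { ($_.PSParentPath -split '\\')[-1] } },
                  @{ n = 'Signature'; e = { $_.SignatureAlgorithm.FriendlyName } },
                  Subject |
    Sort-Object Signature, Store | Format-Table -AutoSize

# 2. The CA's own certificate as certutil reports it (this is the one that cannot
#    be changed by flipping a registry value).
$caCertFile = Join-Path $env:TEMP 'ca.cer'
& certutil.exe -config $caConfig -ca.cert $caCertFile | Out-Null
& certutil.exe -dump $caCertFile | Select-String -Pattern 'Signature Algorithm' -Context 0, 1

# 3. The setting that decides how *issued* certificates are signed:
#    1 = PKCS#1 v2.1 (RSASSA-PSS), 0 = PKCS#1 v1.5. It takes effect after a
#    restart of the CA service and only for certificates issued from then on.
& certutil.exe -getreg 'ca\csp\AlternateSignatureAlgorithm'
& certutil.exe -setreg 'ca\csp\AlternateSignatureAlgorithm' 0
Restart-Service -Name certsvc

# 4. Confirm the new value is in place before issuing anything.
& certutil.exe -getreg 'ca\csp\AlternateSignatureAlgorithm'
```

After the restart, a test request submitted to the CA with certreq should come back signed with sha256RSA (OID 1.2.840.113549.1.1.11) instead of RSASSA-PSS (1.2.840.113549.1.1.10); the `-dump` output in step 2 will still show RSASSA-PSS for the CA certificate itself, and any relying party that rejects PSS will keep rejecting the chain until that certificate is dealt with.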


The certification authority service does not start and throws the error message "The parameter is incorrect. 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)".

Assume the following scenario:

  • A certification authority is implemented in the network.
  • The certification authority service does not start.
  • When trying to start the Certification Authority service, you get the following error message:
    The parameter is incorrect. 0x57 (WIN32: 87 ERROR_INVALID_PARAMETER)

Deploy PKCS#1 version 2.1 for a root CA (its own and issued certificates)

Before the installation of a standalone root certification authority (Standalone Root CA), the question arises as to which cryptographic algorithms should be used.
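One way to make that decision stick at installation time, as an added example (the editor's, not code from the original post): the signature algorithm of the root CA's own certificate is fixed when the CA is installed, so the PKCS#1 v2.1 switch has to be in CAPolicy.inf before setup runs. The script writes such a CAPolicy.inf, installs a standalone root CA with it, and checks the resulting certificate. Assumptions: an elevated session on a server without AD CS yet, and the CA name, key size, validity periods and hash algorithm are placeholders chosen for the example.

```powershell
# Added example (editor's, not from the original post): install a standalone root
# CA that signs with PKCS#1 v2.1 (RSASSA-PSS) from its first certificate on.
# AlternateSignatureAlgorithm=1 must be in %SystemRoot%\CAPolicy.inf *before*
# the CA is installed; afterwards it only affects issued certificates.
$caPolicy = @"
[Version]
Signature="`$Windows NT`$"

[certsrv_server]
; 1 = PKCS#1 v2.1 (RSASSA-PSS) for the CA certificate and everything it issues,
; 0 (default) = PKCS#1 v1.5. Check relying-party compatibility before choosing 1.
AlternateSignatureAlgorithm=1
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=Years
CRLPeriodUnits=1
CRLDeltaPeriodUnits=0

; A root certificate carries no CDP/AIA URLs of its own.
[CRLDistributionPoint]
Empty=True

[AuthorityInformationAccess]
Empty=True
"@
Set-Content -Path "$env:SystemRoot\CAPolicy.inf" -Value $caPolicy -Encoding Ascii

Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools | Out-Null
Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
    -CACommonName 'Contoso Root CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 20 -Force

# Check: the root certificate must report RSASSA-PSS (OID 1.2.840.113549.1.1.10),
# not sha256RSA, and the CA must show the alternate algorithm as enabled.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=Contoso Root CA' } |
    ForEach-Object { '{0}: {1} ({2})' -f $_.Subject, $_.SignatureAlgorithm.FriendlyName, $_.SignatureAlgorithm.Value }
& certutil.exe -getreg 'ca\csp\AlternateSignatureAlgorithm'
```

The hash algorithm (SHA256 here) and the signature scheme (PKCS#1 v1.5 or v2.1) are independent choices; the cmdlet parameter sets the former, CAPolicy.inf the latter. Because a root certificate is self-signed, its signature scheme can only be changed by renewing the root with a new certificate, which is the situation the previous excerpt is about.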


Basics: key algorithms, signature algorithms and signature hash algorithms

When planning a public key infrastructure, the question arises as to which cryptographic algorithms it should use.

The main principles are explained below.


Configuring a Certificate Template for Domain Controllers

Even with a certificate template for domain controllers that is supposedly simple to configure, there are a few things to keep in mind.


Prevent smartcard logon to the network

Installing Active Directory Certificate Services in the default configuration automatically configures the environment so that domain controllers accept smart card logon.

Therefore, if smart card logon is not wanted, it makes sense to disable the functionality, so that a compromised certification authority cannot be used to issue logon certificates and thereby compromise Active Directory as well.
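Before disabling anything it helps to see what currently makes smart card logon possible, so here is an added read-only audit (the editor's example, not code from the original post). It assumes the standard preconditions for certificate logon in an Active Directory forest: the issuing CA is listed in the NTAuthCertificates object, and a template with the Smart Card Logon EKU (client side) or KDC Authentication EKU (domain controller side) is published on an enterprise CA. It needs the ActiveDirectory module and a domain account; the OIDs are the editor's, taken from the respective EKUs.

```powershell
# Added example (editor's, not from the original post): read-only audit of what
# currently enables smart card logon in the forest. Run it before and after the
# change to confirm the preconditions are gone. Needs the ActiveDirectory module.
Import-Module ActiveDirectory
$pkiDn = "CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"

# 1. NTAuthCertificates: domain controllers accept a logon certificate only if it
#    chains to a CA listed here. Every CA in this list can mint logon credentials,
#    so this is the trust decision a CA compromise turns against the domain.
$ntAuth = Get-ADObject -Identity "CN=NTAuthCertificates,$pkiDn" -Properties cACertificate
'NTAuth CAs:'
foreach ($raw in @($ntAuth.cACertificate)) {
    $c = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
    '  {0}  {1}  valid until {2:yyyy-MM-dd}' -f $c.Thumbprint, $c.Subject, $c.NotAfter
}

# 2. Templates whose EKUs provide the two halves of smart card logon:
#    client side Smart Card Logon (1.3.6.1.4.1.311.20.2.2),
#    domain controller side KDC Authentication (1.3.6.1.5.2.3.5).
$logonOids = '1.3.6.1.4.1.311.20.2.2', '1.3.6.1.5.2.3.5'
$templates = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiDn" `
    -Filter 'objectClass -eq "pKICertificateTemplate"' -Properties pKIExtendedKeyUsage |
    Where-Object { @($_.pKIExtendedKeyUsage | Where-Object { $_ -in $logonOids }).Count -gt 0 }

# 3. Which enterprise CAs actually publish those templates. Only published
#    templates can be enrolled, so this is the list that matters in practice.
Get-ADObject -SearchBase "CN=Enrollment Services,$pkiDn" `
    -Filter 'objectClass -eq "pKIEnrollmentService"' -Properties certificateTemplates, dNSHostName |
    ForEach-Object {
        $published = @($_.certificateTemplates | Where-Object { $_ -in $templates.Name })
        [pscustomobject]@{ CA = $_.Name; Host = $_.dNSHostName; LogonTemplates = $published -join ', ' }
    } | Format-Table -AutoSize
```

An empty LogonTemplates column for every CA, or an NTAuth list that contains none of your CAs, means the default configuration has been undone; a CA that appears in NTAuth but publishes no logon template is still one template change away from issuing logon certificates.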


Customize the Certificate Enrollment Web Service (CES) after migrating a certificate authority to a new server

If a Certificate Enrollment Web Service (CES) is operated in the network, the procedure described in "Migration of an Active Directory integrated certification authority (Enterprise Certification Authority) to another server" requires that the CES configuration be adapted to the new situation as well.

The CES configuration stores a configuration string (config string) that contains the server name of the connected certification authority. If that name changes, the configuration must be adjusted accordingly.
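The adjustment described above, as an added example (the editor's, not code from the original post). Assumptions, all of them the editor's: the CES instances keep their web.config files under %SystemRoot%\SystemData\CES, the config string is stored as an appSettings value in the form "host\CA common name", and the old and new names are placeholders. The script matches on the value rather than on a key name, takes a backup of every file it changes, and pings the CA under its new name afterwards.

```powershell
# Added example (editor's, not from the original post): point every CES instance
# at the migrated CA's new server name. Assumes the web.config files live under
# %SystemRoot%\SystemData\CES and the config string is an appSettings value.
$oldConfigString = 'OLDCA01.contoso.com\Contoso Issuing CA'   # assumption: previous "host\CA name"
$newConfigString = 'NEWCA01.contoso.com\Contoso Issuing CA'   # assumption: new "host\CA name"
$cesRoot = Join-Path $env:SystemRoot 'SystemData\CES'          # assumption: default CES location

# There is one CES instance (and web.config) per CA and authentication type.
$updated = foreach ($file in Get-ChildItem -Path $cesRoot -Recurse -Filter web.config) {
    [xml]$cfg = Get-Content -Path $file.FullName -Raw
    $hits = @($cfg.configuration.appSettings.add | Where-Object { $_.value -eq $oldConfigString })
    if (-not $hits) { continue }

    Copy-Item -Path $file.FullName -Destination "$($file.FullName).bak" -Force   # rollback copy
    foreach ($h in $hits) { $h.value = $newConfigString }
    $cfg.Save($file.FullName)
    [pscustomobject]@{ File = $file.FullName; Keys = ($hits | ForEach-Object { $_.key }) -join ',' }
}
if (-not $updated) {
    Write-Warning "No web.config under $cesRoot references '$oldConfigString'; nothing changed."
}
else {
    $updated | Format-Table -AutoSize
    # Reload IIS so the worker processes read the new configuration, then make
    # sure the CA answers under its new name before clients are pointed at it.
    & iisreset.exe
    & certutil.exe -config $newConfigString -ping
}
```

If the CES uses Kerberos authentication, the service account's SPN and the delegation settings toward the new CA host have to follow the same rename; the config string is only the part of the migration that lives in web.config.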


Basics: Finding certificates and validating the certification path

In order to determine whether a certificate has been issued by a certification authority that has been classified as trustworthy, a trust chain must be formed. To do this, all certificates in the chain must be determined and checked. Microsoft CryptoAPI builds all possible certificate chains and returns those with the highest quality to the requesting application.


Basics: Checking the revocation status of certificates

If a valid, unexpired certificate is to be withdrawn from circulation, it must be revoked. For this purpose the certification authorities maintain revocation lists in which the serial numbers of the revoked certificates are listed. These lists must be consulted during the validity check.
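The two previous excerpts (chain building and revocation checking) are the two halves of one validation, so here is one added example covering both (the editor's, not code from the original posts). It drives CryptoAPI through .NET's X509Chain, builds the chain with revocation checking switched on, and reduces the result to the three revocation outcomes a validator has to tell apart: confirmed good, revoked, and status unknown because the CRL or OCSP responder could not be consulted. All names are the editor's; the usage line at the end picks the first certificate in the user store as input.

```powershell
# Added example (editor's, not from the original posts): build and validate a
# certificate chain with CryptoAPI via .NET X509Chain, including revocation.
function Test-CertificateChain {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        # Online: fetch CRL/OCSP as needed; Offline: cached CRLs only; NoCheck: skip revocation.
        [ValidateSet('Online', 'Offline', 'NoCheck')][string]$RevocationMode = 'Online'
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = $RevocationMode
    $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'      # a self-signed root cannot be revoked
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

    # CryptoAPI builds every chain it can find and hands back the best one;
    # X509Chain exposes only that winner in ChainElements.
    $trusted = $chain.Build($Certificate)

    $elements = foreach ($el in $chain.ChainElements) {
        [pscustomobject]@{
            Subject = $el.Certificate.Subject
            Issuer  = $el.Certificate.Issuer
            Status  = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
        }
    }

    # Aggregate flags. Revoked is a hard failure. RevocationStatusUnknown and
    # OfflineRevocation mean the CRL/OCSP could not be consulted: a strict
    # validator must fail here too, because "unknown" is not "good".
    $flags = @($chain.ChainStatus | ForEach-Object { $_.Status })
    $revocation = if ($flags -contains 'Revoked') { 'Revoked' }
                  elseif ($flags -contains 'RevocationStatusUnknown' -or $flags -contains 'OfflineRevocation') { 'Unknown' }
                  elseif ($RevocationMode -eq 'NoCheck') { 'NotChecked' }
                  else { 'Good' }

    [pscustomobject]@{
        Trusted    = $trusted
        Revocation = $revocation
        Flags      = $flags
        Details    = @($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() })
        Elements   = $elements
    }
}

# Usage: any X509Certificate2 works, e.g. the first certificate in the user store.
$cert = Get-ChildItem Cert:\CurrentUser\My | Select-Object -First 1
Test-CertificateChain -Certificate $cert -RevocationMode Online | Format-List
```

Running the same certificate with `-RevocationMode Offline` shows whether the machine's CRL cache alone would carry the decision; a result of Trusted = True with Revocation = Unknown is the combination to watch for, since Build() returns True whenever the only complaints are revocation-related and the policy is lenient.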


Use the Online Responder (OCSP) with a SafeNet Hardware Security Module (HSM)

With the SafeNet Key Storage Provider it is not possible to set permissions on the private keys: the Microsoft Management Console (MMC) will crash.
