| Field | Value |
|---|---|
| Event Source | Microsoft Windows Kerberos Key Distribution Center |
| Event ID | 32 (0x80000020) |
| Event log | System |
| Event type | Warning |
| Event text (English) | The Key Distribution Center (KDC) uses a certificate without KDC Extended Key Usage (EKU) which can result in authentication failures for device certificate logon and smart card logon from non-domain-joined devices. Enrollment of a KDC certificate with KDC EKU (Kerberos Authentication template) is required to remove this warning. |
| Event text (German) | The Key Distribution Center (KDC) uses a certificate without Extended Key Usage (EKU) for the KDC. This can lead to authentication errors during device certificate logons and smart card logons from devices that are not domain-joined. Enrollment of a KDC certificate with KDC EKU (Kerberos Authentication template) is required to eliminate this warning. |
Category: Active Directory
Details of the event with ID 200 of the source Microsoft-Windows-Kerberos-Key-Distribution-Center
| Field | Value |
|---|---|
| Event Source | Microsoft Windows Kerberos Key Distribution Center |
| Event ID | 200 (0xC8) |
| Event log | Microsoft-Windows-Kerberos-Key-Distribution-Center/Operational |
| Event type | Warning |
| Event text (English) | The Key Distribution Center (KDC) cannot find a suitable certificate to use. This KDC is not enabled for smart card or certificate authentication. |
| Event text (German) | The Key Distribution Center (KDC) cannot find a suitable certificate. This KDC is not enabled for smart card or certificate authentication. |
Details of the event with ID 21 of the source Microsoft-Windows-Kerberos-Key-Distribution-Center
| Field | Value |
|---|---|
| Event Source | Microsoft Windows Kerberos Key Distribution Center |
| Event ID | 21 (0x80000015) |
| Event log | System |
| Event type | Warning |
| Event text (English) | The client certificate for the user %1\%2 is not valid, and resulted in a failed smartcard logon. Please contact the user for more information about the certificate they're attempting to use for smartcard logon. The chain status was : %3 |
| Event text (German) | The client certificate for user %1\%2 is not valid. The result was an error during smart card logon. Contact the user for more information about the certificate to be used for smart card logon. Chain status: %3 |
Details of the event with ID 302 of the source Microsoft-Windows-Kerberos-Key-Distribution-Center
| Field | Value |
|---|---|
| Event Source | Microsoft Windows Kerberos Key Distribution Center |
| Event ID | 302 (0x12E) |
| Event log | Microsoft-Windows-Kerberos-Key-Distribution-Center/Operational |
| Event type | Information |
| Event text (English) | The Key Distribution Center (KDC) uses the below KDC certificate for smart card or certificate authentication. Kdc Certificate Information: Issuer Name: %1 Serial Number: %2 Thumbprint: %3 Template: %4 |
| Event text (German) | The Key Distribution Center (KDC) uses the following certificate for smart card or certificate authentication. KDC certificate information: Issuer name: %1 Serial number: %2 Thumbprint: %3 Template: %4 |
Details of the event with ID 19 of the source Microsoft-Windows-Kerberos-Key-Distribution-Center
| Field | Value |
|---|---|
| Event Source | Microsoft Windows Kerberos Key Distribution Center |
| Event ID | 19 (0x80000013) |
| Event log | System |
| Event type | Warning |
| Event text (English) | This event indicates an attempt was made to use smartcard logon, but the KDC is unable to use the PKINIT protocol because it is missing a suitable certificate. |
| Event text (German) | This event indicates that an attempt was made to use smart card logon, but the KDC cannot use the PKINIT protocol because a suitable certificate is missing. |
Details of the event with ID 20 of the source Microsoft-Windows-Kerberos-Key-Distribution-Center
| Field | Value |
|---|---|
| Event Source | Microsoft Windows Kerberos Key Distribution Center |
| Event ID | 20 (0x80000014) |
| Event log | System |
| Event type | Warning |
| Event text (English) | The currently selected KDC certificate was once valid, but now is invalid and no suitable replacement was found. Smartcard logon may not function correctly if this problem is not remedied. Have the system administrator check on the state of the domain's public key infrastructure. The chain status is in the error data. |
| Event text (German) | The currently selected KDC certificate was previously valid but is now invalid. No suitable replacement has been found. Smart card logon may not work properly if this issue is not resolved. Have the system administrator check the status of the domain's public key infrastructure (PKI). The chain status is included in the error data. |
Details of the event with ID 29 of the source Microsoft-Windows-Kerberos-Key-Distribution-Center
| Field | Value |
|---|---|
| Event Source | Microsoft Windows Kerberos Key Distribution Center |
| Event ID | 29 (0x8000001D) |
| Event log | System |
| Event type | Warning |
| Event text (English) | The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate. |
| Event text (German) | The Key Distribution Center (KDC) cannot find a suitable certificate for smart card logons, or the KDC certificate could not be verified. Smart card logon may not work properly until this issue is resolved. To resolve this issue, either verify the existing KDC certificate using certutil.exe, or enroll for a new KDC certificate. |
Details of the event with ID 120 of the source Microsoft-Windows-Kerberos-Key-Distribution-Center
| Field | Value |
|---|---|
| Event Source | Microsoft Windows Kerberos Key Distribution Center |
| Event ID | 120 (0x78) |
| Event log | Microsoft-Windows-Kerberos-Key-Distribution-Center/Operational |
| Event type | Error |
| Event text (English) | The Key Distribution Center (KDC) failed to validate its current KDC certificate. This KDC might not be enabled for smart card or certificate authentication. Kdc Certificate Information: Issuer Name: %1 Serial Number: %2 Thumbprint: %3 Template: %4 Kerberos Error: %5 Validation Error: %6 |
| Event text (German) | The Key Distribution Center (KDC) could not validate its current KDC certificate. This KDC may not be usable for smart card or certificate authentication. KDC certificate information: Issuer name: %1 Serial number: %2 Thumbprint: %3 Template: %4 Kerberos error: %5 Validation error: %6 |
Configuring a Certificate Template for Domain Controllers
Even with a certificate template for domain controllers that is supposedly simple to configure, there are a few things to keep in mind.
Prevent smartcard logon to the network
Installing Active Directory Certificate Services in the default configuration automatically configures the environment to accept smart card logons via domain controllers.
Therefore, if smart card logon is not desired, it makes sense to disable the functionality so that, in the event the certification authority is compromised, it cannot be used to jeopardize the Active Directory.
How are the compatibility settings for certificate templates technically mapped?
Since the Certificate Services management tools of Windows Server 2012, you can select the desired compatibility for the certification authority and the certificate recipient when configuring a certificate template.
In the following, this function is described in more detail, as well as possible effects in practice.
Automatically change passwords for accounts that require login via smartcard or Windows Hello for Business
A new feature of Windows Server 2016 is that the passwords of accounts that are restricted to smart card logon are automatically renewed according to the password policies.
If the "Smart card is required for interactive logon" option is enabled for a user account, the password of the user account is set to a random value once. However, the password never changes after that, which makes the account more vulnerable to pass-the-hash attacks.
The newly introduced feature solves this problem by generating new randomly generated passwords for corresponding accounts on a regular basis (depending on the password policy configured for the account).
Classification of ADCS components in the Administrative Tiering Model
If, in addition to the Active Directory Certificate Services, the administrative tiering model is also implemented for the Active Directory directory service, the question arises as to how the individual PKI components are to be assigned to this model in order to be able to perform targeted security hardening.
Basics and risk assessment of delegation settings
Delegation is required whenever there is an intermediary between the user and the actual service. In the case of Certification Authority Web Enrollment, this is the case if it is installed on a separate server. It then acts as an intermediary between the requester and the certification authority.
After installing or migrating a certificate authority to a new server, you can no longer publish your own certificate templates
Assume the following scenario:
- An Active Directory-integrated certification authority (Enterprise CA) is deployed in the network.
- The certification authority was migrated to a new server (see also the article "Migration of an Active Directory integrated certification authority (Enterprise Certification Authority) to another server").
- When publishing certificate templates, one notices that only the default certificate templates can be selected for publication; custom certificate templates are not displayed.