| Field | Value |
|---|---|
| Event Source | Microsoft Windows Kerberos Key Distribution Center |
| Event ID | 19 (0x80000013) |
| Event log | System |
| Event type | Warning |
| Event text (English) | This event indicates an attempt was made to use smartcard logon, but the KDC is unable to use the PKINIT protocol because it is missing a suitable certificate. |
| Event text (German, translated) | This event indicates that an attempt was made to use smart card logon, but the KDC cannot use the PKINIT protocol because a suitable certificate is missing. |
Example events
This event indicates an attempt was made to use smartcard logon, but the KDC is unable to use the PKINIT protocol because it is missing a suitable certificate.
Description
This message occurs when a logon is performed via smartcard, but the domain controller's certificate does not carry any of the extended key usages (EKUs) required for this.
This event occurs together with event ID 29.
This is the case, for example, when a customized, security-hardened certificate template is used for the domain controllers that does not permit smartcard logon.
See also the article "Signing in via smartcard fails with the error message 'Signing in with a security device isn't supported for your account'".
It can also occur when the domain controllers cannot check the revocation status of their own certificates, for example because the certificate revocation list distribution points are offline.
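Both causes named above (a domain controller certificate without the expected extended key usages, and a certificate whose revocation status the domain controller cannot determine) can be checked on the domain controller itself. The following PowerShell script is an added example and is not part of the original article; it lists every certificate with a private key in the local machine store, reports which of the EKUs commonly associated with PKINIT it carries, and builds the chain with online revocation checking. The EKU object identifiers in the table are assumptions based on the standard Microsoft EKU definitions; which of them your template is expected to contain depends on the template generation in use.

```powershell
# Added example (not from the article). Run in an elevated PowerShell on a
# domain controller. Reports PKINIT-relevant EKUs and the revocation-checked
# chain status for each machine certificate that has a private key.

# Assumed EKU OIDs (standard Microsoft definitions); adjust to your template.
$ekuNames = @{
    '1.3.6.1.5.2.3.5'        = 'KDC Authentication'
    '1.3.6.1.4.1.311.20.2.2' = 'Smart Card Logon'
    '1.3.6.1.5.5.7.3.1'      = 'Server Authentication'
    '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'
}

$certs = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey }

foreach ($cert in $certs) {
    # Extract the EKU extension, if present, as a list of OID strings.
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $ekus = @()
    if ($ekuExt) {
        $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
    }
    $present = @($ekuNames.Keys | Where-Object { $ekus -contains $_ } | ForEach-Object { $ekuNames[$_] })

    # Build the chain with online revocation checking for the entire chain.
    # If this fails because the CRL distribution points are unreachable, the
    # KDC cannot validate its own certificate either, which is one of the
    # causes of event ID 19 described in the article.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chainOk     = $chain.Build($cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    [PSCustomObject]@{
        Subject     = $cert.Subject
        Thumbprint  = $cert.Thumbprint
        NotAfter    = $cert.NotAfter
        PkinitEkus  = if ($present.Count -gt 0) { $present -join ', ' } else { '(none of the expected EKUs)' }
        ChainValid  = $chainOk
        ChainStatus = if ($chainStatus) { $chainStatus } else { 'NoError' }
    }
}
```

A certificate that shows none of the expected EKUs, or a chain status such as RevocationStatusUnknown or OfflineRevocation, points to the respective cause; an expired certificate (NotAfter in the past) is worth ruling out as well before looking further.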
More information
- For more information regarding the default certificate templates for domain controllers, see the article "Overview of the different generations of domain controller certificates".
- For more information regarding smartcard logon, see the article "Domain Controller Certificate Templates and Smartcard Logon".
- For the correct configuration of a certificate template for domain controllers, see the article "Configuring a Certificate Template for Domain Controllers".
Security assessment
The security assessment is based on the three dimensions of confidentiality, integrity and availability.
If security-hardened certificate templates are used which do not allow logon via smartcard, this event may indicate an unauthorized logon attempt as well as compromise of a certification authority. In this case, it would be rated as "critical" in terms of integrity.
For a description of the underlying problem, see the article "Attack vector on Active Directory directory service via smartcard logon mechanism".
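Because the article rates this event as potentially indicating an unauthorized logon attempt when the domain controller templates deliberately exclude smartcard logon, it is worth collecting events 19 and 29 from all domain controllers and looking at how often and when they occur. The following PowerShell script is an added example, not part of the original article; it queries the System log on the named domain controllers for both event IDs over a configurable window and summarizes them per domain controller and event ID. The computer names and the 24-hour window are placeholders.

```powershell
# Added example (not from the article). Collects Kerberos KDC events 19 and
# 29 from the System log of the given domain controllers and summarizes them.
# Requires remote event log access (Remote Event Log Management firewall rule)
# and a privileged account; run locally with $env:COMPUTERNAME otherwise.

$domainControllers = @($env:COMPUTERNAME)   # placeholder: list your DCs here
$hours = 24                                  # placeholder: review window

$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 19, 29
    StartTime    = (Get-Date).AddHours(-$hours)
}

$all = foreach ($dc in $domainControllers) {
    # Get-WinEvent raises a non-terminating error when no events match,
    # so suppress it and treat the result as an empty set.
    $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        [PSCustomObject]@{
            DomainController = $dc
            TimeCreated      = $e.TimeCreated
            Id               = $e.Id
            Message          = ($e.Message -split "`r?`n")[0]   # first line only
        }
    }
}

if (-not $all) {
    Write-Host "No event 19/29 entries found in the last $hours hours."
    return
}

# Per-DC and per-ID counts show whether one domain controller or one time
# window stands out; the article notes that 19 and 29 occur together.
$all | Group-Object DomainController, Id |
    Select-Object @{n='DomainController,Id'; e={$_.Name}}, Count |
    Sort-Object 'DomainController,Id' |
    Format-Table -AutoSize

# Hourly timeline of event 19 to spot bursts of logon attempts.
$all | Where-Object Id -eq 19 |
    Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:00') } |
    Select-Object @{n='Hour'; e={$_.Name}}, Count |
    Sort-Object Hour |
    Format-Table -AutoSize
```

A steady trickle of pairs of events 19 and 29 usually matches a configuration cause such as the hardened template or unreachable revocation list distribution points described above; a burst confined to one domain controller or one time window is the pattern that, in an environment where smartcard logon is intentionally not permitted, justifies the "critical" rating and a closer look at the certification authority.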
Related links:
- Overview of Active Directory events relevant for PKI
- Overview of Windows events generated by the certification authority
- Overview of audit events generated by the Certification Authority
External sources
- Event ID 19 - KDC Certificate Availability (Microsoft)