Details of the event with ID 32 of the source Microsoft-Windows-Kerberos-Key-Distribution-Center

Event Source: Microsoft Windows Kerberos Key Distribution Center
Event ID: 32 (0x80000020)
Event log: System
Event type: Warning
Event text (English):The Key Distribution Center (KDC) uses a certificate without KDC Extended Key Usage (EKU) which can result in authentication failures for device certificate logon and smart card logon from non-domain-joined devices. Enrollment of a KDC certificate with KDC EKU (Kerberos Authentication template) is required to remove this warning.
Event text (German):The Key Distribution Center (KDC) uses a certificate without Extended Key Usage (EKU) for the KDC. This can lead to authentication errors during device certificate enrollments and smart card enrollments of devices without domain affiliation. Enrollment of a KDC certificate with KDC EKU (Kerberos authentication template) is required to eliminate this warning.

Example events

The Key Distribution Center (KDC) uses a certificate without KDC Extended Key Usage (EKU) which can result in authentication failures for device certificate logon and smart card logon from non-domain-joined devices. Enrollment of a KDC certificate with KDC EKU (Kerberos Authentication template) is required to remove this warning.

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the functionality of the certification authority and enables the application of rules to securely automate certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can be downloaded via GitHub and used free of charge. Professional maintenance is also offered.

Description

This message occurs when a smart card logon was processed and the domain controller certificate does not include the "Kerberos Authentication" extended key usage (EKU).

This is the case, for example, if the domain controller uses a certificate based on the default Domain Controller certificate template. This does not contain the extended key usage for "Kerberos Authentication". The same applies to the deprecated Domain Controller Authentication certificate template.

The "Domain Controller" certificate template is, if it is offered by a certification authority, automatically requested by the domain controllers via autoenrollment. It is therefore often in use without anyone being aware of it.
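To confirm the cause described above on a domain controller, the following PowerShell script (an added example, not part of the original page) checks the System log for this event and then lists every certificate in the machine's Personal store together with its certificate template and whether it carries the KDC Authentication EKU (OID 1.3.6.1.5.2.3.5, the EKU that the "Kerberos Authentication" template adds). It assumes it is run elevated on the domain controller that logged the warning; the template name is read best-effort from the Microsoft template extensions.

```powershell
# Added example (not from the original page). Run elevated on the DC that logged event 32.
$KdcEkuOid      = '1.3.6.1.5.2.3.5'        # KDC Authentication EKU
$EkuExtOid      = '2.5.29.37'              # Extended Key Usage extension
$TemplateExtOid = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information (v2+ templates)
$TemplateV1Oid  = '1.3.6.1.4.1.311.20.2'   # Certificate Template Name (v1 templates, e.g. DomainController)

# 1. Has this DC logged the KDC warning?
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 32
} -MaxEvents 10 -ErrorAction SilentlyContinue

if ($events) {
    Write-Host ("KDC event 32 found {0} time(s); most recent: {1}" -f $events.Count, $events[0].TimeCreated)
} else {
    Write-Host 'No KDC event 32 in the System log.'
}

# 2. Audit the machine certificates: which ones carry the KDC Authentication EKU?
Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    $ekus = @()
    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuExtOid } | Select-Object -First 1
    if ($ekuExt) {
        # Re-parse the raw extension so this works whether or not PowerShell already typed it
        $parsed = New-Object System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension -ArgumentList $ekuExt, $false
        $ekus = $parsed.EnhancedKeyUsages | ForEach-Object { $_.Value }
    }

    # Best-effort template name: Format() returns the display text of the template extension
    $tmplExt = $cert.Extensions | Where-Object { $_.Oid.Value -in $TemplateExtOid, $TemplateV1Oid } | Select-Object -First 1
    $template = if ($tmplExt) { $tmplExt.Format($false) } else { '(no template extension)' }

    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Template   = $template
        HasKdcEku  = ($ekus -contains $KdcEkuOid)
        EKUs       = ($ekus -join ', ')
    }
} | Sort-Object HasKdcEku -Descending | Format-Table -AutoSize
```

A domain controller whose only certificate shows `HasKdcEku` as `False` and a template of "DomainController" or "Domain Controller Authentication" matches the situation the event describes; enrolling a certificate from the "Kerberos Authentication" template, as the event text states, gives the KDC a certificate with the EKU and clears the warning.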

More information

Security assessment

The security assessment is based on the three dimensions of confidentiality, integrity and availability.

Since it is very likely that the "Domain Controller" certificate template is in use inadvertently, for the reasons described above, it should also be checked whether smart card logon by users is intended at all.

If this is not the case, this event could be an indication of an attack on Active Directory via the certificate authority, and in this case would be considered critical for the integrity of the network.

For a description of the underlying problem, see the article "Attack vector on Active Directory directory service via smartcard logon mechanism".
