| Event Source: | Microsoft Windows Kerberos Key Distribution Center |
| Event ID: | 41 (0x80000029) |
| Event log: | System |
| Event type: | Warning or error |
| Event text (English): | The Key Distribution Center (KDC) encountered a user certificate that was valid but contained a different SID than the user to which it mapped. As a result, the request involving the certificate failed. See https://go.microsoft.com/fwlink/?linkid=2189925 to learn more. User: %1 User SID: %2 Certificate Subject: %3 Certificate Issuer: %4 Certificate Serial Number: %5 Certificate Thumbprint: %6 Certificate SID: %7 |
| Event text (German): | The Key Distribution Center (KDC) found a valid user certificate, but it contained a different SID than the user it is assigned to. As a result, an error occurred in the request involving the certificate. For more information, see https://go.microsoft.com/fwlink/?linkid=2189925 User: %1 User SID: %2 Certificate requester: %3 Certificate issuer: %4 Certificate serial number: %5 Certificate fingerprint: %6 Certificate SID: %7 |
Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can downloaded via GitHub and can be used free of charge. Professional maintenance is also offered.
Parameter
The parameters contained in the event text are filled with the following fields:
- %1: AccountName (win:UnicodeString)
- %2: AccountSid (win:UnicodeString)
- %3: Subject (win:UnicodeString)
- %4: Issuer (win:UnicodeString)
- %5: SerialNumber (win:UnicodeString)
- %6: Thumbprint (win:UnicodeString)
- %7: CertificateSid (win:UnicodeString)
- %8: __binLength (win:UInt32)
- %9: binary (win:Binary)
Description
No description has been written for this yet.
Safety assessment
The security assessment is based on the three dimensions of confidentiality, integrity and availability.
An alert should definitely be triggered for this event, since certificates are not accepted in the event of logging. This can indicate an attack, but also a misconfiguration with an effect on availability.
Related links:
- Logging on to Active Directory with the May 10, 2022 patch for Windows Server (KB5014754)
- Overview of Active Directory events relevant for PKI
- Overview of Windows events generated by the certification authority
- Overview of audit events generated by the Certification Authority
External sources
- KB5014754-Certificate-based authentication changes on Windows domain controllers (Microsoft Corporation)
English 
Deutsch