Server 2008 R2 Error 29 - with a twist

    General discussion

  • We have 5 DCs (2 read-only in the DMZ); 4 of them report the same issue every day. The error is this:
    "The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate."

    Running "certutil -dcinfo verify" as administrator from the command prompt does not report any certificate issues on any DC.

    The advice from MS/TechNet is to obtain a valid DC certificate but goes on to say "In this case the error handling does not take into account a non-CA environment."

    The problem is we have a non-CA environment but all DCs have valid certificates (minimum 1 year to expiration) issued by the same source.

    If this is due to the non-CA environment, why does one DC not report this, and how can I resolve the issue?
    Thursday, August 01, 2013 8:38 PM

All replies