We have 5 DCs (2 read-only in the DMZ); 4 of them report the same issue every day. The error is this:
"The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate."
Running "certutil -dcinfo verify" as administrator from the command prompt does not report any certificate issues on any DC.
The advice from MS/TechNet is to obtain a valid DC certificate, but it goes on to say "In this case the error handling does not take into account a non-CA environment."
The problem is we have a non-CA environment but all DCs have valid certificates (minimum 1 year to expiration) issued by the same source.
If this is due to the non-CA environment, why does one DC not report this, and how can I resolve the issue?