KDC Certificate Could Not Be Validated Error

  • Question

  • I think this is the right forum for this question, but please feel free to redirect me if it is not. 

    We are using Windows Hello for Business for users to sign into their computers with a PIN or Biometric. It works well for sign in 99% of the time, but every once in a while a user gets the error:

    "Sign-in failed. Contact your system administrator and tell them that the KDC certificate could not be validated. Additional information may be available in the system event log."

    The user gets this message on the sign in screen after using their PIN or Biometric. To resolve this, the user can sign in with their password or wait about a minute, try again, then it will work. I've also seen this work after rebooting the computer. After getting signed in again, they don't have the error message on subsequent logins. 

    The odd part is that this happens very intermittently...so it's tough to troubleshoot. 

    Windows Hello for Business does require domain controller certificates with the KDC Authentication, but I have these issued to the devices....and again, they can use it fine 99% of the time. 

    Googling this error didn't get me anywhere helpful, so I am hoping that someone might know why I am getting this error intermittently?

    Thursday, September 12, 2019 8:39 PM

All replies

  • Hi,

    Thanks for posting in our forum.

    According to my knowledge, I would suggest you verify whether Event 19, 20 or 29 is logged on the DCs. If the event is logged, please delete the invalid certificate and then request a new certificate.

    We can use the command "certutil -dcinfo deleteBad" or the certificate management console to delete the invalid certificate.


    For your reference:

    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc733882(v=ws.10)

    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc733985%28v%3dws.10%29


    Best Regards,

    William


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, September 13, 2019 9:09 AM
  • Thanks, 

    My DC doesn't even have events 19, 20 or 29 logged....so I will have to update that. I'll keep an eye on that log the next time I get the error. 

    The odd part is, on a device that had the error, I then waited a few minutes to log in (since this seems to be the workaround). I ran this command: certutil -dcinfo verify

    The command comes back stating that I have a valid KDC on both of my domain controllers. This is what makes it tough to troubleshoot, because the cert checks are valid. 

    Friday, September 13, 2019 6:10 PM
  • Update: 

    I don't get any information in the DC's KDC event log after getting the error on a workstation. The only event I get is from the actual workstation that has the error:

    "The revocation function was unable to check revocation because the revocation server was offline"

    Again, this is odd because it gives this error, but if I try to log in again a few seconds later with a biometric, it allows me to log in. 

    The only thing I have been able to isolate so far is that this usually happens on a first login of the day for a machine. I tested with both wired and wireless connections, both get the same error intermittently. I've seen this error when logging in after a full reboot and after just unlocking the computer. 

    Does anyone else have this issue? Or can anyone help explain why I would get this error about the revocation server only once, but then be allowed to log in a few seconds later? If it is an issue with the server not being available right away, is there a way to do a delayed check of the revocation server after login?

    Monday, September 23, 2019 2:57 PM
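The thread ends with two facts that do not seem to fit together: "certutil -dcinfo verify" says the KDC certificates are valid, yet the workstation logs "the revocation server was offline" on the first sign-in of the day. The difference is that certutil's check runs later, when the CRL is already cached, while the sign-in path needs the CRL fetched fresh. The PowerShell below is an added example for reproducing that distinction; it is not code from the thread or from any Microsoft tool. It assumes it runs on a domain controller (or on a workstation with the DC certificate loaded into $cert from an exported .cer file), and that the CAPI2 operational log has been enabled on the workstation; the function names, the 24-hour window and the regex filters are my own choices. The DC-side event IDs 19, 20 and 29 are the ones William's reply refers to.

```powershell
# Added example (not from the thread). Validate a DC's KDC certificate the way the
# sign-in path does (online revocation checking) and the way certutil -dcinfo verify
# effectively sees it afterwards (cached CRL only), then locate the relevant events.

$KdcAuthEku = '1.3.6.1.5.2.3.5'   # KDC Authentication EKU that WHfB requires on the DC cert

function Get-KdcCertificate {
    # Machine certificates carrying the KDC Authentication EKU (run on a DC)
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $KdcAuthEku }
}

function Test-KdcCertificateChain {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [ValidateSet('Online', 'Offline', 'NoCheck')][string]$RevocationMode = 'Online',
        [int]$TimeoutSeconds = 15
    )
    # Online  = fetch CRL/OCSP over the network (what the first sign-in of the day depends on)
    # Offline = use only the locally cached CRL (what a later check typically benefits from)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode    = $RevocationMode
    $chain.ChainPolicy.RevocationFlag    = 'EntireChain'
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds($TimeoutSeconds)
    $valid = $chain.Build($Certificate)
    [pscustomobject]@{
        Subject        = $Certificate.Subject
        Thumbprint     = $Certificate.Thumbprint
        RevocationMode = $RevocationMode
        Valid          = $valid
        # RevocationStatusUnknown / OfflineRevocation here is the chain-level form of the workstation's error
        ChainStatus    = ($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '
    }
}

function Get-CrlDistributionPoint {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # OID 2.5.29.31 = CRL Distribution Points; Format($true) renders the URLs as text
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($true), '(?i)(https?|ldap)://\S+') | ForEach-Object { $_.Value }
}

function Test-CrlReachability {
    # HEAD each HTTP CDP with a short timeout; LDAP CDPs are only listed, since they need a reachable DC
    param([Parameter(Mandatory)][string[]]$Url, [int]$TimeoutSeconds = 10)
    foreach ($u in $Url) {
        if ($u -notmatch '^https?://') {
            [pscustomobject]@{ Url = $u; Reachable = 'n/a (ldap)'; Status = $null; Error = $null }
            continue
        }
        try {
            $r = Invoke-WebRequest -Uri $u -Method Head -UseBasicParsing -TimeoutSec $TimeoutSeconds
            [pscustomobject]@{ Url = $u; Reachable = $true; Status = $r.StatusCode; Error = $null }
        } catch {
            [pscustomobject]@{ Url = $u; Reachable = $false; Status = $null; Error = $_.Exception.Message }
        }
    }
}

function Get-RevocationFailureEvent {
    # Workstation side: pull recent events mentioning revocation from System and the CAPI2 log
    # (enable CAPI2 first: wevtutil sl Microsoft-Windows-CAPI2/Operational /e:true)
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    foreach ($log in 'System', 'Microsoft-Windows-CAPI2/Operational') {
        Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match 'revocation' } |
            Select-Object TimeCreated, LogName, Id, ProviderName,
                @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
    }
}

function Get-KdcCertificateEvent {
    # DC side: the KDC certificate events (19, 20, 29) the thread mentions, from the System log
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 19, 20, 29
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
}

# Usage (on a DC):
$cert = Get-KdcCertificate | Select-Object -First 1
Test-KdcCertificateChain -Certificate $cert -RevocationMode Online
Test-KdcCertificateChain -Certificate $cert -RevocationMode Offline
Test-CrlReachability -Url (Get-CrlDistributionPoint -Certificate $cert)
Get-KdcCertificateEvent
```

Run the Online and Offline checks back to back right after a reboot, before anything else has touched the CRL: if Online fails with a revocation status while a second Online run a minute later passes, the CRL distribution point (not the DC certificate) is what is intermittently unreachable at logon, which is consistent with the "first login of the day" pattern described above. The reachability output then shows which CDP URL is slow or timing out, and comparing the HTTP CDP's timeout against the chain's URL retrieval timeout is the next thing to check.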