The Key Distribution Center (KDC) cannot find a suitable certificate on windows 2008 DC

  • Question

  • Hi,

    There is a warning message on my windows 2008 DC.

    Event ID 29

    The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

    Does anyone have any idea about it?

    Thanks,

    Matthew

    Wednesday, December 17, 2008 10:42 PM

Answers

  • Hi,

    Do you have a CA? If not, this is by-design behavior. The KDC service repeats this check in order to see if there is an existing, workable cert or if a new one is present. Unfortunately the error handling doesn’t take that into account in a non-CA environment. You can safely ignore this error.

    If you have a CA, Kerberos uses a domain controller certificate to ensure that the authentication information sent over the network is encrypted. If the certificate is missing or is no longer valid, this error may be logged.

    Please refer to the "Delete the domain controller certificate that is no longer valid" and "Request a new certificate" sections of the following article to solve this issue.

    Event ID 29 — KDC Certificate Availability

    http://technet.microsoft.com/en-us/library/cc734096.aspx

    Thanks.

    • Proposed as answer by Mervyn Zhang Friday, December 19, 2008 1:29 AM
    • Marked as answer by Matthewli Friday, December 19, 2008 2:42 AM
    • Unmarked as answer by Matthewli Friday, December 19, 2008 2:42 AM
    • Marked as answer by Matthewli Monday, December 22, 2008 10:33 PM
    Thursday, December 18, 2008 10:12 AM
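    The check the answer above describes, as an added example that is not part of the thread or of the linked article: it lists every certificate in the domain controller's Personal store, reports whether each one has a private key, is unexpired, chains to a trusted root and carries the EKUs the Domain Controller Authentication template issues, and then pulls the most recent Event ID 29 entries. The EKU OIDs, the template names and the event provider name are assumed standard Windows values.

```powershell
# Added example, not from the thread: inventory the local machine's Personal store
# and show recent Event ID 29 entries. Run in an elevated prompt on the DC.

# EKU OIDs carried by the Domain Controller Authentication template (assumed standard values)
$RequiredEku = @{
    'Client Authentication' = '1.3.6.1.5.5.7.3.2'
    'Server Authentication' = '1.3.6.1.5.5.7.3.1'
    'Smart Card Logon'      = '1.3.6.1.4.1.311.20.2.2'
}
$KdcAuthEku = '1.3.6.1.5.2.3.5'   # added by the newer Kerberos Authentication template

function Get-KdcCertificateCandidate {
    $now = Get-Date
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $ekus = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekus = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
            }
        }
        $missing = $RequiredEku.GetEnumerator() |
            Where-Object { $ekus -notcontains $_.Value } |
            ForEach-Object { $_.Key }
        New-Object PSObject -Property @{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Expired    = ($cert.NotAfter -lt $now)
            HasPrivKey = $cert.HasPrivateKey
            ChainValid = $cert.Verify()      # chain build against this machine's trust stores
            MissingEku = ($missing -join ', ')
            KdcAuthEku = ($ekus -contains $KdcAuthEku)
        }
    }
}

$candidates = @(Get-KdcCertificateCandidate)
if ($candidates.Count -eq 0) {
    Write-Warning 'Personal store holds no certificate at all; this matches Event ID 29 when no CA has issued a DC certificate.'
} else {
    # A usable entry has a private key, is not expired, passes chain validation and lists no missing EKU.
    $candidates | Format-Table Subject, Expired, HasPrivKey, ChainValid, MissingEku, KdcAuthEku -AutoSize
}

# Most recent Event ID 29 entries from the KDC in the System log
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'; Id = 29 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

    The certutil.exe verification the event text refers to can be run from the command line as `certutil -dcinfo verify`, which performs the same chain check against the DC's certificates.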
  • Hi,

    If you didn’t set up a CA, we can safely ignore this error.

    If there is a working CA in your network, this error generally may occur if the Certificate Authority is not working properly. If you’re not the administrator of the CA, please contact the administrator to check it.

    If you’re the CA administrator, please check the Certificate Authority to make sure it’s working. You can try to encrypt a file and check if the corresponding certificate was issued.

    If the CA is working, you can refer to the steps below to set up autoenrollment of computer certificates.
    http://www.isaserver.org/img/upl/vpnkitbeta2/autoenroll.htm

    If the CA is not working properly and you would like to troubleshoot it, please help to collect the detailed error message about the CA. You can capture a screenshot and send it to tfwst@microsoft.com.

    Thanks.

    • Marked as answer by Matthewli Monday, December 22, 2008 10:32 PM
    Monday, December 22, 2008 7:22 AM

All replies

  • Hi,

    When I expand Certificates (Local Computer) > Personal, there is nothing there, while according to the document it is supposed to contain certificates.

    And when I right-click Personal and click Request New Certificate, on the wizard window I click "Next" and it shows "certificate types are not available" / "you cannot request a certificate at this time because no certificate types are available. If you need a certificate, please contact your administrator".

    Should I just ignore that?

    Thanks,

    Matthew
    Friday, December 19, 2008 2:50 AM