The Kerberos Key Distribution Center (KDC) service on Windows Server 2008 R2 will look for one of three conditions when parsing its certificate store for potential domain controller certificates:
  • the OID for KDC Authentication (
  • the presence of the Template Name DomainController in the certificate (all flavors of MS CA’s stamp this on certificates if it is a part of the request)
  • the OID for SmartcardLogon (

If one of these is present in the certificate, the KDC will consider it potentially usable as a DC certificate capable of servicing smartcard logons (if it also passes revocation checks).
The last two are present in the W2k3 code while the first one was introduced with Windows Server 2008.

The following two OIDs are typically also included among the EKUs of a KDC certificate:

  • The OID for Server Authentication (
  • The OID for Client Authentication (

In addition to this, the direct issuer of the potential KDC certificate needs to be in the NTAuth store of the DC and all certificates in the chain (except the Root CA cert) need to pass revocation checking as well.

Finally, as per RFC5280, the certificate of the SubCA that signs the CRL covering the Domain Controller certificate must carry the CRL Sign key usage (CERT_CRL_SIGN_KEY_USAGE) in its Key Usage extension.

This is a change from the Windows Server 2003 behaviour which did not enforce the RFC5280 requirements concerning the key usage flag of the certificate used to sign the CRL.

Without these you'll most likely see KDC Event ID 19 or KDC Event ID 29 being logged on the DC whenever the KDC service starts and every 10 hours afterwards when it tries to locate a valid domain controller certificate.
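The checks described above, collected into an added PowerShell audit script that is not part of the original article. It runs on the DC against the local machine "My" store; the OID values, the local NTAuth cache registry path and the use of Format() to read the template name are my assumptions, not taken from the page.

```powershell
# Added example: audit LocalMachine\My for certificates the KDC would accept,
# following the conditions in the text above. Assumed OID values (not on the page):
$KdcAuthEku      = '1.3.6.1.5.2.3.5'          # KDC Authentication
$SmartcardEku    = '1.3.6.1.4.1.311.20.2.2'   # Smartcard Logon
$TemplateNameOid = '1.3.6.1.4.1.311.20.2'     # Certificate Template Name (v1 templates)
# Assumed: local cache of the enterprise NTAuth store, keyed by SHA-1 thumbprint
$NtAuthRegPath   = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates'

function Test-KdcCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # 1. One of the three markers: KDC Auth EKU, Smartcard Logon EKU, or template "DomainController"
    $ekus = @()
    $ekuExt = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($ekuExt) { $ekus = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } }
    $tmplExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateNameOid }
    # Assumed: on Windows, Format() renders this extension as the plain template name
    $templateName = if ($tmplExt) { $tmplExt.Format($false).Trim() } else { '' }
    $hasMarker = ($ekus -contains $KdcAuthEku) -or ($ekus -contains $SmartcardEku) -or ($templateName -eq 'DomainController')

    # 2. Chain must build with revocation checked for every certificate except the root
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $chainOk = $chain.Build($Cert)

    # 3. Direct issuer must be in NTAuth and must carry the CRL Sign key usage (RFC 5280)
    $issuer = if ($chain.ChainElements.Count -gt 1) { $chain.ChainElements[1].Certificate } else { $null }
    $issuerInNtAuth = [bool]($issuer -and (Test-Path (Join-Path $NtAuthRegPath $issuer.Thumbprint)))
    $issuerCrlSign = $false
    if ($issuer) {
        $ku = $issuer.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
        $issuerCrlSign = [bool]($ku -and ($ku.KeyUsages -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::CrlSign))
    }

    [pscustomobject]@{
        Subject        = $Cert.Subject
        Thumbprint     = $Cert.Thumbprint
        KdcMarker      = $hasMarker
        ChainAndRevoc  = $chainOk
        ChainStatus    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        IssuerInNTAuth = $issuerInNtAuth
        IssuerCrlSign  = $issuerCrlSign
        Usable         = $hasMarker -and $chainOk -and $issuerInNtAuth -and $issuerCrlSign
    }
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-KdcCertificate -Cert $_ } | Format-Table -AutoSize
```

A row with KdcMarker true but ChainAndRevoc, IssuerInNTAuth or IssuerCrlSign false points at the same conditions that produce KDC Event ID 19 or 29; the ChainStatus column names the failing revocation or trust check.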

Further details:

  • Requirements for Domain Controller certificates from a Third-party CA
  • Guidelines for enabling smart card logon with third-party certification authorities
  • Kerberos Authentication Template