The following is an overview of the events generated on domain controllers in the Windows Event Viewer that are relevant to the public key infrastructure.
Force domain controller (or other participants) to use an online responder (OCSP)
By default, Windows systems fall back to the certificate revocation list (if one is available) after a certain number of OCSP responses for the same CA, even if an online responder (OCSP) is configured, because once many certificates from that CA are being checked the CRL is usually the more efficient source. However, this behavior is not always desired.
For example, if smart card logon is used, one might want to know whether logons were performed with certificates that had been issued without authorization. Combined with the deterministic behavior of a responder that is always asked (every revocation check produces a request the online responder can log), this yields an (almost) seamless audit trail for all smart card logons.
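The setting that implements this, as an added PowerShell example rather than code from the original post: it writes the CryptoAPI chain-engine value that controls the switch from OCSP to the CRL and then verifies the result with certutil. It assumes that the key path and the value name CryptnetCachedOcspSwitchToCrlCount are the chain-engine settings Microsoft documents for this purpose (default 50, 0 disables the switch), and that C:\Temp\smartcard-user.cer is a placeholder for a certificate issued by your CA.

```powershell
# Added example (not from the original post): stop CryptoAPI on this machine
# from switching to the CRL after it has collected a number of OCSP responses
# for the same CA, so every revocation check goes to the online responder.
# Run elevated on the domain controller (or any other participant).
# Assumption: the key and value name below are the CryptoAPI chain-engine
# settings documented by Microsoft (default 50; 0 = never switch to the CRL).
# The same value can also be written with:
#   certutil -setreg chain\CryptnetCachedOcspSwitchToCrlCount 0

$ChainConfigKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config'
$ValueName      = 'CryptnetCachedOcspSwitchToCrlCount'

function Get-OcspSwitchToCrlCount {
    # Returns the configured count, or the built-in default when the value is absent.
    $item = Get-ItemProperty -Path $ChainConfigKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 50 }
    return [int]$item.$ValueName
}

function Set-AlwaysUseOcsp {
    # Creates the Config key if needed and sets the switch count to 0.
    if (-not (Test-Path $ChainConfigKey)) { New-Item -Path $ChainConfigKey -Force | Out-Null }
    New-ItemProperty -Path $ChainConfigKey -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
}

"Before: switch to CRL after {0} cached OCSP responses" -f (Get-OcspSwitchToCrlCount)
Set-AlwaysUseOcsp
"After:  switch to CRL after {0} cached OCSP responses (0 = never)" -f (Get-OcspSwitchToCrlCount)

# Check against a real certificate (placeholder path): clear the URL cache first so
# an already downloaded CRL is not reused, then let certutil fetch AIA, CDP and OCSP
# and report which revocation source it used.
certutil -urlcache * delete | Out-Null
certutil -verify -urlfetch 'C:\Temp\smartcard-user.cer'
```

The value is read when a chain engine is created, so restart the domain controller before relying on the new behavior. Keep the CRL distribution point reachable as well: the setting only suppresses the performance-driven switch to the CRL, and the online responder's availability now matters for every single logon.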
Details of the event with ID 75 of the source Microsoft-Windows-CertificationAuthority
Event Source: | Microsoft-Windows-CertificationAuthority |
Event ID: | 75 (0x4B) |
Event log: | Application |
Event type: | Error |
Symbolic Name: | MSG_E_DELTA_CRL_PUBLICATION_HOST_NAME |
Event text (English): | Active Directory Certificate Services could not publish a Delta CRL for key %1 to the following location on server %4: %2. %3.%5%6 |
Event text (German): | Failed to publish delta certificate revocation list for key %1 at the following location on server "%4": %2. %3.%5%6 |
Details of the event with ID 74 of the source Microsoft-Windows-CertificationAuthority
Event Source: | Microsoft-Windows-CertificationAuthority |
Event ID: | 74 (0x4A) |
Event log: | Application |
Event type: | Error |
Symbolic Name: | MSG_E_BASE_CRL_PUBLICATION_HOST_NAME |
Event text (English): | Active Directory Certificate Services could not publish a Base CRL for key %1 to the following location on server %4: %2. %3.%5%6 |
Event text (German): | Failed to publish a base certificate revocation list for key %1 at the following location on server "%4": %2. %3.%5%6 |
Details of the event with ID 65 of the source Microsoft-Windows-CertificationAuthority
Event Source: | Microsoft-Windows-CertificationAuthority |
Event ID: | 65 (0x41) |
Event log: | Application |
Event type: | Error |
Symbolic Name: | MSG_E_BASE_CRL_PUBLICATION |
Event text (English): | Active Directory Certificate Services could not publish a Base CRL for key %1 to the following location: %2. %3.%5%6 |
Event text (German): | No base certificate revocation list could be published for the key %1 at the following location: %2. %3.%5%6 |
Details of the event with ID 66 of the source Microsoft-Windows-CertificationAuthority
Event Source: | Microsoft-Windows-CertificationAuthority |
Event ID: | 66 (0x42) |
Event log: | Application |
Event type: | Error |
Symbolic Name: | MSG_E_DELTA_CRL_PUBLICATION |
Event text (English): | Active Directory Certificate Services could not publish a Delta CRL for key %1 to the following location: %2. %3.%5%6 |
Event text (German): | Failed to publish delta certificate revocation list for key %1 at the following location: %2. %3.%5%6 |
Details of the event with ID 32 of the source Microsoft-Windows-Kerberos-Key-Distribution-Center
Event Source: | Microsoft Windows Kerberos Key Distribution Center |
Event ID: | 32 (0x80000020) |
Event log: | System |
Event type: | Warning |
Event text (English): | The Key Distribution Center (KDC) uses a certificate without KDC Extended Key Usage (EKU) which can result in authentication failures for device certificate logon and smart card logon from non-domain-joined devices. Enrollment of a KDC certificate with KDC EKU (Kerberos Authentication template) is required to remove this warning. |
Event text (German): | The Key Distribution Center (KDC) uses a certificate without the KDC Extended Key Usage (EKU). This can lead to authentication failures during device certificate logons and smart card logons from devices that are not domain-joined. Enrollment of a KDC certificate with the KDC EKU (Kerberos Authentication template) is required to eliminate this warning. |
Details of the event with ID 200 of the source Microsoft-Windows-Kerberos-Key-Distribution-Center
Event Source: | Microsoft Windows Kerberos Key Distribution Center |
Event ID: | 200 (0xC8) |
Event log: | Microsoft-Windows-Kerberos-Key-Distribution-Center/Operational |
Event type: | Warning |
Event text (English): | The Key Distribution Center (KDC) cannot find a suitable certificate to use. This KDC is not enabled for smart card or certificate authentication. |
Event text (German): | The Key Distribution Center (KDC) cannot find a suitable certificate. This KDC is not enabled for smart card or certificate authentication. |
Details of the event with ID 21 of the source Microsoft-Windows-Kerberos-Key-Distribution-Center
Event Source: | Microsoft Windows Kerberos Key Distribution Center |
Event ID: | 21 (0x80000015) |
Event log: | System |
Event type: | Warning |
Event text (English): | The client certificate for the user %1\%2 is not valid, and resulted in a failed smartcard logon. Please contact the user for more information about the certificate they're attempting to use for smartcard logon. The chain status was : %3 |
Event text (German): | The client certificate for user %1\%2 is not valid. The result was a failed smart card logon. Contact the user for more information about the certificate they are attempting to use for smart card logon. Chain status: %3 |
Details of the event with ID 302 of the source Microsoft-Windows-Kerberos-Key-Distribution-Center
Event Source: | Microsoft Windows Kerberos Key Distribution Center |
Event ID: | 302 (0x12E) |
Event log: | Microsoft-Windows-Kerberos-Key-Distribution-Center/Operational |
Event type: | Information |
Event text (English): | The Key Distribution Center (KDC) uses the below KDC certificate for smart card or certificate authentication. Kdc Certificate Information: Issuer Name: %1 Serial Number: %2 Thumbprint: %3 Template: %4 |
Event text (German): | The Key Distribution Center (KDC) uses the following certificate for smart card or certificate authentication. KDC certificate information: Issuer name: %1 Serial number: %2 Thumbprint: %3 Template: %4 |
Details of the event with ID 19 of the source Microsoft-Windows-Kerberos-Key-Distribution-Center
Event Source: | Microsoft Windows Kerberos Key Distribution Center |
Event ID: | 19 (0x80000013) |
Event log: | System |
Event type: | Warning |
Event text (English): | This event indicates an attempt was made to use smartcard logon, but the KDC is unable to use the PKINIT protocol because it is missing a suitable certificate. |
Event text (German): | This event indicates that an attempt was made to use the smart card login, but the KDC cannot use the PKINIT protocol because a suitable certificate is missing. |
Details of the event with ID 20 of the source Microsoft-Windows-Kerberos-Key-Distribution-Center
Event Source: | Microsoft Windows Kerberos Key Distribution Center |
Event ID: | 20 (0x80000014) |
Event log: | System |
Event type: | Warning |
Event text (English): | The currently selected KDC certificate was once valid, but now is invalid and no suitable replacement was found. Smartcard logon may not function correctly if this problem is not remedied. Have the system administrator check on the state of the domain's public key infrastructure. The chain status is in the error data. |
Event text (German): | The currently selected KDC certificate was previously valid but is now invalid. No suitable replacement has been found. Smart card logon may not work properly if this issue is not resolved. Have the system administrator check the status of the domain's public key infrastructure (PKI). The chain status is included in the error data. |
Details of the event with ID 29 of the source Microsoft-Windows-Kerberos-Key-Distribution-Center
Event Source: | Microsoft Windows Kerberos Key Distribution Center |
Event ID: | 29 (0x8000001D) |
Event log: | System |
Event type: | Warning |
Event text (English): | The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate. |
Event text (German): | The Key Distribution Center (KDC) cannot find a suitable certificate for smart card logons, or the KDC certificate could not be verified. Smart card logons may not work properly until this issue is resolved. To resolve this issue, either verify the existing KDC certificate using certutil.exe, or enroll for a new KDC certificate. |
Details of the event with ID 120 of the source Microsoft-Windows-Kerberos-Key-Distribution-Center
Event Source: | Microsoft Windows Kerberos Key Distribution Center |
Event ID: | 120 (0x78) |
Event log: | Microsoft-Windows-Kerberos-Key-Distribution-Center/Operational |
Event type: | Error |
Event text (English): | The Key Distribution Center (KDC) failed to validate its current KDC certificate. This KDC might not be enabled for smart card or certificate authentication. Kdc Certificate Information: Issuer Name: %1 Serial Number: %2 Thumbprint: %3 Template: %4 Kerberos Error: %5 Validation Error: %6 |
Event text (German): | The Key Distribution Center (KDC) could not validate its current KDC certificate. This KDC may not be enabled for smart card or certificate authentication. KDC certificate information: Issuer name: %1 Serial number: %2 Thumbprint: %3 Template: %4 Kerberos error: %5 Validation error: %6 |
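To put the event catalogue above to use, here is an added PowerShell example (not code from the original page) that queries exactly these IDs from the three logs named in the tables and reduces them to a short triage list; for event 21 it extracts user and chain status from the message template shown above. The log names, provider names and event IDs come from the tables; the sample records at the bottom are constructed so the script runs without a domain controller, and Get-WinEvent is used for the live query.

```powershell
# Added example, not part of the original page: collect the PKI-relevant domain
# controller events catalogued above and reduce them to a triage list.
# The sample records at the bottom are constructed so the script runs offline;
# on a domain controller use Get-PkiDcEvent (needs rights to read the logs).

# Logs, providers and event IDs taken from the tables above.
$PkiEventCatalog = @(
    @{ Log = 'Application'
       Provider = 'Microsoft-Windows-CertificationAuthority'
       Ids = 65, 66, 74, 75 }
    @{ Log = 'System'
       Provider = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
       Ids = 19, 20, 21, 29, 32 }
    @{ Log = 'Microsoft-Windows-Kerberos-Key-Distribution-Center/Operational'
       Provider = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
       Ids = 120, 200, 302 }
)

function Get-PkiDcEvent {
    # Live query; one Get-WinEvent call per log so a missing log does not abort the rest.
    param([datetime]$Since = (Get-Date).AddDays(-1))
    foreach ($entry in $PkiEventCatalog) {
        Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = $entry.Log; ProviderName = $entry.Provider; Id = $entry.Ids; StartTime = $Since
        }
    }
}

function ConvertTo-PkiFinding {
    # Turns one event record (live or constructed) into Severity plus a one-line finding.
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $severity = 'Info'
        $text     = $Record.Message
        switch ($Record.Id) {
            { $_ -in (65, 66, 74, 75) } {
                $severity = 'High'
                $text = 'CRL publication failed; revocation checks against this CDP break once the current CRL expires.'
                break
            }
            21 {
                # Template: "The client certificate for the user %1\%2 is not valid ... The chain status was : %3"
                $m = [regex]::Match($Record.Message,
                     'for the user (?<domain>[^\\\s]+)\\(?<user>\S+) is not valid.*chain status was\s*:\s*(?<status>.+)$',
                     'Singleline')
                $severity = 'High'
                $text = if ($m.Success) {
                    "Smart card logon rejected for $($m.Groups['domain'].Value)\$($m.Groups['user'].Value): $($m.Groups['status'].Value.Trim())"
                } else { 'Smart card logon rejected: client certificate invalid (message not parsed)' }
                break
            }
            { $_ -in (19, 20, 29, 120, 200) } {
                $severity = 'High'
                $text = 'KDC has no usable certificate; PKINIT / smart card logon via this DC is impaired.'
                break
            }
            32 {
                $severity = 'Medium'
                $text = 'KDC certificate lacks the KDC Authentication EKU; enroll one from the Kerberos Authentication template.'
                break
            }
            302 {
                $text = 'KDC selected a certificate for PKINIT; issuer, serial number and thumbprint are in the message.'
                break
            }
        }
        [pscustomobject]@{ Time = $Record.TimeCreated; Id = $Record.Id; Severity = $severity; Finding = $text }
    }
}

# Constructed sample records (no real log data), shaped like Get-WinEvent output.
$Msg21  = 'The client certificate for the user CORP\jdoe is not valid, and resulted in a failed smartcard logon. Please contact the user for more information about the certificate they''re attempting to use for smartcard logon. The chain status was : A certificate chain could not be built to a trusted root authority.'
$Msg74  = 'Active Directory Certificate Services could not publish a Base CRL for key 0 to the following location on server dc01: ldap:///CN=Corp-CA,CN=dc01,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=corp,DC=example. Insufficient access rights to perform the operation.'
$Msg302 = 'The Key Distribution Center (KDC) uses the below KDC certificate for smart card or certificate authentication.'
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = Get-Date; Id = 21;  Message = $Msg21 }
    [pscustomobject]@{ TimeCreated = Get-Date; Id = 74;  Message = $Msg74 }
    [pscustomobject]@{ TimeCreated = Get-Date; Id = 302; Message = $Msg302 }
)

$SampleEvents | ConvertTo-PkiFinding | Format-Table -AutoSize
# Live:  Get-PkiDcEvent -Since (Get-Date).AddDays(-7) | ConvertTo-PkiFinding | Sort-Object Severity, Time
```

Event 21 is the one to feed into monitoring when the domain controllers are forced to use the online responder: together with the responder's request log it tells you which certificate a rejected smart card logon presented and why the chain failed, while the CRL publication failures (65, 66, 74, 75) are the early warning that revocation checking itself is about to break.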
Configuring a Certificate Template for Domain Controllers
Even with a certificate template for domain controllers, which is supposedly simple to configure, there are a few things to keep in mind.