Logon error with Windows Hello for Business: "Contact the system administrator and tell them that the KDC certificate could not be verified."

Assume the following scenario:

  • The company is using Windows Hello for Business.
  • Users receive the following error message when logging in to the client:
Sign-in failed. Contact your system administrator and tell them that the KDC certificate could not be validated. Additional information may be available in the system event log.
Continue reading „Anmeldefehler mit Windows Hello for Business: „Wenden Sie sich an den Systemadministrator, und teilen Sie ihm mit, dass das KDC-Zertifikat nicht überprüft werden konnte.““

About the "Build this from Active Directory information" option for certificate templates

When configuring a certificate template, one must decide on the intended certificate content, i.e., among other things, which identities are confirmed by the certificates and how they are mapped.

In the "Subject Name" tab of the certificate template configuration dialog, you can configure how the identity confirmed by the certificate is mapped.

Continue reading „Zur Option „Build this from Active Directory information“ bei Zertifikatvorlagen“

Configuring a Certificate Template for Domain Controllers

Even with a certificate template for domain controllers that is supposedly simple to configure, there are a few things to keep in mind.

Continue reading „Konfigurieren einer Zertifikatvorlage für Domänencontroller“

Prevent smartcard logon to the network

Installing Active Directory Certificate Services in the default configuration automatically configures the environment to accept smart card logins from domain controllers.

Therefore, if the use of smart card logins is not desired, it makes sense to disable the functionality so that, in the event the certificate authority is compromised, it can not to jeopardize the Active Directory.

Continue reading „Smartcard Anmeldung im Netzwerk unterbinden“

Certificates for domain controllers do not contain the domain name in the Subject Alternative Name (SAN)

Assume the following scenario:

  • Certificates for domain controllers are issued by an Active Directory integrated certificate authority (Enterprise CA)
  • The certificate template used for this purpose was created by the user
  • The issued certificates contain in the Subject Alternative Name (SAN) only the fully qualified computer name of the respective domain controller, but not the fully qualified name and the NETBIOS name of the domain
Continue reading „Zertifikate für Domänencontroller enthalten nicht den Domänennamen im Subject Alternative Name (SAN)“

Signing in via smart card fails with error message "Signing in with a security device isn't supported for your account."

Assume the following scenario:

  • A user has a Smartcard Logon certificate and logs on to the Active Directory domain with it.
  • The login fails. The following error message is returned to the user's computer:
Signing in with a security device isn't supported for your account. For more info, contact your administrator.
Continue reading „Die Anmeldung via Smartcard schlägt fehl mit Fehlermeldung „Signing in with a security device isn’t supported for your account.““

Logon via smartcard fails with error message "The revocation status of the authentication certificate could not be determined."

Assume the following scenario:

  • A user has a Smartcard Logon certificate and logs on to the Active Directory domain with it.
  • The login fails. The following error message is returned to the user's computer:
The revocation status of the authentication certificate could not be determined.
Continue reading „Die Anmeldung via Smartcard schlägt fehl mit Fehlermeldung „The revocation status of the authentication certificate could not be determined.““

Domain Controller Certificate Templates and Smartcard Logon

In order for domain controllers to process smart card logins, they need certificates that provide this function.

Continue reading „Domänencontroller-Zertifikatvorlagen und Smartcard Anmeldung“

Overview of the different generations of domain controller certificates

Over the generations of Windows operating systems, various certificate templates for domain controllers have been established. In a current Active Directory directory service, one will find three different templates for this purpose.

  • Domain controller
  • Domain Controller Authentication
  • Kerberos Authentication

Below is a description of each template and a recommendation for configuring domain controller certificate templates.

Continue reading „Übersicht über die verschiedenen Generationen von Domänencontroller-Zertifikaten“

certutil -dcinfo fails with error message "KDC certificates: Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)"

Assume the following scenario:

  • Domain controllers have certificates for LDAP over SSL.
  • The certificates do not include the Extended Key Usage "Smart Card Logon" or "Kerberos Authentication".
  • If you run certutil -dcinfo, the command reports the following error message:
0 KDC certificates for DC01
No KDC Certificate in MY store
KDC certificates: Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)
Continue reading „certutil -dcinfo schlägt fehl mit Fehlermeldung „KDC certificates: Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)““

Manual application for a domain controller certificate

There are cases where you cannot or do not want to obtain domain controller certificates from a certification authority in your own Active Directory forest.

In this case, the use of certificate templates is not possible, and one must manually create a Certificate Signing Request (CSR).

Continue reading „Manuelle Beantragung eines Domänencontroller-Zertifikats“

Requesting a certificate for domain controller fails with error message "The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_SERVER_UNAVAILABLE)".

Here's the scenario:

  • Requesting a certificate for a domain controller fails.
  • On the certification authority, the certificate request is logged in the failed requests. The error message reads:
The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_SERVER_UNAVAILABLE)
Continue reading „Die Beantragung eines Zertifikats für Domänencontroller schlägt fehl mit Fehlermeldung „The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)““
en_USEnglish