Details of the event with ID 21 of the source Microsoft-Windows-Kerberos-Key-Distribution-Center

Event Source: Microsoft Windows Kerberos Key Distribution Center
Event ID: 21 (0x80000015)
Event log: System
Event type: Warning
Event text (English): The client certificate for the user %1\%2 is not valid, and resulted in a failed smartcard logon. Please contact the user for more information about the certificate they're attempting to use for smartcard logon. The chain status was : %3
Event text (German): The client certificate for user %1\%2 is not valid. The result was an error during smartcard login. Contact the user for more information about the certificate to be used for the smartcard application. Chain status: %3

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the functionality of the certification authority and enables the application of rules to achieve secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem and is available under a free license. It can be downloaded via GitHub and used free of charge.

Parameter

The parameters contained in the event text are filled with the following fields:

  • %1: Domain (win:UnicodeString)
  • %2: Username (win:UnicodeString)
  • %3: Status (win:UnicodeString)
  • %4: __binLength (win:UInt32)
  • %5: binary (win:Binary)

Example events

The client certificate for the user INTRA\Administrator is not valid, and resulted in a failed smartcard logon. Please contact the user for more information about the certificate they're attempting to use for smartcard logon. The chain status was : The revocation function was unable to check revocation because the revocation server was offline.
The client certificate for the user INTRA\Administrator is not valid, and resulted in a failed smartcard logon. Please contact the user for more information about the certificate they're attempting to use for smartcard logon. The chain status was : The operation completed successfully.
The client certificate for the user INTRA\Administrator is not valid, and resulted in a failed smartcard logon. Please contact the user for more information about the certificate they're attempting to use for smartcard logon. The chain status was : The certificate is not valid for the requested usage.
The client certificate for the user INTRA\Administrator is not valid, and resulted in a failed smartcard logon. Please contact the user for more information about the certificate they're attempting to use for smartcard logon. The chain status was : A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.

Description

The revocation function was unable to check revocation because the revocation server was offline.

Occurs when there are problems with the revocation infrastructure.

Also occurs when domain controllers are configured to use OCSP only, the online responders (OCSP) are configured for deterministic good, and the returned status is "Unknown".

In this case, this event should be correlated with event 5125.

See also the article "Details of the event with ID 5125 of the source Microsoft-Windows-Security-Auditing".

The operation completed successfully.

Occurs when PKINIT is attempted but the name in the Subject Alternative Name (SAN) does not match the requested user (KDC_ERR_CLIENT_NAME_MISMATCH).

The certificate is not valid for the requested usage.

Occurs when PKINIT is attempted with a certificate that has neither the "Client Authentication" nor the "Smartcard Logon" Extended Key Usage (EKU).

A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.

Occurs when a smartcard logon is attempted with a certificate issued by a certification authority that is not listed in the NTAuthCertificates object in Active Directory.

Security assessment

The security assessment is based on the three dimensions of confidentiality, integrity and availability.

If the event occurs due to incorrect revocation information, availability is affected and the event is rated as critical.

If the event occurs due to an "Unknown" status returned by the online responder, this may indicate the use of a compromised certificate. In this case, too, the event must be rated as "critical".

The same applies when a logon is attempted with a certificate whose issuing certification authority is not listed in the NTAuthCertificates object in Active Directory.
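The parameter list and the description section above map each chain status text to a cause and, for two of the cases, to a rating. The following PowerShell script is an added example (not part of the original page) that queries Event ID 21 from the System log, reads the Domain, Username and Status fields in the parameter order given above, and classifies each record according to the causes and ratings described on this page. It assumes rights to read the System log on a domain controller, English status text, and that the first three event properties are Domain, Username and Status; the function names Get-KdcEvent21 and Get-KdcEvent21Assessment are hypothetical. It also runs a constructed sample set mirroring the example events so the classifier can be checked without a domain controller.

```powershell
# Added example, not from the original page. Assumptions: read access to the System
# log on a domain controller, English status strings, and the property order
# (Domain, Username, Status) from the parameter list above.

function Get-KdcEvent21Assessment {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$Username,
        [Parameter(Mandatory)][string]$Status
    )
    # Map the chain status text (%3) to the cause and rating described on this page.
    switch -Wildcard ($Status.Trim()) {
        'The revocation function was unable to check revocation*' {
            $cause  = 'Revocation infrastructure unreachable, or OCSP responder returned "Unknown" (correlate with Security event 5125)'
            $rating = 'critical'
        }
        'The operation completed successfully*' {
            $cause  = 'SAN name does not match the requested user (KDC_ERR_CLIENT_NAME_MISMATCH)'
            $rating = 'not rated on this page'
        }
        'The certificate is not valid for the requested usage*' {
            $cause  = 'Certificate has neither the Client Authentication nor the Smartcard Logon EKU'
            $rating = 'not rated on this page'
        }
        'A certification chain processed correctly, but one of the CA certificates is not trusted*' {
            $cause  = 'Issuing CA is not listed in the NTAuthCertificates object'
            $rating = 'critical'
        }
        default {
            $cause  = 'Chain status not covered by this reference'
            $rating = 'review manually'
        }
    }
    [pscustomobject]@{
        User   = "$Domain\$Username"
        Status = $Status.Trim()
        Cause  = $cause
        Rating = $rating
    }
}

function Get-KdcEvent21 {
    param([int]$MaxEvents = 50)
    # Event ID 21 is written by the KDC provider to the System log (see header above).
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 21
    }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop | ForEach-Object {
        # %1 Domain, %2 Username, %3 Status, in the order of the parameter list
        $p = $_.Properties
        Get-KdcEvent21Assessment -Domain $p[0].Value -Username $p[1].Value -Status $p[2].Value |
            Add-Member -NotePropertyName TimeCreated -NotePropertyValue $_.TimeCreated -PassThru
    }
}

# Constructed sample input mirroring the example events above, so the classifier
# can be exercised without access to a domain controller.
$sample = @(
    'The revocation function was unable to check revocation because the revocation server was offline.',
    'The operation completed successfully.',
    'The certificate is not valid for the requested usage.',
    'A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.'
)
$sample |
    ForEach-Object { Get-KdcEvent21Assessment -Domain 'INTRA' -Username 'Administrator' -Status $_ } |
    Format-Table User, Rating, Cause -AutoSize

# On a domain controller, query the live log instead:
# Get-KdcEvent21 | Format-Table TimeCreated, User, Rating, Cause -AutoSize
```

The two cases the page rates as critical (revocation failure and an issuing CA outside NTAuthCertificates) are the ones worth alerting on; for the revocation case, the script's cause text reminds the analyst to correlate with Security event 5125 on the same host, as the description above recommends.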
