| Event Source: | Microsoft Windows Kerberos Key Distribution Center |
| Event ID: | 29 (0x8000001D) |
| Event log: | System |
| Event type: | Warning |
| Event text (English): | The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate. |
| Event text (German): | The Key Distribution Center (KDC) cannot find a suitable certificate for smart card logins, or the KDC certificate could not be verified. Smart card logins may not work properly until this issue is resolved. To resolve this issue, either verify the existing KDC certificate using certutil.exe, or register for a new KDC certificate. |
Example events
The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.
Description
This message occurs when a logon is performed via smartcard, but the domain controller's certificate does not have any of the required extended key usage (Extended Key Usage) disposes
This is the case, for example, when a customized security-hardened certificate template is used for the domain controllers, which does not allow smartcard enrollment.
The event occurs together with the Event no. 19.
See also article "Signing in via smartcard fails with error message "Signing in with a security device isn't supported for your account."„.
Can also occur when the domain controllers cannot check the validity of their own certificates, for example, because the revocation list distribution points are offline, or because the trust position to the root certificate authority is not established.
More information
- For more information regarding the default certificate templates for domain controllers, see the article "Overview of the different generations of domain controller certificates„.
- For more information regarding smartcard registration see article "Domain Controller Certificate Templates and Smartcard Logon„.
- For the correct configuration of a certificate template for domain controllers, see the article "Configuring a Certificate Template for Domain Controllers„.
Safety assessment
The security assessment is based on the three dimensions of confidentiality, integrity and availability.
Become security hardened certificate templates for the domain controller certificates which do not allow logon via smartcard, this event can indicate an unauthorized logon attempt as well as compromise of a certification authority. In this case, it would be rated as "critical" in terms of integrity.
For a description of the underlying problem, see the article "Attack vector on Active Directory directory service via smartcard logon mechanism„.
Related links:
- Overview of Active Directory events relevant for PKI
- Overview of Windows events generated by the certification authority
- Overview of audit events generated by the Certification Authority
- Domain Controller Certificate Templates and Smartcard Logon
- Configuring a Certificate Template for Domain Controllers
- Attack vector on Active Directory directory service via smartcard logon mechanism
External sources
- Event ID 29 - KDC Certificate Availability (Microsoft)
English 
Deutsch
3 thoughts on “Details zum Ereignis mit ID 29 der Quelle Microsoft-Windows-Kerberos-Key-Distribution-Center”
Comments are closed.