Details of the event with ID 29 of the source Microsoft-Windows-Kerberos-Key-Distribution-Center

Event Source:Microsoft Windows Kerberos Key Distribution Center
Event ID:29 (0x8000001D)
Event log:System
Event type:Warning
Event text (English):The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.
Event text (German, translated to English):The Key Distribution Center (KDC) cannot find a suitable certificate for smart card logons, or the KDC certificate could not be verified. Smart card logons may not work properly until this issue is resolved. To resolve this issue, either verify the existing KDC certificate using certutil.exe, or enroll for a new KDC certificate.

Example events

The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.


Description

This message is logged when a logon via smart card is attempted but the domain controller's certificate does not carry any of the Extended Key Usages (EKUs) the KDC requires for that purpose. The KDC looks for a certificate with the KDC Authentication EKU (OID 1.3.6.1.5.2.3.5), which the built-in Kerberos Authentication template includes; a domain controller certificate issued from the older Domain Controller or Domain Controller Authentication templates (Server Authentication EKU) is also usable.

This is the case, for example, when a customized, security-hardened certificate template that does not permit smart card logon (i.e. one that omits these EKUs) is used for the domain controllers.

The event occurs together with event ID 19 from the same source, which reports that a smart card logon was attempted but the KDC cannot use the PKINIT protocol because it lacks a suitable certificate.

See also the article "Signing in via smartcard fails with error message 'Signing in with a security device isn't supported for your account.'".

The event can also occur when the domain controllers cannot verify the validity of their own certificates, for example because the certificate revocation list distribution points (CDPs) are unreachable, or because the chain up to the root certification authority is not trusted.
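The two causes described above (a domain controller certificate without a KDC-usable EKU, and a certificate the domain controller cannot validate itself) can be distinguished directly on the affected domain controller. The following PowerShell is an added example, not code from the original article: it inventories the machine store for certificates the KDC could use, exports each one and verifies it with certutil.exe as the event text recommends, and additionally checks the NTAuth policy with Test-Certificate. The EKU OIDs are standard PKIX/PKINIT values; the template name in the enrollment hint is an assumption about your CA. Run it in an elevated session on the domain controller that logged event 29.

```powershell
# Added example (not part of the original article): check which machine certificates
# this domain controller could use as KDC certificate and whether they verify cleanly.

# Standard EKU OIDs (not taken from the article).
$KdcAuthenticationOid = '1.3.6.1.5.2.3.5'   # id-pkinit-KPKdc, "KDC Authentication"
$ServerAuthOid        = '1.3.6.1.5.5.7.3.1' # id-kp-serverAuth (older DC templates)

function Get-CertificateEkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $ext = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Test-KdcCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    # Export to a temp file so certutil.exe can verify it exactly as the event text suggests.
    $tmp = Join-Path $env:TEMP ("kdc-{0}.cer" -f $Certificate.Thumbprint)
    Export-Certificate -Cert $Certificate -FilePath $tmp -Type CERT | Out-Null
    try {
        # -urlfetch forces AIA/CDP retrieval, so an unreachable CRL distribution point
        # (one of the causes named in the article) surfaces here with its error code.
        $output  = & certutil.exe -verify -urlfetch $tmp 2>&1
        $chainOk = ($LASTEXITCODE -eq 0)
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }

    # NTAUTH policy: the issuing CA must be present in the Enterprise NTAuth store,
    # which certificate-based domain logon requires on top of a trusted root.
    $ntAuthOk = Test-Certificate -Cert $Certificate -Policy NTAUTH `
        -EKU $KdcAuthenticationOid -ErrorAction SilentlyContinue

    $ekus = Get-CertificateEkuOids -Certificate $Certificate
    [pscustomobject]@{
        Thumbprint    = $Certificate.Thumbprint
        Subject       = $Certificate.Subject
        NotAfter      = $Certificate.NotAfter
        HasKdcAuthEku = $ekus -contains $KdcAuthenticationOid
        ChainOk       = $chainOk
        NtAuthOk      = [bool]$ntAuthOk
        CertutilTail  = (($output | Select-Object -Last 3) -join ' | ')
    }
}

# Only certificates with a private key and a KDC-usable EKU are candidates.
$results = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    if (-not $cert.HasPrivateKey) { continue }
    $ekus = Get-CertificateEkuOids -Certificate $cert
    if ($ekus -contains $KdcAuthenticationOid -or $ekus -contains $ServerAuthOid) {
        Test-KdcCertificate -Certificate $cert
    }
}

if (-not $results) {
    Write-Warning 'No machine certificate with a KDC-usable EKU found; enroll one from a template that carries KDC Authentication.'
    # Enrollment hint; the template name "KerberosAuthentication" (built-in Kerberos
    # Authentication template) is an assumption about the CA in your environment:
    # Get-Certificate -Template KerberosAuthentication -CertStoreLocation Cert:\LocalMachine\My
} else {
    $results | Format-Table Thumbprint, HasKdcAuthEku, ChainOk, NtAuthOk, NotAfter -AutoSize
}
```

A certificate listed with HasKdcAuthEku true but ChainOk false points at the second cause (CDP offline or root not trusted); the CertutilTail column carries certutil's own error text, such as the revocation-offline code. An empty result, or only rows with HasKdcAuthEku false, points at the template.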

More information

Security assessment

The security assessment is based on the three dimensions of confidentiality, integrity and availability.

If security-hardened certificate templates that do not permit smart card logon are used for the domain controller certificates, this event can indicate an unauthorized logon attempt as well as a compromised certification authority, since a smart card logon should never be attempted in such an environment. In that case the event would be rated "critical" with respect to integrity.

For a description of the underlying problem, see the article "Attack vector on Active Directory directory service via smartcard logon mechanism".
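In an environment where the domain controller templates deliberately omit the smart card and KDC EKUs, every occurrence of this event is worth an alert. The following PowerShell is an added example, not code from the original article: it collects events 19 and 29 from the System log of every domain controller, pairs each 29 with the 19 that the article says accompanies it, and summarizes hits per domain controller. It assumes the ActiveDirectory module (RSAT) is installed, the running account can read the remote System logs, and that a 7-day window fits your environment.

```powershell
# Added example (not part of the original article): hunt for KDC events 19/29 across
# all domain controllers and pair them for review.

function Get-KdcCertificateEvents {
    param(
        [string]$ComputerName,
        [int]$LookbackDays = 7
    )

    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 19, 29
        StartTime    = (Get-Date).AddDays(-$LookbackDays)
    }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
        -ErrorAction SilentlyContinue | Sort-Object TimeCreated

    foreach ($e in $events) {
        if ($e.Id -ne 29) { continue }
        # The article notes that 29 is logged together with 19; the 5-second window
        # for pairing them is an assumption, not a documented value.
        $partner = $events | Where-Object {
            $_.Id -eq 19 -and
            [math]::Abs(($_.TimeCreated - $e.TimeCreated).TotalSeconds) -le 5
        } | Select-Object -First 1

        [pscustomobject]@{
            ComputerName = $ComputerName
            TimeCreated  = $e.TimeCreated
            RecordId     = $e.RecordId
            PairedWith19 = [bool]$partner
            Message      = ($e.Message -split "`r?`n")[0]
        }
    }
}

# Enumerate the domain controllers of the current domain (requires the ActiveDirectory module).
$domainControllers = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$findings = foreach ($dc in $domainControllers) {
    Get-KdcCertificateEvents -ComputerName $dc -LookbackDays 7
}

# Per-DC summary first (where are smart card logons being attempted?), then the detail.
$findings | Group-Object ComputerName | Select-Object Name, Count | Sort-Object Count -Descending
$findings | Format-Table ComputerName, TimeCreated, RecordId, PairedWith19 -AutoSize
```

Events 19 and 29 do not identify the client or account; if Kerberos authentication service auditing is enabled, the Security log's event 4768 entries on the same domain controller around each TimeCreated are the place to look for the requesting principal and its pre-authentication type.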
