| Event Source: | Microsoft Windows Kerberos Key Distribution Center |
| Event ID: | 32 (0x80000020) |
| Event log: | System |
| Event type: | Warning |
| Event text (English): | The Key Distribution Center (KDC) uses a certificate without KDC Extended Key Usage (EKU) which can result in authentication failures for device certificate logon and smart card logon from non-domain-joined devices. Enrollment of a KDC certificate with KDC EKU (Kerberos Authentication template) is required to remove this warning. |
| Event text (German): | The Key Distribution Center (KDC) uses a certificate without Extended Key Usage (EKU) for the KDC. This can lead to authentication errors during device certificate enrollments and smart card enrollments of devices without domain affiliation. Enrollment of a KDC certificate with KDC EKU (Kerberos authentication template) is required to eliminate this warning. |
Example events
The Key Distribution Center (KDC) uses a certificate without KDC Extended Key Usage (EKU) which can result in authentication failures for device certificate logon and smart card logon from non-domain-joined devices. Enrollment of a KDC certificate with KDC EKU (Kerberos Authentication template) is required to remove this warning.
Description
This message occurs when a smart card login was processed and the domain controller certificate does not have a extended key usage (Extended Key Usage) for "Kerberos Authentication" is included.
This is the case, for example, if the domain controller uses a certificate based on the default Domain Controller certificate template. This does not contain the extended key usage for "Kerberos Authentication". The same applies to the deprecated Domain Controller Authentication certificate template.
The "domain controller" certificate template is - if it is offered by a certification authority - automatically requested by the domain controllers. It is therefore often used unknowingly.
More information
- For more information regarding the default certificate templates for domain controllers, see the article "Overview of the different generations of domain controller certificates„.
- For more information regarding smartcard registration see article "Domain Controller Certificate Templates and Smartcard Logon„.
- For the correct configuration of a certificate template for domain controllers, see the article "Configuring a Certificate Template for Domain Controllers„.
Safety assessment
The security assessment is based on the three dimensions of confidentiality, integrity and availability.
Since it is very likely that the "domain controller" certificate template will be used inadvertently for the reasons described previously, it should also be checked whether it is intended that users log in via smartcard at all.
If this is not the case, this event could be an indication of an attack on Active Directory via the certificate authority, and in this case would be considered critical for the integrity of the network.
For a description of the underlying problem, see the article "Attack vector on Active Directory directory service via smartcard logon mechanism„.
Related links:
- Overview of Active Directory events relevant for PKI
- Overview of Windows events generated by the certification authority
- Overview of audit events generated by the Certification Authority
External sources
- What's New in Kerberos Authentication (Microsoft)
- You cannot use a smart card certificate to log on to a domain from a Windows Vista-based client computer (Microsoft)
- Enabling Strict KDC Validation in Windows Kerberos (Microsoft)
- Configure Windows Logon With An Electronic Identity Card (EID) (Thomas Vuylsteke)
English 
Deutsch
2 thoughts on “Details zum Ereignis mit ID 32 der Quelle Microsoft-Windows-Kerberos-Key-Distribution-Center”
Comments are closed.