Details of the event with ID 40 of the source Microsoft-Windows-Kerberos-Key-Distribution-Center

Event Source:Microsoft Windows Kerberos Key Distribution Center
Event ID:40 (0x80000028)
Event log:System
Event type:Warning or error
Event text (English):The Key Distribution Center (KDC) encountered a user certificate that was valid but could not be mapped to a user in a secure way (such as via explicit mapping, key trust mapping, or a SID). The certificate also predated the user it mapped to, so it was rejected. See to learn more. User: %1 Certificate Subject: %2 Certificate Issuer: %3 Certificate Serial Number: %4 Certificate Thumbprint: %5 Certificate Issuance Time: %6 Account Creation Time: %7
Event text (German):The Key Distribution Center (KDC) found a valid user certificate, but it could not be mapped to a user in a secure way (for example, via an explicit mapping, key trust mapping, or SID). The certificate also prefixed the user it was associated with, which is why it was rejected. For more information, see User: %1 Certificate requester: %2 Certificate issuer: %3 Certificate serial number: %4 Certificate fingerprint: %5 Certificate issuance time: %6 Account creation time: %7

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem and is available under a free license. It can downloaded via GitHub and can be used free of charge.


The parameters contained in the event text are filled with the following fields:

  • %1: AccountName (win:UnicodeString)
  • %2: Subject (win:UnicodeString)
  • %3: Issuer (win:UnicodeString)
  • %4: SerialNumber (win:UnicodeString)
  • %5: Thumbprint (win:UnicodeString)
  • %6: IssuanceTime (win:UnicodeString)
  • %7: AccountCreationTime (win:UnicodeString)
  • %8: __binLength (win:UInt32)
  • %9: binary (win:Binary)


No description has been written for this yet.

Safety assessment

The security assessment is based on the three dimensions of confidentiality, integrity and availability.

An alert should definitely be triggered for this event, since certificates are not accepted in the event of logging. This can indicate an attack, but also a misconfiguration with an effect on availability.

Related links:

External sources