| Event Source: | Microsoft Windows Kerberos Key Distribution Center |
| Event ID: | 40 (0x80000028) |
| Event log: | System |
| Event type: | Warning or error |
| Event text (English): | The Key Distribution Center (KDC) encountered a user certificate that was valid but could not be mapped to a user in a secure way (such as via explicit mapping, key trust mapping, or a SID). The certificate also predated the user it mapped to, so it was rejected. See https://go.microsoft.com/fwlink/?linkid=2189925 to learn more. User: %1 Certificate Subject: %2 Certificate Issuer: %3 Certificate Serial Number: %4 Certificate Thumbprint: %5 Certificate Issuance Time: %6 Account Creation Time: %7 |
| Event text (German): | The Key Distribution Center (KDC) found a valid user certificate, but it could not be mapped to a user in a secure way (for example, via an explicit mapping, key trust mapping, or SID). The certificate also prefixed the user it was associated with, which is why it was rejected. For more information, see https://go.microsoft.com/fwlink/?linkid=2189925. User: %1 Certificate requester: %2 Certificate issuer: %3 Certificate serial number: %4 Certificate fingerprint: %5 Certificate issuance time: %6 Account creation time: %7 |
Parameter
The parameters contained in the event text are filled with the following fields:
- %1: AccountName (win:UnicodeString)
- %2: Subject (win:UnicodeString)
- %3: Issuer (win:UnicodeString)
- %4: SerialNumber (win:UnicodeString)
- %5: Thumbprint (win:UnicodeString)
- %6: IssuanceTime (win:UnicodeString)
- %7: AccountCreationTime (win:UnicodeString)
- %8: __binLength (win:UInt32)
- %9: binary (win:Binary)
Description
No description has been written for this yet.
Safety assessment
The security assessment is based on the three dimensions of confidentiality, integrity and availability.
An alert should definitely be triggered for this event, since certificates are not accepted in the event of logging. This can indicate an attack, but also a misconfiguration with an effect on availability.
Related links:
- Logging on to Active Directory with the May 10, 2022 patch for Windows Server (KB5014754)
- Overview of Active Directory events relevant for PKI
- Overview of Windows events generated by the certification authority
- Overview of audit events generated by the Certification Authority
External sources
- KB5014754-Certificate-based authentication changes on Windows domain controllers (Microsoft Corporation)
English 
Deutsch