Event Source: | Microsoft Windows Kerberos Key Distribution Center |
Event ID: | 41 (0x80000029) |
Event log: | System |
Event type: | Warning or error |
Event text (English): | The Key Distribution Center (KDC) encountered a user certificate that was valid but contained a different SID than the user to which it mapped. As a result, the request involving the certificate failed. See https://go.microsoft.com/fwlink/?linkid=2189925 to learn more. User: %1 User SID: %2 Certificate Subject: %3 Certificate Issuer: %4 Certificate Serial Number: %5 Certificate Thumbprint: %6 Certificate SID: %7 |
Event text (German): | The Key Distribution Center (KDC) found a valid user certificate, but it contained a different SID than the user it is assigned to. As a result, an error occurred in the request involving the certificate. For more information, see https://go.microsoft.com/fwlink/?linkid=2189925 User: %1 User SID: %2 Certificate requester: %3 Certificate issuer: %4 Certificate serial number: %5 Certificate fingerprint: %6 Certificate SID: %7 |
Parameter
The parameters contained in the event text are filled with the following fields:
- %1: AccountName (win:UnicodeString)
- %2: AccountSid (win:UnicodeString)
- %3: Subject (win:UnicodeString)
- %4: Issuer (win:UnicodeString)
- %5: SerialNumber (win:UnicodeString)
- %6: Thumbprint (win:UnicodeString)
- %7: CertificateSid (win:UnicodeString)
- %8: __binLength (win:UInt32)
- %9: binary (win:Binary)
Description
No description has been written for this yet.
Safety assessment
The security assessment is based on the three dimensions of confidentiality, integrity and availability.
An alert should definitely be triggered for this event, since certificates are not accepted in the event of logging. This can indicate an attack, but also a misconfiguration with an effect on availability.
Related links:
- Logging on to Active Directory with the May 10, 2022 patch for Windows Server (KB5014754)
- Overview of Active Directory events relevant for PKI
- Overview of Windows events generated by the certification authority
- Overview of audit events generated by the Certification Authority
External sources
- KB5014754-Certificate-based authentication changes on Windows domain controllers (Microsoft Corporation)