Details of the event with ID 41 of the source Microsoft-Windows-Kerberos-Key-Distribution-Center

Event Source:Microsoft Windows Kerberos Key Distribution Center
Event ID:41 (0x80000029)
Event log:System
Event type:Warning or error
Event text (English):The Key Distribution Center (KDC) encountered a user certificate that was valid but contained a different SID than the user to which it mapped. As a result, the request involving the certificate failed. See to learn more. User: %1 User SID: %2 Certificate Subject: %3 Certificate Issuer: %4 Certificate Serial Number: %5 Certificate Thumbprint: %6 Certificate SID: %7
Event text (German):The Key Distribution Center (KDC) found a valid user certificate, but it contained a different SID than the user it is assigned to. As a result, an error occurred in the request involving the certificate. For more information, see User: %1 User SID: %2 Certificate requester: %3 Certificate issuer: %4 Certificate serial number: %5 Certificate fingerprint: %6 Certificate SID: %7


The parameters contained in the event text are filled with the following fields:

  • %1: AccountName (win:UnicodeString)
  • %2: AccountSid (win:UnicodeString)
  • %3: Subject (win:UnicodeString)
  • %4: Issuer (win:UnicodeString)
  • %5: SerialNumber (win:UnicodeString)
  • %6: Thumbprint (win:UnicodeString)
  • %7: CertificateSid (win:UnicodeString)
  • %8: __binLength (win:UInt32)
  • %9: binary (win:Binary)


No description has been written for this yet.

Safety assessment

The security assessment is based on the three dimensions of confidentiality, integrity and availability.

An alert should definitely be triggered for this event, since certificates are not accepted in the event of logging. This can indicate an attack, but also a misconfiguration with an effect on availability.

Related links:

External sources