certutil -dcinfo fails with error message "KDC certificates: Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)"

Assume the following scenario:

  • Domain controllers have certificates for LDAP over SSL.
  • The certificates do not include the Extended Key Usage "Smart Card Logon" or "Kerberos Authentication".
  • If you run certutil -dcinfo, the command reports the following error message:

        0 KDC certificates for DC01
        No KDC Certificate in MY store
        KDC certificates: Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)

This error occurs because certutil -dcinfo looks for certificates that are usable for smart card logon and does not find any.

For smart card logon to work, the domain controller certificate must contain either the Extended Key Usage "Smart Card Logon" or the Extended Key Usage "KDC Authentication", or it must have been issued from the "Domain Controller" certificate template (not recommended, as that template dates back to Windows 2000).

For security reasons, it may be advisable not to include the above extended key usages in the domain controller certificates at all. If smart card logon is not used in the organization, omitting them prevents domain controllers from processing such logons in the first place, for example with certificates issued by a compromised certification authority.

The problem is purely cosmetic and does not affect the remaining functions of the certificate (LDAP over SSL).

Note that the error also occurs if the domain controller certificate includes the recommended "KDC Authentication" Extended Key Usage but not the "Smartcard Logon" Extended Key Usage.

If the certificate meets all the requirements for smart card logon, the error message should no longer appear.
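To see for yourself which of the conditions above a domain controller's certificates meet, the following PowerShell snippet (an added example, not part of the original post) inspects every certificate in the local machine's personal store. It is meant to be run on the domain controller; the OIDs are the standard Microsoft values for the extended key usages named in the post, and the check on the v1 "Certificate Template Name" extension is how the legacy "Domain Controller" template can be recognised.

```powershell
# Added example: report which certificates in the DC's MY store carry the EKUs
# that matter for LDAP over SSL and for the certutil -dcinfo KDC check.
$SmartCardLogonOid  = '1.3.6.1.4.1.311.20.2.2'   # EKU "Smart Card Logon"
$KdcAuthOid         = '1.3.6.1.5.2.3.5'          # EKU "KDC Authentication"
$ServerAuthOid      = '1.3.6.1.5.5.7.3.1'        # EKU "Server Authentication" (LDAPS)
$TemplateNameExtOid = '1.3.6.1.4.1.311.20.2'     # v1 "Certificate Template Name" extension

$results = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    # Collect all EKU OIDs; a certificate without the EKU extension yields none.
    $ekus = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekus += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
        }
    }
    # v1 templates (such as the legacy "Domain Controller" template) store their
    # name as a string in this extension; v2 templates use a different OID.
    $templateName = ($cert.Extensions |
        Where-Object { $_.Oid.Value -eq $TemplateNameExtOid } |
        ForEach-Object { $_.Format($false) }) -join ''

    [pscustomobject]@{
        Subject           = $cert.Subject
        Thumbprint        = $cert.Thumbprint
        NotAfter          = $cert.NotAfter
        ServerAuth        = $ekus -contains $ServerAuthOid        # sufficient for LDAP over SSL
        SmartCardLogon    = $ekus -contains $SmartCardLogonOid
        KdcAuthentication = $ekus -contains $KdcAuthOid
        LegacyDcTemplate  = $templateName -eq 'DomainController'
        # Either EKU, or the legacy template, is required for smart card logon.
        LogonCapable      = ($ekus -contains $SmartCardLogonOid) -or
                            ($ekus -contains $KdcAuthOid) -or
                            ($templateName -eq 'DomainController')
    }
}

$results | Format-Table Subject, NotAfter, ServerAuth, SmartCardLogon, KdcAuthentication, LegacyDcTemplate -AutoSize

# As described in the post, certutil -dcinfo still complains when only
# "KDC Authentication" is present, so the Smart Card Logon EKU is the decisive one.
if (-not ($results | Where-Object SmartCardLogon)) {
    Write-Host 'No certificate carries the Smart Card Logon EKU; certutil -dcinfo reports CRYPT_E_NOT_FOUND.'
    if ($results | Where-Object ServerAuth) {
        Write-Host 'LDAP over SSL is unaffected: at least one certificate has Server Authentication.'
    }
}
```

If smart card logon is intentionally not used, a table with ServerAuth set and the logon columns empty is the expected (and harmless) outcome.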
