Logon error with Windows Hello for Business: "Contact the system administrator and tell them that the KDC certificate could not be verified."

Assume the following scenario:

  • The company is using Windows Hello for Business.
  • Users receive the following error message when logging in to the client:
Sign-in failed. Contact your system administrator and tell them that the KDC certificate could not be validated. Additional information may be available in the system event log.

The German version of the error message reads (translated):

Error logging in. Contact the system administrator and tell them that the KDC certificate could not be verified. The system event log may contain additional information.

On the domain controllers, event ID 32 from the source Microsoft-Windows-Kerberos-Key-Distribution-Center is logged.

Possible causes

As the error message suggests, the KDC certificate (i.e. the domain controller certificate) cannot be verified by the client. Possible causes are:

  • The domain controllers do not have corresponding certificates.
  • The domain controller certificate has expired.
  • The domain controller certificate does not contain one of the Extended Key Usages required for Windows Hello for Business (analogous to smartcard logon): "KDC Authentication" or "Smartcard Logon".
  • The certification authority that issues the domain controller certificates is not published in the NTAuthCertificates object in Active Directory.
  • The revocation status of the domain controller certificate cannot be verified, for example because the revocation information has expired or is not accessible. Keep the entire certification authority hierarchy in mind here: the same problem occurs if the revocation information of a higher-level certification authority is not valid.

Further narrowing of the error

The domain controller certificates can be verified with the following command:

certutil -dcinfo verify

Note that the command requires domain administrator permissions.

For example, a problem with the revocation status check could be identified this way:

The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)

Please note that the CRYPT_E_REVOCATION_OFFLINE error code does not distinguish whether the certificate revocation list (CRL) cannot be downloaded or whether it can be downloaded but has expired.
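
The causes from the list under "Possible causes" can also be checked one by one, locally on a single domain controller. The following PowerShell script is an added example and not part of the original article; the EKU OIDs and the registry path of the locally cached NTAuth store are supplied here and do not come from the page.

```powershell
# Added example. Run in an elevated PowerShell session on a domain controller.
# The OIDs and the registry path below are not taken from the article.
$requiredEku = @{
    '1.3.6.1.5.2.3.5'        = 'KDC Authentication'
    '1.3.6.1.4.1.311.20.2.2' = 'Smartcard Logon'
}
# Local cache of the NTAuthCertificates object (one subkey per CA thumbprint).
$ntAuthCache = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates'
$ekuType     = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

$report = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    # Collect the EKU OIDs of this certificate and keep only the relevant ones.
    $oids = @($cert.Extensions | Where-Object { $_ -is $ekuType } |
        ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
    $matched = @($oids | Where-Object { $requiredEku.ContainsKey($_) })
    if ($matched.Count -eq 0) { continue }

    # Build the chain with online revocation checking for every CA in the hierarchy.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $null = $chain.Build($cert)
    # Element 0 is the certificate itself, element 1 its issuing CA (if any).
    $issuer = if ($chain.ChainElements.Count -gt 1) { $chain.ChainElements[1].Certificate }
    $status = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    [pscustomobject]@{
        Subject        = $cert.Subject
        Thumbprint     = $cert.Thumbprint
        NotAfter       = $cert.NotAfter
        Expired        = $cert.NotAfter -lt (Get-Date)
        Eku            = @($matched | ForEach-Object { $requiredEku[$_] }) -join ', '
        IssuerInNTAuth = [bool]($issuer -and (Test-Path (Join-Path $ntAuthCache $issuer.Thumbprint)))
        ChainStatus    = if ($status) { $status } else { 'NoError' }
    }
}

if (-not $report) {
    Write-Warning 'No certificate with a KDC Authentication or Smartcard Logon EKU in LocalMachine\My.'
} else {
    $report | Format-List
}
```

A certificate that reports a revocation-related chain status can be exported and examined with certutil -verify -urlfetch, which lists each CDP URL together with its retrieval result.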
