Logon error with Windows Hello for Business: "Contact the system administrator and tell them that the KDC certificate could not be verified."

Assume the following scenario:

  • The company is using Windows Hello for Business.
  • Users receive the following error message when logging in to the client:
Sign-in failed. Contact your system administrator and tell them that the KDC certificate could not be validated. Additional information may be available in the system event log.

The German translation of the error message is:

Error logging in. Contact the system administrator and tell them that the KDC certificate could not be verified. The system event log may contain additional information.

On the domain controllers, event ID 32 from the source Microsoft-Windows-Kerberos-Key-Distribution-Center is logged.

Possible causes

As the error message suggests, the KDC certificate (i.e. the domain controller certificate) cannot be verified by the client. Possible causes are:

  • The domain controllers have no suitable certificate at all.
  • The domain controller certificate has expired.
  • The domain controller certificate does not contain one of the Extended Key Usages that Windows Hello for Business requires (as for smart card logon): "KDC Authentication" or "Smartcard Logon".
  • The certification authority that issues the domain controller certificates is not present in the NTAuthCertificates object in Active Directory.
  • The revocation status of the domain controller certificate cannot be verified, for example because the revocation information has expired or cannot be reached. Keep the whole certification authority hierarchy in mind here: the same problem occurs if the revocation information of a higher-level certification authority is not valid.

Further narrowing of the error

The domain controller certificates can be verified with the following command:

certutil -dcinfo verify

Note that this command requires domain administrator permissions.

For example, a problem with the revocation status check can be identified this way:

The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)

Note that the CRYPT_E_REVOCATION_OFFLINE error code does not distinguish between a revocation list that cannot be downloaded and one that can be downloaded but has expired.
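The following PowerShell script is an added example and not part of the original post; it checks every certificate with a private key in a domain controller's computer store against the causes listed above (required EKU, validity period, chain and revocation status, issuing CA in NTAuth) and reports the findings per certificate. It assumes it is run elevated on the domain controller itself and that the locally cached copy of the NTAuthCertificates object is found under the registry key named in the script; the function name Test-DcCertificate and the variable names are the example's own.

```powershell
# Added example, not from the original post. Run elevated on a domain controller.
# The EKU OIDs are the ones Windows uses for "KDC Authentication" and "Smart Card Logon".
$RequiredEkus = @{
    '1.3.6.1.5.2.3.5'        = 'KDC Authentication'
    '1.3.6.1.4.1.311.20.2.2' = 'Smart Card Logon'
}

# Assumption: the locally cached copy of the NTAuthCertificates object is stored here
# (replicated from AD by policy); its subkeys are the thumbprints of the CA certificates.
$NtAuthKey = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates'
$NtAuthThumbprints = @()
if (Test-Path $NtAuthKey) {
    $NtAuthThumbprints = (Get-ChildItem $NtAuthKey).PSChildName
}

function Test-DcCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Extended Key Usage: at least one of the two required EKUs must be present
    $ekuExt = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    } | Select-Object -First 1
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $matching = @($ekus | Where-Object { $RequiredEkus.ContainsKey($_) })
    if ($matching.Count -eq 0) {
        $findings.Add('missing EKU: needs KDC Authentication or Smart Card Logon')
    }

    # 2. Validity period of the leaf certificate
    $now = Get-Date
    if ($Cert.NotAfter -lt $now)  { $findings.Add("expired on $($Cert.NotAfter)") }
    if ($Cert.NotBefore -gt $now) { $findings.Add("not valid before $($Cert.NotBefore)") }

    # 3. Build the chain with online revocation checking for every element, so that an
    #    expired or unreachable CRL of a higher-level CA also shows up
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chainOk = $chain.Build($Cert)
    foreach ($status in $chain.ChainStatus) {
        # RevocationStatusUnknown / OfflineRevocation are the chain-level view of
        # the CRYPT_E_REVOCATION_OFFLINE result shown by certutil -dcinfo verify
        $findings.Add("chain: $($status.Status) - $("$($status.StatusInformation)".Trim())")
    }

    # 4. The issuing CA (the chain element directly above the leaf) must be in NTAuth
    if ($chain.ChainElements.Count -gt 1) {
        $issuer = $chain.ChainElements[1].Certificate
        if ($NtAuthThumbprints -notcontains $issuer.Thumbprint) {
            $findings.Add("issuer '$($issuer.Subject)' not found in the cached NTAuth store")
        }
    }

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        EKUs       = ($ekus | ForEach-Object { if ($RequiredEkus[$_]) { $RequiredEkus[$_] } else { $_ } }) -join ', '
        ChainOk    = $chainOk
        Findings   = if ($findings.Count -eq 0) { 'none' } else { $findings -join '; ' }
    }
}

# Only certificates with a private key can be used by the KDC
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Test-DcCertificate -Cert $_ } |
    Format-List
```

A domain controller that passes all four checks on at least one certificate should no longer produce the error above; if the chain findings report a revocation problem, compare them with the output of certutil -dcinfo verify, since the X509Chain status names the chain element concerned, which the CRYPT_E_REVOCATION_OFFLINE code alone does not.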
