Details of the event with ID 40 of the source Microsoft-Windows-Kerberos-Key-Distribution-Center

Event Source: Microsoft Windows Kerberos Key Distribution Center
Event ID: 40 (0x80000028)
Event log: System
Event type: Warning or error
Event text (English): The Key Distribution Center (KDC) encountered a user certificate that was valid but could not be mapped to a user in a secure way (such as via explicit mapping, key trust mapping, or a SID). The certificate also predated the user it mapped to, so it was rejected. See https://go.microsoft.com/fwlink/?linkid=2189925 to learn more. User: %1 Certificate Subject: %2 Certificate Issuer: %3 Certificate Serial Number: %4 Certificate Thumbprint: %5 Certificate Issuance Time: %6 Account Creation Time: %7
Event text (German, translated): The Key Distribution Center (KDC) found a valid user certificate, but it could not be mapped to a user in a secure way (for example, via an explicit mapping, a key trust mapping, or a SID). The certificate also predated the user it was mapped to, which is why it was rejected. For more information, see https://go.microsoft.com/fwlink/?linkid=2189925. User: %1 Certificate requester: %2 Certificate issuer: %3 Certificate serial number: %4 Certificate fingerprint: %5 Certificate issuance time: %6 Account creation time: %7

Details of the event with ID 39 of the source Microsoft-Windows-Kerberos-Key-Distribution-Center

Event Source: Microsoft Windows Kerberos Key Distribution Center
Event ID: 39 (0x80000027)
Event log: System
Event type: Warning or error
Event text (English): The Key Distribution Center (KDC) encountered a user certificate that was valid but could not be mapped to a user in a secure way (such as via explicit mapping, key trust mapping, or a SID). Such certificates should either be replaced or mapped directly to the user via explicit mapping. See https://go.microsoft.com/fwlink/?linkid=2189925 to learn more. User: %1 Certificate Subject: %2 Certificate Issuer: %3 Certificate Serial Number: %4 Certificate Thumbprint: %5
Event text (German, translated): The Key Distribution Center (KDC) found a valid user certificate, but it could not be mapped to a user in a secure way (for example, via an explicit mapping, a key trust mapping, or a SID). Such certificates should either be replaced or mapped directly to the user via an explicit mapping. For more information, see https://go.microsoft.com/fwlink/?linkid=2189925. User: %1 Certificate requester: %2 Certificate issuer: %3 Certificate serial number: %4 Certificate fingerprint: %5
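Both events carry the same certificate fields in their insertion strings, which makes them easy to mine for the accounts and certificates that need an explicit mapping before enforcement. The following Python script is an added example and not part of the original article: it parses the filled-in English message text of events 39 and 40, aggregates the weakly mapped certificates per user, and reproduces the verdict the two messages describe (weak mapping alone is reported, weak mapping plus a certificate that predates the account is rejected). The sample messages, user names, issuer and thumbprints are constructed, and the ISO 8601 timestamps in the event 40 sample are an assumption, since the real insertion strings are formatted by the KDC's locale.

```python
"""
Parse the filled-in message text of Kerberos-Key-Distribution-Center events 39
and 40 and reproduce the verdict the two messages describe.

Added example, not code from the original article. The sample messages are
constructed; the timestamp format inside them (ISO 8601) is an assumption, the
real insertion strings are formatted by the KDC's locale.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Insertion-string labels as they appear in the English message text.
# The last two exist only in event 40.
_FIELDS = (
    "User", "Certificate Subject", "Certificate Issuer",
    "Certificate Serial Number", "Certificate Thumbprint",
    "Certificate Issuance Time", "Account Creation Time",
)
_LABEL_RE = re.compile("(" + "|".join(re.escape(f) for f in _FIELDS) + "): ")


def parse_kdc_event(message: str) -> Dict[str, str]:
    """Split the one-line message into a label -> value dict.

    re.split with a capturing group yields [leading text, label, value, label, value, ...],
    so every value runs up to the next label.
    """
    parts = _LABEL_RE.split(message)
    return {parts[i]: parts[i + 1].strip() for i in range(1, len(parts) - 1, 2)}


def kdc_decision(strong_mapping: bool, issued: datetime, account_created: datetime) -> Optional[int]:
    """Event ID the KDC logs for a valid user certificate, or None when it is strongly mapped.

    Mirrors the two message texts: explicit mapping, key trust or SID -> accepted
    silently; weak mapping and the certificate predates the account -> rejected (40);
    weak mapping without predating -> accepted, but reported (39).
    """
    if strong_mapping:
        return None
    if issued < account_created:
        return 40
    return 39


def weakly_mapped_certs(events: List[Tuple[int, str]]) -> Dict[str, Dict[str, int]]:
    """Aggregate (event_id, message) pairs into user -> {thumbprint: worst event id}.

    Both events name the same certificate fields, so one weak certificate that was
    used several times collapses to a single entry per user.
    """
    result: Dict[str, Dict[str, int]] = {}
    for event_id, message in events:
        fields = parse_kdc_event(message)
        per_user = result.setdefault(fields["User"], {})
        thumb = fields["Certificate Thumbprint"]
        per_user[thumb] = max(per_user.get(thumb, 0), event_id)
    return result


# Constructed sample log lines (users, issuer, serials and thumbprints are made up).
SAMPLE_EVENTS = [
    (39, "The Key Distribution Center (KDC) encountered a user certificate that was valid "
         "but could not be mapped to a user in a secure way (such as via explicit mapping, "
         "key trust mapping, or a SID). Such certificates should either be replaced or mapped "
         "directly to the user via explicit mapping. See https://go.microsoft.com/fwlink/?linkid=2189925 "
         "to learn more. User: CORP\\alice Certificate Subject: CN=alice, OU=Users, DC=corp, DC=example "
         "Certificate Issuer: CN=Corp Issuing CA 1 Certificate Serial Number: 1A00000012 "
         "Certificate Thumbprint: 0123456789ABCDEF0123456789ABCDEF01234567"),
    (40, "The Key Distribution Center (KDC) encountered a user certificate that was valid "
         "but could not be mapped to a user in a secure way (such as via explicit mapping, "
         "key trust mapping, or a SID). The certificate also predated the user it mapped to, "
         "so it was rejected. See https://go.microsoft.com/fwlink/?linkid=2189925 to learn more. "
         "User: CORP\\bob Certificate Subject: CN=bob, OU=Users, DC=corp, DC=example "
         "Certificate Issuer: CN=Corp Issuing CA 1 Certificate Serial Number: 1A00000034 "
         "Certificate Thumbprint: 89ABCDEF0123456789ABCDEF0123456789ABCDEF "
         "Certificate Issuance Time: 2022-03-01T08:00:00 Account Creation Time: 2022-04-15T09:30:00"),
]

if __name__ == "__main__":
    for user, certs in weakly_mapped_certs(SAMPLE_EVENTS).items():
        for thumb, worst in certs.items():
            print(f"{user}: {thumb} -> event {worst} ({'rejected' if worst == 40 else 'warned'})")
    fields = parse_kdc_event(SAMPLE_EVENTS[1][1])
    print("re-derived verdict for the event 40 sample:",
          kdc_decision(False,
                       datetime.fromisoformat(fields["Certificate Issuance Time"]),
                       datetime.fromisoformat(fields["Account Creation Time"])))
```

Feeding the script with messages exported from the System log of every domain controller gives the list of users whose certificates must be re-issued (with a strong mapping) or mapped explicitly before enforcement is switched on.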

Renewal of a certificate via the Network Device Enrollment Service (NDES) fails with error code CERT_E_UNTRUSTEDCA

Assume the following scenario:

  • A certificate is requested through the Network Device Enrollment Service (NDES).
  • Renewal mode is used here, i.e. the certificate request is signed with an existing certificate.
  • The request for the new certificate fails with the following error message:
A certification chain processed correctly, but one of the CA
certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)

Installation of a new certification authority certificate fails with error code "ERROR_INVALID_PARAMETER".

Assume the following scenario:

  • A new Certification Authority certificate is requested for a subordinate Certification Authority and issued by its parent Certification Authority.
  • The Subject Distinguished Name (Subject DN) is identical to that of the previous Certification Authority certificate.
  • Nevertheless, installing the Certification Authority certificate fails with the following error message:
An error was detected while configuring Active Directory Certificate Services.
The Active Directory Certificate Services Setup Wizard will need to be rerun to complete the configuration.
The new certificate subject name does not exactly match the active CA name.
Renew with a new key to allow minor subject name changes: The parameter is incorrect. 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER).

Character encoding in the Subject Distinguished Name of certificate requests and issued certificates

Usually, the encoding of characters and strings in certificates is not a topic of great interest to the users of a PKI. However, there are cases where the default settings of the certification authority do not provide the desired results.

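To make the point concrete, here is an added example (not code from the original article) that DER-encodes a Subject DN with its attribute values once as PrintableString and once as UTF8String. Both decode to the same text, but the bytes differ, which matters for any relying party that compares names byte by byte, and a value with characters outside the PrintableString repertoire (such as an umlaut) can only be encoded as UTF8String no matter what was configured. The DN values are made up; RDNs are passed in encoding order (country first), the reverse of the usual "CN=..., O=..., C=..." display order.

```python
"""
DER-encode a Subject Distinguished Name with the attribute values either as
PrintableString (tag 0x13) or as UTF8String (tag 0x0C).

Added example, not code from the original article. Attribute values are made up;
RDNs are given in encoding order (country first), the reverse of the RFC 4514
display order "CN=..., O=..., C=...".
"""
from typing import List, Tuple

# Character repertoire of the ASN.1 PrintableString type (X.680).
PRINTABLE = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?"
)
PRINTABLE_STRING, UTF8_STRING = 0x13, 0x0C
ATTR_OID = {"C": "2.5.4.6", "O": "2.5.4.10", "OU": "2.5.4.11", "CN": "2.5.4.3"}


def der_tlv(tag: int, body: bytes) -> bytes:
    """Tag, DER length (short form below 128, long form above), contents."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs combined, remaining arcs base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def string_tag(value: str, prefer_printable: bool) -> int:
    """Choose the DirectoryString type for one attribute value.

    PrintableString is only possible when every character is in its repertoire;
    anything else (umlauts, '@', '_', ...) forces UTF8String regardless of preference.
    """
    if prefer_printable and all(c in PRINTABLE for c in value):
        return PRINTABLE_STRING
    return UTF8_STRING


def encode_dn(rdns: List[Tuple[str, str]], prefer_printable: bool = True) -> bytes:
    """RDNSequence ::= SEQUENCE OF RelativeDistinguishedName (a SET OF one AttributeTypeAndValue each)."""
    body = b""
    for attr, value in rdns:
        tag = string_tag(value, prefer_printable)
        # For PrintableString values the UTF-8 bytes are plain ASCII, so one encode call serves both.
        ava = der_tlv(0x30, encode_oid(ATTR_OID[attr]) + der_tlv(tag, value.encode("utf-8")))
        body += der_tlv(0x31, ava)
    return der_tlv(0x30, body)


# Made-up names.
DN = [("C", "DE"), ("O", "Example GmbH"), ("CN", "Max Mustermann")]
DN_UMLAUT = [("C", "DE"), ("O", "Example GmbH"), ("CN", "Jürgen Müller")]

if __name__ == "__main__":
    printable = encode_dn(DN)
    utf8 = encode_dn(DN, prefer_printable=False)
    print("PrintableString:", printable.hex())
    print("UTF8String:     ", utf8.hex())
    print("same text, identical DER?", printable == utf8)
    print("umlaut name gets tag 0x%02x even when PrintableString is preferred"
          % string_tag("Jürgen Müller", True))
```

The practical consequence: if a certificate request was built with UTF8String values and the CA re-encodes the subject as PrintableString (or vice versa), the issued certificate's subject no longer matches the request or an issuer name byte for byte, which is exactly the kind of mismatch that makes path building or name comparison fail in some relying parties.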

List of certificate use cases for which compatibility with elliptic curve (ECC)-based keys is known

As computing power becomes ever more readily available, so does the need for stronger cryptographic keys. There is often a requirement (for example, because the keys must be protected by a Trusted Platform Module) to use keys based on elliptic curves (ECC). Before using them, it is essential to make sure that the intended use cases are compatible with such keys.

Below is a list of use cases for which I am aware of compatibility.


Configuring the Network Device Enrollment Service (NDES) to work with a domain account.

Because the Network Device Enrollment Service (NDES) implements the web-based Simple Certificate Enrollment Protocol (SCEP), it is hosted as a web application in Microsoft Internet Information Services (IIS), where it runs in an application pool named "SCEP". In many cases, the built-in application pool identity is sufficient for it.

However, there are cases where a domain account must be used instead. One example is the Certificate Connector for Microsoft Intune, which requires it.


The Certificate Connector for Microsoft Intune throws the error message "ArgumentException: String cannot be of zero length" during configuration.

Assume the following scenario:

  • An NDES server has been set up for use with Microsoft Intune.
  • The configuration of the Intune Certificate Connector cannot be completed because the following error message is thrown:
Error in Microsoft Intune Certificate Connector configuration. No changes were made to feature or proxy settings.
Unexpected error: System.ArgumentException: String cannot be of zero length.
Parameter name: name
   at System.Security.Principal.NTAccount..ctor(String name)

Logon error with Windows Hello for Business: "Contact the system administrator and tell them that the KDC certificate could not be verified."

Assume the following scenario:

  • The company is using Windows Hello for Business.
  • Users receive the following error message when logging in to the client:
Sign-in failed. Contact your system administrator and tell them that the KDC certificate could not be validated. Additional information may be available in the system event log.

A policy module to tame them all: Introducing the TameMyCerts Policy Module for the Microsoft Certification Authority.

As a Certification Authority operator, you are (among other things) responsible for identifying enrollees and confirming the identities they request. That this task is carried out conscientiously and without error is the central cornerstone of the trust placed in the Certification Authority. Well-known companies have already failed at this task; some even had to file for insolvency as a result of misissuance, or were severely punished by the major players in the market.

In many cases, we as enterprise (Microsoft) PKI operators are able to delegate the task of uniquely identifying an enrollee to Active Directory (with varying quality). In many other cases, however, we have to instruct our certification authority (or authorities) to simply issue whatever is requested.


The partition of the Hardware Security Module (HSM) runs full

Assume the following scenario:

  • A Certification Authority uses a Hardware Security Module (HSM).
  • Over the lifetime of the Certification Authority, more and more keys accumulate in the partition of the hardware security module.
  • With SafeNet hardware security modules, this can even cause the partition to run full. The Certification Authority then logs events 86 and 88.

Basics: Authentication procedures for the Internet Information Services (IIS)

Active Directory Certificate Services offers a number of web-based add-on interfaces: Network Device Enrollment Service (NDES), Certificate Enrollment Policy Web Service (CEP), Certificate Enrollment Web Service (CES), and Certification Authority Web Enrollment (CAWE).

Microsoft Internet Information Services (IIS) are therefore almost indispensable for a Microsoft PKI. Each of these web-based interfaces (and in-house developments as well) brings its own challenges in terms of authentication methods and their implementation.

The following article should bring a little clarity to the topic.


Enabling Basic Authentication for the Network Device Enrollment Service (NDES)

When the Network Device Enrollment Service (NDES) is newly installed (preferably without Enterprise Administrator permissions), only Windows Integrated Authentication is enabled for the administration web page at first. This protocol (via NT LAN Manager, NTLM) also allows authentication with user name and password, but not all client applications support it.

Likewise, a company might want to disable NTLM wherever possible and enforce Kerberos for logon. Enforcing Kerberos removes the ability to log on to the NDES administration web page with user name and password (because that path uses NTLM credentials).

One way out of this dilemma can be Basic Authentication, which can be retrofitted for this purpose; its setup is explained below.


Disabling NTLM and enforcing Kerberos at the Network Device Enrollment Service (NDES) administration web page.

Many companies pursue the strategy of (largely) disabling the NT LAN Manager (NTLM) authentication protocol in their networks.

This is also possible for the administration web page of the Network Device Enrollment Service (NDES). How exactly this is implemented, and how it may change the application's behavior, is explained below.


Changes to Certificate Issuance and Certificate-Based Logon to Active Directory with the May 10, 2022 Patch for Windows Server (KB5014754)

With the May 10, 2022 patch, Microsoft attempts to close a vulnerability in the certificate-based logon to Active Directory (commonly known as PKINIT or smart card logon).

The update changes both the behavior of the Certification Authority as well as the behavior of Active Directory when processing certificate-based logins.

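On the Certification Authority side, the update adds a certificate extension carrying the account's SID, which is one of the strong mappings the KDC events above refer to. The following Python snippet is an added example, not code from the original article or from Microsoft: it builds and parses the value of that extension, 1.3.6.1.4.1.311.25.2 (szOID_NTDS_CA_SECURITY_EXT), and performs the comparison against an account SID. The structure (a SEQUENCE containing one otherName with type-id 1.3.6.1.4.1.311.25.2.1 and a UTF8String value) is what certificates issued after the update show when dumped; the SID itself is made up.

```python
"""
Build and parse the value of the certificate extension 1.3.6.1.4.1.311.25.2
(szOID_NTDS_CA_SECURITY_EXT) that carries the account SID and thereby gives the
KDC a strong mapping from certificate to account.

Added example, not code from the original article or from Microsoft. The SID used
below is made up. Structure (as observed in certificates issued after KB5014754):
SEQUENCE { [0] otherName { OID 1.3.6.1.4.1.311.25.2.1, [0] { UTF8String sid } } }.
"""
import re
from typing import Tuple

SID_EXTENSION_OID = "1.3.6.1.4.1.311.25.2"
# DER contents octets of the otherName type-id 1.3.6.1.4.1.311.25.2.1 (szOID_NTDS_OBJECTSID).
_OBJECTSID_TYPE = bytes.fromhex("2b060104018237190201")
_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def der_tlv(tag: int, body: bytes) -> bytes:
    """Tag, DER length (short form below 128, long form above), contents."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body


def read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, contents, position after the element); rejects truncated input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        if pos + n > len(buf):
            raise ValueError("truncated DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER contents")
    return tag, buf[pos:pos + length], pos + length


def encode_sid_extension(sid: str) -> bytes:
    """Extension value: GeneralNames with a single otherName holding the SID as UTF8String."""
    if not _SID_RE.match(sid):
        raise ValueError(f"not a SID string: {sid!r}")
    other_name = der_tlv(0x06, _OBJECTSID_TYPE) + der_tlv(0xA0, der_tlv(0x0C, sid.encode("ascii")))
    return der_tlv(0x30, der_tlv(0xA0, other_name))


def _expect(tag: int, wanted: int, what: str) -> None:
    if tag != wanted:
        raise ValueError(f"{what}: expected tag 0x{wanted:02x}, got 0x{tag:02x}")


def decode_sid_extension(value: bytes) -> str:
    """Walk the structure strictly and return the SID string, or raise ValueError."""
    tag, general_names, _ = read_tlv(value)
    _expect(tag, 0x30, "extension value")
    tag, other_name, _ = read_tlv(general_names)
    _expect(tag, 0xA0, "GeneralName")
    tag, type_id, pos = read_tlv(other_name)
    _expect(tag, 0x06, "otherName type-id")
    if type_id != _OBJECTSID_TYPE:
        raise ValueError("otherName is not szOID_NTDS_OBJECTSID")
    tag, explicit, _ = read_tlv(other_name, pos)
    _expect(tag, 0xA0, "otherName value")
    tag, sid, _ = read_tlv(explicit)
    _expect(tag, 0x0C, "SID string")
    text = sid.decode("utf-8")
    if not _SID_RE.match(text):
        raise ValueError(f"extension does not hold a SID: {text!r}")
    return text


def sid_matches_account(extension_value: bytes, account_sid: str) -> bool:
    """The mapping check: the SID in the certificate must equal the account's objectSid."""
    return decode_sid_extension(extension_value) == account_sid


# Made-up domain SID and RID.
SAMPLE_SID = "S-1-5-21-1004336348-1177238915-682003330-1105"

if __name__ == "__main__":
    ext = encode_sid_extension(SAMPLE_SID)
    print(SID_EXTENSION_OID, "value:", ext.hex())
    print("decoded:", decode_sid_extension(ext))
    print("matches account 1105:", sid_matches_account(ext, SAMPLE_SID))
    print("matches account 1106:", sid_matches_account(ext, SAMPLE_SID[:-4] + "1106"))
```

Two things to keep in mind when a CA or a custom policy module populates this extension: the SID must be the one of the account the certificate is actually issued for (a requester who can influence it gets to pick the account), and the KDC compares it to the account's objectSid, so a certificate issued for an account that was later deleted and re-created does not map to the new object.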