You receive a Key Distribution Center "Event ID: 29" event message on a Windows Server 2008-based domain controller
Source: Microsoft Support
RAPID PUBLISHING ARTICLES PROVIDE INFORMATION DIRECTLY FROM WITHIN THE MICROSOFT SUPPORT ORGANIZATION. THE INFORMATION CONTAINED HEREIN IS CREATED IN RESPONSE TO EMERGING OR UNIQUE TOPICS, OR IS INTENDED SUPPLEMENT OTHER KNOWLEDGE BASE INFORMATION.
Consider the following scenario:
· You are using a Microsoft Windows Server 2008 domain controller.
· The domain controller is part of a domain that does not have a certification authority (CA) installed.
· You receive the following event message in the Event Viewer System log:
Log Name: System
Date: 10/13/2008 1:56:30 PM
Event ID: 29
Task Category: None
Computer: computer name
The Key Distribution Center (KDC) cannot find a suitable certificate to use for
smart card logons, or the KDC certificate could not be verified. Smart card logon
may not function correctly if this problem is not resolved. To correct this
problem, either verify the existing KDC certificate using certutil.exe or enroll
for a new KDC certificate.
This is by design behavior.
The Kerberos-Key-Distribution-Center (KDC) service repeats this check in order to see if there is an existing, workable certificate or if a new one is present. In this case the error handling does not take into account a non-CA environment.
To resolve this issue use one of the following methods:
· If there is no CA in your domain, you can ignore this event.
· Install a CA in the domain.
· If there is a CA in the domain, request a new domain controller certificate from the CA. For more information, see the following Microsoft Knowledgebase article: http://technet.microsoft.com/en-us/library/cc734096.aspx
· Make sure that the DC cert was not deleted. The DC certificate should be listed in the personal store on the DC under computer certificates.
This issue may also occur because of invalid domain controller certificates. Domain controller certificates may become invalid if you remove a CA that was installed in the domain. After you remove the CA, the domain controller still tries to contact the CA. To resolve this issue, remove all the invalid domain controller certificates.
For more information, see the following Microsoft Knowledgebase article:
For more information about Active Directory services, see the following:
Active Directory Certificate Services Overview
AD CS Upgrade and Migration Overview
MICROSOFT AND/OR ITS SUPPLIERS MAKE NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY, RELIABILITY OR ACCURACY OF THE INFORMATION CONTAINED IN THE DOCUMENTS AND RELATED GRAPHICS PUBLISHED ON THIS WEBSITE (THE “MATERIALS”) FOR ANY PURPOSE. THE MATERIALS MAY INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS AND MAY BE REVISED AT ANY TIME WITHOUT NOTICE.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, MICROSOFT AND/OR ITS SUPPLIERS DISCLAIM AND EXCLUDE ALL REPRESENTATIONS, WARRANTIES, AND CONDITIONS WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING BUT NOT LIMITED TO REPRESENTATIONS, WARRANTIES, OR CONDITIONS OF TITLE, NON INFRINGEMENT, SATISFACTORY CONDITION OR QUALITY, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THE MATERIALS.
Article ID: 967623 - Last Review: 02/06/2009 19:31:47 - Revision: 1.0
Windows Server 2008 Standard, Windows Server 2008 Enterprise, Windows Server 2008 Datacenter
- kbnomt kbrapidpub KB967623