KDC service prevents smart card logon after reboot


  • KDC service prevents smart card logon after reboot

    Hello all,

    I have a sudden issue on 2 domain controllers in my domain. Both DCs are Windows 2008 and the functional level is Windows 2008. All domain users are required to logon with a smart card.

    Last Friday recent updates were installed on both DCs and then each DC was rebooted. When they came up each DC had Event Id 29 in their system log.

    The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

    Because of this event none of my users were able to logon to the domain with their smart card. Once I restart the KDC service everything is fine and users can logon with smart cards. Naturally I blamed the recent updates. So, I uninstalled both of them on both DCs but still get the same error after every restart.

    Each DC has its own certificate from a third party CA which is valid and working properly. The DCs trust each CA in the chain. I am out of options. What bothers me most of all is this just became an issue. Everything has been running fine for 8 months with these certificates. Any ideas?

  • #2
    Re: KDC service prevents smart card logon after reboot

    Can you give us the KB numbers for the updates?
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    IT Trainer / Consultant
    Ossian Ltd

    ** Remember to give credit where credit is due and leave reputation points where appropriate **


    • #3
      Re: KDC service prevents smart card logon after reboot

      Thanks for your reply. Yes, they are KB980302, KB890830 and KB973917.


      • #4
        Re: KDC service prevents smart card logon after reboot


        I have run into the same situation in my environment, with one difference. We are bringing 2008 servers into a 2003 domain in the process of migrating all our 2003 servers to 2008. We see the same KDC errors you mentioned and are able to log into the domain with a smartcard after restarting the KDC service.

        I wish I had a solution for you, but we've noticed a couple of interesting things in troubleshooting this problem.

        1. Remote connection via UNC path or mapped drive with smartcard authentication is successful despite failed smartcard logon attempts to the domain. To me, this is an indication that the server certificate cannot validate itself.

        2. When smartcard logon fails, I log onto the domain controller via username/password and test the server certificate. Using certutil to test the URL CRL checking yielded a failed AIA path to the CRL, but I don't know why. Connectivity through the browser works just fine.

        After restarting the KDC service, AIA CRL checking works and we are again able to log into the domain and domain controller with a smartcard.

        Maybe this information can help you get closer to the answer and we can try to solve this together.


        • #5
          Re: KDC service prevents smart card logon after reboot

          Thanks for the reply. I spent a week or so on the phone with Microsoft and they have provided me with a workaround. I use Tumbleweed Enterprise DV on my Domain Controllers and Microsoft believes the issue is related to Tumbleweed. I then opened a ticket with Tumbleweed (Axway) and they researched the issue and agreed that there is an issue and it will be fixed in their next release which is 4.11 scheduled for the 4th quarter of this year.

          Here is the workaround from Microsoft...

          Create the registry value "UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors" in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\kdc of type DWORD with the value of 1 to force it to not perform a revocation check at boot up time.

          This workaround works for us. We no longer have to restart the KDC service after rebooting our domain controllers and our clients can successfully logon with a smart card.

          I hope this helps.
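          The workaround above as a PowerShell script, added here as an example rather than taken from the post or from Microsoft. It assumes an elevated PowerShell session on a Windows Server 2008 domain controller; the event source name used to look for Event ID 29 is an assumption.

```powershell
# Added example, not from the thread. Assumes: elevated PowerShell on a 2008 DC.
$kdcKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$valName = 'UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors'

# 1. Did the last boot hit the KDC certificate problem described in the thread?
#    Look for Event ID 29 in the System log since the most recent start-up.
#    The source name filter below is an assumption for Windows Server 2008.
$os       = Get-WmiObject Win32_OperatingSystem
$lastBoot = $os.ConvertToDateTime($os.LastBootUpTime)
$kdcEvents = Get-EventLog -LogName System -After $lastBoot |
    Where-Object { $_.EventID -eq 29 -and $_.Source -like '*Kerberos-Key-Distribution-Center*' }
if ($kdcEvents) {
    Write-Host ("KDC Event ID 29 seen {0} time(s) since boot at {1}" -f $kdcEvents.Count, $lastBoot)
} else {
    Write-Host "No KDC Event ID 29 since last boot."
}

# 2. Record the current setting before changing anything, so the change can be audited.
$before = $null
if (Test-Path $kdcKey) {
    $before = (Get-ItemProperty -Path $kdcKey -Name $valName -ErrorAction SilentlyContinue).$valName
}
Write-Host ("Current {0}: {1}" -f $valName, $(if ($before -eq $null) { '<not set>' } else { $before }))

# 3. Apply the workaround from the post: DWORD = 1 under the Kdc service key.
#    This tells the KDC to use only the cached CRL and ignore "revocation unknown"
#    at service start, which is what the thread relies on after a reboot.
if (-not (Test-Path $kdcKey)) { New-Item -Path $kdcKey -Force | Out-Null }
Set-ItemProperty -Path $kdcKey -Name $valName -Value 1 -Type DWord

# 4. Read the value back to confirm the write took effect.
$after = (Get-ItemProperty -Path $kdcKey -Name $valName).$valName
Write-Host ("New {0}: {1}" -f $valName, $after)

# 5. Optional: re-run the same chain check the KDC performs, against the DC's
#    own certificate store, to see whether AIA/CRL fetching works right now.
#    (certutil -verify -urlfetch is the documented certutil switch for this.)
Write-Host "Run 'certutil -verify -urlfetch <DC-cert.cer>' to check chain and CRL retrieval."
```

          The value only changes what the KDC does at service start; the script's before/after read-back gives a recorded baseline so the setting can be reverted once the vendor release mentioned in the post is in place.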


          • #6
            Re: KDC service prevents smart card logon after reboot

            Thanks, we have seen this registry workaround as well. Funny, we use Tumbleweed, too, and I'm almost afraid to ask where you work. I have a feeling we may already know each other. Thanks for the update on Tumbleweed.