Question : Key Distribution Center (KDC) cannot find a suitable certificate

I have 2 Windows 2003 DCs and recently I have added one Windows 2008 DC.

However, I find the following is logged in the Event Log. I followed the advice to verify the certificate, but I couldn't understand the diagnosis. Can anyone advise how to fix the problem?

Thanks.
------------------------------------------------
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\administrator.mydomain>certutil -dcinfo verify
0: TST-DC02
1: TST-DC01
2: TST-DC03

*** Testing DC[0]: TST-DC02
** Enterprise Root Certificates for DC TST-DC02
Certificate 0:
Serial Number: 65c3e042e99f0db147da506cce5cd7d0
Issuer: CN=TST-DC02, DC=mydomain, DC=net
 NotBefore: 3/24/2008 12:15 AM
 NotAfter: 3/24/2013 12:24 AM
Subject: CN=TST-DC02, DC=mydomain, DC=net
Certificate Template Name (Certificate Type): CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): e8 ce c9 53 ec 34 e2 54 43 a3 4f 87 50 3f f8 92 46 1d 1e 41

Certificate 1:
Serial Number: 588a24e5300122ab4b0b9be43734ca83
Issuer: CN=stafflink, DC=mydomain, DC=net
 NotBefore: 3/23/2008 11:51 PM
 NotAfter: 3/23/2013 11:59 PM
Subject: CN=stafflink, DC=mydomain, DC=net
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template:
Cert Hash(sha1): c9 90 50 ee f5 58 5f 58 de e5 34 cb 3f 9e 01 89 fe 19 33 4f

** KDC Certificates for DC TST-DC02
Certificate 0:
Serial Number: 1653673f000000000004
Issuer: CN=TST-DC02, DC=mydomain, DC=net
 NotBefore: 3/24/2008 7:28 AM
 NotAfter: 3/24/2009 7:28 AM
Subject: CN=TST-DC02.mydomain.net
Certificate Template Name (Certificate Type): DomainController
Non-root Certificate
Template: DomainController, Domain Controller
Cert Hash(sha1): 4a 07 3b c3 c3 43 6e ce f4 b6 ee e1 a4 92 88 e9 d2 20 80 35

dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_NT_AUTH
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_IS_NOT_TIME_VALID (0x1)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
ChainContext.dwRevocationFreshnessTime: 764 Days, 14 Hours, 25 Minutes, 27 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_NOT_TIME_VALID (0x1)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwRevocationFreshnessTime: 764 Days, 14 Hours, 25 Minutes, 27 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000041
  Issuer: CN=TST-DC02, DC=mydomain, DC=net
  NotBefore: 3/24/2008 7:28 AM
  NotAfter: 3/24/2009 7:28 AM
  Subject: CN=TST-DC02.mydomain.net
  Serial: 1653673f000000000004
  SubjectAltName: Other Name:DS Object Guid=04 10 f7 a4 7d 5f 45 a0 72 44 89 02 3e 74 c4 7e 3f 00, DNS Name=TST-DC02.mydomain.net
  Template: DomainController
  4a 07 3b c3 c3 43 6e ce f4 b6 ee e1 a4 92 88 e9 d2 20 80 35
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_IS_NOT_TIME_VALID (0x1)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    CRL 40:
    Issuer: CN=TST-DC02, DC=mydomain, DC=net
    5f cc 98 ac c1 42 a9 aa 0b 4d 16 7f 2a c9 d4 9a 0d eb ea 73
    Delta CRL 41:
    Issuer: CN=TST-DC02, DC=mydomain, DC=net
    63 e1 1d 53 9b 02 04 89 0d f6 4e 51 ed f2 13 de 97 e8 f4 c6
  Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication

CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=TST-DC02, DC=mydomain, DC=net
  NotBefore: 3/24/2008 12:15 AM
  NotAfter: 3/24/2013 12:24 AM
  Subject: CN=TST-DC02, DC=mydomain, DC=net
  Serial: 65c3e042e99f0db147da506cce5cd7d0
  Template: CA
  e8 ce c9 53 ec 34 e2 54 43 a3 4f 87 50 3f f8 92 46 1d 1e 41
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

Exclude leaf cert:
  47 4f 5b 4d f7 e6 af 36 e6 6f 2c 28 2d 48 d0 49 8b 82 63 9c
Full chain:
  2e 5d b6 2a 8e e0 22 f4 f9 3a 57 dc 82 20 30 d7 32 23 d0 7e
  Issuer: CN=TST-DC02, DC=mydomain, DC=net
  NotBefore: 3/24/2008 7:28 AM
  NotAfter: 3/24/2009 7:28 AM
  Subject: CN=TST-DC02.mydomain.net
  Serial: 1653673f000000000004
  SubjectAltName: Other Name:DS Object Guid=04 10 f7 a4 7d 5f 45 a0 72 44 89 02 3e 74 c4 7e 3f 00, DNS Name=TST-DC02.mydomain.net
  Template: DomainController
  4a 07 3b c3 c3 43 6e ce f4 b6 ee e1 a4 92 88 e9 d2 20 80 35
A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. 0x800b0101 (-2146762495)
------------------------------------
Expired certificate
1 KDC certs for TST-DC02

*** Testing DC[1]: TST-DC01
** Enterprise Root Certificates for DC TST-DC01
Certificate 0:
Serial Number: 65c3e042e99f0db147da506cce5cd7d0
Issuer: CN=TST-DC02, DC=mydomain, DC=net
 NotBefore: 3/24/2008 12:15 AM
 NotAfter: 3/24/2013 12:24 AM
Subject: CN=TST-DC02, DC=mydomain, DC=net
Certificate Template Name (Certificate Type): CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): e8 ce c9 53 ec 34 e2 54 43 a3 4f 87 50 3f f8 92 46 1d 1e 41

Certificate 1:
Serial Number: 588a24e5300122ab4b0b9be43734ca83
Issuer: CN=stafflink, DC=mydomain, DC=net
 NotBefore: 3/23/2008 11:51 PM
 NotAfter: 3/23/2013 11:59 PM
Subject: CN=stafflink, DC=mydomain, DC=net
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template:
Cert Hash(sha1): c9 90 50 ee f5 58 5f 58 de e5 34 cb 3f 9e 01 89 fe 19 33 4f

** KDC Certificates for DC TST-DC01
0 KDC certs for TST-DC01
No KDC Certificate in MY store
KDC certificates: Cannot find object or property. 0x80092004 (-2146885628)

*** Testing DC[2]: TST-DC03
** Enterprise Root Certificates for DC TST-DC03
Certificate 0:
Serial Number: 65c3e042e99f0db147da506cce5cd7d0
Issuer: CN=TST-DC02, DC=mydomain, DC=net
 NotBefore: 3/24/2008 12:15 AM
 NotAfter: 3/24/2013 12:24 AM
Subject: CN=TST-DC02, DC=mydomain, DC=net
Certificate Template Name (Certificate Type): CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): e8 ce c9 53 ec 34 e2 54 43 a3 4f 87 50 3f f8 92 46 1d 1e 41

Certificate 1:
Serial Number: 588a24e5300122ab4b0b9be43734ca83
Issuer: CN=stafflink, DC=mydomain, DC=net
 NotBefore: 3/23/2008 11:51 PM
 NotAfter: 3/23/2013 11:59 PM
Subject: CN=stafflink, DC=mydomain, DC=net
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template:
Cert Hash(sha1): c9 90 50 ee f5 58 5f 58 de e5 34 cb 3f 9e 01 89 fe 19 33 4f

** KDC Certificates for DC TST-DC03
0 KDC certs for TST-DC03
No KDC Certificate in MY store
KDC certificates: Cannot find object or property. 0x80092004 (-2146885628)

CertUtil: -DCInfo command FAILED: 0x80092004 (-2146885628)
CertUtil: Cannot find object or property.

C:\Users\administrator.mydomain>
Log Name:      System
Source:        Microsoft-Windows-Kerberos-Key-Distribution-Center
Date:          6/30/2010 5:21:34 AM
Event ID:      29
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      tst-dc03.mydomain.net
Description:
The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Kerberos-Key-Distribution-Center" Guid="{3FD9DA1A-5A54-46C5-9A26-9BD7C0685056}" EventSourceName="KDC" />
    <EventID Qualifiers="32768">29</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2010-06-29T21:21:34.000000000Z" />
    <EventRecordID>7132</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>System</Channel>
    <Computer>tst-dc03.mydomain.net</Computer>
    <Security />
  </System>
  <EventData>
  </EventData>
</Event>

Answer : Key Distribution Center (KDC) cannot find a suitable certificate

"The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate."

You can ignore this if you do not use smart cards; everyone gets it, it is just an advisory message.
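For anyone who does rely on smart card logon and wants to check each DC without reading the whole `certutil -dcinfo verify` dump, here is an added example (not from the original post or from Microsoft) that reproduces the two findings above locally: the expired Domain Controller certificate on TST-DC02 and the "No KDC Certificate in MY store" result on TST-DC01/TST-DC03. It assumes PowerShell 3 or later on the DC itself, that the DC's certificate is in `Cert:\LocalMachine\My` as in the certutil output, and it uses the Server Authentication, Smart Card Logon and KDC Authentication EKU OIDs as the test for a "KDC-capable" certificate (the exact template the KDC will pick is an assumption on my part, not something the thread states).

```powershell
# Added example: KDC certificate health check for one domain controller.
# Run in an elevated PowerShell on each DC; it reports, it does not change anything.

# EKU OIDs a KDC certificate can carry (assumed set; certutil above checked
# Server Authentication and Client Authentication on the DomainController template).
$KdcEkuOids = @{
    '1.3.6.1.5.5.7.3.1'      = 'Server Authentication'
    '1.3.6.1.4.1.311.20.2.2' = 'Smart Card Logon'
    '1.3.6.1.5.2.3.5'        = 'KDC Authentication'
}

function Get-KdcCandidateCertificate {
    # Every certificate in the machine MY store that carries at least one KDC-usable EKU.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        if (-not $eku) { return $false }
        $oids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value }
        ($oids | Where-Object { $KdcEkuOids.ContainsKey($_) }).Count -gt 0
    }
}

function Test-KdcCertificate {
    # Same checks certutil applied: time validity, private key present, chain builds
    # with revocation checked on everything except the root.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $now = Get-Date
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'   # CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT
    $chainOk = $chain.Build($Cert)
    [pscustomobject]@{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        NotAfter      = $Cert.NotAfter
        DaysLeft      = [int]($Cert.NotAfter - $now).TotalDays
        TimeValid     = ($now -ge $Cert.NotBefore -and $now -le $Cert.NotAfter)
        HasPrivateKey = $Cert.HasPrivateKey
        ChainOK       = $chainOk
        ChainStatus   = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
    }
}

$candidates = @(Get-KdcCandidateCertificate)
if ($candidates.Count -eq 0) {
    # This is the TST-DC01 / TST-DC03 case in the certutil output above.
    Write-Warning "No KDC-capable certificate in Cert:\LocalMachine\My on $env:COMPUTERNAME"
} else {
    # An expired or unbuildable chain here is the TST-DC02 case (0x800b0101).
    $candidates | ForEach-Object { Test-KdcCertificate $_ } | Format-List
}

# The warning this thread is about: Event ID 29 from the KDC provider in the System log.
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 29
} -MaxEvents 5 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
```

A DC that prints the warning, or a candidate with `TimeValid` false or `ChainOK` false, is one the KDC will keep logging Event 29 on; the fix the event text itself gives is to enroll a replacement DC certificate from the enterprise CA (via the Certificates MMC or `certreq -enroll -machine -q DomainController`), and `DaysLeft` lets you catch the next expiry before it happens rather than after.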