Event 29: Kerberos Key Distribution Center

While looking through our new Windows 2008 Domain Controller’s event logs, I noticed this unusual error:

Log Name: System
Source: Microsoft-Windows-Kerberos-Key-Distribution-Center
Event ID: 29
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Description: The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

After a little research, I found a knowledgebase article 967623 on Microsoft’s site.

How Microsoft explains this error message is so amusing to me….

This is by design behavior.
The Kerberos-Key-Distribution-Center (KDC) service repeats this check in order to see if there is an existing, workable certificate or if a new one is present. In this case the error handling does not take into account a non-CA environment.

Basically in a nutshell, if you are not using CA, you can ignore this error message.

Posted by Brian 11/09/2009 Categories: Support System Administration Windows