While looking through our new Windows 2008 Domain Controller’s event logs, I noticed this unusual error:
||The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.
After a little research, I found a knowledgebase article 967623 on Microsoft’s site.
How Microsoft explains this error message is so amusing to me….
This is by design behavior.
The Kerberos-Key-Distribution-Center (KDC) service repeats this check in order to see if there is an existing, workable certificate or if a new one is present. In this case the error handling does not take into account a non-CA environment.
Basically in a nutshell, if you are not using CA, you can ignore this error message.