Discussion:
Event ID 20 KDC certificate was once valid, but now is invalid
DirkDiggler
2005-06-17 12:48:01 UTC
I'm getting the following error message on a domain controller: (How can I
fix it?)

The currently selected KDC certificate was once valid, but now is invalid
and no suitable replacement was found. Smartcard logon may not function
correctly if this problem is not remedied. Have the system administrator
check on the state of the domain's public key infrastructure. The chain
status is in the error data.
Todd J Heron
2005-06-17 13:02:59 UTC
Post by DirkDiggler
> I'm getting the following error message on a domain controller: (How can I
> fix it?)
> The currently selected KDC certificate was once valid, but now is invalid
> and no suitable replacement was found. Smartcard logon may not function
> correctly if this problem is not remedied. Have the system administrator
> check on the state of the domain's public key infrastructure. The chain
> status is in the error data.

If an Active Directory CA was removed, Domain Controllers will display this
error until they get a new certificate from a different CA. Run:

certutil -dcinfo deleteBad

to remove the offending certificates. The DCs should then get new ones the
next time Autoenrollment runs... provided Certificate services are
re-installed. In either event the error should go away.
--
Todd J Heron, MCSE
Windows Server 2003/2000/NT; CCA
----------------------------------------------------------------------------
This posting is provided "as is" with no warranties and confers no rights
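
A read-only way to see which certificates in a domain controller's machine store fail chain validation, and why, before running the cleanup command from the reply above. This is an added example, not part of the original posts; it assumes an elevated PowerShell session on the DC, and the two EKU OIDs are included only to help pick out the DC/KDC certificates among the results.

```powershell
# Added example: inspect certificates in the local machine store of a DC.
# Nothing is deleted or changed; the script only reports.
$kdcAuthOid    = '1.3.6.1.5.2.3.5'      # KDC Authentication EKU
$serverAuthOid = '1.3.6.1.5.5.7.3.1'    # Server Authentication EKU

$report = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Check revocation across the whole chain, not only the end certificate.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag =
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $valid = $chain.Build($cert)

    # EnhancedKeyUsageList is added by the PowerShell certificate provider.
    $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })

    [pscustomobject]@{
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        Thumbprint   = $cert.Thumbprint
        NotAfter     = $cert.NotAfter
        Expired      = $cert.NotAfter -lt (Get-Date)
        HasKdcEku    = $ekus -contains $kdcAuthOid
        HasServerEku = $ekus -contains $serverAuthOid
        ChainValid   = $valid
        # Empty when the chain built cleanly; otherwise the reasons it did not.
        ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
    $chain.Reset()
}

# Failing chains first, then by expiry date.
$report | Sort-Object ChainValid, NotAfter | Format-List
```

Entries with `ChainValid : False` whose issuer is the removed CA are the ones the event is complaining about.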