Windows Hello for Business PIN and Kerberos
I followed https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-deployment-issues and enabled
Application and Services/Microsoft/Windows/Security-Kerberos/Operational.
I saw event 102 in the log:
Trust validation of the certificate for the Kerberos Key Distribution Center (KDC) DC01.mycompany.local failed: 0x800B010A. Use the CAPI2 diagnostic traces to identify the reason for the validation failure.
It looks like the issue is related to our DC's certificate. We got the 0x800B010A and 80092013 errors, and they are related to the certificate chain. I turned on CAPI2 and found
So we have an offline root CA and an issuing CA. The issuing CA's CRL setting is configured properly, and it passed the pkiview test for the CRL list. The issue seems to be the issuing CA's certificate: it is signed by the offline root CA and it doesn't have a valid HTTP CRL. I'm not sure if I can regenerate the issuing CA's certificate without breaking all the certificates it signed. Maybe it can be done by renewing the issuing CA's certificate with the existing key pair?
- Jack_Chen1780, Feb 09, 2022 (Brass Contributor): OK, fixed it. First fix AIA and CDL from the offline Root CA, then issue a new sub CA to the issuing CA server with the existing key (so all existing certificates don't need to be regenerated). Set up a new Intune profile to deploy the new intermediate sub CA to Windows devices; then it worked!
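The diagnosis in this thread (event 102 with 0x800B010A, then CAPI2 to find which element of the KDC certificate chain fails) can be reproduced from PowerShell without clicking through Event Viewer. The script below is an added example, not code posted by anyone in the thread or by Microsoft. It assumes the KDC name from the thread (DC01.mycompany.local), that you export the DC's KDC Authentication certificate to C:\temp\kdc.cer (path is an assumption), and that the Kerberos operational channel is named Microsoft-Windows-Kerberos/Operational as shown by `wevtutil el`; adjust names for your environment. Run it from an elevated PowerShell on a domain-joined client.

```powershell
# Added example (not from the original thread). Requires an elevated PowerShell prompt.
# Error codes seen in the thread: 0x800B010A = CERT_E_CHAINING (chain could not be built
# to a trusted root), 0x80092013 = CRYPT_E_REVOCATION_OFFLINE (a CRL could not be fetched).

# 1. Enable the Kerberos operational log and pull event 102 (KDC certificate trust failure).
#    Channel name per `wevtutil el`; it is displayed as Security-Kerberos/Operational in Event Viewer.
wevtutil set-log Microsoft-Windows-Kerberos/Operational /enabled:true
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Kerberos/Operational'; Id = 102 } `
                       -MaxEvents 5 -ErrorAction SilentlyContinue
foreach ($e in $events) {
    # Message looks like: "... (KDC) DC01.mycompany.local failed: 0x800B010A. Use the CAPI2 ..."
    if ($e.Message -match 'KDC\)\s+(\S+)\s+failed:\s+(0x[0-9A-Fa-f]+)') {
        '{0}  KDC={1}  HRESULT={2}' -f $e.TimeCreated, $Matches[1], $Matches[2]
    }
}

# 2. Obtain the KDC certificate. Run this part ON THE DC: it is the LocalMachine\My cert
#    carrying the KDC Authentication EKU (1.3.6.1.5.2.3.5). Copy kdc.cer to the client afterwards.
#    (Commented out so the rest of the script can run unchanged on the client.)
# $kdcCert = Get-ChildItem Cert:\LocalMachine\My |
#     Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.2.3.5' } |
#     Select-Object -First 1
# Export-Certificate -Cert $kdcCert -FilePath C:\temp\kdc.cer -Force | Out-Null

# 3. Build the chain the way CryptoAPI does, with online revocation checking on EVERY element,
#    and report status per element. A missing/unreachable CDP or AIA on the issuing CA's own
#    certificate shows up on that element (RevocationStatusUnknown / OfflineRevocation), not on
#    the DC leaf certificate, which is exactly the situation described in the thread.
$certPath = 'C:\temp\kdc.cer'   # assumed export location
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag    = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag
$built = $chain.Build($cert)
"Chain builds with full revocation checking: $built"
foreach ($el in $chain.ChainElements) {
    $status = if ($el.ChainElementStatus.Count -eq 0) { 'OK' }
              else { ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ', ' }
    '  {0,-60} {1}' -f $el.Certificate.Subject, $status
}

# 4. Let certutil fetch each AIA/CDP URL in the chain and say which ones fail. This is what
#    turns "chain is broken" into "this specific URL is unreachable or missing".
certutil -verify -urlfetch $certPath | Select-String -Pattern 'Failed|Error|URL|Revocation|CERT_E|CRYPT_E'

# 5. Confirm the thread's root cause directly: dump the CDP/AIA URLs embedded in the issuing CA's
#    certificate (second element of the chain) and check for a reachable http:// CRL URL.
if ($chain.ChainElements.Count -ge 2) {
    $issuer = $chain.ChainElements[1].Certificate
    $issuerPath = 'C:\temp\issuingca.cer'   # assumed path
    [System.IO.File]::WriteAllBytes($issuerPath, $issuer.RawData)
    certutil -dump $issuerPath | Select-String -Pattern 'CRL Distribution|Authority Information|URL='
}

# Remediation, as described in the accepted reply (commands run on the CAs, shown for reference):
#   On the offline root CA, inspect/fix the publication URL templates before re-issuing anything:
#     certutil -getreg CA\CRLPublicationURLs
#     certutil -getreg CA\CACertPublicationURLs
#     certutil -crl            # republish the root CRL after changing the templates
#   On the issuing CA, renew its certificate reusing the existing key pair so already-issued
#   certificates keep chaining:
#     certutil -renewCert ReuseKeys
```

Step 3 localizes the failure to a chain element and step 4 names the URL, which together replace the CAPI2 trace for this particular problem. If step 5 shows no http:// URL under the CRL Distribution Point of the issuing CA certificate, or shows one that step 4 reports as failed, the issuing CA certificate itself (not the DC certificate) is what needs to be re-issued by the root, which is the fix the thread arrived at.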