Forum Discussion
Jeff Harlow
Iron Contributor
Aug 23, 2018
KDC error - Cannot find a suitable certificate to use for Smart Card Logons (Hello for Business)
We have been using Hello for Business for over a year now. This morning, I come in and have users that are no longer able to log in via PIN or FaceID. On review, I can see that our certificate (PKI) r...
TristankMS
Microsoft
Mar 09, 2021
I'd'a said to check the Issuing CA certificate was in NTAuthCertificates. Enterprise CAs put themselves there by default if installed with sufficient permissions, but sometimes they get removed for enhanced security, or not updated for other reasons. A client won't attempt smart card logon unless the Issuing CA cert (i.e. the Issuer of the DC cert) is in that store.
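
One way to run the check described in the reply above, as an added example that is not part of the original thread: for each machine certificate with a private key, resolve its issuer and report whether that issuer is in the local NTAuth store. It assumes an elevated PowerShell session on the domain controller and that the machine's cached copy of NTAuthCertificates is under the registry key shown.

```powershell
# Added example, not from the thread. Run elevated on the domain controller.
# Assumption: the locally cached NTAuth store is this registry key, with one
# subkey per certificate, named by the certificate's SHA-1 thumbprint.
$ntAuthKey = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates'
$ntAuth = @()
if (Test-Path $ntAuthKey) {
    $ntAuth = @(Get-ChildItem $ntAuthKey | ForEach-Object { $_.PSChildName.ToUpperInvariant() })
}
Write-Host "NTAuth store holds $($ntAuth.Count) certificate(s)"

$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

Get-ChildItem Cert:\LocalMachine\My | Where-Object HasPrivateKey | ForEach-Object {
    $cert = $_

    # Build the chain in machine context; skip revocation so the check works offline.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $null = $chain.Build($cert)

    # Element 0 is the certificate itself, element 1 (if present) is its issuer.
    $issuer = $null
    if ($chain.ChainElements.Count -gt 1) {
        $issuer = $chain.ChainElements[1].Certificate
    }

    # List EKU OIDs so DC / KDC certificates can be told apart from other machine certs.
    $ekus = $cert.Extensions | Where-Object { $_ -is $ekuType } |
        ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value }

    [pscustomobject]@{
        Subject        = $cert.Subject
        NotAfter       = $cert.NotAfter
        Expired        = $cert.NotAfter -lt (Get-Date)
        EKUs           = $ekus -join ', '
        Issuer         = if ($issuer) { $issuer.Subject } else { 'unresolved or self-signed' }
        IssuerThumb    = if ($issuer) { $issuer.Thumbprint } else { $null }
        IssuerInNTAuth = [bool]($issuer -and ($ntAuth -contains $issuer.Thumbprint))
    }
    $chain.Dispose()
} | Format-List
```

A row for the DC's certificate with `IssuerInNTAuth : False` or `Expired : True` matches the condition described in the reply.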