KDC error - Cannot find a suitable certificate to use for Smart Card Logons (Hello for Business)


We have been using Hello for Business for over a year now. This morning, I came in and have users that are no longer able to log in via PIN or FaceID. On review, I can see that our certificate (PKI) renewed. Everything states that the certificates are valid. For the life of me, I cannot seem to figure out why, after a renewal, this would break. Any ideas? The date on the certificate for Kerberos, and DC Authentication are both dated today with 1YR expiration (2019 Aug). Desktops all have valid certificates. Root certificate is valid and does not expire for like 30 years. I even deleted the DC and Kerberos certificates, and reissued them. Found an article about changing the RSA and merging the three certificates into one (Domain Controller Authentication (Kerberos)) and superseded the prior three. Verified that all DCs had the new certificate. Still same error on DCs. Please help!

3 Replies

The two errors are Error 29: The KDC cannot find a suitable certificate to use for smart card logons or the KDC could not be verified.   

Error 19: This event indicates an attempt was made to use smartcard logon, but the KDC is unable to use the PKINIT protocol because it is missing a suitable certificate.  


The original and newly created template (and certificate) includes Smart Card Logon. 
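The reply above lists the two KDC events (29 and 19) and the original post describes DC certificates that look valid in the console yet are still rejected. What the KDC actually requires of its own PKINIT certificate is more than "not expired": the expected Enhanced Key Usages (KDC Authentication, Smart Card Logon, Server and Client Authentication on the Kerberos Authentication template), an associated private key, the DC's name in the Subject Alternative Name, and a chain to a CA the domain trusts for logon (the NTAuth store). The following PowerShell audit, written here as an added example and not taken from the thread or from Microsoft, enumerates `Cert:\LocalMachine\My` on a DC and reports each of those checks per certificate. It assumes the built-in `PKI` module's `Test-Certificate` cmdlet (Windows Server 2012 or later) and that the DC's forward DNS name resolves; the EKU OIDs and the template-extension OIDs are the standard Microsoft values.

```powershell
# Added example (not from the thread): audit a DC's machine store for a
# certificate that satisfies the KDC's PKINIT requirements. Run elevated on each DC.

# EKUs present on a Kerberos Authentication template certificate (standard OIDs).
$RequiredEku = [ordered]@{
    'KDC Authentication'    = '1.3.6.1.5.2.3.5'
    'Smart Card Logon'      = '1.3.6.1.4.1.311.20.2.2'
    'Server Authentication' = '1.3.6.1.5.5.7.3.1'
    'Client Authentication' = '1.3.6.1.5.5.7.3.2'
}
# Certificate Template Information (v2) and Certificate Template Name (v1) extensions.
$TemplateOids = @('1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2')

$dcFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$now    = Get-Date

$results = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })

    # Subject Alternative Name (2.5.29.17) as text, empty if absent.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $san    = if ($sanExt) { $sanExt.Format($false) } else { '' }

    $template = ($cert.Extensions |
        Where-Object { $_.Oid.Value -in $TemplateOids } |
        ForEach-Object { $_.Format($false) }) -join '; '

    $missing = @($RequiredEku.GetEnumerator() |
        Where-Object { $ekus -notcontains $_.Value } |
        ForEach-Object { $_.Key })

    # Test-Certificate with the NTAUTH policy verifies the chain AND that the issuing CA
    # is in the enterprise NTAuth store; a renewed CA that was never republished fails here
    # even though the leaf shows as "valid" in certlm.msc.
    $ntauthOk = Test-Certificate -Cert $cert -Policy NTAUTH -ErrorAction SilentlyContinue -WarningAction SilentlyContinue

    [pscustomobject]@{
        Thumbprint     = $cert.Thumbprint
        Subject        = $cert.Subject
        Template       = $template
        NotAfter       = $cert.NotAfter
        ValidNow       = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
        HasPrivateKey  = $cert.HasPrivateKey
        MissingEku     = ($missing -join ', ')
        SanHasDcFqdn   = ($san -match [regex]::Escape($dcFqdn))
        ChainsToNTAuth = [bool]$ntauthOk
    }
}

$results | Format-Table -AutoSize

# A KDC-usable certificate must pass every check; report if none does.
$usable = $results | Where-Object {
    $_.ValidNow -and $_.HasPrivateKey -and -not $_.MissingEku -and $_.SanHasDcFqdn -and $_.ChainsToNTAuth
}
if (-not $usable) {
    Write-Warning "No certificate in LocalMachine\My on $dcFqdn satisfies all PKINIT checks; expect KDC events 19/29."
} else {
    Write-Host "Usable KDC certificate(s):" ($usable.Thumbprint -join ', ')
}
```

The value of running this per DC is that the console's "certificate is valid" verdict only covers dates and the basic chain, whereas the `ChainsToNTAuth` and `MissingEku` columns cover the two conditions the KDC events specifically complain about. If every certificate passes here and the events persist, the remaining suspects are the client side (the Hello for Business certificate or the root/NTAuth trust as cached on the workstation) rather than the DC's store.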


Jeff,


I know this is an old post, but we are setting up the environment right now and experiencing the same issue.

Care to share how you solved this one?


tx!


Unfortunately, I do not recall the solution. We have since moved to Azure AD and not even using the method at that time. Sorry. 

@Matthias Vandenberghe