Kerberos-Key-Distribution-Center warning ID 32

Chong 871 Reputation points
2024-04-08T04:35:12.2866667+00:00

Hi Support,

Our DC will have a warning 32 on the Kerberos-Key-Distribution-Center:

The Key Distribution Center (KDC) uses a certificate without KDC Extended Key Usage (EKU) which can result in authentication failures for device certificate logon and smart card logon from non-domain-joined devices. Enrollment of a KDC certificate with KDC EKU (Kerberos Authentication template) is required to remove this warning.

Our device didn't use a smart card or device certificate to log in. Any idea?


1 answer

  1. Anonymous
    2024-04-09T01:42:24.0666667+00:00

    Hello Chong,

    Thank you for posting in Q&A forum.

    How many Domain Controllers are there in your domain? Do you see the same event ID on all the DCs in your domain?

    Please check whether you have an internal Windows CA server in your domain. If so, you can check whether there is a KDC certificate in the Certificates - Local Computer\Personal store.

    If you have a Windows CA and there is such a certificate (issued using the Kerberos Authentication certificate template) on the DC, you can try to request such a Kerberos certificate on the DC, then check whether this warning still appears on the DC.

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
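The store check described in the answer above can be scripted. The following is an added example, not part of the original question or answer: it lists each certificate in the DC's Local Computer\Personal store and reports whether it carries the KDC Authentication EKU that the warning text refers to. The function name `Get-KdcCertificateReport` is hypothetical, the two OIDs are the standard values for the KDC Authentication EKU and the certificate template extension (neither appears on the page), and the event query assumes the warning is written to the System log by the `Microsoft-Windows-Kerberos-Key-Distribution-Center` provider.

```powershell
# Added example (not from the original thread). Run in an elevated session on a DC.
$KdcEkuOid      = '1.3.6.1.5.2.3.5'        # KDC Authentication EKU
$TemplateExtOid = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information extension

function Get-KdcCertificateReport {
    param(
        # Defaults to the Local Computer\Personal store named in the answer.
        [System.Security.Cryptography.X509Certificates.X509Certificate2[]]
        $Certificate = (Get-ChildItem -Path Cert:\LocalMachine\My)
    )
    foreach ($cert in $Certificate) {
        # Collect the EKU OIDs, if the certificate has an EKU extension at all.
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $ekuOids = if ($ekuExt) {
            @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
        } else { @() }

        # The template extension shows which template issued the certificate.
        $tmplExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateExtOid }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Expired    = $cert.NotAfter -lt (Get-Date)
            HasKdcEku  = $ekuOids -contains $KdcEkuOid
            Template   = if ($tmplExt) { $tmplExt.Format($false) } else { '(no template extension)' }
        }
    }
}

# Certificates with the KDC EKU sort first; none with HasKdcEku = True matches the warning text.
Get-KdcCertificateReport | Sort-Object HasKdcEku -Descending | Format-List

# Recent occurrences of the warning on this DC, for comparison across DCs.
# Provider and log name are assumptions, see the lead-in.
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 32
} -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, MachineName, Id
```

Running the same script on each DC answers both of the questions in the reply: whether the event appears on every DC, and which certificate each one currently holds.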

