Windows Server 2025 | Kerberos Local Key Distribution Center (LocalKDC) service fails to start

Question

Windows Server 2025 | Kerberos Local Key Distribution Center (LocalKDC) service fails to start

Krasimir Rangelov 240

Hello,

After installing the latest cumulative update for December, KB5048667, on my Windows Server 2025 system, the Kerberos Local Key Distribution Center (LocalKDC) service fails to start due to the following generic exception:

"Some services stop automatically if they are not in use by other services or programs."

This issue appears to be related to the recent changes regarding NTLM deprecation and the optional shift to Kerberos for local user authentication.

After uninstalling the cumulative update for December, the service gets stuck at START_PENDING and never starts, that gives me some chills.

Cannot find any events regarding the Local KDC service, even after enabling logging for Microsoft-Windows-Kerberos-Local-Key-Distribution-Center/Operational.

Given the importance of these changes, I’d like to report this as a potential issue with the latest GA implementation.

Is this a known issue with KB5048667?

Ian Wall 0 Reputation points

2024-12-31T00:26:56.06+00:00

Apologies, this was meant as a response to the answer.
Ahmed Alsayed Ibrahim 0 Reputation points

2025-01-05T14:43:40.5+00:00

i have same issue, and now Windows Hello for Business Cloud Kerberos stop working
O HICKMOTT 10 Reputation points

2025-01-08T14:29:04.28+00:00

Same for us also, including broken WHfB cloud trust
Nicolas Lavisse 10 Reputation points

2025-01-13T13:10:33.93+00:00

I have the same problem on a 2025 that has just been installed and the installation of updates...
Nicolas Lavisse 10 Reputation points

2025-01-13T13:15:38.9666667+00:00

I have the same problem on a 2025 that has just been installed and the installation of updates...
Nicolas Lavisse 10 Reputation points

2025-01-13T14:50:07.46+00:00

Uninstall KB5048667... and Uuable to login and black screen...

Pfff ...
O HICKMOTT 10 Reputation points

2025-01-15T13:18:19.41+00:00

2025-01 Cumulative Update makes no difference on 24H2 client or server. Nor does making the required KDC Strong Cert binding changes suggested in KB5014754.

We have this behaviour now on more than 2k client devices and have had to remove Windows Hello for Business across our estate.
David Hoeft 11 Reputation points

2025-01-17T15:51:05.6466667+00:00

Same trouble here. Have not found a solution.
Koopman 1 Reputation point

2025-01-18T00:08:50.0633333+00:00

After upgrading I cannot sign in unless I turn that service OFF!! 2025 is extremely buggy and had costs me 2 broken sites now. Rebuilding back to 2022 :(
Nicolas Lavisse 10 Reputation points

2025-01-18T15:43:42.2233333+00:00

I do that and everything works fine !

https://batcmd.com/windows/11/services/localkdc/
O HICKMOTT 10 Reputation points

2025-01-29T15:41:56.7433333+00:00

I think the bigger picture is being missed here - this is an issue that is present in both 24h2 server and client. It's one thing have your DC's unable to leverage Kerberos but the issue is compounded when all your client devices also cannot leverage it. Especially where Microsoft has now deprecated RPC and NTLM in favour of Kerberos. Which is great unless the very services that allows this auth process is broken and won't start.
tfc 15 Reputation points

2025-01-29T18:05:49.7166667+00:00

@O HICKMOTT Agree with your technical assessment of the issue but I think the bigger picture is that we are being ignored by Microsoft but that's nothing new...
Michael B Allen 0 Reputation points

2025-02-05T01:22:13.0433333+00:00

LocalKDC is just not enabled yet. Allegedly it will be in a few months. Presumably with IAKerb.

For now, NTLM is still very much required for clients that can't get tickets.

@O HICKMOTT RPC is not deprecated. RPC over HTTP transport (ncacn_http) is deprecated but other transports like RPC over TCP (ncacn_tcp_ip) and RPC over SMB (ncacn_np) are still used extensively on prem.
O HICKMOTT 10 Reputation points

2025-02-05T07:48:50.4366667+00:00

Thanks for the info @Michael B Allen please could you advise on your thoughts as to why it was enabled prior to the November CU and why WuFB no longer functions post this update?
Michael B Allen 0 Reputation points

2025-02-05T13:00:00.98+00:00

@O HICKMOTT Please correct me but my understanding is that Local KDC has never been enabled. My guess is that using Local KDC will require a client to use IAKerb which is not available yet. And until clients can do IAKerb, they can't "disable" NTLM. So, it seems we're waiting on IAKerb I think.

I think maybe all of the announcements about disabling NTLM and introducing Local KDC / IAKerb were meant to motivate and placate certain folks. But these things always take twice as long as you think so ... just chill.
tfc 15 Reputation points

2025-02-08T21:10:36.74+00:00

@Michael B Allen if true then it is still a bug that MS is not acknowledging. After the last patches they mysteriously set the service to Automatic startup but as we all can attest it does not start which results in a event log failures. They should acknowledge their error and publish a KB article telling us to disregard the error and set the service to manual. As usual they continue to release buggy updates and not address the issues that arise from them.
Mela Germier 96 Reputation points

2025-02-13T10:27:38.1733333+00:00

OS build: 26100.3194

And The Problem persist...

It's unbelievable how bad Microsoft support has become these days.

Here another issue where we are Fighting with Microsoft..... interesting for this who is as ADDS (https://techcommunity.microsoft.com/discussions/WindowsServerInsiders/when-is-network-profile-issue-for-domain-controllers-going-to-be-at-least-acknow/4156679)
Paul 15 Reputation points

2025-02-15T20:28:38.66+00:00

Exact same Service Status report here on all 2025 member servers and DCs

I found this video very useful https://youtu.be/nJ3gGNv8aZI

LocalKDC overview at time point 13.05 so from what I can ascertain this service that is reporting as not started should have no impact on your current DC/Client Kerberos setup and is a new additional Kerberos Implementation between local clients and workgroups to eliminate NTLM auths. Just my interpretation so I would reccomend watching the video and coming to your own conclusions

One of three on this blog and worth a watch https://techcommunity.microsoft.com/blog/windowsosplatform/active-directory-improvements-in-windows-server-2025/4202383

Furthermore according to this blog from Steve Syfuhs (Windows Cryptography, Identity, and Authentication team at Microsoft. https://syfuhs.net/steve) the LocalKDC and IAKerb aren't enabled "The lack of documentation is intentional. I have not enabled this feature yet. The fact that you see the service present is just an artifact of feature gating. https://www.reddit.com/r/sysadmin/comments/1d0xmms/local_kdc_service_on_windows_server_2025/

My DCs are now all migrated to Server 2025, show this Service not started warning as each one was migrated but AD and authentication are functioning as expected.

Not to say we all have the same environments of course..... so definitely test test test!
Olivier Hefti 0 Reputation points

2025-02-19T13:35:32.1533333+00:00

We have the same problem/warning on all Win 2025 Server version 24H2 (Build 26100.3194)... Some servers have been deleted for this reason and are now running on Windows Server 2022 again. It would be good if we just knew if the problem can be ignored for now and it has no consequences on the functions....
Ian G. Sully 21 Reputation points

2025-02-20T18:27:44.3366667+00:00

Yeah I am having the same issue right now. I can login to every Windows computer just fine. But when I use anything that uses Cisco ISE and ISE uses AD. Then it will not work, why? Because it cannot talk to Active Directory BECAUSE of this issue. So I don't know if there is any workaround because I need to get everything working again as soon as possible!
Trevor Haagsma 1 Reputation point

2025-02-20T22:52:05.3266667+00:00

Ian G Sully

try the following:

From gpedit:

Domain Controller Policy

===Computer Configuration

======Policies

=========Windows Settings

============Security Settings

===============Local Policies

==================Security Options

=====================Domain controller: LDAP server channel binding token requirements: "When Supported"

=====================Domain controller: LDAP server signing requirements: "None"

=====================Domain controller: LDAP server Enforce signing requirements: "Disabled"

=====================Network security: LDAP client encryption requirements: "Negotiate Sealing"

=====================Network security: LDAP client signing requirements: "Negotiate Signing"

Source: https://forum.netgate.com/topic/187453/ldap-authentication-with-active-directory-windows-server-2025-bind-fails/3

3 answers

Your answer

Ian Wall 0 Reputation points

2024-12-31T00:26:56.06+00:00

Apologies, this was meant as a response to the answer.
Ahmed Alsayed Ibrahim 0 Reputation points

2025-01-05T14:43:40.5+00:00

i have same issue, and now Windows Hello for Business Cloud Kerberos stop working
O HICKMOTT 10 Reputation points

2025-01-08T14:29:04.28+00:00

Same for us also, including broken WHfB cloud trust
Nicolas Lavisse 10 Reputation points

2025-01-13T13:10:33.93+00:00

I have the same problem on a 2025 that has just been installed and the installation of updates...
Nicolas Lavisse 10 Reputation points

2025-01-13T13:15:38.9666667+00:00

I have the same problem on a 2025 that has just been installed and the installation of updates...
Nicolas Lavisse 10 Reputation points

2025-01-13T14:50:07.46+00:00

Uninstall KB5048667... and Uuable to login and black screen...

Pfff ...
O HICKMOTT 10 Reputation points

2025-01-15T13:18:19.41+00:00

2025-01 Cumulative Update makes no difference on 24H2 client or server. Nor does making the required KDC Strong Cert binding changes suggested in KB5014754.

We have this behaviour now on more than 2k client devices and have had to remove Windows Hello for Business across our estate.
David Hoeft 11 Reputation points

2025-01-17T15:51:05.6466667+00:00

Same trouble here. Have not found a solution.
Koopman 1 Reputation point

2025-01-18T00:08:50.0633333+00:00

After upgrading I cannot sign in unless I turn that service OFF!! 2025 is extremely buggy and had costs me 2 broken sites now. Rebuilding back to 2022 :(
Nicolas Lavisse 10 Reputation points

2025-01-18T15:43:42.2233333+00:00

I do that and everything works fine !

https://batcmd.com/windows/11/services/localkdc/
O HICKMOTT 10 Reputation points

2025-01-29T15:41:56.7433333+00:00

I think the bigger picture is being missed here - this is an issue that is present in both 24h2 server and client. It's one thing have your DC's unable to leverage Kerberos but the issue is compounded when all your client devices also cannot leverage it. Especially where Microsoft has now deprecated RPC and NTLM in favour of Kerberos. Which is great unless the very services that allows this auth process is broken and won't start.
tfc 15 Reputation points

2025-01-29T18:05:49.7166667+00:00

@O HICKMOTT Agree with your technical assessment of the issue but I think the bigger picture is that we are being ignored by Microsoft but that's nothing new...
Michael B Allen 0 Reputation points

2025-02-05T01:22:13.0433333+00:00

LocalKDC is just not enabled yet. Allegedly it will be in a few months. Presumably with IAKerb.

For now, NTLM is still very much required for clients that can't get tickets.

@O HICKMOTT RPC is not deprecated. RPC over HTTP transport (ncacn_http) is deprecated but other transports like RPC over TCP (ncacn_tcp_ip) and RPC over SMB (ncacn_np) are still used extensively on prem.
O HICKMOTT 10 Reputation points

2025-02-05T07:48:50.4366667+00:00

Thanks for the info @Michael B Allen please could you advise on your thoughts as to why it was enabled prior to the November CU and why WuFB no longer functions post this update?
Michael B Allen 0 Reputation points

2025-02-05T13:00:00.98+00:00

@O HICKMOTT Please correct me but my understanding is that Local KDC has never been enabled. My guess is that using Local KDC will require a client to use IAKerb which is not available yet. And until clients can do IAKerb, they can't "disable" NTLM. So, it seems we're waiting on IAKerb I think.

I think maybe all of the announcements about disabling NTLM and introducing Local KDC / IAKerb were meant to motivate and placate certain folks. But these things always take twice as long as you think so ... just chill.
tfc 15 Reputation points

2025-02-08T21:10:36.74+00:00

@Michael B Allen if true then it is still a bug that MS is not acknowledging. After the last patches they mysteriously set the service to Automatic startup but as we all can attest it does not start which results in a event log failures. They should acknowledge their error and publish a KB article telling us to disregard the error and set the service to manual. As usual they continue to release buggy updates and not address the issues that arise from them.
Mela Germier 96 Reputation points

2025-02-13T10:27:38.1733333+00:00

OS build: 26100.3194

And The Problem persist...

It's unbelievable how bad Microsoft support has become these days.

Here another issue where we are Fighting with Microsoft..... interesting for this who is as ADDS (https://techcommunity.microsoft.com/discussions/WindowsServerInsiders/when-is-network-profile-issue-for-domain-controllers-going-to-be-at-least-acknow/4156679)
Paul 15 Reputation points

2025-02-15T20:28:38.66+00:00

Exact same Service Status report here on all 2025 member servers and DCs

I found this video very useful https://youtu.be/nJ3gGNv8aZI

LocalKDC overview at time point 13.05 so from what I can ascertain this service that is reporting as not started should have no impact on your current DC/Client Kerberos setup and is a new additional Kerberos Implementation between local clients and workgroups to eliminate NTLM auths. Just my interpretation so I would reccomend watching the video and coming to your own conclusions

One of three on this blog and worth a watch https://techcommunity.microsoft.com/blog/windowsosplatform/active-directory-improvements-in-windows-server-2025/4202383

Furthermore according to this blog from Steve Syfuhs (Windows Cryptography, Identity, and Authentication team at Microsoft. https://syfuhs.net/steve) the LocalKDC and IAKerb aren't enabled "The lack of documentation is intentional. I have not enabled this feature yet. The fact that you see the service present is just an artifact of feature gating. https://www.reddit.com/r/sysadmin/comments/1d0xmms/local_kdc_service_on_windows_server_2025/

My DCs are now all migrated to Server 2025, show this Service not started warning as each one was migrated but AD and authentication are functioning as expected.

Not to say we all have the same environments of course..... so definitely test test test!
Olivier Hefti 0 Reputation points

2025-02-19T13:35:32.1533333+00:00

We have the same problem/warning on all Win 2025 Server version 24H2 (Build 26100.3194)... Some servers have been deleted for this reason and are now running on Windows Server 2022 again. It would be good if we just knew if the problem can be ignored for now and it has no consequences on the functions....
Ian G. Sully 21 Reputation points

2025-02-20T18:27:44.3366667+00:00

Yeah I am having the same issue right now. I can login to every Windows computer just fine. But when I use anything that uses Cisco ISE and ISE uses AD. Then it will not work, why? Because it cannot talk to Active Directory BECAUSE of this issue. So I don't know if there is any workaround because I need to get everything working again as soon as possible!
Trevor Haagsma 1 Reputation point

2025-02-20T22:52:05.3266667+00:00

Ian G Sully

try the following:

From gpedit:

Domain Controller Policy

===Computer Configuration

======Policies

=========Windows Settings

============Security Settings

===============Local Policies

==================Security Options

=====================Domain controller: LDAP server channel binding token requirements: "When Supported"

=====================Domain controller: LDAP server signing requirements: "None"

=====================Domain controller: LDAP server Enforce signing requirements: "Disabled"

=====================Network security: LDAP client encryption requirements: "Negotiate Sealing"

=====================Network security: LDAP client signing requirements: "Negotiate Signing"

Source: https://forum.netgate.com/topic/187453/ldap-authentication-with-active-directory-windows-server-2025-bind-fails/3

Answer 1

I opened a case with Microsoft on this. The answer I received did not make me feel warm and fuzzy, but I include it below. They could not give a clear answer on when this service will start working, what will happen if it is left disabled, or anything else of that nature. Without further ado...

Incident Description:

Local KDC service failing to start on Windows Server 2025 after December 2024 updates.

Expected Outcome:

Understand why the service is failing to start and what actions are needed to resolve the issue.

Environment:

Company had implemented around 7 Windows Servers 2025.

Company already promoted at least one of the servers as Domain Controllers and the goal is to continue refreshing DCs with the latest version of Windows Server.

Company discovered that other customers are also facing the same issue with Local KDC service as published in the link (link is to this thread).

Troubleshooting

MS Support performed internal research and discovered similar incidents reported.

As per Product Group analysis from previous cases, the local KDC feature is currently not in General Availability (GA), even though the service may be shown in OS.

Microsoft Product Group is actively working on this feature. Once it is ready for public preview, there will be more communication and updates provided via public article.

MS Support recommendation:

Disable the service on all your Windows Server 2025 servers, as this is a new feature that shouldn’t impact applications or other services.
Continue applying Updates to your Windows Servers.

tfc 15 Reputation points

2025-03-08T19:18:32.9566667+00:00

Thank you for the update Randy. I've just been setting the service to Manual on all my installs for now to prevent the event log errors on boot-up.
Trevor Haagsma 1 Reputation point

2025-03-08T22:41:04.8666667+00:00

Just reset the krb password and the KDC will start working again
Stefano Protopapa 0 Reputation points

2025-06-12T13:15:35.6533333+00:00

Disable the Local KDC service and then run dcpromo???

Answer 2

Mobyx 5

I have found that this service was disabled before the December update, for some reason it has gone to automatic and cannot be started, maybe this behavior is normal if you are not using this feature. After the January security patch the service still does not start, I think microsoft should report this problem.

Randy Smith 15 Reputation points

2025-01-28T19:04:28.2433333+00:00

I have seen this on all Server 2025 servers I have after both the December and January updates. Rolling back to November updates fixes it.

Answer 3

Anonymous

Hello,

Based on the information available, there are no officially documented issues specifically related to the Kerberos Local Key Distribution Center (LocalKDC) service in the KB5048667 update

https://support.microsoft.com/en-us/topic/december-10-2024-kb5048667-os-build-26100-2605-eb529853-d3a2-4c8d-bd0b-5fc6becb629c

You can send feedback to Microsoft by referring to this link:

https://support.microsoft.com/en-us/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332

Best Regards,

Hania Lian

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.

Ian Wall 0 Reputation points

2024-12-31T00:27:24.5933333+00:00

There may be no documented issues, but there are a decent number of people experiencing the issue. Please search Google for KB5048667 NTLM errors.
Wojciech 0 Reputation points

2025-01-02T12:05:29.5666667+00:00

Hello,

Issue exist for sure.
After clean installation and updates, new win 2025 server has the same problem.
tfc 15 Reputation points

2025-01-04T22:57:22.2266667+00:00

Dear Hania Lian- I can confirm the issue is real. Please stop gaslighting us and get the developers to fix it ASAP.
Michael Ryan 6 Reputation points

2025-01-06T02:47:58.38+00:00

Just saw this after patching, removed the update and the ADFS server was back. Hopefully we will see a fix soon.
Michael Ryan 6 Reputation points

2025-01-06T03:39:56.51+00:00

Same issue, I've just uninstalled the update and the ADFS server has returned as expected. Hopefully a proper fix soon.
STANWICK, JERALD 25 Reputation points

2025-01-09T14:35:51.5866667+00:00

Having the same issue, seems a growing issue Microsoft needs to address and fix
Ahmed Alsayed Ibrahim 0 Reputation points

2025-01-10T02:38:06.4266667+00:00

i have same issue, and now Windows Hello for Business Cloud Trust stop working.
tfc 15 Reputation points

2025-01-18T01:29:14.73+00:00

Microsoft ARE YOU LISTNEING YET!?!?!? Everyone is saying the same thing, you broke server 2025 with another botched update and you're ignoring your sys admins cries for help (as usual). FIX IT ASAP

Share via

Windows Server 2025 | Kerberos Local Key Distribution Center (LocalKDC) service fails to start

3 answers

Your answer