KDC Event-ID 11 - Windows Hello for Business

Question

KDC Event-ID 11 - Windows Hello for Business

Kristof Van Woensel 41

I'm trying to configure Windows Hello For Business with the help of this guide.

my certificates are hosted on a local IIS server and are reachable by my clients.
my cdp seems to be correctly configured:

Even so, my client computers don't seem to download the correct certificates when I log in with pincode.
System log tells me that:
The Distinguished Name in the subject field of your smartcard logon certificate does not contain enough information to locate the appropriate domain on an unjoined machine. Please contact your system administrator. (Event-Id: 11)

Could it be that my client computer is still using an old certificate?

Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator

2022-11-08T07:51:51.557+00:00

@Kristof Van Woensel Apologies for the delay in reviewing this post, I am researching on the Event id - 11 The Distinguished Name in the subject field of your smartcard logon certificate does not contain enough information to locate the appropriate domain on an unjoined machine. Please contact your system administrator, will revert back with my findings.

Accepted answer

6 additional answers

Your answer

Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator

2022-11-08T07:51:51.557+00:00

@Kristof Van Woensel Apologies for the delay in reviewing this post, I am researching on the Event id - 11 The Distinguished Name in the subject field of your smartcard logon certificate does not contain enough information to locate the appropriate domain on an unjoined machine. Please contact your system administrator, will revert back with my findings.

Answer 1

Nagappan Veerappan 651 Microsoft Employee

if your client machines are AADJ (cloud joined). They trust your domain name present by the KDC certificate
your KDC certificate should contain subject with "Distinguishname" -where it can extract "DC=contoso, Dc=Com" i.e if your domain is contoso.com
Else if you have CA template 2012R2 and above , default Subject alternative names populate domain name in it.
i.e dns name =DC1.contoso.com , DNS name =contoso.com

we already listed this in our known issue (I was the one updated the doc :)) . This would often happen if they used third party CAs too.

https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-deployment-issues#identifying-on-premises-resource-access-issues-with-third-party-cas

Kristof Van Woensel 41 Reputation points

2022-11-08T16:24:11.567+00:00

I changed my KDC Template to include the subject. It now contains CN, OU and DC values

CN = KB-DC4
OU = Domain Controllers
DC = leerlingen
DC = smiks
DC = int

The alternative subject contains the DNS values

DNS-naam=KB-DC4.leerlingen.smiks.int
DNS-naam=leerlingen.smiks.int
DNS-naam=SMIKS

I still get the same error when logging on.
Nagappan Veerappan 651 Reputation points Microsoft Employee

2022-11-08T17:44:20.26+00:00

Sorry, you have one more step to validate DC taken the new cert you put in place.

This would happen whenever you restart the "KDC" aka "Kerberos Key Distribution Center" Service
OR reboot of the box (not preferred)

you can track what cert KDC using by enabling this event logs (default not enabled) , also remember if you have multiple DCs. make sure all of them meet requirements as client can reach any DCs in the site.

Attaching the sample here

===========================

Log Name: Microsoft-Windows-Kerberos-Key-Distribution-Center/Operational
Source: Microsoft-Windows-Kerberos-Key-Distribution-Center
Date: 10/18/2022 6:33:13 PM
Event ID: 302
Task Category: KDC
Level: Information
Keywords:
User: SYSTEM
Computer: win2019VMDC02.bazinga.com
Description:
The Key Distribution Center (KDC) uses the below KDC certificate for smart card or certificate authentication.

Kdc Certificate Information:
Issuer Name: bazinga-WIN2019VMDC02-CA
Serial Number: 2D00000027CAA992DD1A1F98AC000000000027
Thumbprint: 394FAFCF068917FEA6CF881A5588806A37C16BBC
Template: DomainController
Raghu Sharma 1 Reputation point

2023-05-11T12:19:37.96+00:00

Thanks for the reply. Our domain functional level is 2012R2 and server is 2012R2. I am also getting the same error, will these steps work for us? I thought we have to have DC on server 2019 to get cloud to on-prem working without VPN. Please point me to correct direction.
Nagappan Veerappan 651 Reputation points Microsoft Employee

2023-05-11T13:11:52.5733333+00:00

Hi Raghu,

I am not aware of what deployment model you have in your org WHFB Key/cert/Cloud trust? what device your org using HAADJ/AADJ ?
based on that you can decide event id 11 actions. if you don't have WHFB at all. you don't need to concern event id 11.

If you only have 2012R2 DCs in your org. the only choice left is WHFB Certificate trust (along with ADFS /Intune based SCEP ) deployment
Raghu Sharma 1 Reputation point

2023-05-11T22:08:57.4166667+00:00

Hey mate, thanks for responding. We have WHfB with Device Cert coming from Internal CA via NDES, SCEP Profile in intune. We have mix of both HAADJ and AAD, but we are slowing moving to AAD only. Yeah devices are getting certs just fine but I do see errors and I am not able to access the onprem resources over the internet, as the OP mentioned. We also want to have this working.

Answer 2

Ok, your solution resolved event 11.

Now I'm stuck on event 3, the logs give me KDC_ERR_PREAUTH_REQUIRED.
I read on the internet that I can ignore this error, but it prevents me to open on prem drives.
When I try to open a folder on the server, it gives me

-- LOG EVENT 3 ----

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Kerberos" Guid="{98E6CFCB-EE0A-41E0-A57B-622D4E1B30B1}" EventSourceName="Kerberos" />
<EventID Qualifiers="32768">3</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2022-11-09T07:30:26.0236466Z" />
<EventRecordID>84754</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>System</Channel>
<Computer>*****</Computer>
<Security />
</System>
<EventData>
<Data Name="LogonSession">leerlingen.smiks.int\VWOK</Data>
<Data Name="ClientTime" />
<Data Name="ServerTime">7:30:22.0000 11/9/2022 Z</Data>
<Data Name="ErrorCode">0x19</Data>
<Data Name="ErrorMessage">KDC_ERR_PREAUTH_REQUIRED</Data>
<Data Name="ExtendedError" />
<Data Name="ClientRealm" />
<Data Name="ClientName" />
<Data Name="ServerRealm">leerlingen.smiks.int</Data>
<Data Name="ServerName">krbtgt/leerlingen.smiks.int</Data>
<Data Name="TargetName">krbtgt/******@leerlingen.smiks.int</Data>
<Data Name="ErrorText" />
<Data Name="File">onecore\ds\security\protocols\kerberos\client2\logonapi.cxx</Data>
<Data Name="Line">e18</Data>
<Binary>30663043A103020113A23C043A3038302FA003020112A1281B264C4545524C494E47454E2E534D494B532E494E546B726973746F662E76616E776F656E73656C3005A0030201173009A103020102A20204003009A103020110A20204003009A10302010FA2020400</Binary>
</EventData>
</Event>

Answer 3

Glad to hear that it resolved error 11.

you can ignore Error 3 "Pre-auth required" that is how destination machine demand auth before letting the access.

1.Do you know you received Kerberos ticket successfully with your WHFB sign-in?. you need LOS to DC. if remote make sure VPN there.
you can run "klist" from user prompt to see the kerberos ticket.

2.Do you access share folder by FQDN name? if not , it may fall back to NTLM and server level NTLM restriction can block your access.

If you try on file explorer \leerlingen.smiks.int\Sysvol - Do you able to access without prompt or without prompt to enter credential? -

Answer 4

It seems indeed that my ticket is not received.

klist returns

Current LogonId is 0:0x16c606e0

Cached Tickets: (0)

klist tgt returns

Current LogonId is 0:0x16c606e0
Error calling API LsaCallAuthenticationPackage (Ticket Granting Ticket substatus): 1312

klist failed with 0x8009030e/-2146893042: Geen referenties beschikbaar in het beveiligingspakket

Accessing with FQDN still gives me the prompt message.
Using certlm.msc I find the certificate in the list of trusted certificates on my client

Answer 5

Nagappan Veerappan 651 Microsoft Employee

You are right. you didn't have any Kerberos ticket. you cannot access any on-prem resources. the prompt you see is expected.

If you are familiar with Kerberos troubleshooting. take a network trace. you would be able to figure out
make sure while accessing on-prem share folder, you have line of sight to DC to authenticate, if you are on remote, make sure VPN available to reach on-prem DCs.

Share via

KDC Event-ID 11 - Windows Hello for Business

6 additional answers

Your answer