KDC Event-ID 11 - Windows Hello for Business

Kristof Van Woensel 41 Reputation points
2022-11-03T18:51:56.693+00:00

I'm trying to configure Windows Hello For Business with the help of this guide.

  • My certificates are hosted on a local IIS server and are reachable by my clients.
  • My CDP seems to be correctly configured:

(two screenshots of the CDP configuration were attached)

Even so, my client computers don't seem to download the correct certificates when I log in with pincode.
System log tells me that:
The Distinguished Name in the subject field of your smartcard logon certificate does not contain enough information to locate the appropriate domain on an unjoined machine. Please contact your system administrator. (Event-Id: 11)

Could it be that my client computer is still using an old certificate?


Accepted answer
  1. Nagappan Veerappan 651 Reputation points Microsoft Employee
    2022-11-08T14:48:05.887+00:00

    If your client machines are AADJ (cloud joined), they trust the domain name presented by the KDC certificate.
    Your KDC certificate should contain a subject with a Distinguished Name from which it can extract "DC=contoso, DC=com", i.e. if your domain is contoso.com.
    Else, if you have a CA template 2012 R2 and above, the default Subject Alternative Names populate the domain name in it,
    i.e. DNS name = DC1.contoso.com, DNS name = contoso.com.

    We already listed this in our known issues (I was the one who updated the doc :)). This would often happen if they used third-party CAs too.

    https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-deployment-issues#identifying-on-premises-resource-access-issues-with-third-party-cas

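The accepted answer says the client locates the domain either from DC= components in the KDC certificate's Subject DN or from the domain DNS name in its Subject Alternative Name. The script below is an added example (not code from this thread, from Microsoft, or from the linked article) that checks a domain controller's KDC certificates for exactly those two properties; $ExpectedDomain and the contoso.com value are assumptions to replace with your own AD DNS domain name. Run it in an elevated PowerShell session on the DC.

```powershell
# Added example (not code from the Q&A thread or from Microsoft): check a domain
# controller's KDC certificate for the two ways the accepted answer says an
# Entra-joined client can identify the domain. Run elevated on the DC.
# $ExpectedDomain is an assumption; replace it with your AD DNS domain name.
$ExpectedDomain = 'contoso.com'
$KdcAuthEku     = '1.3.6.1.5.2.3.5'   # OID of the "KDC Authentication" enhanced key usage

# Subject DN components the client extracts, e.g. DC=contoso and DC=com for contoso.com
$ExpectedDcParts = $ExpectedDomain.Split('.') | ForEach-Object { "DC=$_" }

# Only certificates carrying the KDC Authentication EKU are candidates for PKINIT/WHFB logon
$kdcCerts = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $KdcAuthEku })

if ($kdcCerts.Count -eq 0) {
    Write-Warning "No certificate with the KDC Authentication EKU ($KdcAuthEku) in LocalMachine\My."
    return
}

foreach ($cert in $kdcCerts) {
    Write-Host "Thumbprint : $($cert.Thumbprint)"
    Write-Host "Subject    : $($cert.Subject)"
    Write-Host "Expires    : $($cert.NotAfter)"

    # Check 1: the Subject DN carries the domain as DC= components.
    # Naive comma split; a DN value containing an escaped comma would need a real DN parser.
    $subjectParts = $cert.Subject -split ',\s*'
    $missingDc    = @($ExpectedDcParts | Where-Object { $subjectParts -notcontains $_ })
    $dnOk         = ($missingDc.Count -eq 0)

    # Check 2: the DNS names PowerShell exposes from the certificate (DnsNameList,
    # populated from the SAN extension) include the bare domain name.
    $dnsNames = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    $sanOk    = $dnsNames -contains $ExpectedDomain

    Write-Host ("DNS names  : " + ($dnsNames -join ', '))
    Write-Host "Subject DN has DC= parts for ${ExpectedDomain}: $dnOk"
    Write-Host "SAN lists ${ExpectedDomain}: $sanOk"

    if ($dnOk -or $sanOk) {
        Write-Host "OK - clients can locate the domain from this certificate." -ForegroundColor Green
    } else {
        Write-Warning ("Neither the Subject DN nor the SAN identifies $ExpectedDomain; expect KDC Event ID 11 " +
                       "on Entra-joined clients. Reissue from a template that populates them.")
    }
    Write-Host ''
}
```

A certificate that passes neither check is the situation the answer describes; one that passes only the SAN check corresponds to the 2012 R2+ template behaviour, and the DN check matches the "DC=contoso, DC=com" case. Run it again after reissuing the certificate to confirm the fix before retesting the PIN sign-in on a client.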

6 additional answers

  1. Kristof Van Woensel 41 Reputation points
    2022-11-09T09:08:49.783+00:00

    Ok, your solution resolved event 11.

    Now I'm stuck on event 3; the logs give me KDC_ERR_PREAUTH_REQUIRED.
    I read on the internet that I can ignore this error, but it prevents me from opening on-prem drives.
    When I try to open a folder on the server, it gives me

    (screenshot of the Windows error dialog attached)

    -- LOG EVENT 3 ----

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Kerberos" Guid="{98E6CFCB-EE0A-41E0-A57B-622D4E1B30B1}" EventSourceName="Kerberos" />
        <EventID Qualifiers="32768">3</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2022-11-09T07:30:26.0236466Z" />
        <EventRecordID>84754</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>System</Channel>
        <Computer>*****</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="LogonSession">leerlingen.smiks.int\VWOK</Data>
        <Data Name="ClientTime" />
        <Data Name="ServerTime">7:30:22.0000 11/9/2022 Z</Data>
        <Data Name="ErrorCode">0x19</Data>
        <Data Name="ErrorMessage">KDC_ERR_PREAUTH_REQUIRED</Data>
        <Data Name="ExtendedError" />
        <Data Name="ClientRealm" />
        <Data Name="ClientName" />
        <Data Name="ServerRealm">leerlingen.smiks.int</Data>
        <Data Name="ServerName">krbtgt/leerlingen.smiks.int</Data>
        <Data Name="TargetName">krbtgt/******@leerlingen.smiks.int</Data>
        <Data Name="ErrorText" />
        <Data Name="File">onecore\ds\security\protocols\kerberos\client2\logonapi.cxx</Data>
        <Data Name="Line">e18</Data>
        <Binary>30663043A103020113A23C043A3038302FA003020112A1281B264C4545524C494E47454E2E534D494B532E494E546B726973746F662E76616E776F656E73656C3005A0030201173009A103020102A20204003009A103020110A20204003009A10302010FA2020400</Binary>
      </EventData>
    </Event>

  2. Nagappan Veerappan 651 Reputation points Microsoft Employee
    2022-11-09T14:01:40.08+00:00

    Glad to hear that it resolved error 11.

    You can ignore error 3 "Pre-auth required"; that is how the destination machine demands auth before allowing access.

    1. Do you know whether you received a Kerberos ticket successfully with your WHFB sign-in? You need LOS to the DC; if remote, make sure the VPN is there.
    You can run "klist" from a user prompt to see the Kerberos ticket.

    2. Do you access the shared folder by FQDN? If not, it may fall back to NTLM, and a server-level NTLM restriction can block your access.

    3. If you try \\leerlingen.smiks.int\Sysvol in File Explorer, are you able to access it without a prompt to enter credentials?

  3. Kristof Van Woensel 41 Reputation points
    2022-11-09T16:16:34.837+00:00

    • It seems indeed that my ticket is not received.

    klist returns

    Current LogonId is 0:0x16c606e0

    Cached Tickets: (0)

    klist tgt returns

    Current LogonId is 0:0x16c606e0
    Error calling API LsaCallAuthenticationPackage (Ticket Granting Ticket substatus): 1312

    klist failed with 0x8009030e/-2146893042: Geen referenties beschikbaar in het beveiligingspakket

    • Accessing with the FQDN still gives me the prompt message.
    • Using certlm.msc I find the certificate in the list of trusted certificates on my client.

  4. Nagappan Veerappan 651 Reputation points Microsoft Employee
    2022-11-10T15:55:51.207+00:00

    You are right: you don't have any Kerberos ticket, so you cannot access any on-prem resources; the prompt you see is expected.

    If you are familiar with Kerberos troubleshooting, take a network trace; you would be able to figure it out.
    Make sure that while accessing the on-prem share folder you have line of sight to a DC to authenticate; if you are remote, make sure a VPN is available to reach the on-prem DCs.

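The two answers above amount to a three-step client-side check: confirm a krbtgt ticket exists after the WHFB sign-in, confirm line of sight to a DC (VPN if remote), and open the share by FQDN so Kerberos rather than NTLM is used. The script below is an added example (not code from the thread or from Microsoft) that runs those checks from the signed-in user's PowerShell session on the client; $Domain, $ShareUnc and the contoso.com value are assumptions to replace with your own domain and share. For reference, the klist failure quoted earlier (status 1312 and 0x8009030e) is the "no credentials in the security package" case the first check detects.

```powershell
# Added example (not code from the thread or from Microsoft): client-side checks for
# the steps the answers describe - is there a Kerberos TGT after the WHFB sign-in,
# is a DC reachable on the Kerberos port, and does the share open by FQDN.
# Run in the signed-in user's (non-elevated) PowerShell session on the client.
# $Domain and $ShareUnc are assumptions; replace them with your own values.
$Domain   = 'contoso.com'
$ShareUnc = "\\$Domain\SYSVOL"    # access by FQDN so Kerberos, not NTLM, is attempted

# Step 1: does the logon session hold a krbtgt ticket? klist prints "Cached Tickets: (N)"
# and one "Server: krbtgt/..." line per TGT; with no credentials it prints an error instead.
$klistOutput = (& klist.exe 2>&1) | Out-String
$ticketCount = if ($klistOutput -match 'Cached Tickets:\s*\((\d+)\)') { [int]$Matches[1] } else { -1 }
$hasTgt      = $klistOutput -match '(?m)^\s*Server:\s*krbtgt/'

if ($ticketCount -lt 0) {
    Write-Warning "klist returned no ticket list; the session has no Kerberos credentials:`n$klistOutput"
} elseif (-not $hasTgt) {
    Write-Warning "klist shows $ticketCount ticket(s) but no krbtgt TGT; the WHFB sign-in did not authenticate to a DC."
} else {
    Write-Host "TGT present ($ticketCount cached ticket(s))." -ForegroundColor Green
}

# Step 2: line of sight to a DC. Discover KDCs from the _kerberos._tcp SRV record and
# test the Kerberos TCP port on each; all failing usually means no VPN/route to the DCs.
$kdcs = @()
try {
    $kdcs = @(Resolve-DnsName -Type SRV -Name "_kerberos._tcp.$Domain" -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' })
} catch {
    Write-Warning "Could not resolve _kerberos._tcp.$Domain (DNS does not point at the domain): $($_.Exception.Message)"
}
$reachable = @()
foreach ($kdc in $kdcs) {
    $ok = Test-NetConnection -ComputerName $kdc.NameTarget -Port $kdc.Port `
                             -InformationLevel Quiet -WarningAction SilentlyContinue
    Write-Host ("KDC {0}:{1} reachable: {2}" -f $kdc.NameTarget, $kdc.Port, $ok)
    if ($ok) { $reachable += $kdc.NameTarget }
}
if ($kdcs.Count -gt 0 -and $reachable.Count -eq 0) {
    Write-Warning "No DC reachable on the Kerberos port; connect the VPN / fix routing before retesting."
}

# Step 3: open the share by FQDN. A credential prompt here while step 1 shows no TGT is expected.
if (Test-Path -LiteralPath $ShareUnc) {
    Write-Host "Share $ShareUnc is accessible." -ForegroundColor Green
} else {
    Write-Warning "Share $ShareUnc not accessible. Recheck steps 1 and 2, and avoid short names (NTLM fallback may be blocked by server NTLM restrictions)."
}

# Context only: recent Kerberos client Event ID 3 entries. KDC_ERR_PREAUTH_REQUIRED (0x19)
# is the normal pre-authentication challenge, not the cause of the access failure.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Security-Kerberos'; Id = 3 } `
             -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'FirstLine'; e = { ($_.Message -split "`n")[0].Trim() } } |
    Format-Table -AutoSize
```

Read the output top-down: no TGT with unreachable KDCs points at the network path (VPN or DNS) rather than at the certificate; no TGT with reachable KDCs means the sign-in itself did not obtain a ticket, which is where a network trace of the AS exchange, as the last answer suggests, is the next step.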
