WHFB - Sign-in failed. Contact your system administrator and tell them that the KDC certificate could not be validated.

Mtengmo 1 Reputation point
2022-12-20T08:04:10.13+00:00

I have some users on Win10 who get the error "KDC certificate could not be validated" when they try to log on with Face/PIN (WHFB). It seems that if they wait a couple of minutes until DirectAccess or Wi-Fi is connected, it works fine.
No issues in the event log on the DCs.
The CRL is public, internet-facing, and works both externally and internally for the users.
Related to https://social.technet.microsoft.com/Forums/office/en-US/08361cfd-0c9b-4481-9cc7-00920e374b01/kdc-certificate-could-not-be-validated-error?forum=winserversecurity

Has anyone solved this?

Windows for business | Windows Client for IT Pros | Devices and deployment | Configure application groups

1 answer

  1. Limitless Technology 44,776 Reputation points
    2022-12-20T16:59:18.74+00:00

    Hi,

    Thank you for posting your query.

    Kindly follow the steps provided below to resolve your issue.

    1. Clean up any root certificates that point to non-existent CAs in your Local Certificate Store (certlm.msc), leaving only your active CA server. These can be found in Trusted Root Certification Authorities and Intermediate Certification Authorities.

    2. Remove the DC's certificates using certlm.msc (Local Certificate Store): under Personal you will see the hostname of the DC; delete them all.

    3. Right-click Personal, choose All Tasks and then Request New Certificate, and follow the steps, adding the certificates deleted in step 2 or just adding all the templates.

    4. Do these same steps for all your DCs.

    Go to this link for your reference and other troubleshooting procedures https://learn.microsoft.com/answers/questions/958146/kdc-certificate-could-not-be-validated-error.html

    Do not hesitate to message us if you need further assistance.

    If the answer is helpful, kindly click "Accept as Answer" and upvote it.

    1 person found this answer helpful.
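
A read-only inventory to run on each DC before the deletion steps in the answer above, so you know what is in the stores and which DC certificates fail chain or revocation checks. This is an added example, not part of the original answer: the function name `Test-CertChain` is hypothetical, and "expired" is only used as a first filter for CA entries to review, since the script cannot know which CAs have been retired.

```powershell
# Read-only audit: nothing below modifies the certificate stores.
$kdcEku = '1.3.6.1.5.2.3.5'   # OID of the "KDC Authentication" EKU

function Test-CertChain {     # hypothetical helper name
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # $true = build the chain in the machine context, as the DC itself would
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $chain.ChainPolicy.RevocationMode = 'Online'       # fetch CRLs instead of using the cache
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'  # check every CA in the path
    $valid = $chain.Build($Cert)
    [pscustomobject]@{
        Valid  = $valid
        Status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# 1. Certificates in the DC's Personal store: who issued them, when they expire,
#    whether they carry the KDC Authentication EKU, and whether the chain builds.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $result = Test-CertChain -Cert $_
    [pscustomobject]@{
        Subject     = $_.Subject
        Issuer      = $_.Issuer
        NotAfter    = $_.NotAfter
        HasKdcEku   = $_.EnhancedKeyUsageList.ObjectId -contains $kdcEku
        ChainValid  = $result.Valid
        ChainStatus = $result.Status
        Thumbprint  = $_.Thumbprint
    }
} | Format-List

# 2. Expired entries in the root and intermediate CA stores. Listing only:
#    whether a CA is really gone still has to be confirmed by hand.
foreach ($store in 'Root', 'CA') {
    Get-ChildItem "Cert:\LocalMachine\$store" |
        Where-Object { $_.NotAfter -lt (Get-Date) } |
        Select-Object @{ n = 'Store'; e = { $store } }, Subject, NotAfter, Thumbprint
}
```

Keep the output from each DC so the thumbprints removed in step 2 can be compared with the certificates re-issued in step 3.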