Event ID 21 found after manually mapping a computer certificate.

Kane 81 Reputation points
2023-04-26T17:17:41.62+00:00

Hi;

I manually mapped a computer certificate to the altSecurityIdentities attribute of the computer object in Active Directory. I saw an Event ID 21 warning in Event Viewer. What should I do?

The client certificate for the user DOMAIN\LAPTOP01$ is not valid, and resulted in a failed smartcard logon. Please contact the user for more information about the certificate they're attempting to use for smartcard logon. The chain status was : The operation completed successfully.

- System
  - Provider
     [ Name]  Microsoft-Windows-Kerberos-Key-Distribution-Center
     [ Guid]  {3FD9DA1A-5A54-46C5-9A26-9BD7C0685056}
     [ EventSourceName]  KDC
  - EventID 21
     [ Qualifiers]  32768
    Version 0
    Level 3
    Task 0
    Opcode 0
    Keywords 0x80000000000000
  - TimeCreated
     [ SystemTime]  2023-04-26T16:18:52.000000000Z
    EventRecordID 3366323
    Correlation
  - Execution
     [ ProcessID]  0
     [ ThreadID]  0
    Channel System
    Computer dc1.domain.com
    Security

- EventData
    Domain DOMAIN.COM
    Username DOMAIN\LAPTOP01$
    Status The operation completed successfully.
    00000000000000000000000000000000

Windows for business | Windows Client for IT Pros | Directory services | Active Directory

1 answer

  1. Limitless Technology 44,766 Reputation points
    2023-04-27T15:04:51.26+00:00

    Hello,

    The warning is very explicit that the "client certificate for the user is not valid".

    Please check the following official article, in the section "Certificate mappings", to ensure that the format and process are done correctly.

    https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16

    --If the reply is helpful, please Upvote and Accept as answer--
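
The article linked in the answer lists the altSecurityIdentities mapping formats, marks each as strong or weak, and requires the serial number in an X509IssuerSerialNumber mapping to be written in reversed byte order. The following is an added example, not part of the original thread and not Microsoft's code: a Python check of a stored mapping string against a certificate's serial number. The function names and the sample issuer and serial are constructed for illustration.

```python
import re

# Mapping types and strength as listed in KB5014754, section "Certificate mappings".
STRENGTH = {
    ("I", "SR"): "strong",        # X509IssuerSerialNumber
    ("SKI",): "strong",           # X509SKI
    ("SHA1-PUKEY",): "strong",    # X509SHA1PublicKey
    ("I", "S"): "weak",           # X509IssuerSubject
    ("S",): "weak",               # X509SubjectOnly
    ("RFC822",): "weak",          # X509RFC822
}
# Constructed sample values, not taken from the question.
SAMPLE_ISSUER = "DC=com,DC=contoso,CN=CONTOSO-DC-CA"
SAMPLE_SERIAL = "2b 00 00 00 00 11 ac 00 00 00 00 12"

def parse_mapping(value):
    """Split 'X509:<TAG>data<TAG>data' into an ordered list of (tag, data)."""
    if not value.upper().startswith("X509:"):
        raise ValueError("not an X509 altSecurityIdentities mapping")
    return re.findall(r"<([A-Za-z0-9-]+)>([^<]*)", value[5:])

def classify(value):
    """Return 'strong', 'weak' or 'unknown' for a mapping string."""
    tags = tuple(tag.upper() for tag, _ in parse_mapping(value))
    return STRENGTH.get(tags, "unknown")

def reverse_serial(serial_hex):
    """Byte-reverse a serial as displayed in the certificate (spaces/colons allowed)."""
    digits = re.sub(r"[\s:]", "", serial_hex)
    if len(digits) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", digits):
        raise ValueError("serial must be an even number of hex digits")
    pairs = [digits[i:i + 2] for i in range(0, len(digits), 2)]
    return "".join(reversed(pairs)).upper()

def issuer_serial_mapping(issuer_dn, serial_hex):
    """Build the X509IssuerSerialNumber string from issuer DN and displayed serial."""
    return f"X509:<I>{issuer_dn}<SR>{reverse_serial(serial_hex)}"

def check_issuer_serial(value, serial_hex):
    """Compare the <SR> part of a stored mapping with the certificate's serial."""
    fields = {tag.upper(): data for tag, data in parse_mapping(value)}
    stored = fields.get("SR", "").upper()
    if stored == reverse_serial(serial_hex):
        return "ok"
    if stored == re.sub(r"[\s:]", "", serial_hex).upper():
        return "serial-not-reversed"   # serial copied as displayed, bytes not reversed
    return "mismatch"
```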
