KDC certificate for the domain controller - Windows Event Log

AdamTyler-3590 275 Reputation points
2024-06-07T19:16:26.5766667+00:00

We are seeing this event log entry in some of our Windows clients.

User's image

After investigating, the SAN field of the certificate currently installed is confirmed not to include the domain name (domain.local in this example).

When we built our Root Certificate Authority, we cloned an existing template named "Domain Controller Authentication" for the purpose of issuing Domain Controller certificates.

User's image

After some research, it seems like the template "Kerberos Authentication" should have been used instead. Anyone familiar with this caveat and aware of what is best practice in this case?

https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust#supersede-existing-domain-controller-certificates

User's image

User's image

Regards
Adam Tyler


1 answer

  1. Daisy Zhou 21,361 Reputation points Microsoft Vendor
    2024-06-10T05:11:58.5166667+00:00

    Hello AdamTyler-3590,

    Thank you for posting in Q&A forum.

    I think you are right, as described in the event ID 20 you mentioned and in the screenshot, or below.

    By default, the Active Directory CA provides and publishes the Kerberos Authentication certificate template. The cryptography configuration included in the template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the Kerberos Authentication certificate template as a baseline to create an updated domain controller certificate template.

    The Kerberos Authentication certificate template is the most current certificate template designated for domain controllers and should be the one you deploy to all your domain controllers.

    Also, I have done a test in my lab.

    This certificate is issued using the Domain Controller Authentication certificate template.
    User's image

    This certificate is issued using the Kerberos Authentication certificate template.
    Here are the three DNS names in the SAN field of the certificate:
    User's image

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
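    A check for the condition discussed in this thread, as an added example that is not part of the original question, the answer, or Microsoft's own documentation. Run it in an elevated PowerShell session on a domain controller: it lists the machine certificates that carry the Server Authentication EKU (both the "Domain Controller Authentication" and the "Kerberos Authentication" templates issue those), and reports for each one the issuing template, whether the KDC Authentication EKU is present (only the Kerberos Authentication template adds it), and whether the domain DNS name (domain.local in the question) appears among the SAN DNS names. Assumptions: Windows PowerShell 5.1 on an English-language OS (the extension `.Format()` text that is parsed is localized), the `EnhancedKeyUsageList` property that the `Cert:` provider adds to certificate objects, and the domain name taken from `$env:USERDNSDOMAIN` unless one is passed as `-ExpectedDomainName`.

```powershell
# Added example (not from the original Q&A): find domain controller certificates
# whose Subject Alternative Name omits the domain DNS name, and show which
# template issued them.
# Assumptions: run elevated on the DC; English OS (.Format() output is localized);
# $ExpectedDomainName defaults to the machine's DNS domain, e.g. domain.local.
param(
    [string]$ExpectedDomainName = $env:USERDNSDOMAIN
)

$ServerAuthEku = '1.3.6.1.5.5.7.3.1'     # Server Authentication
$KdcAuthEku    = '1.3.6.1.5.2.3.5'       # KDC Authentication (Kerberos Authentication template only)
$SanOid        = '2.5.29.17'             # Subject Alternative Name
$TemplateV2Oid = '1.3.6.1.4.1.311.21.7'  # Certificate Template Information (v2+ templates)
$TemplateV1Oid = '1.3.6.1.4.1.311.20.2'  # Certificate Template Name (v1 templates)

function Get-ExtensionText {
    # Returns the single-line formatted text of one extension, or $null if absent.
    param($Certificate, [string]$Oid)
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $Oid } | Select-Object -First 1
    if ($null -eq $ext) { return $null }
    return $ext.Format($false)   # e.g. "DNS Name=dc01.domain.local, DNS Name=domain.local, DNS Name=DOMAIN"
}

function Get-SanDnsNames {
    # Extracts the DNS Name entries from the SAN extension (English format strings assumed).
    param($Certificate)
    $text = Get-ExtensionText -Certificate $Certificate -Oid $SanOid
    if (-not $text) { return @() }
    return [regex]::Matches($text, 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
}

function Get-TemplateName {
    # Reads the template name from the v2 extension, falling back to the v1 extension.
    param($Certificate)
    $v2 = Get-ExtensionText -Certificate $Certificate -Oid $TemplateV2Oid
    if ($v2 -and $v2 -match 'Template=([^(,]+)') { return $Matches[1].Trim() }
    $v1 = Get-ExtensionText -Certificate $Certificate -Oid $TemplateV1Oid
    if ($v1) { return $v1.Trim() }
    return '(no template extension)'
}

$results = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        (($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -contains $ServerAuthEku)
    } |
    ForEach-Object {
        $ekus = $_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }
        $san  = @(Get-SanDnsNames -Certificate $_)
        [pscustomobject]@{
            Thumbprint      = $_.Thumbprint
            NotAfter        = $_.NotAfter
            Template        = Get-TemplateName -Certificate $_
            HasKdcAuthEku   = ($ekus -contains $KdcAuthEku)
            SanDnsNames     = ($san -join ', ')
            DomainNameInSan = ($san -contains $ExpectedDomainName)   # -contains is case-insensitive
        }
    }

$results | Format-Table -AutoSize

# A certificate with DomainNameInSan = False matches the situation in the question;
# the answer's recommendation is to reissue from a template based on "Kerberos Authentication".
if ($results | Where-Object { -not $_.DomainNameInSan }) {
    Write-Warning "At least one server-authentication certificate omits '$ExpectedDomainName' from its SAN."
}
```

    Reading the template name from the certificate is what distinguishes a certificate issued from a clone of "Domain Controller Authentication" from one issued from a "Kerberos Authentication"-based template, since both carry Server Authentication; the `HasKdcAuthEku` column gives a second signal for the same distinction. The regex parsing of `.Format()` output is the fragile part: on a non-English OS the labels differ, so on such systems decode the SAN extension bytes directly instead of matching on the formatted text.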
