This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(83.2, 14.000000000000002%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBG%3C/text%3E%3C/svg%3E)
Running Windows Server 2019. In the early morning of Sept 16, 2021 this update auto-installed and restarted the server (September 14, 2021—KB5005568). Now, the event noted below has began to appear anytime a user signs in to their computer. None of our users use Smartcards, but we do run hybrid Azure AD with Windows Hello for Business enabled. Doesn't seem to be causing any issues, but I'd still like to know what the underlying issue is and correct it.
Any ideas?
Kerberos-Key-Distribution-Center
The client certificate for the user "DOMAIN\user" is not valid, and resulted in a failed smartcard logon. Please contact the user for more information about the certificate they're attempting to use for smartcard logon. The chain status was : A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 37%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAP%3C/text%3E%3C/svg%3E)
II see the same behavior in my infrastructure as ell. Several domain controllers running Windows Server 2019, after being patched earlier this month this event started to pop up on each dc used by users. Also running hybrid Azure AD with WHfB. No recent changes to CA or GPOs.
No issue with users log on at the moment, but those warnings are messing with our monitoring.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 28.000000000000004%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EB%3C/text%3E%3C/svg%3E)
Glad to here no issues with anything for you as well! But I would like to know why these are popping up for sure. Don't want them to become failures down the road.
Agreed. I would have normally posted on TechNet, but it seems that platform has been discontinued... although somehow users are still posting their questions. I'm wondering if the Microsoft techs ignore this platform since none of them have responded. So very disappointing.
Did anyone find any kind of solution to this?
I was waiting to see if maybe some hotfix would be released during last week's Patching Tuesday, installed all the updates on our servers last weekend, but I still see the warnings in the logs of all domain controllers hit by authentication requests.
I'm still having the same issue as well. Very frustrating.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(230.39999999999998, 93%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EW%3C/text%3E%3C/svg%3E)
I see the same behavior here. I added a Server 2022 DC within the last days, but it looks like this was not the source of the issue.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(294.40000000000003, 66%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAP%3C/text%3E%3C/svg%3E)
Hello,
I hame the same problem on my 2016 DC. IT's linked to a certificate for Windows HEllo for Business.
At the initialization of Hello, a certificate (public one) is generated and put on the personal certificate store of the user. The problem is, the Root CA for this certificate is not present, and we don't know which Root CA is.
the way i found to solve the warning is to put the certificate (issued for hello from a public certificate) (in my screenshot), into the Trusted Root Certificate Authorities in the user part.
Hello,
Some news about this issue. I open a case to Microsoft some time ago, after providing some logs, the product group has been notify about the "issue".
It seems related to an update, a rare condition. I keep you informed when i have more information.
Hi. Unfortunately, all of this is already in place for our server. We only have one server and it is a domain controller and Windows Hello works perfectly for everyone. We're experiencing no issues except the Warning Messages.
Also, the Windows Update I'm referring to was released Sept 14, 2021. The update referenced in the link you provided is dated October 2016. So it doesn't really apply to me, but thank you anyway.
This warning pops for my Windows Hello users as well as for a couple of my VMs that I have credential guard and TPM enabled. I've been trying to figure out if it is something to be concerned about or not, as nothing has actually stopped working! The computer ones happen around once per hour, and the Windows Hello ones when they sign in.
Example Event ID 21 for the COMPUTER accounts:
The client certificate for the user DOMAIN\COMPUTER$ is not valid, and resulted in a failed smartcard logon.
Please contact the user for more information about the certificate they're attempting to use for smartcard logon.
The chain status was : A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
It definitely started directly following the update on September 14th - KB5005102
We utilize AD CS and it is a trusted root authority on the DCs. Everything looks fine, nothing expired, and no changes were made to the CS setup recently. I checked the NTAuthCertificates store and the CA cert is there as well.
I'm not seeing this error anymore. I don't know if the 2021-10 Cumulative Updates corrected it, but I didn't see this error logged any times during the month of October.
I'm still seeing the error. Unfortunately.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 27%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDT%3C/text%3E%3C/svg%3E)
I just noticed the same error yesterday after troubleshooting another CA certificate issue which was unreleated. We implemented WHfB via Hybrid Azure AD joined Certificate Trust method back in 2019. Looking through the event log on the DC, I see the error all the way back into May 2021 so this doesn't look to be related to a recent Update. May have been longer but event log stops in May 2021. Fortunately, doesn't look to be affecting WHfB at this time, perhaps because we don't use Smart Cards. Will investigate and respond if I find anything.
Interesting. My error didn't appear until that update. And yah... doesn't seem to be causing any issues at the moment. We don't use smartcards either.
Correction, we use the Key Trust model not Certificate Trust. Interestingly, if I use a FIDO2 key to login, I do not receive the error. I'm going back to look at the properties of the Kerberos Authentication template. I generated this 2 years back so perhaps something is out of date.
Ok, I was able to resolved the issue by creating a new Kerberos certificate and deploying it. The older cert was using an older template. I just created the new Kerberos template/certificate following these instructions: https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki
Good luck,
-Doug
I spoke to soon, I'm still seeing this event.
On my side i have open a case to Microsoft support, i will share the solution when i have it.
These warning event is flooding my log on domain controller.
There will be one event for every login sequence be it from start or lock screen. What I don't understand is how WHfb is working given this error doesn't pertain to the WHfB. But based upon the outupt of this:
H:\>certutil -scinfo
They seem to be related.
That would be incredibly helpful. Thank you.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 39%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EW%3C/text%3E%3C/svg%3E)
Any news from support on these?
Confirmation that the November Cumulative Updates didn't fix this for anyone?
Confirmed. No change.
What I also find interesting is tha several people had supposely opened a ticket with Microsoft but yet there has been no follow-up......
I have already open a case to Microsoft about this sometime ago, and the issue has been raise to the Product department. No more information about when this issue will be solved.
Did they confirm it was a bug or what is triggering this event since it seems to be isolated to a few customers.
The support confirm to me that yes some customer have the issue, not all, and the Microsoft is working on a bugfix. A "condition" has been change by a security Patch and that change make the warning message.
Thank you for the update. At least we know it's a bug. Did they tell you the specific Security Patch? Is this a vulnerability since they are keeping this hush hush?
