bobdee-4338 asked:

Certificate Authority (CA) untrusted - KDC_ERROR_CLIENT_NOT_TRUSTED

I have 2 CAs configured, 1 on the DC (KDC) and 1 on an arbitrary AD-connected server. I installed the secondary CA on a different server as I couldn't find a way to have 2 CAs running off the same server. If this is wrong please let me know.

DC issued certs work fine. However, when trying to authenticate with certs issued by the arbitrary server, I get the following error:
Kerberos SessionError: KDC_ERROR_CLIENT_NOT_TRUSTED(Reserved for PKINIT)

Under adsi.msc and dsa.msc on the DC, I see no entries for:
CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=xxx,DC=xxx

'certutil' output from the DC shows both CAs, but it appears like I'm missing a step to trust certs from CAs issued from servers other than the KDC/DC.

Appreciate any assistance here.

windows-active-directory
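As an added diagnostic, not part of the original question or answer: a PowerShell script that reads the CA certificates published under the directory's Public Key Services containers and checks whether the issuing CA of a failing client certificate is among them (RSAT's ActiveDirectory module is assumed, and the certificate path is a placeholder).

```powershell
# Added example, not from the original post. Assumes a domain-joined Windows host
# with the RSAT ActiveDirectory module; $ClientCertPath is a constructed placeholder
# for the .cer of a client certificate that fails with KDC_ERROR_CLIENT_NOT_TRUSTED.
using namespace System.Security.Cryptography.X509Certificates

Import-Module ActiveDirectory
$ClientCertPath = 'C:\certs\client.cer'   # placeholder path
$pkiBase = "CN=Public Key Services,CN=Services," + (Get-ADRootDSE).configurationNamingContext

# Map thumbprint -> the AD PKI containers that publish that CA certificate.
# PKINIT requires the client certificate's issuing CA to be in NTAuthCertificates;
# the Certification Authorities container is where domain members pull trusted roots from.
$published = @{}
$sources = @(
    @{ Name = 'NTAuthCertificates';       Base = $pkiBase;                                 Filter = '(cn=NTAuthCertificates)' }
    @{ Name = 'CertificationAuthorities'; Base = "CN=Certification Authorities,$pkiBase"; Filter = '(objectClass=certificationAuthority)' }
)
foreach ($src in $sources) {
    Get-ADObject -SearchBase $src.Base -LDAPFilter $src.Filter -Properties cACertificate |
        ForEach-Object {
            foreach ($raw in $_.cACertificate) {
                $ca = [X509Certificate2]::new([byte[]]$raw)
                if (-not $published.ContainsKey($ca.Thumbprint)) { $published[$ca.Thumbprint] = @() }
                $published[$ca.Thumbprint] += $src.Name
            }
        }
}

# Build the client certificate's chain with local trust, then report for every CA
# in that chain whether the directory publishes it. Revocation is skipped on purpose:
# the question here is trust, not validity.
$client = [X509Certificate2]::new($ClientCertPath)
$chain  = [X509Chain]::new()
$chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
$chainOk = $chain.Build($client)

$report = foreach ($el in $chain.ChainElements) {
    $c = $el.Certificate
    if ($c.Thumbprint -eq $client.Thumbprint) { continue }   # skip the leaf itself
    $where = $published[$c.Thumbprint]
    [pscustomobject]@{
        Subject                    = $c.Subject
        Thumbprint                 = $c.Thumbprint
        InNTAuth                   = [bool]($where -contains 'NTAuthCertificates')
        InCertificationAuthorities = [bool]($where -contains 'CertificationAuthorities')
    }
}
$report | Format-Table -AutoSize

if (-not $chainOk) { Write-Warning "Chain did not build locally: $($chain.ChainStatus.StatusInformation -join '; ')" }
$issuer = $report | Select-Object -First 1   # element after the leaf is the issuing CA
if ($issuer -and -not $issuer.InNTAuth) {
    Write-Warning "Issuing CA '$($issuer.Subject)' is not in NTAuthCertificates; the KDC rejects PKINIT logons with certificates it issued."
}
```

If the issuing CA shows InNTAuth as False, `certutil -dspublish -f <ca.cer> NTAuthCA` publishes its certificate into NTAuthCertificates, and the `RootCA` target publishes a root into the Certification Authorities container.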

1 Answer

rr-4098 answered:

Is the DC the enterprise root CA, and the other server the subordinate? Also be careful about installing CA services on a DC. You may set yourself up for issues later on, as listed in the following article:

https://www.securew2.com/blog/should-i-install-ad-cs-on-domain-controller
