Certificate Authority (CA) untrusted - KDC_ERROR_CLIENT_NOT_TRUSTED

bob dee 1 Reputation point
2022-05-20T07:56:39.873+00:00

I have 2 CAs configured, 1 on the DC (KDC) and 1 on an arbitrary AD-connected server. I installed the secondary CA on a different server as I couldn't find a way to have 2 CAs running off the same server. If this is wrong please let me know.

DC issued certs work fine. However, when trying to authenticate with certs issued by the arbitrary server, I get the following error:
Kerberos SessionError: KDC_ERROR_CLIENT_NOT_TRUSTED(Reserved for PKINIT)

Under adsi.msc and dsa.msc on the DC, I see no entries for:
CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=xxx,DC=xxx

'certutil' output from the DC shows both CAs, but it appears like I'm missing a step to trust certs from CAs issued from servers other than the KDC/DC.

Appreciate any assistance here.
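For context on the error: a Windows KDC only accepts a PKINIT client certificate whose issuing CA is published in the enterprise NTAuth store (the CN=NTAuthCertificates object under CN=Public Key Services in the Configuration partition). An Enterprise CA installed by an Enterprise Admin is added there automatically; a CA installed as a standalone CA on another server is not, which matches the symptom of DC-issued certs working while certs from the second CA fail with KDC_ERROR_CLIENT_NOT_TRUSTED. The PowerShell below is an added diagnostic that is not part of the original thread or of Microsoft's own tooling. It assumes the failing client certificate has been exported to a file (C:\temp\client.cer is a hypothetical path) and that it runs on a domain-joined host with read access to the Configuration partition; it builds the local chain, then checks whether each issuer in that chain is published in NTAuthCertificates and in the Certification Authorities container the question mentions.

```powershell
# Added diagnostic script (not from the original thread).
# Assumption: the client certificate to test was exported to $ClientCertPath.
param([string]$ClientCertPath = 'C:\temp\client.cer')   # hypothetical path

$x509 = 'System.Security.Cryptography.X509Certificates'

# Load the client certificate and build its chain with the local machine's stores.
$client = [type]"$x509.X509Certificate2" | ForEach-Object { $_::new($ClientCertPath) }
$chain  = [type]"$x509.X509Chain" | ForEach-Object { $_::new() }
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # only the issuer identity matters here
[void]$chain.Build($client)

# Every chain element after the first is an issuing or root CA certificate.
$issuers = @($chain.ChainElements | Select-Object -Skip 1 | ForEach-Object { $_.Certificate })
if ($issuers.Count -eq 0) { throw "Could not build a chain for $ClientCertPath on this host." }

# Find the Configuration naming context of the forest we are joined to.
$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

function Get-PublishedCaCerts {
    # Returns every certificate stored in the cACertificate attribute at or below the DN.
    # NTAuthCertificates keeps them on the object itself; Certification Authorities
    # keeps one child object per CA, so the search runs over the subtree.
    param([string]$ContainerDn)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$ContainerDn")
    $searcher.Filter      = '(cACertificate=*)'
    $searcher.SearchScope = 'Subtree'
    [void]$searcher.PropertiesToLoad.Add('cACertificate')
    foreach ($result in $searcher.FindAll()) {
        foreach ($blob in $result.Properties['cacertificate']) {
            [type]"$x509.X509Certificate2" | ForEach-Object { $_::new([byte[]]$blob) }
        }
    }
}

$ntAuth      = @(Get-PublishedCaCerts "CN=NTAuthCertificates,$pkiBase")
$caContainer = @(Get-PublishedCaCerts "CN=Certification Authorities,$pkiBase")

# Report, for each issuer in the chain, whether the KDC-side trust stores know it.
foreach ($issuer in $issuers) {
    [pscustomobject]@{
        Issuer                     = $issuer.Subject
        Thumbprint                 = $issuer.Thumbprint
        InNTAuth                   = ($ntAuth.Thumbprint -contains $issuer.Thumbprint)
        InCertificationAuthorities = ($caContainer.Thumbprint -contains $issuer.Thumbprint)
    }
}
```

A chain whose issuing CA shows InNTAuth = False is exactly the case the KDC rejects for PKINIT. The documented way to publish a CA certificate into those containers is `certutil -dspublish -f <ca-cert.cer> NTAuthCA` (for NTAuthCertificates) and `certutil -dspublish -f <ca-cert.cer> RootCA` (for Certification Authorities), run as an Enterprise Admin; domain controllers pick up the change on their next certificate autoenrollment refresh, which `certutil -pulse` triggers without waiting for the timer. Publishing a CA to NTAuth means every certificate it issues becomes usable for smart-card and certificate logon, so it should only be done for a CA whose issuance policy and templates have been reviewed for that purpose.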

1 answer

rr-4098 1,196 Reputation points
2022-05-22T08:22:50.513+00:00

Is the DC the enterprise root CA, and the other server the subordinate? Also be careful about installing CA services on a DC. You may set yourself up for issues later on, as listed in the following article:

https://www.securew2.com/blog/should-i-install-ad-cs-on-domain-controller
