I have 2 CAs configured, 1 on the DC (KDC) and 1 on an arbitrary AD-connected server. I installed the secondary CA on a different server as I couldn't find a way to have 2 CAs running off the same server. If this is wrong please let me know.
DC-issued certs work fine. However, when trying to authenticate with certs issued by the arbitrary server, I get the following error:
Kerberos SessionError: KDC_ERROR_CLIENT_NOT_TRUSTED(Reserved for PKINIT)
Under adsi.msc and dsa.msc on the DC, I see no entries for:
CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=xxx,DC=xxx
'certutil' output from the DC shows both CAs, but it appears that I'm missing a step to trust certs issued by CAs on servers other than the KDC/DC.
Appreciate any assistance here.
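A diagnostic to narrow this down, added here as an example rather than anything from the post above. The KDC only accepts a PKINIT client certificate whose issuing CA is published in the NTAuthCertificates object under CN=Public Key Services (an enterprise CA installed by an Enterprise Admin gets published there automatically; a standalone CA, or one installed without those rights, does not). The script below reads the Enrollment Services, Certification Authorities and NTAuthCertificates containers from the Configuration partition, reports any enterprise CA that is absent from NTAuth, and checks the issuer of a given leaf certificate against the NTAuth list. It assumes the RSAT ActiveDirectory module and read access to the Configuration NC; `$IssuedCertPath` is an assumed location for a certificate exported from the second CA.

```powershell
# Added diagnostic, not from the original post. Assumes the ActiveDirectory RSAT
# module is installed and the caller can read the Configuration partition.
param(
    # Assumed path: a .cer issued by the second (non-DC) CA.
    [string]$IssuedCertPath = 'C:\temp\user-from-second-ca.cer'
)

Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

function ConvertTo-X509 {
    # cACertificate is a multi-valued DER blob attribute; turn each value into an object.
    param([byte[]]$Der)
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Der)
}

function Get-ContainerCerts {
    # One child object per CA (Enrollment Services, Certification Authorities).
    param([string]$ContainerDn)
    @(Get-ADObject -Filter * -SearchBase $ContainerDn -SearchScope OneLevel -Properties cACertificate |
      ForEach-Object { $_.cACertificate | ForEach-Object { ConvertTo-X509 $_ } })
}

# NTAuthCertificates is a single object; every CA the KDC trusts as a PKINIT issuer is in it.
$ntAuthObj = Get-ADObject -Identity "CN=NTAuthCertificates,$pkiBase" -Properties cACertificate
$ntAuth    = @($ntAuthObj.cACertificate | ForEach-Object { ConvertTo-X509 $_ })
$roots     = Get-ContainerCerts "CN=Certification Authorities,$pkiBase"
$enrollCAs = Get-ContainerCerts "CN=Enrollment Services,$pkiBase"   # what certutil lists as enterprise CAs

"Enterprise CAs (Enrollment Services):"
$enrollCAs | Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize
"Root CAs (Certification Authorities):"
$roots     | Select-Object Subject, Thumbprint | Format-Table -AutoSize
"PKINIT issuers (NTAuthCertificates):"
$ntAuth    | Select-Object Subject, Thumbprint | Format-Table -AutoSize

# Any enterprise CA missing from NTAuth will have its certificates rejected by the KDC.
$missing = $enrollCAs | Where-Object { $_.Thumbprint -notin $ntAuth.Thumbprint }
foreach ($ca in $missing) {
    Write-Warning "Enterprise CA '$($ca.Subject)' is not in NTAuthCertificates; PKINIT with its certs will fail."
}

# Check the concrete leaf: build its chain locally and look up the issuing CA in NTAuth.
if (Test-Path $IssuedCertPath) {
    $leaf  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($IssuedCertPath)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $null  = $chain.Build($leaf)   # result ignored; we only need the issuer element if one was found
    $issuer = $chain.ChainElements | Select-Object -Skip 1 -First 1 | ForEach-Object { $_.Certificate }

    if ($issuer -and ($ntAuth.Thumbprint -contains $issuer.Thumbprint)) {
        "Issuer '$($issuer.Subject)' is in NTAuth; the KDC should accept certs from this CA."
    } else {
        Write-Warning "Issuer '$($leaf.Issuer)' was not found in NTAuthCertificates."
        Write-Warning "Publish the CA certificate from the DC (Enterprise Admin) and refresh the KDC's store:"
        Write-Warning "  certutil -dspublish -f <SecondCA.cer> NTAuthCA"
        Write-Warning "  certutil -dspublish -f <SecondCA.cer> RootCA   # only if it is a self-signed root"
        Write-Warning "  certutil -pulse ; gpupdate /force"
    }
}
```

`certutil -viewstore -enterprise NTAuth` shows the same NTAuth list from the DC's point of view and is a quick cross-check after publishing. If the second CA is subordinate to the DC's CA, only the `NTAuthCA` publish is needed; if it is its own root, it must also appear under Certification Authorities (the `RootCA` target) so that clients and the KDC can build a trusted chain at all.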