KDC Certificate Could Not Be Validated Error
This thread never received a clear answer, yet the issue it describes can still easily happen:
https://social.technet.microsoft.com/forums/office/en-US/08361cfd-0c9b-4481-9cc7-00920e374b01/kdc-certificate-could-not-be-validated-error
I ran into it today on my Server 2022 hosted DCs.
The fix is known; you probably see error 19 in your DCs' event logs:
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc733944(v=ws.10)
Bruce-Liu also mentions the fix here: https://social.msdn.microsoft.com/Forums/en-US/7d416107-bff4-45ab-876a-81fe56a68e25/kdc-can-not-find-a-suitable-certificate-for-smart-card-logon
In my case, while migrating our DCs I saw we also have a CA, so I migrated it as well. That seemed happy, but I started getting Windows Hello with KDC certificate errors. I then noticed the other DCs seemed to point to the old CA server in the subject of one of the root certificates. It seems the admins at the time spun up multiple CAs and removed them without decommissioning them properly, so it was pretty messy: the Root Certificate store was full of old CA servers (which also explains the KDC errors before the CA was even migrated).
So it actually was a pretty easy fix:
- Clean up any Root Certificates that point to non-existent CAs within your Local Certificate Store (certlm.msc), leaving only your active CA server. These can be found under Trusted Root Certification Authorities and Intermediate Certification Authorities.
- Remove the DC's certificates using certlm.msc (Local Certificate Store): under Personal you will see certificates with the hostname of the DC; delete them all.
- Right-click on Personal, choose All Tasks and Request New Certificate, following the steps and adding the certificates deleted in step 2, or just add all the templates.
- Repeat these same steps on all your DCs.
Now your DCs and CA speak the same encrypted language and you should notice no more KDC errors in the event logs of the DCs. :)
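The steps above are clicked through in certlm.msc; on a fleet of DCs it helps to first audit what the stores actually contain before deleting anything. The script below is an added example, not part of the original post: it lists Root/Intermediate entries whose subject does not match your active CA, removes them only when you pass -Remove (with -WhatIf support), checks whether the DC's Personal store holds a certificate carrying the KDC Authentication and Smart Card Logon EKUs issued by that CA, and pulls the last few error 19 events. The CA subject, the `DC=contoso` pattern, the template name `KerberosAuthentication` and the event provider name are assumptions; replace them with your own values.

```powershell
# Added example (not from the original post). Run elevated on a DC.
# $ActiveCaSubjects and $InternalCaPattern are constructed placeholders.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]]$ActiveCaSubjects = @('CN=CONTOSO-ISSUING-CA, DC=contoso, DC=com'),
    # Only entries matching this pattern are considered "ours"; public roots are left alone.
    [string]$InternalCaPattern = 'DC=contoso',
    [switch]$Remove
)

# EKU OIDs a DC certificate needs for PKINIT / Windows Hello for Business logon.
$KdcAuthOid        = '1.3.6.1.5.2.3.5'          # KDC Authentication
$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon

# Step 1: stale CA entries in Trusted Root (Root) and Intermediate (CA) stores.
$stale = foreach ($store in 'Root', 'CA') {
    Get-ChildItem "Cert:\LocalMachine\$store" |
        Where-Object { $_.Subject -match $InternalCaPattern -and
                       $_.Subject -notin $ActiveCaSubjects } |
        Select-Object @{n = 'Store'; e = { $store }}, Subject, NotAfter, Thumbprint, PSPath
}

if ($stale) {
    Write-Host "Internal CA entries that do not match an active CA:"
    $stale | Format-Table Store, Subject, NotAfter, Thumbprint -AutoSize
    if ($Remove) {
        foreach ($cert in $stale) {
            if ($PSCmdlet.ShouldProcess($cert.Subject, "Remove from $($cert.Store) store")) {
                Remove-Item -Path $cert.PSPath
            }
        }
    }
} else {
    Write-Host "No stale internal CA entries found."
}

# Steps 2-3: does this DC hold a usable KDC certificate from the active CA?
$kdcCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $ekus = $_.EnhancedKeyUsageList.ObjectId
    ($ekus -contains $KdcAuthOid) -and ($ekus -contains $SmartCardLogonOid)
}
$good = $kdcCerts | Where-Object { $_.Issuer -in $ActiveCaSubjects -and $_.NotAfter -gt (Get-Date) }
$bad  = $kdcCerts | Where-Object { $_.Issuer -notin $ActiveCaSubjects }

if ($bad) {
    Write-Host "KDC-capable certificates issued by a CA that is not active (delete these, as in step 2):"
    $bad | Format-Table Subject, Issuer, NotAfter, Thumbprint -AutoSize
}
if (-not $good) {
    Write-Host "No valid KDC certificate from the active CA. To re-enrol (template name assumed):"
    Write-Host "  Get-Certificate -Template 'KerberosAuthentication' -CertStoreLocation Cert:\LocalMachine\My"
} else {
    Write-Host "Valid KDC certificate present:"
    $good | Format-Table Subject, Issuer, NotAfter, Thumbprint -AutoSize
}

# Recent error 19 events from the KDC (provider name assumed; none returned means the log is clean).
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 19
} -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Run it once without -Remove on each DC to see what the stores contain, then with `-Remove -WhatIf` to preview and `-Remove` to delete. After re-enrolling, `certutil -dcinfo verify` gives a second, independent check that every DC's certificate chains to a CA the KDC can use.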