Forum Discussion
hannessyZv
Jul 19, 2023 - Copper Contributor
PIN authentication error after hybrid join
I have just rolled out hybrid join to several older devices in my company, which worked pretty well at first and those devices also joined Intune right away. However, for some reason only today, ...
edsonfagundes
Jul 19, 2023 - Copper Contributor
https://social.technet.microsoft.com/Forums/sharepoint/en-US/19759374-c928-450a-96a0-39a7a6003e74/kdc-event-id-29-the-kdc-cannot-find-a-suitable-certificate-to-use-for-smart-card-logons#:~:text=The%20Key%20Distribution%20Center%20%28KDC%29%20cannot%20find%20a,certutil.exe%20or%20enroll%20for%20a%20new%20KDC%20certificate.
hannessyZv
Thank you for your efforts in working closely with us.
We were able to repro this event ourselves by taking a CA offline. We noticed that when starting the KDC service, an attempt to validate the DC cert is made and that attempt fails with KDC_ERR_KDC_NOT_TRUSTED since the revocation server was offline along with the CA.
This is likely what is happening with you as well. To confirm the same, please create the following registry value on your Windows Server 2008 servers and restart the KDC to see if the warning event goes away.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\kdc]
"UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors"=dword:00000001
After you set this DWORD value to 1, the Kerberos clients will ignore "Revocation unknown" errors that are caused by an expired CRL.
After you perform the test, please revert the registry value back and let us know the result:
1. Does the warning go away after you configure the above registry value?
2. Where do you put the CRL to?
Please feel free to let us know if anything is unclear.
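The quoted procedure above (set the registry value on the KDC, restart the service, see whether the warning stops, then revert) can be scripted so that the previous state is recorded and the revert is not forgotten. The following PowerShell is an added example for this thread, not code from either poster or from Microsoft; it runs on the domain controller in an elevated session. Assumptions are marked in comments: that the KDC warning is event ID 29 under a provider name containing "Kerberos-Key-Distribution-Center" in the System log, that the DC certificate carries the KDC Authentication EKU (OID 1.3.6.1.5.2.3.5), and that certutil prints CRYPT_E_REVOCATION_OFFLINE when it cannot reach the CRL distribution point. The read-only part also answers the second question in the reply ("where do you put the CRL to?") by listing the CDP URLs embedded in the DC certificate and letting certutil try to fetch them.

```powershell
# Added diagnostic helper for the KDC revocation problem discussed in the thread.
# Not part of the original posts. Run on the DC in an elevated PowerShell session.

$KdcKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$KdcValue = 'UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors'

function Get-KdcCertWarning {
    # Returns recent KDC warnings with event ID 29 from the System log (the event
    # the linked TechNet thread is about). The provider-name filter is an assumption.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'System'; Id = 29; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*Kerberos-Key-Distribution-Center*' } |
        Select-Object TimeCreated, Id, ProviderName, Message
}

function Test-DcCertRevocation {
    # Exports the DC's KDC certificate and has certutil fetch the CRL from the CDP
    # URLs in the certificate. An unreachable CRL is exactly the "revocation
    # unknown" condition that the registry workaround in the thread masks.
    # Assumption: the DC certificate carries the KDC Authentication EKU 1.3.6.1.5.2.3.5.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.2.3.5' } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw 'No certificate with the KDC Authentication EKU found in LocalMachine\My.' }

    $tmp = Join-Path $env:TEMP 'dc-cert.cer'
    $der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($tmp, $der)
    # -urlfetch makes certutil download AIA/CDP artefacts instead of relying on the local cache.
    $out = & certutil.exe -verify -urlfetch $tmp 2>&1 | ForEach-Object { "$_" }
    Remove-Item $tmp -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Subject         = $cert.Subject
        Thumbprint      = $cert.Thumbprint
        NotAfter        = $cert.NotAfter
        # CDP locations certutil reports; compare these with where the CRL is really published.
        CdpUrls         = @(($out | Select-String -Pattern 'http\S+\.crl' -AllMatches).Matches.Value | Select-Object -Unique)
        # Assumption: certutil reports an unreachable CRL with this error name.
        CrlOffline      = [bool]($out -match 'CRYPT_E_REVOCATION_OFFLINE')
        RevocationLines = @($out | Select-String -Pattern 'revocation' | ForEach-Object { $_.Line })
        RawOutput       = $out
    }
}

function Enable-KdcCrlWorkaround {
    # Applies the registry value from the thread and restarts the KDC. Returns the
    # previous value so it can be restored ($null means the value did not exist).
    $previous = (Get-ItemProperty -Path $KdcKey -Name $KdcValue -ErrorAction SilentlyContinue).$KdcValue
    New-ItemProperty -Path $KdcKey -Name $KdcValue -PropertyType DWord -Value 1 -Force | Out-Null
    Restart-Service -Name kdc -Force
    $previous
}

function Restore-KdcCrlSetting {
    # Reverts the workaround: deletes the value if it did not exist before, else sets it back.
    param($Previous)
    if ($null -eq $Previous) {
        Remove-ItemProperty -Path $KdcKey -Name $KdcValue -ErrorAction SilentlyContinue
    } else {
        Set-ItemProperty -Path $KdcKey -Name $KdcValue -Value $Previous -Type DWord
    }
    Restart-Service -Name kdc -Force
}

# Step 1: read-only checks. If CrlOffline is True, the KDC cannot reach the CDP and the
# warning in the thread is expected; the CdpUrls tell you where it is looking.
Test-DcCertRevocation | Format-List Subject, NotAfter, CdpUrls, CrlOffline, RevocationLines
Get-KdcCertWarning -Hours 24 | Format-Table TimeCreated, Message -Wrap

# Step 2 (changes the DC, so run it deliberately): apply the workaround, check whether
# event 29 stops being logged, then put the setting back as the reply asks.
# $prev = Enable-KdcCrlWorkaround
# Get-KdcCertWarning -Hours 1
# Restore-KdcCrlSetting -Previous $prev
```

Treat the registry value as a test, as the reply does: while it is set to 1, the KDC ignores "revocation unknown" results for its own certificate chain, so the finding you want from step 1 is the CDP URL list and the CrlOffline flag, which point at the actual fix (publishing the CRL where the certificate says it is, or reissuing the DC certificate with reachable CDP URLs).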