This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(83.2, 14.000000000000002%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBG%3C/text%3E%3C/svg%3E)
Running Windows Server 2019. In the early morning of Sept 16, 2021 this update auto-installed and restarted the server (September 14, 2021—KB5005568). Now, the event noted below has began to appear anytime a user signs in to their computer. None of our users use Smartcards, but we do run hybrid Azure AD with Windows Hello for Business enabled. Doesn't seem to be causing any issues, but I'd still like to know what the underlying issue is and correct it.
Any ideas?
Kerberos-Key-Distribution-Center
The client certificate for the user "DOMAIN\user" is not valid, and resulted in a failed smartcard logon. Please contact the user for more information about the certificate they're attempting to use for smartcard logon. The chain status was : A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 37%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAP%3C/text%3E%3C/svg%3E)
II see the same behavior in my infrastructure as ell. Several domain controllers running Windows Server 2019, after being patched earlier this month this event started to pop up on each dc used by users. Also running hybrid Azure AD with WHfB. No recent changes to CA or GPOs.
No issue with users log on at the moment, but those warnings are messing with our monitoring.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 28.000000000000004%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EB%3C/text%3E%3C/svg%3E)
Glad to here no issues with anything for you as well! But I would like to know why these are popping up for sure. Don't want them to become failures down the road.
Agreed. I would have normally posted on TechNet, but it seems that platform has been discontinued... although somehow users are still posting their questions. I'm wondering if the Microsoft techs ignore this platform since none of them have responded. So very disappointing.
Did anyone find any kind of solution to this?
I was waiting to see if maybe some hotfix would be released during last week's Patching Tuesday, installed all the updates on our servers last weekend, but I still see the warnings in the logs of all domain controllers hit by authentication requests.
I'm still having the same issue as well. Very frustrating.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(230.39999999999998, 93%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EW%3C/text%3E%3C/svg%3E)
I see the same behavior here. I added a Server 2022 DC within the last days, but it looks like this was not the source of the issue.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(294.40000000000003, 66%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAP%3C/text%3E%3C/svg%3E)
Hello,
I hame the same problem on my 2016 DC. IT's linked to a certificate for Windows HEllo for Business.
At the initialization of Hello, a certificate (public one) is generated and put on the personal certificate store of the user. The problem is, the Root CA for this certificate is not present, and we don't know which Root CA is.
the way i found to solve the warning is to put the certificate (issued for hello from a public certificate) (in my screenshot), into the Trusted Root Certificate Authorities in the user part.
Hello,
Some news about this issue. I open a case to Microsoft some time ago, after providing some logs, the product group has been notify about the "issue".
It seems related to an update, a rare condition. I keep you informed when i have more information.
If you enable CAPI2 log on the client computer and set the size of the log to at least 4096K
Then ask a user to login using his smartcard
Look for errors in the CAPI2 log.
CAPI2 log
Event Viewer / Applications and Services Logs / Microsoft / Windows / CAPI2
It may give you more information
These three ERRORS are being recorded several times for several different [ProcessName]'s.
Result The revocation function was unable to check revocation for the certificate.
[ value] 80092012
Result The certificate is not valid for the requested usage.
[ value] 800B0110
Result A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
[ value] 800B0109
That there is no changes in your internal PKI ?
Can you validate that there is no issuing CA in the trusted root store ?
You can validate using this PS command:
Get-Childitem cert:\LocalMachine\root -Recurse | Where-Object {$.Issuer -ne $.Subject}
The forum nuked the underscores, hopefully this works:
Get-Childitem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject}
First... thank you for your help.
I ran the command (I needed to add underscore after $). It didn't appear to do anything and returned me to the command prompt.
PS C:\Users\Administrator> Get-Childitem cert:\LocalMachine\root -Recurse | Where-Object {$.Issuer -ne $.Subject}
PS C:\Users\Administrator>
Hello @Brian G ,
In fact this new updates have changed how the Key authentication works.
There was a previous thread on this topic, where a community member created an article for a workaround this behavior:
Hope this also helps in your case,
----------------------------------------------------------------------------------------------------------------------
--If the reply is helpful, please Upvote and Accept as answer--