This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(83.2, 14.000000000000002%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBG%3C/text%3E%3C/svg%3E)
Running Windows Server 2019. In the early morning of Sept 16, 2021 this update auto-installed and restarted the server (September 14, 2021—KB5005568). Now, the event noted below has began to appear anytime a user signs in to their computer. None of our users use Smartcards, but we do run hybrid Azure AD with Windows Hello for Business enabled. Doesn't seem to be causing any issues, but I'd still like to know what the underlying issue is and correct it.
Any ideas?
Kerberos-Key-Distribution-Center
The client certificate for the user "DOMAIN\user" is not valid, and resulted in a failed smartcard logon. Please contact the user for more information about the certificate they're attempting to use for smartcard logon. The chain status was : A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 37%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAP%3C/text%3E%3C/svg%3E)
II see the same behavior in my infrastructure as ell. Several domain controllers running Windows Server 2019, after being patched earlier this month this event started to pop up on each dc used by users. Also running hybrid Azure AD with WHfB. No recent changes to CA or GPOs.
No issue with users log on at the moment, but those warnings are messing with our monitoring.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 28.000000000000004%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EB%3C/text%3E%3C/svg%3E)
Glad to here no issues with anything for you as well! But I would like to know why these are popping up for sure. Don't want them to become failures down the road.
Agreed. I would have normally posted on TechNet, but it seems that platform has been discontinued... although somehow users are still posting their questions. I'm wondering if the Microsoft techs ignore this platform since none of them have responded. So very disappointing.
Did anyone find any kind of solution to this?
I was waiting to see if maybe some hotfix would be released during last week's Patching Tuesday, installed all the updates on our servers last weekend, but I still see the warnings in the logs of all domain controllers hit by authentication requests.
I'm still having the same issue as well. Very frustrating.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(230.39999999999998, 93%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EW%3C/text%3E%3C/svg%3E)
I see the same behavior here. I added a Server 2022 DC within the last days, but it looks like this was not the source of the issue.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(294.40000000000003, 66%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAP%3C/text%3E%3C/svg%3E)
Hello,
I hame the same problem on my 2016 DC. IT's linked to a certificate for Windows HEllo for Business.
At the initialization of Hello, a certificate (public one) is generated and put on the personal certificate store of the user. The problem is, the Root CA for this certificate is not present, and we don't know which Root CA is.
the way i found to solve the warning is to put the certificate (issued for hello from a public certificate) (in my screenshot), into the Trusted Root Certificate Authorities in the user part.
Hello,
Some news about this issue. I open a case to Microsoft some time ago, after providing some logs, the product group has been notify about the "issue".
It seems related to an update, a rare condition. I keep you informed when i have more information.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 27%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDT%3C/text%3E%3C/svg%3E)
Confirmed, no joy, still seeing errors. I still think it's related to Secure Hardware Key which we don't use.
For users seeing this issue:
If so, look at this these two pages:
For myself, I enabled FIDO2 back in Feburary 2021. I do not see this event when logging in with a Security Key. I do not see this event when logging into a Windows Server via password.
-Doug
We don't use security keys. The events are generated only when our users sign in via WHfB (PIN, Facial Recognition, etc.). The event is not generated if they sign in with a password... which they rarely do, thus the plethora of events being recorded.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 39%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EW%3C/text%3E%3C/svg%3E)
I also get them for computer accounts for some reason, but only for a couple of servers.
The client certificate for the user DOMEAIN\COMPUTER$ is not valid, and resulted in a failed smartcard logon. Please contact the user for more information about the certificate they're attempting to use for smartcard logon. The chain status was : A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hey everyone, I have the same issue but we use AADJ devices. Furthermore we see in CAPI2 log:
Subject name is: 
Do you have an idea what is wrong?
Best regards
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 89%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
It's definitely Windows Hello for Business related, we started seeing these error messages as soon as we began implementing WHfB (Hybrid Azure AD Key-Trust deployment) a couple months ago. It does seem to drop this self-signed certificate onto every machine where a user has enabled WHfB. WHfB is functioning normally for everyone, not sure if this is just one of those "by-design" errors you can safely ignore or if we botched the rollout at some point.
I tried deleting the cert and rebooting and was still able to sign in using my WHfB PIN. I checked certificates again after logging back in and saw that a new self-signed cert had been added back in. I next tried moving the cert into the Trusted Root store, rebooted and signed back in. When I checked certificates again, it had once more added the self-signed cert back into the personal store. This time it didnt show any errors about being untrusted, but I still got a Kerberos KDC event 21 error on the domain controller for that sign in. Not sure what to do at this point, other than ignore these errors...?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(217.60000000000002, 0%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESF%3C/text%3E%3C/svg%3E)
Hi there,
we too are seeing the same log entries for our Azure only joined devices.
I've been directed by my manager to log a ticket with MS just to confirm that these can be safely ignored.
I'll update this thread with whatever MS come back with.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(51.2, 37%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMB%3C/text%3E%3C/svg%3E)
Any Updates @Shane Foley ?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(38.4, 59%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMB%3C/text%3E%3C/svg%3E)
Did anyone find a solution for this, or did you choose to ignore the warning messages?
I can confirm that everything works fine - but as more and more users start using WHfB this will flood the logs ... :-)
No solution that I am aware of, yet.
I think all of us went with successfully ignoring it - until it will miraculously and automagically disappear from the logs :)
There were several people who had opened a case with MS but I don't recall receiving a follow-up. After my experience with MS support lately, I have no expectations we will get one.