Article ID: 939088
Article Last Modified on 7/26/2007
APPLIES TO
- Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
- Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
- Microsoft Windows Server 2003, Standard Edition (32-bit x86)
SYMPTOMS
Consider the following scenario. You are using a Microsoft Windows Server 2003-based domain controller. The domain controller is part of a domain that does not have a certification authority (CA) installed. You receive the following event message in the Event Viewer System log:
Event Type: Warning
Event Source: KDC
Event Category: None
Event ID: 20
Date: date
Time: time
User: N/A
Computer: computer name
Description: The currently selected KDC certificate was once valid, but now is invalid. No suitable replacement was found. Smartcard logon may not function correctly if this problem is not remedied. Have the system administrator check on the state of the domain's public key infrastructure. The chain status is in the error data.
CAUSE
This issue may occur because of invalid domain controller certificates. Domain controller certificates may become invalid if you remove a CA that was installed in the domain. After you remove the CA, the domain controller still tries to contact the CA. Therefore, you receive the error message that is mentioned in the "Symptoms" section.
RESOLUTION
To resolve this issue, remove all the invalid domain controller certificates, as follows:
- At a command prompt, type the following command, and then press ENTER:
Certutil -dcinfo deleteBad
- At the command prompt, type exit, and then press ENTER to close the command prompt.
- Remove all the Key Distribution Center (KDC) "Event ID: 20" instances from the Event Viewer System log.
- Restart the domain controller.
MORE INFORMATION
For more information about related issues, click the following article numbers to view the articles in the Microsoft Knowledge Base:
887578 You receive a "Logon failure" message when you use a smart card on a Windows Server 2003-based computer
892090 Group Policy settings are not applied when a user in an external Kerberos realm logs on to a Windows XP Professional-based or to a Windows 2000 Professional-based computer in a child domain
929272 Interactive logon styles and Key Distribution Center account lookup in Windows Server 2003
Keywords: kbexpertiseinter kbtshoot kbprb KB939088