I do not like it when a newly installed environment has event log entries other than informational ones, especially if the warnings are recurring. But I guess this one is an example which can be safely ignored. By design, the KDC service periodically tries to locate a Certificate Authority to request a certificate. When no CA is present, warnings are logged.
The event: Event ID 29, source: Microsoft-Windows-Kerberos-Key-Distribution-Center
The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.
Additional information: KB967623
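To tell the harmless "no CA in this environment" case apart from a domain controller whose certificate has actually gone bad, the following PowerShell triage is an added example, not part of the original post. It assumes an elevated session on the domain controller, a 7-day look-back window, and that a KDC-capable certificate carries the KDC Authentication or Smart Card Logon EKU (certificates from the legacy Domain Controller template do not and would need a separate check).

```powershell
# Added example: triage KDC event 29 on a domain controller.
$provider = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
$since    = (Get-Date).AddDays(-7)      # assumed look-back window

# KDC events are written to the System log.
$events = @(Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = $provider; Id = 29; StartTime = $since
} -ErrorAction SilentlyContinue)

# EKU OIDs used here to recognise a certificate the KDC could use (assumption).
$dcEkus = @(
    '1.3.6.1.5.2.3.5',          # KDC Authentication
    '1.3.6.1.4.1.311.20.2.2'    # Smart Card Logon
)

# Certificates in the machine's personal store that carry one of those EKUs.
$candidates = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.EnhancedKeyUsageList.ObjectId | Where-Object { $dcEkus -contains $_ }
})

# Usable = has a private key, not expired, and the chain validates.
$usable = @($candidates | Where-Object {
    $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and $_.Verify()
})

$assessment = if ($candidates.Count -eq 0) {
    'No KDC-capable certificate in the machine store: consistent with an environment without a CA'
} elseif ($usable.Count -eq 0) {
    'Certificate present but not usable: expired, missing private key, or chain validation failed'
} else {
    'Usable certificate found: investigate further if event 29 keeps recurring'
}

[pscustomobject]@{
    Event29Count   = $events.Count
    LastEvent29    = ($events | Select-Object -First 1).TimeCreated
    CandidateCerts = $candidates.Count
    UsableCerts    = $usable.Count
    Assessment     = $assessment
}
```

Only the first outcome matches the situation described in this post; the second means smart card logon against this domain controller is likely to fail until a new certificate is enrolled.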
3 Responses to The Key Distribution Center (KDC) cannot find a suitable certificate
In KB967623, there should be an alternative solution posted to replace "you can ignore these events", with instructions on how to suppress these events from being logged.
While it may be recommended to implement a CA solution, it is a far poorer practice to foster the ignorant behavior of ignoring persistent event logs.
You are absolutely right. It would be nice if you can configure a GPO for your domain controllers which would configure them for an environment with no CA present. Although these are getting more rare nowadays, I think.
I agree with both comments. I very much dislike seeing any events in my logs that are warnings or errors. I much prefer a fix or workaround other than installing a CA. However, I am glad I found a lot of information stating the same reasons for this event entry.