Event ID: 20 Source: KDC

Description:
The currently selected KDC certificate was once valid, but now is invalid and no suitable replacement was found. Smartcard logon may not function correctly if this problem is not remedied. Have the system administrator check on the state of the domain's public key infrastructure. The chain status is in the error data.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 18 00 00 00 13 20 09 80
Comments:
See EV100406 (Deconstructing the KDC certificate processing functionality) - useful to understand the KDC certificate selection.
Have a look at the data in the event, the second word contains the error code - in my case it was 0x80092013 which is CRYPT_E_REVOCATION_OFFLINE, the webserver holding the CRLs was offline.
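The decoding described in the comment above, as an added PowerShell example that is not code from the original post or from EventID.Net: it parses the Data hex dump into its two little-endian DWORDs and names the HRESULT carried in the second one. The dump line is copied from the event shown on this page; the table of names is a small subset of the certificate and chain HRESULTs from winerror.h; the function names are my own, and the meaning of the first DWORD is not stated on this page, so the code only prints it.

```powershell
# Added example, not code from the original post or from EventID.Net.
# Decodes the binary Data of a KDC event 20 into its two little-endian DWORDs
# and names the HRESULT carried in the second one (the chain status).

# Subset of certificate/chain HRESULTs from winerror.h, keyed by upper-case hex.
$HResultNames = @{
    '80092010' = 'CRYPT_E_REVOKED'
    '80092012' = 'CRYPT_E_NO_REVOCATION_CHECK'
    '80092013' = 'CRYPT_E_REVOCATION_OFFLINE'
    '800B0101' = 'CERT_E_EXPIRED'
    '800B0106' = 'CERT_E_PURPOSE'
    '800B0109' = 'CERT_E_UNTRUSTEDROOT'
    '800B010A' = 'CERT_E_CHAINING'
    '800B0110' = 'CERT_E_WRONG_USAGE'
}

function ConvertFrom-HexDump {
    # Accepts the "0000: 18 00 00 00 ..." form shown in Event Viewer as well as a
    # continuous hex string such as the <Binary> element of the event's XML view.
    param([string[]]$Lines)
    $hex = ($Lines | ForEach-Object { $_ -replace '^\s*[0-9A-Fa-f]{4,8}:', '' }) -join ''
    $hex = $hex -replace '[^0-9A-Fa-f]', ''
    if ($hex.Length % 2 -ne 0) { throw 'Odd number of hex digits in dump' }
    $bytes = for ($i = 0; $i -lt $hex.Length; $i += 2) {
        [Convert]::ToByte($hex.Substring($i, 2), 16)
    }
    return [byte[]]$bytes
}

function ConvertFrom-KdcEventData {
    param([byte[]]$Data)
    if ($Data.Length -lt 8) { throw "Need at least 8 bytes of event data, got $($Data.Length)" }
    # BitConverter uses the host byte order, which is little-endian on Windows.
    $first  = [BitConverter]::ToUInt32($Data, 0)   # meaning of this DWORD is not given on this page
    $status = [BitConverter]::ToUInt32($Data, 4)   # chain status HRESULT
    $hex = '{0:X8}' -f $status
    $name = if ($HResultNames.ContainsKey($hex)) { $HResultNames[$hex] } else { 'not in table; look up in winerror.h' }
    [pscustomobject]@{
        FirstDword  = '0x{0:X8}' -f $first
        ChainStatus = "0x$hex"
        Name        = $name
        # Severity bit (bit 31) set means the HRESULT is an error, not a success code.
        IsFailure   = ($status -ge [uint32]2147483648)
    }
}

# Dump text copied from the event shown on this page. In practice the bytes come
# from the live event, e.g. the Binary data of
#   Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='KDC'; Id=20}
$dumpFromEvent = @('0000: 18 00 00 00 13 20 09 80')
ConvertFrom-KdcEventData (ConvertFrom-HexDump $dumpFromEvent) | Format-List
```

For the dump on this page the second DWORD decodes to 0x80092013, CRYPT_E_REVOCATION_OFFLINE, which is the value the comment reports; any other code can be looked up the same way once it is added to the table.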
Regarding the CERTSVC_DCOM_ACCESS security group (see comment from EventID.Net): In our case for some reason, the group did not exist so I had to create it. This must be a Domain Local group. Otherwise, when you try to start the CertSVC it will fail with an error saying it could not find the local group.
This issue may occur because of invalid domain controller certificates. Domain controller certificates may become invalid if you remove a CA that was installed in the domain. After you remove the CA, the domain controller still tries to contact the CA. See ME939088 for information on how to remove all the invalid domain controller certificates.
A problematic CA and old data in the Active Directory PKI Container may also cause this problem on a Windows 2003 domain. Use PKIview.msc from the Windows 2003 Resource Kit to check the status of the CA. This can occur if the CA is removed from the network and a new one is added.

1) Install rktools, run the Microsoft Management Console, and add the standalone snap-in "Enterprise PKI".
2) Expand the console tree in the scope pane, click on your CA, and verify that all entries report OK. If there is a problem, then this may be the cause. If the ones reporting bad are http://, verify that IIS 6.0 is configured properly and that anonymous access is granted to the CertEnroll website.
3) Next, right click "Enterprise PKI" in the scope pane and choose "Manage AD Containers". Check each tab and remove any old CA information.
4) Reboot your server.


See ME839880 for details on this event.

From a newsgroup post: "I have made a call to Microsoft on this issue. They first suggested setting the RPC Locator service to “Automatic” and then starting it. They also suggested to restart the NetLogon service after this change was made. Seems that upgrading to W2K3 changes the RPC Locator service startup for some reason".

From a newsgroup post: "On the problem DC, open the certificates snap-in, go to Certificates (Local Computer) -> Personal -> Certificates store, and verify that the DC has a valid certificate whose Intended Purpose indicates Client Authentication, Server Authentication. Also, verify that the Certification Chain validates to the root certificate. On the Details tab of the certificate check to see if the Smart Card Logon Object Identifier (1.3.6.1.4.1.311.20.2.2) is listed in the Enhanced Key Usage field. If any of the above is not correct, you will need to correct it".
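The checks in the post above, as an added PowerShell example that is not code from the original post or from EventID.Net: it walks the Local Computer Personal store, reports which of the three Enhanced Key Usages (Client Authentication, Server Authentication, Smart Card Logon) each certificate lacks, and builds the chain with online revocation checking so that an unreachable CRL shows up the same way it would for the KDC. The issuer column also makes certificates from a CA that no longer exists easy to spot. The OIDs for Client and Server Authentication are the standard PKIX values; the function name is my own. Run it on the domain controller in an elevated session.

```powershell
# Added example, not code from the original post or from EventID.Net.
# Reports, for every certificate in Cert:\LocalMachine\My, whether it meets the
# checks a KDC needs: required EKUs present, chain valid (including revocation),
# and a private key available.

$RequiredEku = @{
    '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'   # PKIX id-kp-clientAuth
    '1.3.6.1.5.5.7.3.1'      = 'Server Authentication'   # PKIX id-kp-serverAuth
    '1.3.6.1.4.1.311.20.2.2' = 'Smart Card Logon'        # OID quoted in the post above
}

function Test-DcCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Collect the EKU OIDs present on the certificate (empty if no EKU extension).
    $ekus = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekus = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }
    $missing = @($RequiredEku.Keys | Where-Object { $ekus -notcontains $_ } |
        ForEach-Object { $RequiredEku[$_] })

    # Build the chain the way CryptoAPI would, with online revocation checking, so
    # an offline CRL distribution point is reported here as well.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk = $chain.Build($Cert)
    $chainErrors = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
    $chain.Reset()

    [pscustomobject]@{
        Subject       = $Cert.Subject
        Issuer        = $Cert.Issuer          # compare with the name of the CA currently in service
        NotAfter      = $Cert.NotAfter
        HasPrivateKey = $Cert.HasPrivateKey
        MissingEku    = ($missing -join ', ')
        ChainValid    = $chainOk
        ChainErrors   = ($chainErrors -join '; ')
        Usable        = ($chainOk -and $missing.Count -eq 0 -and $Cert.HasPrivateKey)
    }
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-DcCertificate $_ } | Format-List
```

A domain controller needs at least one certificate with Usable set to True; a ChainErrors value mentioning revocation points at the CRL publishing problem described in the comments above, while an Issuer that names a CA no longer in the domain points at leftover certificates from a removed CA.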

From a newsgroup post: "Per my research, Event ID 20 and 7022 could occur if the current Win2k3 SP1 machine cannot contact a valid CA (Certificate Authority). A CA can issue many different types of certificate and smart card is one among them. For example, you installed CA on one DC and removed CA from it; however, the Win2k3 SP1 machine still wants to contact the original CA. In this case, Event ID 20 is logged.
Once the CA has been taken down, the certificates that have been issued to all the domain controllers need to be removed. This can be done quite easily using DSSTORE.EXE from the Resource Kit. To remove old domain controller certificates, use the following steps.

Step 1:
At the command prompt on a domain controller, type "certutil -dcinfo deleteBad"

To do so:
1. Install the Windows Support Tools from the Support\Tools folder in the Windows Server 2003 DC.
2. Go to command prompt, type "certutil -dcinfo deleteBad" (without the quotation marks)
3. Clean out KDC 20 warnings in the System Event Log.
4. Restart the DC and then check if the issue is fixed.

Step 2:
I suspect that the issue may be related to the DCOM protocol. Windows Server 2003 SP1 introduces enhanced default security settings for the DCOM protocol. Specifically, SP1 introduces more precise rights that give an administrator independent control over local and remote permissions for launching, activating, and accessing COM servers.
As the Windows Server 2003 Certificate Services provides enrollment and administration services by using the DCOM protocol, I suspect that it may be the cause of the problem.
1. Please check to ensure that a new security group, CERTSVC_DCOM_ACCESS, has been created after applying SP1.
2. Please add the "Domain Users", "Domain Computers", "Domain Controllers" groups to the new CERTSVC_DCOM_ACCESS security group.
3. Then, we can have Certificate Services update the DCOM security settings by running the following commands:
certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
net stop certsvc
net start certsvc
Please check if the problem has been fixed.

Step 3:
Reissue a domain controller certificate:
1. Click Start -> Run -> type "mmc" (without the quotation marks) and press Enter.
2. Click File -> Add/Remove Snap-in. Click the Add button and select Certificate snap-in. Select Computer account.
3. In the certificate console, navigate to Personal\Certificates. Right-click the folder and choose Request new certificate.
4. Follow the wizard to request a Domain Controller certificate.
5. Reboot the computer to see if the problem is resolved".

See MSW2KDB for additional information on this event.
I had the same error on a test domain controller. I checked the Personal branch of "Local Computer" certificates store and found that there were some certificates issued by a CA with a name that differs from the current CA name. It seems that there once was a CA service which had been removed and then installed back again with a different name. After I removed all the certificates issued by the old CA, the event 20 message stopped occurring.
The certificate of the authority was expired. I renewed it and the problem was solved.
If an Active Directory CA was removed, Domain Controllers will display this error until they get a new certificate from a different CA. Run "certutil -dcinfo deleteBad" to remove the offending certificates. The DCs should then get new ones the next time Autoenrollment runs.
Usually indicates there is no Certificate Authority available.