Event ID - 19

Event Id19
SourceMicrosoft-Windows-Kerberos-Key-Distribution-Center
DescriptionThis event indicates an attempt was made to use smartcard logon, but the KDC is unable to use the PKINIT protocol because it is missing a suitable certificate.
Event Information According to Microsoft :

Cause :

This event is logged when the event indicates an attempt was made to use smartcard logon, but the KDC is unable to use the PKINIT protocol because it is missing a suitable certificate.

Resolution :

Request a new domain controller certificate

Kerberos uses a domain controller certificate to ensure that the authentication information sent over the network is encrypted. If the certificate is missing or is no longer valid, you must delete the domain controller certificate and then request a new one.

To resolve this issue:

Delete the domain controller certificate that is no longer valid.

Request a new certificate.

To perform these procedures, you must be a member of the Domain Admins group, or you must have been delegated the appropriate authority.

Delete the domain controller certificate that is no longer valid

To delete the domain controller certificate that is no longer valid:
  1. On the domain controller in which the issue is occurring, click Start , and then click Run .
  2. Type mmc.exe , and then press ENTER.
  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue .
  4. Click File , and then click Add/Remove Snap-in .
  5. Click Certificates , and then click Add .
  6. Click Computer account , click Next , and then click Finish .
  7. Click OK to open the Certificates snap-in.
  8. Expand Certificates (Local computer) , expand Personal , and then click Certificates .
  9. Right-click the old domain controller certificate, and then click Delete .
  10. Click Yes , confirming that you want to delete the certificate.
  11. After the certificate is deleted, follow the procedure in the "Request a new certificate" section.
Request a new certificate

To request a new certificate:
  1. Expand Certificates (Local computer) , right-click Personal , and then click Request New Certificate .
  2. Complete the appropriate information in the Certificate Enrollment Wizard for a domain controller certificate.
  3. Close the Certificates snap-in.
Verify :

To perform this procedure, you must be a member of the Domain Admins group, or you must have been delegated the appropriate authority.

To verify that the Kerberos Key Distribution Center (KDC) certificate is available and working properly:
  1. Log on to a computer within your domain.
  2. Click Start , point to All Programs , click Accessories , right-click Command Prompt , and then click Run as administrator .
  3. If the User Account Contro l dialog box appears, confirm that the action it displays is what you want, and then click Continue .
  4. At the command prompt, type certutil -dcinfo verify , and then press ENTER.
  5. If you receive a successful verification, the Kerberos KDC certificate is installed and operating correctly.
Reference LinksEvent ID 19 from Microsoft-Windows-Kerberos-Key-Distribution-Center

Catch threats immediately

We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.

See what we caught

Did this information help you to resolve the problem?

Yes: My problem was resolved.
No: The information was not helpful / Partially helpful.
 Refresh