Event ID - 21

Event Id: 21
Source: Microsoft-Windows-Kerberos-Key-Distribution-Center
Description: The client certificate for the user %1\%2 is not valid, and resulted in a failed smartcard logon. Please contact the user for more information about the certificate they're attempting to use for smartcard logon. The chain status was : %3

Event Information (according to Microsoft):

Cause:

This event is logged when the client certificate for the user is not valid and the smart card logon fails as a result.

Resolution:

Reissue a smart card logon certificate

When logging on to a computer or a virtual private network (VPN) by using a smart card, the client certificate must be valid. If the client certificate is not valid, the smart card logon will fail. To resolve this issue, you must reissue the smart card logon certificate.

Note: The user who has a smart card logon certificate that is no longer valid is identified in the event log message.
To perform this procedure, you must be an enrollment agent for the domain, or you must have been delegated the appropriate authority.
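
To collect the affected users and the chain status recorded in each Event ID 21 before reissuing certificates, the log can be queried as below. This is an added example, not part of the original Microsoft text; it assumes the event is written to the System log of a domain controller and that the event's properties appear in the same order as the %1, %2 and %3 placeholders in the description. The function name Get-KdcEvent21Summary is hypothetical.

```powershell
# Added example: summarize Event ID 21 from the KDC provider by user and chain status.
# Assumption: run on (or against) a domain controller with rights to read the System log.
function Get-KdcEvent21Summary {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,  # domain controller to query
        [int]$Days = 7                              # how far back to look
    )

    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 21
        StartTime    = (Get-Date).AddDays(-$Days)
    }

    # Get-WinEvent reports an error when nothing matches; suppress it so an
    # empty log simply yields no rows.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumption: Properties[0], [1], [2] map to %1, %2, %3 of the message
            # "user %1\%2 ... The chain status was : %3".
            $p = $_.Properties
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                User        = '{0}\{1}' -f $p[0].Value, $p[1].Value
                ChainStatus = $p[2].Value
            }
        } |
        Group-Object User, ChainStatus |
        Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'User';        e = { $_.Group[0].User } },
            @{ n = 'ChainStatus'; e = { $_.Group[0].ChainStatus } },
            @{ n = 'LastSeen';    e = { ($_.Group | Measure-Object TimeCreated -Maximum).Maximum } }
}

# One row per user and chain status, most frequent failures first.
Get-KdcEvent21Summary -Days 7 | Format-Table -AutoSize
```

The same user failing repeatedly with one chain status points to a certificate that needs reissuing; many users failing with the same status at once is worth checking against the issuing CA before reissuing individual cards.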

To reissue a smart card logon certificate:
  1. In a Web browser, navigate to the certification authority (CA) that issues smart card certificates for your organization.
  2. Click Request a certificate, and then click Advanced certificate request.
  3. Click Request a certificate for a smart card on behalf of another user using the smart card certificate enrollment station. If you are prompted to accept the smart card signing certificate, click Yes.
  4. On the Smart Card Certificate Enrollment Station Web page, in Certificate Template, click Smart Card Logon.
  5. In Certification Authority, click the name of the CA you want to issue the smart card certificate.
  6. In Cryptographic Service Provider, select the cryptographic service provider (CSP) of the smart card's manufacturer.
  7. In Administrator Signing Certificate, click the Enrollment Agent certificate that will sign the enrollment request.
  8. In User To Enroll, click Select User, select the appropriate user account, and then click Enroll.
  9. When prompted, insert the smart card into the smart card reader on your computer, and then click OK.
  10. Enter the personal identification number (PIN) for the smart card.
  11. Click Yes, confirming that you want to replace the existing credentials on the smart card.

Verify:

To verify that the certificate on the smart card is valid, log on to a computer by using smart card authentication. If authentication is successful, the certificate on the smart card is working properly.

Reference Links: Event ID 21 from Microsoft-Windows-Kerberos-Key-Distribution-Center
