We help IT Professionals succeed at work.

Kerberos Key Distribution Center Hung On Starting - and a certificate error

rharland2009
rharland2009 asked
on
1,325 Views
Last Modified: 2012-05-06
Hi there.
I'm running main and backup DCs for our domain - both boxes running 2k3 Standard w/ SP 2. When I reboot these boxes, I get long pauses during reboot and the event 7022 message that 'The Kerberos Key Distribution Center hung on starting.'. Kerberos services are running successfully on both boxes, and can be stopped and started without an issue. When I run certutil -dcinfo verify, the error I see is the following:

Element.dwErrorStatus = CERT_TRUST_IS_NOT_VALID_FOR_USAGE (0x10)

with the ending message being:

The certificate is not valid for the requested usage. 0x800b0110 (-2146762480)

I've gotten fresh certificates from my local CA (which is one of the boxes in question) and all seems normal when viewing them with the Certificates snap-in, but I'm really at a loss for an appropriate next step. The CERTSVC_DCOM_ACCESS group has the appropriate membership and I'm a bit puzzled.

Any info or words of wisdom would be greatly appreciated.
thanks!
Russ
Comment
Watch Question

Cryptographic Engineer
CERTIFIED EXPERT
Commented:
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION

Author

Commented:
Thanks for your reply. The plot thickens! I was checking a few things out and was about to run these commands when I noticed that there are *two* boxes set up as CAs right now on this network! One is the 'original' CA - a non-DC Windows 2000 Server box that I understood was the only CA in the building. The second CA is one of the DCs! This is a tad confusing, but I inherited this network and its foibles some time ago, and weirdness pops up from time to time.
I've never really encountered something like this. PKI Health Tool shows two old offline CAs and the present ones - with errors downloading one of the CRLs. Man, what a mess.
At this point, I'm beginning to think that I need to start over with one clean CA. Not even sure where to start. Gah!
ParanormasticCryptographic Engineer
CERTIFIED EXPERT
Commented:
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION
Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.