Cannot apply for a KDC Certificate
There's a warning coming up on our Server 2008 boxes and it says: "The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate." I've tried to request a certificate from the CA server but when I go to request a new certificate (with the Certificate add-in in mmc), it says: "The permissions on the certificate template do not allow the current user to enroll for this type of certificate. You do not have the permission to view this type of certificate." I'm logged into a domain controller while logged in as administrator so I should have the permissions, shouldn't I? The CA is on a domain member (also logged into administrator) if that helps.
November 13th, 2009 9:30pm

Hello, I assume you talk about Event id 29: http://technet.microsoft.com/en-us/library/cc734096(WS.10).aspx If you don't have a Certification Authority in your domain you can safely ignore the warning. Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
November 15th, 2009 8:17pm

I have a CA on my domain. When I try to request a certificate, it won't list any certificate types and says: "You cannot request a certificate type at this time because no certificate types are available. If you need a certificate, please contact your administrator." Then when I check off "Show all templates" at the bottom of the window, it says the following under each template: "The permissions on the certificate template do not allow the current user to enroll for this type of certificate. You do not have the permission to view this type of certificate." I'm logged into administrator though.
November 16th, 2009 5:01pm

Hi, To better understand the issue, please collect the following information:
1. On the CA server, please run certutil -dstemplate -v domaincontroller > domaincontroller.txt
2. On the DC, please enable CAPI2 log and reproduce the issue.
To enable CAPI2 log, please refer to the "Enabling and Saving the CAPI2 Log" section of the following article: Troubleshooting PKI Problems on Windows Vista http://technet.microsoft.com/en-us/library/cc749296(WS.10).aspx
After the error message occurs, please export the System, Application and CAPI2 operational events from the Event Viewer on the DC, and then upload the events and domaincontroller.txt to Windows Live SkyDrive (http://www.skydrive.live.com/). This posting is provided "AS IS" with no warranties, and confers no rights.
November 17th, 2009 9:26am

I enabled the CAPI2.log however nothing appeared when I went to try and enroll for a certificate. I took a screenshot of what I see though. Here's a link to the skydrive. http://cid-a4f128ec8b2d7918.skydrive.live.com/browse.aspx/.Public
November 17th, 2009 5:18pm

Hi, According to the file, the security setting for the certificate template is correct. I suspect that there is something wrong with the pKIEnrollmentService object. Please run the following command on a domain controller and upload the pki.txt file to skydrive for further research:
ldifde -f pki.txt -d "cn=public key services,cn=services,cn=configuration,dc=<domain component>,dc=<domain component>"
Note: Please change the domain component to the exact forest name. For example, dc=domain,dc=local. This posting is provided "AS IS" with no warranties, and confers no rights.
November 19th, 2009 12:35pm

There you go. I've uploaded the results. Thanks again for all the help! http://cid-a4f128ec8b2d7918.skydrive.live.com/browse.aspx/.Public
November 19th, 2009 7:10pm

At the risk of sounding foolish - Is it possible that because the CA is not a domain controller that maybe when the domain controllers on the network try to enroll for a certificate, they don't know who the CA is? I found out how to auto enroll for a certificate but I've run into a different error and I've uploaded it to my skydrive as well.
AutoEnroll1.jpg - it shows where I went to auto enroll for the certificate
AutoEnroll2.jpg - this shows the interesting message I got.
Maybe this will help you find out what I'm doing wrong.
November 20th, 2009 12:51am

Hi, According to the file, I found that the value of the flags attribute in the pKIEnrollmentService object is 5. It seems you installed a Standalone CA. Please remember that you need an Enterprise CA if you want to request certificates via MMC or use autoenrollment. For more information, please refer to: Defining CA Types and Roles http://technet.microsoft.com/en-us/library/cc756989(WS.10).aspx This posting is provided "AS IS" with no warranties, and confers no rights.
November 20th, 2009 11:54am
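
As an added example (not part of the thread and not Microsoft tooling), the check from the last reply can be run over an ldifde export: the script finds pKIEnrollmentService entries and decodes their flags attribute, where 5 is the Standalone CA case described above. The sample LDIF and its names are constructed, and treating a cleared NO_TEMPLATE_SUPPORT bit as "template enrollment available" is this example's reading of the flags.

```python
# Added example. Flag bit names follow the CA_FLAG_* constants in certca.h (Windows SDK).
CA_FLAGS = {0x1: "NO_TEMPLATE_SUPPORT", 0x2: "SUPPORTS_NT_AUTHENTICATION",
            0x4: "CA_SUPPORTS_MANUAL_AUTHENTICATION", 0x8: "CA_SERVERTYPE_ADVANCED"}

# Constructed sample shaped like ldifde output; every name is a placeholder.
SAMPLE_LDIF = """\
dn: CN=Example-CA,CN=Enrollment Services,CN=Public Key Services,CN=Services,
 CN=Configuration,DC=domain,DC=local
objectClass: pKIEnrollmentService
cn: Example-CA
flags: 5

dn: CN=Other-CA,CN=Enrollment Services,CN=Public Key Services,CN=Services,
 CN=Configuration,DC=domain,DC=local
objectClass: pKIEnrollmentService
cn: Other-CA
certificateTemplates: DomainController
certificateTemplates: KerberosAuthentication
flags: 10
"""

def parse_ldif(text):
    """Return one dict per entry (attribute -> list of values)."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")  # join wrapped lines
    entries = []
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if ":" in line and not line.startswith("#"):
                name, _, value = line.partition(":")
                entry.setdefault(name.lower(), []).append(value.lstrip(":").strip())
        if entry:
            entries.append(entry)
    return entries

def audit_enrollment_services(ldif_text):
    """Decode flags on each published CA and note whether templates can be served."""
    report = []
    for e in parse_ldif(ldif_text):
        if "pkienrollmentservice" not in [c.lower() for c in e.get("objectclass", [])]:
            continue
        flags = int(e.get("flags", ["0"])[0])
        report.append({"cn": e["cn"][0], "flags": flags,
                       "bits": [n for b, n in CA_FLAGS.items() if flags & b],
                       "template_enrollment": not flags & 0x1,
                       "templates": e.get("certificatetemplates", [])})
    return report

if __name__ == "__main__":
    print(*audit_enrollment_services(SAMPLE_LDIF), sep="\n")
```

An entry with flags 5 and no certificateTemplates values matches the symptom in the thread: the MMC snap-in lists no usable templates and autoenrollment has nothing to enroll against.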

This topic is archived. No further replies will be accepted.
