So I'm seeing this on my DCs:

The currently selected KDC certificate was once valid, but now is invalid
and no suitable replacement was found.  Smartcard logon may not function
correctly if this problem is not remedied.  Have the system administrator
check on the state of the domain's public key infrastructure.  The chain
status is in the error data.

So I saw this as a possible solution:

A problematic CA and old data in the Active Directory PKI Container may also
cause this problem on a Windows 2003 domain. Use PKIview.msc from the
Windows 2003 Resource kit to check the status of the CA. This can occur if
the CA is removed from the network and a new one is added.

1) Install rktools, run the Microsoft Management Console, and add the
standalone snap-in "Enterprise PKI".
2) Expand the console tree in the scope pane, click on your CA, and verify
that all entries report OK.  If there is a problem, then this may be the
cause. If the ones reporting bad are http://, verify that IIS 6.0 is
configured properly and that anonymous access is granted to the CertEnroll
website.
3) Next, right click "Enterprise PKI" in the scope pane and choose "Manage
AD Containers". Check each tab and remove any old CA information.
4) Reboot your server.

So when I look in there, under the CDP container, there is a CA called
Trace3 CA that is expired.

Now what will happen if I delete this thing for real? Is there going to be a
problem? Why isn't there a new one?

What is this thing for?

Questions, questions..
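
A read-only inventory of the same AD containers that "Manage AD Containers" displays, added here as an example and not part of the original post. It assumes the ActiveDirectory PowerShell module (RSAT) and read access to the Configuration partition; it lists CA certificates with their expiry and the CDP entries with their last-changed time, and deletes nothing.

```powershell
# Added example: read-only listing of the AD PKI containers.
# Assumption: ActiveDirectory module available; run from a domain-joined host.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiRoot  = "CN=Public Key Services,CN=Services,$configNC"
$now      = Get-Date

# These containers store CA certificates in the multi-valued cACertificate attribute.
$report = foreach ($container in 'AIA', 'Certification Authorities', 'Enrollment Services') {
    Get-ADObject -SearchBase "CN=$container,$pkiRoot" -SearchScope OneLevel `
                 -Filter * -Properties cACertificate |
    ForEach-Object {
        $entry = $_
        foreach ($raw in $entry.cACertificate) {
            $bytes = [byte[]]$raw
            # The unary comma passes the byte array as a single constructor argument.
            $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
            [pscustomobject]@{
                Container  = $container
                Name       = $entry.Name
                Subject    = $cert.Subject
                NotAfter   = $cert.NotAfter
                Expired    = ($cert.NotAfter -lt $now)
                Thumbprint = $cert.Thumbprint
            }
        }
    }
}
$report | Sort-Object Container, NotAfter | Format-Table -AutoSize

# CDP entries hold CRLs rather than certificates. They sit one level down,
# under a container named after the CA host, so search the whole subtree.
# An old whenChanged value means no CRL has been published there recently.
Get-ADObject -SearchBase "CN=CDP,$pkiRoot" -SearchScope Subtree `
             -LDAPFilter '(objectClass=cRLDistributionPoint)' -Properties whenChanged |
    Sort-Object whenChanged |
    Select-Object Name, whenChanged, DistinguishedName |
    Format-Table -AutoSize
```

Comparing the CA names in the first table with the CDP entries in the second shows whether an expired CDP object belongs to a CA that still has a current certificate published elsewhere in the directory.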

