Revocation Status of Domain Controller Certificate Could Not Be Determined

Smart card logons fail because the client cannot complete a revocation check on the domain controller's certificate, so it refuses to trust the KDC.

  • Error shown to the user: The revocation status of the domain controller certificate used for the smart card authentication could not be determined.
  • Windows Event Log: The client has failed to validate the domain controller certificate for dc.example.com. The following error was returned from the certificate validation process: A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.

The target host cannot build and validate the domain controller's certificate chain. Common causes:

  • DNS or network problems that prevent the host from fetching the CRL or an OCSP response.
  • An expired certificate in the chain, or a published CRL whose NextUpdate time has passed.
  • A CA in the chain that the host does not trust (this is what the logged message "not trusted by the policy provider" indicates; the issuing and root CA certificates must be in the host's trust store).
  • A KDC certificate that carries no HTTP-accessible CRL Distribution Point or OCSP URL. It may contain only an LDAP path to the CRL, which a host cannot fetch unless it can perform an authenticated LDAP bind and is permitted to read the CRL object.

Potential Solution

Run the following command on the affected host to test the certificate validation. The -urlfetch switch makes certutil download the CRLs and OCSP responses from the URLs embedded in the chain, so it exercises the same fetches the smart card logon performs and reports each one:

certutil -verify -urlfetch C:\Users\exampleuser\Desktop\kdccert.cer

To export the KDC certificate from the domain controller's local computer store (so you can copy it to the affected host):

  1. Open mmc.exe.
  2. Add the Certificates snap-in for the Computer account and select Local computer.
  3. Locate the DC certificate that includes Smart Card Logon and KDC Authentication in its Intended Purposes.
  4. Right-click the certificate and select All Tasks > Export.
  5. Choose No, do not export the private key.
  6. Select DER encoded binary and save the file as kdccert.cer on the desktop.
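The export on the domain controller and the certutil check on the affected host, scripted as an added example (not code from the original article). It also lists the CDP and AIA URLs embedded in the certificate and probes the HTTP ones, which is the first thing to check when certutil reports a revocation failure. The function names, the output path and the treatment of a bare GET against an OCSP URL as a reachability test only are assumptions made for this example.

```powershell
# Added example, not part of the original article. Assumptions: Export-KdcCertificate
# runs in an elevated PowerShell on the domain controller; Test-KdcCertificate runs on
# the affected host against the copied file. Paths and function names are illustrative.

$KdcAuthenticationOid = '1.3.6.1.5.2.3.5'   # EKU "KDC Authentication"

# Pick the newest LocalMachine\My certificate carrying the KDC Authentication EKU and
# write it out DER-encoded, public certificate only (no private key).
function Export-KdcCertificate {
    param([string]$OutFile = (Join-Path $env:USERPROFILE 'Desktop\kdccert.cer'))

    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $eku = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # extendedKeyUsage
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $KdcAuthenticationOid })
    } | Sort-Object NotAfter -Descending | Select-Object -First 1

    if (-not $cert) { throw 'No certificate with the KDC Authentication EKU found in LocalMachine\My' }

    # X509ContentType::Cert exports only the DER-encoded public certificate.
    [IO.File]::WriteAllBytes($OutFile, $cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert))
    Write-Host "Exported $($cert.Subject) (expires $($cert.NotAfter)) to $OutFile"
    return $OutFile
}

# Return every URL in the certificate's CRL Distribution Points and Authority Information
# Access extensions (CRL, caIssuers and OCSP locations).
function Get-CertificateFetchUrls {
    param([Parameter(Mandatory)][string]$Path)
    $cert = New-Object Security.Cryptography.X509Certificates.X509Certificate2 $Path
    foreach ($oid in '2.5.29.31', '1.3.6.1.5.5.7.1.1') {        # cRLDistributionPoints, authorityInfoAccess
        $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
        if ($ext) {
            # Format() renders the extension as text such as "URL=http://pki.example.com/ca.crl";
            # LDAP URLs appear with %20-escaped spaces, so \S+ captures them whole.
            [regex]::Matches($ext.Format($true), '(?:https?|ldap)://\S+') | ForEach-Object { $_.Value }
        }
    }
}

# Probe the HTTP URLs from this host, then let certutil perform the full chain and
# revocation check with its own fetches.
function Test-KdcCertificate {
    param([Parameter(Mandatory)][string]$Path)

    foreach ($url in Get-CertificateFetchUrls -Path $Path) {
        if ($url -notmatch '^https?://') {
            Write-Host "LDAP  $url  (needs an authenticated LDAP bind; certutil tries it with this host's own credentials)"
            continue
        }
        try {
            $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
            Write-Host "OK    HTTP $($r.StatusCode)  $url"
        } catch {
            # A bare GET to an OCSP URL carries no OCSP request, so an HTTP error status still
            # proves the responder answers; no Response object at all means it was not reached.
            if ($_.Exception.Response) { Write-Host "REACH HTTP $([int]$_.Exception.Response.StatusCode)  $url" }
            else { Write-Host "FAIL  $url  $($_.Exception.Message)" }
        }
    }

    # certutil downloads every CDP/AIA URL itself and reports per-URL results; a non-zero
    # exit code means the chain or its revocation status did not verify.
    $output = certutil -verify -urlfetch $Path 2>&1
    $output | Select-String -Pattern 'ERROR|Failed|Revocation|NextUpdate|command' | ForEach-Object { $_.Line }
    if ($LASTEXITCODE -ne 0) { Write-Warning "certutil -verify failed (exit code $LASTEXITCODE)" }
}

# Usage: on the DC   -> $file = Export-KdcCertificate
#        on the host -> Test-KdcCertificate -Path "$env:USERPROFILE\Desktop\kdccert.cer"
```

A URL that shows as FAIL here but works from another machine points at DNS, proxy or firewall rules on the affected host rather than at the PKI; a certificate whose only URLs are LDAP ones is the case the next section deals with.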

If the validation fails:

  • Ensure the host has network access to the URLs specified in the certificate's CRL Distribution Point (DP) and Authority Information Access fields.
  • Verify that the CRL or OCSP responder is reachable and that the published CRL has not expired (its NextUpdate time has not passed); certutil reports an expired CRL as a failure even when the download succeeded.
  • If the certificate only includes an LDAP path in the CRL DP:
    • Ensure the LDAP path is accessible.
    • Confirm the CRL object allows read access to the querying machine.

By default, Active Directory does not accept anonymous LDAP queries beyond RootDSE, and the permissions on the CRL object may additionally deny read access to ANONYMOUS LOGON. To test whether the CRL in the LDAP path can be read, use an LDAP client that binds with credentials (for example ldapsearch with a bind DN, or a domain-joined Windows host, which binds with its own account). In environments with a two-way trust this bind should succeed. If it does not, configure the CA to publish the CRL to an HTTP location that all relevant hosts can reach, and then renew the domain controller's KDC certificate so that the new CDP and AIA URLs are embedded in it.
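The authenticated-bind test described above, as an added example in PowerShell rather than ldapsearch (not code from the original article): it parses the LDAP URL found in the certificate's CRL Distribution Point, binds with the current account or with supplied credentials, reads the certificateRevocationList attribute, and checks the fetched CRL's NextUpdate with certutil -dump. The server name dc.example.com, the sample CDP URL, the output path and the function name are assumptions.

```powershell
# Added example, not part of the original article. Assumes a Windows host that can reach
# the domain controller over LDAP; the DC name, sample URL and output path are illustrative.
function Get-LdapCrl {
    param(
        [Parameter(Mandatory)][string]$LdapUrl,
        [string]$Server = 'dc.example.com',               # used when the URL has no host (ldap:///...)
        [Management.Automation.PSCredential]$Credential,   # omit to bind as the current user or machine
        [string]$OutFile = (Join-Path $env:TEMP 'kdc.crl')
    )

    # RFC 4516 form used by AD CDPs: ldap://[host]/<dn>?<attribute>?<scope>?<filter>
    if ($LdapUrl -notmatch '^ldap://([^/]*)/([^?]+)(?:\?([^?]*))?(?:\?([^?]*))?(?:\?(.*))?$') {
        throw "Not an LDAP URL: $LdapUrl"
    }
    $ldapHost = if ($Matches[1]) { $Matches[1] } else { $Server }
    $dn       = [uri]::UnescapeDataString($Matches[2])    # %20 -> space inside the DN
    $attr     = if ($Matches[3]) { $Matches[3] } else { 'certificateRevocationList' }

    $path = "LDAP://$ldapHost/$dn"
    $entry = if ($Credential) {
        # DirectoryEntry defaults to secure (Negotiate) authentication, so this is never an
        # anonymous bind; explicit credentials are what you need from a host outside the trust.
        New-Object DirectoryServices.DirectoryEntry($path, $Credential.UserName, $Credential.GetNetworkCredential().Password)
    } else {
        New-Object DirectoryServices.DirectoryEntry($path)
    }

    try {
        $bytes = $entry.Properties[$attr].Value     # first access performs the bind and the read
    } catch {
        throw "Bind or read of $path failed: $($_.Exception.Message)"
    }
    if (-not $bytes) { throw "Object $dn was found but $attr is empty or not readable by this account" }

    [IO.File]::WriteAllBytes($OutFile, [byte[]]$bytes)
    Write-Host "Fetched $($bytes.Length) bytes of $attr from $dn -> $OutFile"

    # certutil -dump prints the CRL's ThisUpdate/NextUpdate; a NextUpdate in the past means the
    # client rejects the CRL as stale even though the LDAP fetch itself succeeded.
    $dump = certutil -dump $OutFile
    $dump | Select-String 'Issuer|ThisUpdate|NextUpdate|CRL Number' | ForEach-Object { $_.Line }
    $next = ($dump | Select-String 'NextUpdate:\s*(.+)$').Matches | Select-Object -First 1
    if ($next) {
        try {
            if ([datetime]::Parse($next.Groups[1].Value) -lt (Get-Date)) {
                Write-Warning 'CRL NextUpdate has passed: the published CRL is expired'
            }
        } catch { Write-Warning 'Could not parse NextUpdate; read it from the dump above' }
    }
    return $OutFile
}

# Usage (the CDP URL below is constructed for illustration; take the real one from the
# certificate's CRL Distribution Point extension):
# Get-LdapCrl -LdapUrl 'ldap:///CN=Example%20CA,CN=dc,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=example,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint' -Server dc.example.com -Credential (Get-Credential)
```

If the call fails at the bind with the host's own account but succeeds with explicit credentials, the host cannot authenticate to the directory the CRL lives in (no trust, or a one-way trust in the wrong direction); if it binds but the attribute comes back empty, the CRL object's ACL does not grant read access to that account. Either way the fix on the page applies: publish the CRL to HTTP and renew the KDC certificate.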
