Reissue KDC Authentication certificate for domain controllers



Authentication issues when using single sign-on (SSO).


Expired Kerberos Domain Controller certificate.


  1. On each Microsoft Windows Domain Controller, press [Win] + R.
  2. Enter certlm.msc and press [OK] to launch the management console showing the certificates of the local computer.
  3. Navigate to Personal > Certificates.
  4. Check that you have a valid KDC Authentication certificate for each Domain Controller (it should be listed under the "Intended purposes" column).
    Make sure the certificate exists and that it has not expired. If it is expired or missing, the Domain Controller needs to be issued a new certificate for KDC Authentication.
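
The same check can be scripted instead of clicking through certlm.msc on every Domain Controller. The following PowerShell is an added example, not part of the original article: the function name `Get-KdcAuthCertificate` and the 30-day warning window are assumptions, and it matches the KDC Authentication purpose by its OID (1.3.6.1.5.2.3.5) in the local computer's Personal store.

```powershell
# Added example: audit the local computer's Personal store for a KDC Authentication certificate.
# Run in an elevated PowerShell session on each Domain Controller.

$KdcAuthOid = '1.3.6.1.5.2.3.5'   # KDC Authentication enhanced key usage
$WarnDays   = 30                   # assumed warning window; adjust to your renewal policy

function Get-KdcAuthCertificate {   # hypothetical helper name
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    $now = Get-Date
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Read the EKU extension directly so the match does not depend on localized display names
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        if (-not $eku) { continue }   # no EKU extension: not listed as KDC Authentication

        $oids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value }
        if ($oids -notcontains $KdcAuthOid) { continue }

        $status = if     ($now -lt $cert.NotBefore)                  { 'NotYetValid' }
                  elseif ($now -gt $cert.NotAfter)                   { 'Expired' }
                  elseif ($cert.NotAfter -lt $now.AddDays($WarnDays)) { 'ExpiringSoon' }
                  else                                               { 'Valid' }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            Status        = $status
        }
    }
}

$found = @(Get-KdcAuthCertificate)
if ($found.Count -eq 0) {
    # Missing certificate: the case the article says requires issuing a new one
    Write-Warning "$($env:COMPUTERNAME): no KDC Authentication certificate in the Personal store."
} else {
    $found | Sort-Object NotAfter -Descending | Format-Table -AutoSize
    if (-not ($found | Where-Object { $_.Status -in 'Valid', 'ExpiringSoon' })) {
        # Expired certificate: the other case the article says requires reissue
        Write-Warning "$($env:COMPUTERNAME): every KDC Authentication certificate is expired or not yet valid."
    }
}
```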

