Discussion:
Kerberos Key Distribution Center service hung on starting, ID 7022.
(too old to reply)
l***@gmail.com
2007-12-13 13:46:20 UTC
Permalink
Hi all,

I got this message on a DC (Win 2k3 R2 SP2):
=============================================
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7022
Date: 13/12/2007
Time: 12.55.29
User: N/A
Computer: SRV01
Description:
The Kerberos Key Distribution Center service hung on starting.
=============================================

Beside the error, everything is working fine and all the services are
positively working locally and remotely.

The error originates AFTER I installed two web certificates in IIS to
have the two sites working on SSL (ports 443, 444 respectively). These
two digital certificates has been issued by a "virtual" enterprise
root CA (pratically a VM with a stand alone W2k3 Standard with AD
installed) which is, indeed, NOT online.

First, I installed the "vm" enterprise CA certificate under the MMC-
CERTIFICATE snap-in -> local computer -> Trusted CA ... I
rebooted ... and I did NOT get any error from the Kerberos Key
Distribution Center.
Then I installed the pending certificates under IIS and I rebooted
again. ONLY AFTER installing the web certificates, I started getting
that error from The Kerberos Key Distribution Center service :-(

Any hints? :-) TIA :-)

L/S
Jim Willsher
2008-02-24 06:45:00 UTC
Permalink
I realise this message is two months old, but I'm repyling SOLELY for the
benefit of search-engine indexing. I also know that the OP has Win2003 and I
have SBS 2003, but I suspect the root cause is the same.

I've spent the last 12 hours with this problem, on a SBS 2003 machine, and
I've finally solved it (for me, anyway).

I did a clean install of 2003 SBS, and applied the patches etc. I then ran
inetmgr and replaced the server certificate with my GoDaddy commercial
certificate. It is *this* stage which causes the proglem (as the OP
suggested). This is my 5th SBS 2003 installation, and the FIRST time I've
installed the cert directly rather than first creating a self-signed cert
using CEICW.

My solution?

Run inetmgr again and remove the certificate. Then run CEICW and choose to
create a new certificate. Of course this will be self-signed. THEN run
inetmgr and replace the certificate with the GoDaddy cert. And that's it! No
more Kerberos hung 7022 error!

My guess is that the CEICW sets up the inetmgr certificate *AND* also does
something with Kerberos, but inetmgr on its own does not touch Kerberos.

So in a nutshell - even if you're going to be installing a commercial
certificate, make sure you run CEICW to generate a certificate at least once.

Hop this helps others in the future!


Jim
Post by l***@gmail.com
Hi all,
=============================================
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7022
Date: 13/12/2007
Time: 12.55.29
User: N/A
Computer: SRV01
The Kerberos Key Distribution Center service hung on starting.
=============================================
Beside the error, everything is working fine and all the services are
positively working locally and remotely.
The error originates AFTER I installed two web certificates in IIS to
have the two sites working on SSL (ports 443, 444 respectively). These
two digital certificates has been issued by a "virtual" enterprise
root CA (pratically a VM with a stand alone W2k3 Standard with AD
installed) which is, indeed, NOT online.
First, I installed the "vm" enterprise CA certificate under the MMC-
CERTIFICATE snap-in -> local computer -> Trusted CA ... I
rebooted ... and I did NOT get any error from the Kerberos Key
Distribution Center.
Then I installed the pending certificates under IIS and I rebooted
again. ONLY AFTER installing the web certificates, I started getting
that error from The Kerberos Key Distribution Center service :-(
Any hints? :-) TIA :-)
L/S
n***@googlemail.com
2008-03-03 20:10:54 UTC
Permalink
On Feb 24, 6:45 am, Jim Willsher <Jim
Post by Jim Willsher
I realise this message is two months old, but I'm repyling SOLELY for the
benefit of search-engine indexing. I also know that the OP has Win2003 and I
have SBS 2003, but I suspect the root cause is the same.
I've spent the last 12 hours with this problem, on a SBS 2003 machine, and
I've finally solved it (for me, anyway).
I did a clean install of 2003 SBS, and applied the patches etc. I then ran
inetmgr and replaced the server certificate with my GoDaddy commercial
certificate. It is *this* stage which causes the proglem (as the OP
suggested). This is my 5th SBS 2003 installation, and the FIRST time I've
installed the cert directly rather than first creating a self-signed cert
using CEICW.
My solution?
Run inetmgr again and remove the certificate. Then run CEICW and choose to
create a new certificate. Of course this will be self-signed. THEN run
inetmgr and replace the certificate with the GoDaddy cert. And that's it! No
more Kerberos hung 7022 error!
My guess is that the CEICW sets up the inetmgr certificate *AND* also does
something with Kerberos, but inetmgr on its own does not touch Kerberos.
So in a nutshell - even if you're going to be installing a commercial
certificate, make sure you run CEICW to generate a certificate at least once.
Hop this helps others in the future!
Jim
thanks Jim. i had exactly same issue with GoDaddy cert and your method
has taken care of it. many thanks!
r***@yahoo.com
2014-03-21 23:37:07 UTC
Permalink
Thanks, I had a similar issue.

I was getting the kerberos service not starting on the domain controller. And I was also getting Error 20 "the currently selected KDC certificate was once valid ..."


This was the fix for me:
http://support.microsoft.com/kb/939088

I used the command line suggestion to get rid of the old KDC certificate and that cleared up both items, as the kerberos item was hanging due to the KDC service item.
Loading...