Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Kerberos Key Distribution Center service hung on starting, ID 7022.

1,702 views
Skip to first unread message

luc...@gmail.com

unread,
Dec 13, 2007, 8:46:20 AM12/13/07
to
Hi all,

I got this message on a DC (Win 2k3 R2 SP2):
=============================================
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7022
Date: 13/12/2007
Time: 12.55.29
User: N/A
Computer: SRV01
Description:
The Kerberos Key Distribution Center service hung on starting.
=============================================

Beside the error, everything is working fine and all the services are
positively working locally and remotely.

The error originates AFTER I installed two web certificates in IIS to
have the two sites working on SSL (ports 443, 444 respectively). These
two digital certificates has been issued by a "virtual" enterprise
root CA (pratically a VM with a stand alone W2k3 Standard with AD
installed) which is, indeed, NOT online.

First, I installed the "vm" enterprise CA certificate under the MMC-
>CERTIFICATE snap-in -> local computer -> Trusted CA ... I
rebooted ... and I did NOT get any error from the Kerberos Key
Distribution Center.
Then I installed the pending certificates under IIS and I rebooted
again. ONLY AFTER installing the web certificates, I started getting
that error from The Kerberos Key Distribution Center service :-(

Any hints? :-) TIA :-)

L/S

Willsher@discussions.microsoft.com Jim Willsher

unread,
Feb 24, 2008, 1:45:00 AM2/24/08
to
I realise this message is two months old, but I'm repyling SOLELY for the
benefit of search-engine indexing. I also know that the OP has Win2003 and I
have SBS 2003, but I suspect the root cause is the same.

I've spent the last 12 hours with this problem, on a SBS 2003 machine, and
I've finally solved it (for me, anyway).

I did a clean install of 2003 SBS, and applied the patches etc. I then ran
inetmgr and replaced the server certificate with my GoDaddy commercial
certificate. It is *this* stage which causes the proglem (as the OP
suggested). This is my 5th SBS 2003 installation, and the FIRST time I've
installed the cert directly rather than first creating a self-signed cert
using CEICW.

My solution?

Run inetmgr again and remove the certificate. Then run CEICW and choose to
create a new certificate. Of course this will be self-signed. THEN run
inetmgr and replace the certificate with the GoDaddy cert. And that's it! No
more Kerberos hung 7022 error!

My guess is that the CEICW sets up the inetmgr certificate *AND* also does
something with Kerberos, but inetmgr on its own does not touch Kerberos.

So in a nutshell - even if you're going to be installing a commercial
certificate, make sure you run CEICW to generate a certificate at least once.

Hop this helps others in the future!


Jim

newyear...@googlemail.com

unread,
Mar 3, 2008, 3:10:54 PM3/3/08
to
On Feb 24, 6:45 am, Jim Willsher <Jim

Wills...@discussions.microsoft.com> wrote:
> I realise this message is two months old, but I'm repyling SOLELY for the
> benefit of search-engine indexing. I also know that the OP has Win2003 and I
> have SBS 2003, but I suspect the root cause is the same.
>
> I've spent the last 12 hours with this problem, on a SBS 2003 machine, and
> I've finally solved it (for me, anyway).
>
> I did a clean install of 2003 SBS, and applied the patches etc. I then ran
> inetmgr and replaced the server certificate with my GoDaddy commercial
> certificate. It is *this* stage which causes the proglem (as the OP
> suggested). This is my 5th SBS 2003 installation, and the FIRST time I've
> installed the cert directly rather than first creating a self-signed cert
> using CEICW.
>
> My solution?
>
> Run inetmgr again and remove the certificate. Then run CEICW and choose to
> create a new certificate. Of course this will be self-signed. THEN run
> inetmgr and replace the certificate with the GoDaddy cert. And that's it! No
> more Kerberos hung 7022 error!
>
> My guess is that the CEICW sets up the inetmgr certificate *AND* also does
> something with Kerberos, but inetmgr on its own does not touch Kerberos.
>
> So in a nutshell - even if you're going to be installing a commercial
> certificate, make sure you run CEICW to generate a certificate at least once.
>
> Hop this helps others in the future!
>
> Jim
>
>
thanks Jim. i had exactly same issue with GoDaddy cert and your method
has taken care of it. many thanks!

rw...@yahoo.com

unread,
Mar 21, 2014, 7:37:07 PM3/21/14
to
Thanks, I had a similar issue.

I was getting the kerberos service not starting on the domain controller. And I was also getting Error 20 "the currently selected KDC certificate was once valid ..."


This was the fix for me:
http://support.microsoft.com/kb/939088

I used the command line suggestion to get rid of the old KDC certificate and that cleared up both items, as the kerberos item was hanging due to the KDC service item.


0 new messages