I got this message on a DC (Win 2k3 R2 SP2):
=============================================
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7022
Date: 13/12/2007
Time: 12.55.29
User: N/A
Computer: SRV01
Description:
The Kerberos Key Distribution Center service hung on starting.
=============================================
Beside the error, everything is working fine and all the services are
positively working locally and remotely.
The error originates AFTER I installed two web certificates in IIS to
have the two sites working on SSL (ports 443, 444 respectively). These
two digital certificates has been issued by a "virtual" enterprise
root CA (pratically a VM with a stand alone W2k3 Standard with AD
installed) which is, indeed, NOT online.
First, I installed the "vm" enterprise CA certificate under the MMC-
>CERTIFICATE snap-in -> local computer -> Trusted CA ... I
rebooted ... and I did NOT get any error from the Kerberos Key
Distribution Center.
Then I installed the pending certificates under IIS and I rebooted
again. ONLY AFTER installing the web certificates, I started getting
that error from The Kerberos Key Distribution Center service :-(
Any hints? :-) TIA :-)
L/S
I've spent the last 12 hours with this problem, on a SBS 2003 machine, and
I've finally solved it (for me, anyway).
I did a clean install of 2003 SBS, and applied the patches etc. I then ran
inetmgr and replaced the server certificate with my GoDaddy commercial
certificate. It is *this* stage which causes the proglem (as the OP
suggested). This is my 5th SBS 2003 installation, and the FIRST time I've
installed the cert directly rather than first creating a self-signed cert
using CEICW.
My solution?
Run inetmgr again and remove the certificate. Then run CEICW and choose to
create a new certificate. Of course this will be self-signed. THEN run
inetmgr and replace the certificate with the GoDaddy cert. And that's it! No
more Kerberos hung 7022 error!
My guess is that the CEICW sets up the inetmgr certificate *AND* also does
something with Kerberos, but inetmgr on its own does not touch Kerberos.
So in a nutshell - even if you're going to be installing a commercial
certificate, make sure you run CEICW to generate a certificate at least once.
Hop this helps others in the future!
Jim