Fix 0XC000040F: Smart card cert revoked on login
Your domain controller's certificate for smart card logon got revoked. Here's how to fix it, starting with the quick check and moving to deeper fixes.
Fix 0XC000040F: The domain controller certificate used for smart card logon has been revoked
You're trying to log in with a smart card, and instead of getting in, you see STATUS_KDC_CERT_REVOKED (0XC000040F). The message says the domain controller certificate used for smart card logon has been revoked.
This usually happens after someone—maybe an admin—revoked the certificate that the Key Distribution Center (KDC) on your domain controller uses for smart card authentication. It can also happen if the certificate authority (CA) reissued a new CA certificate and the old one got revoked, or if the CRL (certificate revocation list) is stale or corrupted.
I've seen this most often after a CA migration or when an admin accidentally revokes the wrong cert. Don't panic. We'll fix it step by step.
Start with the simplest fix (30 seconds)
Check if the cert is actually revoked
Before you do anything drastic, check whether the certificate is really revoked or if it's a CRL issue.
- On a domain controller (or any machine with the smart card reader), open the MMC: press Win + R, type mmc, press Enter.
- Go to File > Add/Remove Snap-ins. Add Certificates for the Computer account (Local computer).
- In the left pane, expand Personal > Certificates. Look for a certificate issued to the domain controller's name (like DC-01.domain.com) with the Smart Card Logon or Client Authentication purpose.
- Double-click that certificate. Go to the Certification Path tab. At the bottom, it'll say "This certificate is OK" or "This certificate has been revoked." If it says revoked, you found the problem.
- If it says OK, the issue might be a stale CRL. Check the CRL next.
What you'll see: If the cert is revoked, you'll see a red X over the certificate icon. If it's OK, the icon will look normal.
If the cert is actually revoked, skip to the moderate fix. If it's OK, check the CRL:
- In the same certificate properties, go to the Details tab. Scroll down to CRL Distribution Points. You'll see a URL like http://ca-server.domain.com/CertData/ca.crl.
- Open a browser and go to that URL. If the file downloads, the CRL is reachable. If you get a 404 or timeout, the CRL is broken.
- If the CRL is stale, you can force an update on the domain controller: run certutil -f -urlfetch -verify "certificate.cer" (replace with the actual cert file path). Or just reboot the DC—it'll force a CRL refresh.
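The quick check above done in one pass, as an added example that is not part of the original article: it lists the certificates in the computer's Personal store that the KDC could use for smart card logon, builds each one's chain with online revocation checking (what the Certification Path tab shows), and tests that every HTTP CRL distribution point in the certificate can actually be downloaded. It assumes nothing beyond a domain controller and an elevated PowerShell session.

```powershell
# Added example, not from the original article. Run elevated on the domain controller.
# Tells a genuinely revoked DC certificate (chain status "Revoked") apart from a CRL
# that cannot be fetched or is stale ("RevocationStatusUnknown" / "OfflineRevocation").

# EKU OIDs that make a certificate usable by the KDC for PKINIT / smart card logon
$kdcEkuOids = @{
    '1.3.6.1.5.2.3.5'        = 'KDC Authentication'
    '1.3.6.1.4.1.311.20.2.2' = 'Smart Card Logon'
    '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'
}

function Get-KdcCandidateCertificate {
    # Certificates in the computer's Personal store with a private key and a KDC-usable EKU
    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } | Where-Object {
        $ekuExt = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        if (-not $ekuExt) { return $false }
        @($ekuExt.EnhancedKeyUsages | Where-Object { $kdcEkuOids.ContainsKey($_.Value) }).Count -gt 0
    }
}

function Get-CrlDistributionPoint {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # OID 2.5.29.31 is the CRL Distribution Points extension; Format($true) renders it as
    # the same text the MMC Details tab shows, with one "URL=..." per distribution point
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

function Test-KdcCertificateChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Online revocation check of the whole chain, like the MMC Certification Path tab
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $ok = $chain.Build($Cert)
    $status = if ($ok) { 'OK' } else { ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ' }
    $chain.Reset()
    $status
}

foreach ($cert in Get-KdcCandidateCertificate) {
    "=== $($cert.Subject)  thumbprint $($cert.Thumbprint)  expires $($cert.NotAfter)"
    "    chain: $(Test-KdcCertificateChain -Cert $cert)"
    foreach ($url in Get-CrlDistributionPoint -Cert $cert) {
        if ($url -notmatch '^https?://') { "    CDP $url : not HTTP, skipped"; continue }
        try {
            # A 404 or timeout here is the "CRL is broken" case from the steps above
            $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
            "    CDP $url : reachable (HTTP $($r.StatusCode), $($r.RawContentLength) bytes)"
        } catch {
            "    CDP $url : NOT reachable - $($_.Exception.Message)"
        }
    }
}
```

A chain status of Revoked sends you to the moderate fix; RevocationStatusUnknown or OfflineRevocation together with an unreachable CDP points at the CRL infrastructure instead, which is what certutil -f -urlfetch -verify also reports.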
Real-world trigger: I once saw this on a Monday morning after a CA admin had revoked the wrong cert the Friday before. Nobody tested logins over the weekend. The quick fix was re-issuing the DC cert.
Moderate fix (5 minutes): Renew the domain controller certificate
If the certificate is revoked and you can't un-revoke it (you can't un-revoke a cert in AD CS—once revoked, it's gone), you need to request a new one.
- On the domain controller, open MMC again, add the Certificates snap-in for the Computer account.
- Right-click Personal > Certificates. Choose All Tasks > Request New Certificate.
- In the wizard, select Active Directory Enrollment Policy. Click Next.
- You should see a certificate template called Domain Controller or Domain Controller Authentication. Check the box next to it. Click Enroll.
- Wait for the process to finish. You should see a new certificate with a later expiration date in the Personal store.
- Close MMC. Reboot the domain controller. This ensures the KDC picks up the new cert.
What you'll see: After you click Enroll, you'll get a green checkmark and a message saying "Certificate enrolled successfully." After the reboot, try a smart card login.
If you don't see the Domain Controller template, your CA might not have it published. That's a bigger problem—see the advanced fix.
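The same enrollment done from PowerShell, as an added example that is not part of the original article. It uses the built-in PKI module's Get-Certificate cmdlet, which is the scripted equivalent of the Request New Certificate wizard, and then verifies the new certificate before you reboot. The template common name 'DomainControllerAuthentication' is an assumption: the wizard shows the template's display name, while Get-Certificate wants its common name, and your CA may use the older 'DomainController' template instead.

```powershell
# Added example, not from the original article. Run elevated on the domain controller.
$Template = 'DomainControllerAuthentication'   # assumption; adjust to the template your CA publishes
$Store    = 'Cert:\LocalMachine\My'

# Templates the enrollment policy offers this computer. If yours is missing here the wizard
# is empty too, and the CA has to publish the template first (the advanced fix).
$offered = certutil -template 2>&1 |
    Select-String 'TemplatePropCommonName\s*=\s*(\S+)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value }
if ($offered -notcontains $Template) {
    Write-Warning "Template '$Template' is not published to this machine. Offered: $($offered -join ', ')"
    return
}

# Enroll against the Active Directory enrollment policy, straight into the computer's Personal store
$result = Get-Certificate -Template $Template -CertStoreLocation $Store -ErrorAction Stop
if ($result.Status -ne 'Issued') {
    # 'Pending' means the CA requires manager approval; 'Error' is usually a permission problem
    Write-Warning "Enrollment did not complete, status: $($result.Status)"
    return
}

$new = $result.Certificate
"Enrolled: $($new.Subject)  thumbprint $($new.Thumbprint)  valid until $($new.NotAfter)"

# Same check as the Certification Path tab: the chain builds and revocation checking passes
if (Test-Certificate -Cert $new -Policy Base -ErrorAction SilentlyContinue) {
    "New certificate verifies. Reboot the DC (Restart-Computer) so the KDC picks it up."
} else {
    Write-Warning "New certificate does not verify; check the CA certificate and CRL before rebooting."
}
```

The verification step matters: if the new certificate fails to verify immediately after issuance, the problem is upstream (CA certificate or CRL), and rebooting will not change the result.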
Advanced fix (15+ minutes): Rebuild the CA or fix CRL infrastructure
If renewing the DC cert doesn't help, or if you can't enroll because the template is missing, you've got deeper issues.
Check the CA's CRL publication
Sometimes the CA itself is publishing a revoked CA certificate. Or the CRL isn't being published correctly.
- Log into your CA server (the one that issued the DC's cert). Open the Certification Authority MMC.
- Right-click Revoked Certificates and choose All Tasks > Publish. This forces a new CRL.
- Check the CA's certificate: In CA Properties > General tab, check the CA cert's expiration. If it's expired, you need to renew the CA itself.
- To renew the CA certificate, right-click the CA name, choose All Tasks > Renew CA Certificate. You'll have two options: generate a new key pair (recommended) or keep the same key. Pick new keys.
What you'll see: After publishing the CRL, you'll get a confirmation message. After renewing the CA, all subordinate certificates (including DC certs) need to be re-issued.
Re-issue domain controller certificates en masse
If the CA's own cert was revoked or expired, all DC certs signed by it are invalid. You'll need to re-issue them for every domain controller.
- On each domain controller, run the cert request wizard (same steps as the moderate fix) to enroll a new cert.
- If auto-enrollment is set up, you can force it by running gpupdate /force on each DC, then rebooting.
- Verify the new certs are in the Personal store and have a valid chain.
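A fleet-wide version of the advanced fix, as an added example that is not part of the original article: it publishes a fresh CRL on the issuing CA and reports the CA certificate's validity, then triggers auto-enrollment on every domain controller and reports whether each KDC-usable certificate now verifies. It assumes you run it as an enterprise admin from a host with the ActiveDirectory RSAT module, that PowerShell Remoting is enabled on the CA and the DCs, that the CA host follows the standard CertSvc registry layout, and that $CaServer names your issuing CA (the article's example hostname is used as a placeholder).

```powershell
# Added example, not from the original article. Run as an enterprise admin with RSAT installed.
$CaServer = 'ca-server.domain.com'   # placeholder taken from the article's CDP example

# --- CA side: publish a new CRL (same as Revoked Certificates > All Tasks > Publish) ---
Invoke-Command -ComputerName $CaServer -ScriptBlock {
    certutil -crl | Out-Null
    # The active CA's name is recorded under the CertSvc configuration key; the CA's own
    # certificate sits in the CA host's Personal store under that common name (assumption:
    # standard registry layout)
    $caName = (Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration).Active
    $caCert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$caName*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $caCert) { Write-Warning "CA certificate for '$caName' not found in LocalMachine\My"; return }
    [pscustomobject]@{
        CA         = $caName
        Thumbprint = $caCert.Thumbprint
        NotAfter   = $caCert.NotAfter
        Expired    = ($caCert.NotAfter -lt (Get-Date))   # expired => renew the CA certificate first
    }
} | Format-List

# --- DC side: kick auto-enrollment on every DC, then verify what is in the Personal store ---
$kdcEkuOids = @('1.3.6.1.5.2.3.5', '1.3.6.1.4.1.311.20.2.2', '1.3.6.1.5.5.7.3.2')
$dcs = (Get-ADDomainController -Filter *).HostName
Invoke-Command -ComputerName $dcs -ArgumentList (,$kdcEkuOids) -ScriptBlock {
    param($ekuOids)
    certutil -pulse | Out-Null     # fires the auto-enrollment task now, as gpupdate /force does
    Start-Sleep -Seconds 20        # enrollment runs asynchronously; give it a moment to finish
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $ekus = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } |
            ForEach-Object { $_.EnhancedKeyUsages.Value }
        $_.HasPrivateKey -and @($ekus | Where-Object { $ekuOids -contains $_ }).Count -gt 0
    } | ForEach-Object {
        [pscustomobject]@{
            DC         = $env:COMPUTERNAME
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            Verifies   = [bool](Test-Certificate -Cert $_ -Policy Base -ErrorAction SilentlyContinue)
        }
    }
} | Sort-Object DC, NotAfter | Format-Table -AutoSize
```

A DC that shows no row, or only rows with Verifies = False, is one where auto-enrollment did not run (no permission on the template, or the template is not published) and needs the manual request from the moderate fix.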
Real-world trigger: I had a client whose CA certificate was accidentally revoked by a junior admin while cleaning up expired certs. Every single DC stopped accepting smart card logins. We had to renew the CA cert and re-issue every DC cert. Took about 30 minutes for a small environment.
Still stuck? Check the KDC logs
If none of these fix it, the KDC logs will tell you exactly which certificate it tried to use and why it failed.
- On the domain controller, open Event Viewer. Go to Applications and Services Logs > Microsoft > Windows > Kerberos-Key-Distribution-Center > Operational.
- Look for event IDs 21 or 25. They'll say something like "The KDC certificate selection failed" and include the certificate thumbprint.
- Use that thumbprint to find the cert in the Certificate MMC. Then check its revocation status manually.
That log entry is your best friend. It tells you exactly which cert the KDC wants to use but can't.
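The log lookup done in one step, as an added example that is not part of the original article: it reads the KDC operational log for event IDs 21 and 25, pulls the thumbprint out of each message, looks that certificate up in the computer's Personal store, and runs the certutil -f -urlfetch -verify check from the quick fix against it. It assumes an elevated PowerShell session on the domain controller and that the event message carries the thumbprint as the article describes; events without one are reported as such.

```powershell
# Added example, not from the original article. Run elevated on the domain controller.
$LogName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center/Operational'

$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 21, 25 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue
if (-not $events) {
    # The operational log can be disabled; enable it, reproduce the smart card logon, rerun
    "No KDC certificate events found. Enable the log with: wevtutil sl `"$LogName`" /e:true"
    return
}

$seen = @{}
foreach ($e in $events) {
    # A thumbprint is 40 hex digits; messages may print the bytes with spaces between them
    $m = [regex]::Match($e.Message, '(?i)(?<![0-9a-f])(?:[0-9a-f]{2}\s?){20}(?![0-9a-f])')
    if (-not $m.Success) { "[$($e.TimeCreated)] event $($e.Id): no thumbprint in message"; continue }
    $thumb = ($m.Value -replace '\s', '').ToUpper()
    if ($seen.ContainsKey($thumb)) { continue }   # report each certificate only once
    $seen[$thumb] = $true

    "[$($e.TimeCreated)] event $($e.Id) refers to certificate $thumb"
    $cert = Get-Item "Cert:\LocalMachine\My\$thumb" -ErrorAction SilentlyContinue
    if (-not $cert) { "    not present in LocalMachine\My (deleted, or in another store)"; continue }
    "    subject $($cert.Subject), expires $($cert.NotAfter)"

    # The article's own CRL-refreshing verify command; its output states whether the
    # certificate is revoked or whether the revocation check itself could not complete
    $tmp = Join-Path $env:TEMP "$thumb.cer"
    Export-Certificate -Cert $cert -FilePath $tmp -Type CERT | Out-Null
    certutil -f -urlfetch -verify $tmp 2>&1 |
        Select-String -Pattern 'revo|error|verif' |
        ForEach-Object { "    certutil: $($_.Line.Trim())" }
    Remove-Item $tmp -ErrorAction SilentlyContinue
}
```

If the thumbprint from the event is not in the Personal store at all, the KDC is holding on to a certificate that was deleted or replaced; a reboot after enrolling a new one (the moderate fix) is what makes it re-select.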
One last thing: if you're using a third-party certificate (like from a public CA) for smart card logon, the certificate might have been revoked by the CA itself. That's rare but possible. In that case, you'd need to buy a new one from the CA and re-issue it to the DC.