KCD: NTAuth Store is Missing Root CA Certificate


Error D: NTAuth Store is Missing Root CA Certificate.

The same issue can also appear as a Build Chain error. It is observed in same-domain KCD configurations and can be found in the CAPI2 logs of the SEG Server. Information on gathering these logs can be found here.



For Kerberos configuration with the Secure Email Gateway, the customer's Active Directory needs to trust their Certificate Authority. If it does not, this error occurs. The error is also sometimes seen when one of the certificates in the certificate chain is missing.



1. Export the root and any intermediate certificates of the CA as .cer files and import them into the server certificate store on the SEG Server. The following file formats are supported:

  • DER encoded binary X.509 (.cer)
  • Base-64 encoded X.509 (.cer)

2. In the command prompt, type the following commands, and then press ENTER:

certutil -dspublish -f filename NTAuthCA

certutil -enterprise -addstore NTAuth CA_CertFilename.cer
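
To confirm the result of steps 1 and 2 on the SEG Server, the following PowerShell check compares the exported CA certificates against the server's local copy of the enterprise NTAuth store and tries to build a chain for each one. It is an added example, not part of the original article or of any vendor tooling; the folder C:\Temp\ca-certs is a hypothetical location for the .cer files from step 1.

```powershell
# Added example: check that the CA certificates exported in step 1 are visible
# in this server's enterprise NTAuth store and that each one builds a chain.
# Assumption: C:\Temp\ca-certs is a hypothetical folder holding the .cer files.
param([string]$CertFolder = 'C:\Temp\ca-certs')

# Local registry cache of the enterprise NTAuth store; one subkey per thumbprint.
$ntAuthKey = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates'
$published = @()
if (Test-Path $ntAuthKey) {
    $published = @(Get-ChildItem $ntAuthKey | ForEach-Object { $_.PSChildName.ToUpperInvariant() })
}

$results = @(foreach ($file in Get-ChildItem -Path $CertFolder -Filter *.cer) {
    # X509Certificate2 loads both DER and Base-64 encoded .cer files.
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file.FullName)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    # Revocation is skipped so the check isolates trust and chain-building problems.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        File        = $file.Name
        Subject     = $cert.Subject
        Thumbprint  = $cert.Thumbprint
        SelfSigned  = ($cert.Subject -eq $cert.Issuer)   # typically true for a root CA
        InNTAuth    = $published -contains $cert.Thumbprint.ToUpperInvariant()
        ChainBuilds = $chainOk
        ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
})

if ($results.Count -eq 0) {
    Write-Warning "No .cer files found in $CertFolder."
    exit 2
}

$results | Format-Table -AutoSize

# Any certificate absent from NTAuth or failing to chain needs steps 1-2 repeated.
$problems = @($results | Where-Object { -not $_.InNTAuth -or -not $_.ChainBuilds })
if ($problems.Count -gt 0) {
    Write-Warning ("{0} certificate(s) missing from NTAuth or failing chain build." -f $problems.Count)
    exit 1
}
Write-Output 'All exported CA certificates are in NTAuth and build a valid chain.'
```

A certificate published with -dspublish appears in this local cache only after the server refreshes it from Active Directory, for example after a Group Policy update.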

