Kerberos ticket etypes (eventID 27 on 2003 DCs)

Our 2003 DCs are seeing these errors (not the 2008 DCs):
KDC EventID 27
While processing a TGS request for the target server krbtgt/DOMAIN.LOCAL, the account username@DOMAIN.LOCAL did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 18. The accounts available etypes were 23 -133 -128 3 1.

The cause is that the client asked for a ticket encrypted with an etype the 2003 KDC does not support (18, AES256-CTS-HMAC-SHA1-96), so the 2003 DC holds no matching key for the account and cannot issue the ticket. Once the client finds a 2008 DC, which does support AES, all is well.

The fix is to replace the 2003 DCs with 2008 DCs; this is purely a compatibility issue between AES-capable clients and the older KDCs.

Extended explanation:
The client is asking for a Kerberos ticket with which it will authenticate against domain resources. These tickets are encrypted with one of the encryption types (etypes) the KDC holds a key for. XP/2003 support only RC4 (etype 23) and DES (etypes 1 and 3), which is exactly the list in the event: 23 -133 -128 3 1 (the negative values are legacy Microsoft RC4 variants). Vista/Win7/2008/R2 added AES (etypes 17 and 18) and ask for it, here etype 18 only. Since a 2003 DC knows nothing about AES and holds no AES key for any account, you'll see these errors whenever a Win7/2008/R2 client requests a ticket from a 2003 DC.
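As an added example (not part of the original post), here is a small Python parser that pulls the requested and available etype lists out of the event 27 message text, names each etype, and tells you whether the KDC could have satisfied the request at all. The sample messages are constructed: the first is the event quoted above, the second is a made-up variant for a hypothetical file server fs01 whose client also offers RC4.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Kerberos encryption type (etype) numbers as they appear in Windows KDC
# events: RFC 3961/4120 values plus Microsoft's negative, private RC4 variants.
ETYPE_NAMES: Dict[int, str] = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
    24: "rc4-hmac-exp",
    -128: "rc4-md4",            # legacy Microsoft RC4 variants
    -133: "rc4-hmac-old",
    -135: "rc4-hmac-old-exp",
}
AES_ETYPES = {17, 18}

# Field patterns for the English event 27 message text.
_TARGET = re.compile(r"target server (\S+),")
_ACCOUNT = re.compile(r"the account (\S+) did not have")
_REQUESTED = re.compile(r"requested etypes were ([-\d ]+)")
_AVAILABLE = re.compile(r"available etypes were ([-\d ]+)")


@dataclass
class Event27:
    target: str
    account: str
    requested: List[int]
    available: List[int]

    def missing(self) -> List[int]:
        """Requested etypes the KDC has no key for (the cause of the event)."""
        return [e for e in self.requested if e not in self.available]

    def usable(self) -> List[int]:
        """Requested etypes this KDC could have served; empty means this DC
        cannot issue the ticket and the client has to fall back elsewhere."""
        return [e for e in self.requested if e in self.available]

    def is_aes_gap(self) -> bool:
        """The pattern from the post: client asks for AES, KDC holds only RC4/DES."""
        wants_aes = bool(set(self.requested) & AES_ETYPES)
        has_aes = bool(set(self.available) & AES_ETYPES)
        return wants_aes and not has_aes


def etype_name(etype: int) -> str:
    return ETYPE_NAMES.get(etype, f"unknown({etype})")


def parse_event27(message: str) -> Event27:
    fields = [p.search(message) for p in (_TARGET, _ACCOUNT, _REQUESTED, _AVAILABLE)]
    if not all(fields):
        raise ValueError("not a KDC event 27 message")
    target, account, requested, available = fields
    return Event27(
        target=target.group(1),
        account=account.group(1),
        requested=[int(x) for x in requested.group(1).split()],
        available=[int(x) for x in available.group(1).split()],
    )


def summarize(ev: Event27) -> str:
    def names(etypes: List[int]) -> str:
        return ", ".join(etype_name(e) for e in etypes) or "none"

    verdict = ("AES requested but KDC holds only RC4/DES keys"
               if ev.is_aes_gap() else "etype mismatch")
    fallback = ("client can still use " + names(ev.usable())
                if ev.usable() else "no common etype, client must try another DC")
    return f"{ev.account} -> {ev.target}: missing {names(ev.missing())}; {verdict}; {fallback}"


# Constructed sample messages: the first is the event text from the post, the
# second is a made-up variant (hypothetical host fs01) whose client also offers RC4.
SAMPLE_MESSAGES = [
    "While processing a TGS request for the target server krbtgt/DOMAIN.LOCAL, "
    "the account username@DOMAIN.LOCAL did not have a suitable key for generating "
    "a Kerberos ticket (the missing key has an ID of 8). The requested etypes "
    "were 18. The accounts available etypes were 23 -133 -128 3 1.",
    "While processing a TGS request for the target server cifs/fs01.DOMAIN.LOCAL, "
    "the account fs01$@DOMAIN.LOCAL did not have a suitable key for generating "
    "a Kerberos ticket (the missing key has an ID of 8). The requested etypes "
    "were 18 17 23. The accounts available etypes were 23 -133 -128 3 1.",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(summarize(parse_event27(msg)))
```

Run against a dump of the KDC events from a 2003 DC and the "no common etype" verdict is the one from the post: the only etype the client offered (18) is one the 2003 KDC has no key for, so the client has to get its ticket from a 2008 DC.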
