EventID 26 & 27 : KDC: suitable keys

    Question

  • I've inherited a test Active Directory setup with Server 2008, forest & domains are at Server 2003 functional level.  I've added a second domain controller running Server 2003 R2.  The 2003R2 server now reports errors from Vista clients like below.  A similar error (EventID 27) is also generated for TGS requests.  Windows XP clients do not generate the error and the 2008 Server reports no errors. 

    Event Type:    Error
    Event Source:    KDC
    Event Category:    None
    Event ID:    26
    Date:        11/11/2008
    Time:        7:33:29 AM
    User:        N/A
    Computer:    ADGREENTEST2
    Description:
    While processing an AS request for target service krbtgt, the account MITC0312$ did not  have a suitable key for generating a Kerberos ticket (the missing key has an ID of 2). The requested etypes were 18.  The accounts available etypes were 23  -133  -128  3  1  -140.

    I suspect Kerberos (from the Vista clients) is defaulting to some encryption type that Server 2003 does not understand.  What is happening and how do I fix it?

    Dr.Furrfu



    Tuesday, November 11, 2008 1:01 PM

Answers

  •   

    Hi,

    According to the following article, this error is caused by a difference in Encryption Type between the KDC and the Vista client.

    Event ID 26 — KDC Encryption Type Configuration

    http://technet.microsoft.com/en-us/library/cc734055.aspx

    The Kerberos authentication protocol is significantly improved in Windows Vista with the following features:

    1. AES support

    2. Improved security for Kerberos Key Distribution Centers (KDCs) located on branch office domain controllers

    Typically, when the parties are operating systems running Windows Vista or Windows Server 2008, the exchange will use AES. However, if one of the parties is an operating system running Windows 2000 Professional, Windows 2000 Server, Windows XP, or Windows Server 2003, the exchange will not use AES.

    For more detailed information, please refer to the following article.

    Kerberos Enhancements

    http://technet.microsoft.com/en-us/library/cc749438.aspx

    Based on your configuration (Vista client, Windows Server 2003 DC as KDC), the cause of KDC event 26/27 is that the client computer sends the service ticket request with an Etype which is not supported by the Windows 2003 DC but is supported by the Windows 2008 DC. The error that is being logged on the Windows 2003 domain controller can safely be ignored as it is by design. The domain controller is just informing the client what Etypes it supports. Vista clients are then falling back to the supported types.

    Thanks

    Wednesday, November 12, 2008 8:59 AM
    Moderator
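A small triage helper for these events, added here as an example and not part of the thread or of any Microsoft tooling: it parses the event 26/27 description quoted in the question, names the etype numbers, reports which etype the client can fall back to, and counts per account how often the logging KDC reports no AES key. The etype names come from the IANA Kerberos registry; the fallback preference order and the second sample event are assumptions made for this example.

```python
import re
from collections import Counter

# Kerberos etype numbers (RFC 3961 / IANA registry) that appear in KDC event 26/27 text.
# Negative numbers are private-use values (RFC 3961) that Windows uses for legacy types;
# their names differ between sources, so this example reports them by number only.
ETYPE_NAMES = {1: "DES-CBC-CRC", 3: "DES-CBC-MD5", 17: "AES128-CTS-HMAC-SHA1-96",
               18: "AES256-CTS-HMAC-SHA1-96", 23: "RC4-HMAC", 24: "RC4-HMAC-EXP"}
AES_ETYPES = {17, 18}
PREFERENCE = [18, 17, 23, 24, 3, 1]  # assumed fallback order, strongest first

_ACCT = re.compile(r"the account (\S+) did not\s+have a suitable key")
_REQ = re.compile(r"requested etypes were\s+([-\d\s]+?)\.", re.I)
_AVAIL = re.compile(r"available etypes were\s+([-\d\s]+?)\.", re.I)

def parse_kdc_event(description):
    """Pull account, requested etypes and account etypes out of an event 26/27 description."""
    acct, req, avail = (p.search(description) for p in (_ACCT, _REQ, _AVAIL))
    if not (acct and req and avail):
        raise ValueError("not a KDC event 26/27 'suitable key' description")
    ints = lambda s: [int(t) for t in s.split()]
    return {"account": acct.group(1), "requested": ints(req.group(1)),
            "available": ints(avail.group(1))}

def etype_name(n):
    return ETYPE_NAMES.get(n, f"private-use({n})")

def triage(description):
    """Classify one event: noise with a usable fallback, or an account with no common etype."""
    ev = parse_kdc_event(description)
    ev["missing"] = [etype_name(e) for e in ev["requested"] if e not in ev["available"]]
    common = [e for e in PREFERENCE if e in ev["available"]]
    ev["fallback"] = etype_name(common[0]) if common else None
    # AES was requested but this KDC holds no AES key for the account.
    ev["no_aes_key"] = bool(AES_ETYPES & set(ev["requested"])) and \
        not (AES_ETYPES & set(ev["available"]))
    ev["verdict"] = "fallback-available" if ev["fallback"] else "no-common-etype"
    return ev

def accounts_without_aes(descriptions):
    """Hits per account reported without an AES key: every account points at the KDC, a few at the accounts."""
    return Counter(t["account"] for t in map(triage, descriptions) if t["no_aes_key"])

# Constructed sample: the description quoted in the question plus one made-up event.
SAMPLE = [
    "While processing an AS request for target service krbtgt, the account MITC0312$ did not  have a suitable key for generating a Kerberos ticket (the missing key has an ID of 2). "
    "The requested etypes were 18.  The accounts available etypes were 23  -133  -128  3  1  -140.",
    "While processing a TGS request for target service cifs/fs1, the account FS1$ did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 2). "
    "The requested etypes were 18  17  23.  The accounts available etypes were 23  3  1.",
]
```

Run over exported Event Log text, a result where every account shows `no_aes_key` matches the answer above (the 2003 KDC itself has no AES), while only a handful of accounts points at those accounts' keys, as in the later reply in this thread.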

All replies

  • Recently I also ran into this problem. I also noticed that Vista can fall back to a mutually accepted encryption type (RC4_HMAC_NT). But the error messages in the DC log simply annoyed me. So I found a way to prevent their root cause by using a custom Group Policy Administrative Template. You can read about it here: Kerberos Encryption Type (etype) compatibility between different Windows Versions and download my ADMX template from here: Managing Kerberos Encryption Type (etype) in Windows — Custom Solution.

    Hope this helps someone.

    Sunday, June 14, 2009 11:30 AM
  • Pronichkin,
    I tried to access the links you mention above but they ask for login information to an ISA server. Can you provide some different links or another method of viewing this information?

    Thanks,
    Justin
    Tuesday, January 12, 2010 4:54 PM
  • Pronichkin, the links you have provided require a login.
    Wednesday, April 21, 2010 2:21 PM
  • In an effort to consolidate the great troubleshooting solutions offered in this thread, we have summarized the information contained here into a Technet Wiki article at the following location:

    Please feel free to provide feedback on the article at the Wiki site, or you can edit the article itself.

    Thanks,

    Davanand Bahall - MSFT

    Tuesday, March 22, 2011 11:31 PM
  • Ok,

    I understand the following KB:

    http://support.microsoft.com/kb/978055  -  2008 AD boxes coming up in an environment with 2003 ADs still active

    However, why do only a few accounts pop this error?  Wouldn't all accounts receive this error?  I just reset the password on my account on a 2003 box and no error was logged.  It seems to be only a small number.  Is the hotfix the only workaround?  Resetting the user's password on the 2008 box with a temp and requiring the user to change password on login does not help.

    **EDIT

    There are no VISTA boxes in our environment as suggested above.

    • Edited by Nexcompac Monday, April 02, 2012 5:43 PM
    Monday, April 02, 2012 5:42 PM