Event ID 27 While processing a TGS request for the target server krbtg

    Question

  • Hey all,

    We have 2x W2K3 R2 DCs and 1x W2K8 R2 DC, with the majority of our clients running Windows 7. On about 20 computers we are getting:

    While processing a TGS request for the target server krbtgt/BLAHBLAH.com, the account SMCSTAFFNB43$@\BLAHBLAH.com did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 18. The accounts available etypes were 23 -133 -128 3 1.

    What would be causing this and what is the best way to resolve this? Should I try rejoining the computers to the domain?

    Regards,

    Mark

    Sunday, January 17, 2010 9:08 PM

Answers

  • Hey All,

    I believe the issue may have been caused by the post-imaging process. I have rejoined the Windows 7 laptops to the domain after removing the old computer accounts from AD. All of our servers are running Windows 2003 R2 and Windows 2008 R2. So far we are having no logon issues yet.

    I will be checking the event logs again in a couple of days.

    Thanks.

    Mark
    Monday, January 25, 2010 8:19 PM

All replies

  • Hi Mark,

    The cause of the event is that the client requests a service ticket with an etype 18 (aes256-cts-hmac-sha1-96), which is not supported by Windows Server 2003 but is supported by Windows Server 2008 R2. If the Kerberos authentication works properly, you can safely ignore the events. It just informs the clients what etypes it supports.

    For more information, please refer to the following articles:

    The security principals and the services that use only DES encryption for Kerberos authentication are incompatible with the default settings on a computer that is running Windows 7 or Windows Server 2008 R2
    http://support.microsoft.com/kb/977321

    Event ID 27 — KDC Encryption Type Configuration
    http://technet.microsoft.com/en-us/library/cc733974(WS.10).aspx

    Joson Zhou

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com


    This posting is provided "AS IS" with no warranties, and confers no rights.
    • Proposed as answer by Meitzi Monday, March 07, 2011 10:22 AM
    Monday, January 18, 2010 7:23 AM
    Moderator
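
The etype mismatch described in the reply above, as an added example that is not part of the original thread: a Python parser for Event ID 27 message text in the wording quoted in the question, which names the etypes and lists accounts whose available keys include no AES type. The sample messages, host and realm names are constructed, and negative etype numbers are reported only as vendor-private values (an assumption of this example).

```python
import re

# Standard (IANA) Kerberos etype numbers that appear in this thread.
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5",
               17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
AES_ETYPES = {17, 18}

# Wording follows the event text quoted in the question (assumed stable).
EVENT27 = re.compile(
    r"target server (?P<target>\S+), the account\s*(?P<account>\S+) did not "
    r"have a suitable key.*?The requested etypes were (?P<requested>[-\d ]+)\. "
    r"The accounts available etypes were (?P<available>[-\d ]+)\.", re.S)

def name_etype(number):
    """Name a standard etype; negative numbers are vendor-private values."""
    if number in ETYPE_NAMES:
        return ETYPE_NAMES[number]
    return "vendor-private" if number < 0 else "unknown"

def parse_event27(message):
    """Return the parsed fields of one Event ID 27 message, or None."""
    m = EVENT27.search(message)
    if m is None:
        return None
    requested = [int(x) for x in m.group("requested").split()]
    available = [int(x) for x in m.group("available").split()]
    return {"target": m.group("target"), "account": m.group("account"),
            "requested": requested, "available": available,
            "missing": [e for e in requested if e not in available],
            "has_aes_key": bool(AES_ETYPES & set(available))}

def accounts_without_aes(messages):
    """Accounts whose available keys include no AES etype (RC4/DES only)."""
    parsed = filter(None, map(parse_event27, messages))
    return sorted({p["account"] for p in parsed if not p["has_aes_key"]})

# Constructed sample messages (placeholder names and values, not real logs).
_HEAD = "While processing a TGS request for the target server krbtgt/EXAMPLE.COM, "
_KEY = " did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). "
SAMPLE = [
    _HEAD + "the account WS01$@EXAMPLE.COM" + _KEY + "The requested etypes were 18. The accounts available etypes were 23 -133 -128 3 1.",
    _HEAD + "the account LEGACY01$@EXAMPLE.COM" + _KEY + "The requested etypes were 3 1. The accounts available etypes were 18 17 23 -133 -128.",
    "The Kerberos Key Distribution Center service started.",
]

if __name__ == "__main__":
    for event in filter(None, map(parse_event27, SAMPLE)):
        print(event["account"], "missing:", [name_etype(e) for e in event["missing"]])
    print("No AES keys:", accounts_without_aes(SAMPLE))
```
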
  • Hi Mark,

    How's everything going? We have not heard back from you in a few days and wanted to check if you need any further assistance. If there is anything unclear, please do not hesitate to respond back.

    Thanks.
    Friday, January 22, 2010 1:48 AM
    Moderator
  • Hi, have the same issue. Should I uncheck aes256... and future encryption types and check the rest (4)?
    Monday, January 25, 2010 2:03 PM