Multiple "Credentials" and other problems

  • Question

  • Let me try to go through the history a bit and perhaps someone can answer this question.

    One day we restarted our domain controller and suddenly, nothing would authenticate. We couldn't even log in to the domain controller. The second DC was accessible and we were getting massive Kerberos errors.

    I resolved it by going into directory services mode, stopping the KDC, restarting, then resetting the password for the administrator (don't remember the exact command) and then restarting the KDC and a couple other restarts later, the domain was back up and running.

    Now, here is the problem. Ever since that day all the Windows 7 computers (including those newly built) and newly built 2008 servers all complain with this message upon login:

    Windows requires your current credentials. Please lock the computer and unlock it with the most recent password... etc

    I have tried several things here looking all over but none of the proposed solutions are working.

    Today I decided to change my own password to find out if perhaps it needs to be re-created, and when I attempted that it complained, saying: "The encryption type requested is not supported by the KDC"

    So, I don't know if these are two separate issues but it's really killing me. Does anyone have any suggestions for me?

    Thursday, April 19, 2012 2:41 PM

Answers

  • Aiden, I already did that weeks ago, that didn't fix it.

    But I can tell you all what did fix it!

    If you remember in my first post I mentioned a month ago that I was having problems with the domain and it hasn't been the same since.

    While I was debugging the issue during the 6-hour outage I was throwing stuff against the wall and seeing what would stick. During that time I went into the Local Security Policies -> Local Policies -> Security Options and found: Network security: Configure encryption types allowed for Kerberos

    On the AD Server (and several other servers) I checked the first three (the two DES and the RC4) but not the rest. On the other machines I chose all of the encryption types. I had forgotten I had done this, it was a very stressful day.

    Monday of this week I was on a tech support call (which was ultimately 6:45 long) and at the end I remembered I had done this. The reason I was on support is because my Exchange servers were failing and it was due to the KDC error mentioned above.

    After removing the setting on the Local Security Policies for all servers, everything started working and all Windows 7 computers have also stopped bugging me.

    I am completely back to normal now after a week.

    • Marked as answer by CMAOhio480 Thursday, April 26, 2012 6:08 PM
    Thursday, April 26, 2012 6:08 PM
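
A check for the setting described in the answer above, as an added example that is not part of the original thread: it decodes the `SupportedEncryptionTypes` registry value that backs the "Network security: Configure encryption types allowed for Kerberos" policy and flags a mask that leaves AES out. The function name is hypothetical, the first two masks are constructed samples (0x7 is the two DES boxes plus RC4), and PowerShell 3.0 or later is assumed.

```powershell
# Added example, not from the thread. Get-KerberosEtypeReport is a hypothetical name.
# Registry value written by the policy; it is absent when the policy is "Not Defined".
$KerbKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'

# One bit per checkbox in the policy dialog.
$EtypeBits = [ordered]@{
    'DES_CBC_CRC'             = 0x1
    'DES_CBC_MD5'             = 0x2
    'RC4_HMAC_MD5'            = 0x4
    'AES128_HMAC_SHA1'        = 0x8
    'AES256_HMAC_SHA1'        = 0x10
    'Future encryption types' = 0x7FFFFFE0
}

function Get-KerberosEtypeReport {
    param([string]$Source, $Mask)   # $Mask is $null when the policy is not defined
    if ($null -eq $Mask) {
        return [pscustomobject]@{
            Source = $Source; Mask = 'not set'; Enabled = 'OS defaults'
            Finding = 'Policy not defined'
        }
    }
    # Collect the name of every encryption type whose bit is set in the mask.
    $enabled = foreach ($name in $EtypeBits.Keys) {
        if ($Mask -band $EtypeBits[$name]) { $name }
    }
    if (-not ($Mask -band 0x18)) {
        $finding = 'AES128/AES256 not allowed (the server setting described in the answer)'
    } elseif ($Mask -band 0x3) {
        $finding = 'AES allowed, but DES is also enabled'
    } else {
        $finding = 'AES allowed, DES off'
    }
    [pscustomobject]@{
        Source = $Source; Mask = ('0x{0:X}' -f $Mask)
        Enabled = ($enabled -join ', '); Finding = $finding
    }
}

# Value on the machine running the script ($null if the policy was never set).
$local = (Get-ItemProperty -Path $KerbKey -Name SupportedEncryptionTypes `
          -ErrorAction SilentlyContinue).SupportedEncryptionTypes
@(
    Get-KerberosEtypeReport -Source 'constructed: two DES + RC4' -Mask 0x7
    Get-KerberosEtypeReport -Source 'constructed: all boxes'     -Mask 0x7FFFFFFF
    Get-KerberosEtypeReport -Source $env:COMPUTERNAME            -Mask $local
) | Format-List
```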

All replies

  • Hello,

    Start with that: http://social.technet.microsoft.com/Forums/en/winserverDS/thread/a0f9bf4d-8c00-4caf-a72a-3a6796f7009f



    • Proposed as answer by Meinolf Weber Thursday, April 19, 2012 5:20 PM
    Thursday, April 19, 2012 2:58 PM
    • Proposed as answer by Meinolf Weber Thursday, April 19, 2012 5:19 PM
    Thursday, April 19, 2012 3:04 PM
  • I'll have to read these more closely. I didn't see a lot that pertained to me but perhaps I missed it. I will get back.
    Thursday, April 19, 2012 5:43 PM
  • DES Encryption is not turned on for any user in my domain. I have already checked that.
    Thursday, April 19, 2012 5:43 PM
  • I forgot to mention that I am running at Domain Functional Level 2008 R2.
    Thursday, April 19, 2012 5:44 PM
  • The first URL for you Awinish, the "Always wait for the network at computer startup" I did that already and it hasn't fixed it.

    For the Second URL entitled: "Windows Configurations for Kerberos Supported Encryption Type" the first thing, all those DES and AES values are turned off on my user. The second thing I haven't done. The third thing with the group policy, mine was set to accept all of them. 

    I tried turning off the GPO setting (unchecking all the options in the GPO) and that didn't help my problem.

    Thursday, April 19, 2012 5:50 PM
  • I may have fixed the problem myself by removing the computer from the domain and re-adding it.

    This doesn't completely explain why other computers on their first login get the credentials message. As far as I can tell, they don't get the credentials message after the first login.

    • Marked as answer by CMAOhio480 Thursday, April 19, 2012 7:16 PM
    • Unmarked as answer by CMAOhio480 Friday, April 20, 2012 12:26 PM
    Thursday, April 19, 2012 7:16 PM
  • Well, I spoke too soon. Right after removing and then adding the computer back to the domain, I didn't get the credentials request and I could change my password.

    This morning (after having logged out but leaving the computer on all night) everything is back and I cannot change my password again.

    Friday, April 20, 2012 12:30 PM
  • Have all your systems been updated with the latest SP and patches? With Windows 2008 R2/Win 7 SP1 almost 800 fixes have been released. I would aim to update the systems with the latest SP and patches; it will not guarantee to resolve all the issues but will surely rule out issues due to incompatibility and others.


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com


    Friday, April 20, 2012 3:17 PM
  • Yes, my system is kept up to date as soon as patches come out and the Server was just updated when I had the problem I describe in the first post. All are up to date.
    Friday, April 20, 2012 4:26 PM
  • Hello,

    As you were talking about rejoining helping, how are the machines created? From an image that is NOT prepared with sysprep?

    If you agree that we check the domain/DCs please upload the following files:

    ipconfig /all >c:\ipconfig.txt [from each DC/DNS Server]
    dcdiag /v /c /d /e /s:dcname >c:\dcdiag.txt
    repadmin /showrepl dc* /verbose /all /intersite >c:\repl.txt  ["dc*" is a placeholder for the starting name of the DCs if they all begin the same (if more than one DC exists)]
    dnslint /ad /s "DCipaddress" (http://support.microsoft.com/kb/321045)

    As the output will become large, DON'T post them into the thread, please use Windows Sky Drive (skydrive.live.com) [with open access!] and add the link from it here. Also the /e in dcdiag scans the complete forest, so better run it on COB.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/


    Saturday, April 21, 2012 1:43 PM
  • Have you checked the client PC for any error or warning message in the system log? Check the same; you may get evidence to troubleshoot further. Also check the health of the DC as well and post the log.

    Also have a look at this KB too.
    http://support.microsoft.com/kb/978055


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator


    Sunday, April 22, 2012 3:26 PM
  • Well, today I logged in and didn't get the credentials problem and could change my password! I have done NOTHING to change any setting. Except one thing... on the servers, I am having a separate issue of the Exchange Servers not finding the DC's and it was suggested to disable Chimney Offloading. That is the only change I have made on my network. I fully expect tomorrow I will have the credentials problem again.

    Nonetheless, the computer I'm currently debugging was not sysprepped. It was my computer I built from scratch with a fresh Windows 7 install. SP2

    I will attach the files as soon as I can figure out how.

    Monday, April 23, 2012 2:12 PM
  • Okay, files for DC 1 (infrastructure master, etc)

    Files for DC 2

    Monday, April 23, 2012 2:32 PM
  • I have looked in the system log, there are no errors that indicate anything is wrong.

    The KB you listed, Sandesh, is not the issue. The domain is all Windows 2008 R2 at a 2008 functional level. Nobody is using DES encryption as their login method under the user account settings and everything was working perfectly fine until I had the server outage a few weeks back. Also, I can still log in just fine. I get the encryption error message when trying to change my password and I know it's going to happen when I get prompted to have to lock and unlock the computer to enter in the updated credentials.

    Monday, April 23, 2012 2:35 PM
  • Hello,

    I cannot see anything serious as an error in the output files for DC1 and DC2. I assume DC3 is the same and also uses similar IP settings?

    What about the cloning question, do the problems exist with the freshly installed machine?


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/


    Monday, April 23, 2012 5:27 PM
  • DC3 is a read only DC at another site so I didn't include that.

    While this machine is not sysprepped (an installed-from-scratch machine), the others are products of a sysprep operation. I use an unattend.xml file and do sysprep the machines OOBE, etc.

    While I have not had time to extensively test the other machines, it seems to me I get the credentials complaint the first time after rebooting after adding it to the domain. It is as if the group policies fail to apply. Then after a second reboot later, I don't recall having the error but that is where I haven't done extensive testing. We are preparing a roll-out of Windows 7 throughout our company and I want to solve this problem before I actually roll them out.

    Monday, April 23, 2012 7:11 PM
  • Hi,

    Please try to enable the following domain group policy:

    Computer configuration\Administrator templates\System\Logon

    Select the “Always wait for the network at computer startup and logon” value. Set this to On.

    Then, disjoin the machine from domain and rejoin to the domain, to see if the issue still persists.


    Best Regards,

    Aiden


    Aiden Cao

    TechNet Community Support

    Wednesday, April 25, 2012 5:29 AM