Event ID:27 Source: KDC Type: Error
We are using Windows 2003 Std server SP2, it is our DC. In Event Viewer under system Ifound the following Error,Event ID: 27Source: KDCWhile processing a TGS request for the target server krbtgt/domain, the account username @Domain did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 18. The accounts available etypes were 23 -133 -128 3 1.Anyone help me to solve this error and want to know why this error occuring. Sree
October 3rd, 2008 12:54am

Hi, Kerberos allows certain encryption types that can be used to encrypt Kerberos tickets. If other encryption types do not support the default encryption types, this error may occur. You can configure an available encryption type to solve this issue: Kerberos supports several encryption types that are used to encrypt the tickets. If you are using a non-Microsoft Kerberos client to request a ticket from a Windows-based Kerberos server, the Kerberos client must support the same encryption type. Use the event log message to determine the available encryption type and configure the Kerberos client accordingly. After determining what application or services do not support the default encryption types, we can configure an available encryption type to solve this issue. For example, some mail servers may cause this event to be logged, because they use AES encryption method to request tickets, while windows server does not support AES for ticket request. In addition, to verify that the Kerberos client is configured with an available encryption type, you should ensure that a Kerberos ticket was received from the Key Distribution Center (KDC) and cached on the local computer. You can view cached Kerberos tickets on the local computer by using the Klist.exe command-line tool. Note: Klist.exe is not included with Windows Vista, Windows Server 2003, Windows XP, or Windows 2000. You must download and install the Windows Server Resource Kit before you can use Klist.exe. To view cached Kerberos tickets by using Klist: 1. Log on to a Kerberos client computer within your domain. 2. Click Start, point to All Programs, click Accessories, and then click Command Prompt. 3. Type klist tickets, and then press ENTER. 4. Verify that a cached Kerberos ticket is available. 5. Ensure that the Client field displays the client on which you are running Klist. 6. Ensure that the Server field displays the domain in which you are connecting. 7. Close the command prompt.
Free Windows Admin Tool Kit Click here and download it now
October 3rd, 2008 11:52am

hi, i receive regular this kind of error messages, if I log on i can see the tickets, should i worry about this, that is the solution for this error ? thanksaurimas
March 4th, 2010 2:06pm

This does not seem to be a solution just how to gather info. What do I do with this info once I have it?
Free Windows Admin Tool Kit Click here and download it now
April 23rd, 2010 8:48pm

As what Matt said, what do we do with the info if there is or what do we do if there is none?
May 17th, 2010 10:31pm

Same thing. How to resolve this issue?
Free Windows Admin Tool Kit Click here and download it now
December 28th, 2010 7:50am

same here. I have both Windows 2003 and 2008 domain controller in my domain. I start receiving this from my Windows 2003 AD log. It complains all windows 2008 computer account and my domain admin account. Any one has solution. I did find this hotfix, http://support.microsoft.com/kb/978055 but it seems only apply to x64 bit Windows server 2008 AD Prerequisites The following list contains prerequisites for the hotfix: You must have Windows Server 2008 R2 installed. You must have the Active Directory Domain Service role service installed My Win 2008 domain controller is 32bit.
December 29th, 2010 9:22am

Have the same Problem. Did the Hotfix solve the Problem?
Free Windows Admin Tool Kit Click here and download it now
May 5th, 2011 8:03am

Why is the moderator saying that this thread has been answered. " Marked As Answer byMorgan Che [MSFT]<abbr class="affil">Moderator</abbr>Tuesday, October 07, 2008 10:01 AM". This is not even close to being answered. Same issue here.
June 9th, 2011 9:29am

I have same issue with SBS 2008 being PDC + a serv2003 being BDC; this issue happens on my BDC. 'klist tickets' shows 4 entries; the BDC is listed twice, and the domain is listed twice. After searching around seems that older server 2003 doesn't support AES in Kerberos and hence alerts, some suggests ignoring if authentication still works but I don't like these red flags in event log. So I've found that perhaps KB978055 could do the trick .. or get rid of the old 2003 DC so domain will use better AES encryption. I've actually found that if my SBS2008 PDC is down there are issues with domain lookups, so I'm most likely going to make a Win2008 R2 BDC and get rid of the old. But I have to agreed that this isn't completely answered as in the word 'resolved'.Yours Truly Online, Uli the Maui Tech Guru Helping people with computers in Maui Hawaii.
Free Windows Admin Tool Kit Click here and download it now
June 16th, 2011 2:51pm

I'm also having this problem with new 2008 R2 domain controllers introduced into a 2003 domain. It seems odd that I need to install a hotfix on the 2008 boxes to clear up errors on the 2003 servers. Can anyone confirm whether or not that is the correct fix? Also, can anyone comment on what kind of errors might be seen on the client side? We are having extremely random failures with "network name not found" when connecting to shares. Might this be related?
July 6th, 2011 2:05pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics