Event ID 27 While processing a TGS request for the target server krbtg
Hey all,We have 2x W2K3 R2 DCs and 1x W2K8 R2 DC with majority of our clients running Windows 7. On about 20 computers we are getting While processing a TGS request for the target server krbtgt/BLAHBLAH.com, the accounSMCSTAFFNB43$@\BLAHBLAH.com did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 18. The accounts available etypes were 23 -133 -128 3 1.What would be causing this and what is the best way to resolve this? Should I try rejoining the computers to the domain?Regards,Mark
January 18th, 2010 12:08am
Hi Mark, The cause of the event is that the client requests a service ticket with a etype 18 (aes256-cts-hmac-sha1-96), which is not supported by Windows Server 2003 but supported by Windows Server 2008 R2. If the Kerberos authentication works properly, you can safely ignore the events. It just informs the clients what etypes it supports. For more information, please refer to the following articles: The security principals and the services that use only DES encryption for Kerberos authentication are incompatible with the default settings on a computer that is running Windows 7 or Windows Server 2008 R2 http://support.microsoft.com/kb/977321 Event ID 27 — KDC Encryption Type Configuration http://technet.microsoft.com/en-us/library/cc733974(WS.10).aspx Joson Zhou TechNet Subscriber Support in forum If you have any feedback on our support, please contact firstname.lastname@example.orgThis posting is provided "AS IS" with no warranties, and confers no rights.
January 18th, 2010 10:23am
Hi Mark,How's everything going? We have not heard back from you in a few days and wanted to check if you need any further assistance. If there is anything unclear, please do not hesitate to respond back.Thanks.This posting is provided "AS IS" with no warranties, and confers no rights.
January 22nd, 2010 4:48am
Hi, have the same issue. Should I uncheck aes256... and future encrption types and check the rest (4)?
January 25th, 2010 5:03pm
Hey All, I believe the issue may have been caused by post imaging process. I have rejoined the Windows 7 laptops to the domain after removing the old computer accounts from AD. All of our servers are running Windows 2003 R2 and Windows 2008 R2. So far we are having no logon issues yet. I will be checking the event logs again in a couple of days. Thanks. Mark
January 25th, 2010 11:19pm