KDC error Event ID 27
We are using Windows Server 2003 Std SP2; it is our DC. In Event Viewer under System I found the following error:
Event ID: 27
Source: KDC
While processing a TGS request for the target server krbtgt/domain, the account username @Domain did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 18. The accounts available etypes were 23 -133 -128 3 1.
November 10th, 2011 4:12am
The cause of the event is that the client requests a service ticket with an etype of 18 (aes256-cts-hmac-sha1-96), which is not supported by Windows Server 2003 but is supported by Windows Server 2008 R2. If the Kerberos authentication works properly, you can safely ignore the events. It just informs the clients what etypes it supports.
Regards
Milos
November 10th, 2011 4:45am
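To make the event text actionable, here is an added example (not from the thread or from Microsoft) that parses an Event ID 27 message and decodes the requested and available etype numbers, reporting whether any etype overlaps and which legacy types the account still carries. The names for the negative values follow Heimdal's etype table and are an assumption; the account and realm in the sample message are constructed.

```python
import re

# Kerberos encryption type numbers (RFC 3961, MS-KILE). The two negative values are
# Microsoft legacy RC4 variants; their names follow Heimdal's table (an assumption here).
ETYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
    24: "rc4-hmac-exp",
    -128: "rc4-md4 (legacy)",
    -133: "rc4-hmac-old (legacy)",
}
# DES and the export/legacy RC4 variants should not be relied on by any account today.
WEAK_ETYPES = {1, 3, 24, -128, -133}

# Matches the two etype lists in the KDC Event ID 27 message; the line break that the
# event viewer inserts before "etypes were" is tolerated by \s+.
EVENT27_RE = re.compile(
    r"requested etypes were ([-\d ]+)\.\s*The accounts? available\s+etypes were ([-\d ]+)\.",
    re.IGNORECASE,
)


def parse_event27(message):
    """Return (requested, available) etype number lists from an Event ID 27 message."""
    m = EVENT27_RE.search(message)
    if not m:
        raise ValueError("not a KDC Event ID 27 message")
    return [int(x) for x in m.group(1).split()], [int(x) for x in m.group(2).split()]


def diagnose(requested, available):
    """Explain whether the KDC could satisfy the request and which weak keys exist."""
    common = [e for e in requested if e in available]
    return {
        "requested": [ETYPE_NAMES.get(e, str(e)) for e in requested],
        "available": [ETYPE_NAMES.get(e, str(e)) for e in available],
        "satisfiable": bool(common),
        "common": common,
        "weak_in_use": sorted(e for e in available if e in WEAK_ETYPES),
    }


# Constructed sample modelled on the message quoted in the thread (names replaced).
SAMPLE = (
    "While processing a TGS request for the target server krbtgt/EXAMPLE, the account "
    "user@EXAMPLE did not have a suitable key for generating a Kerberos ticket "
    "(the missing key has an ID of 8). The requested etypes were 18. The accounts available\n"
    "etypes were 23 -133 -128 3 1."
)

if __name__ == "__main__":
    for key, value in diagnose(*parse_event27(SAMPLE)).items():
        print(f"{key}: {value}")
```

An empty `common` list is exactly the situation in the thread: the client asked only for AES256 and the 2003 KDC holds no AES key for the account, so the event is informational unless the request also fails at the client.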
Hi,
Kerberos allows certain encryption types that can be used to encrypt Kerberos tickets. If other encryption types do not support the default encryption types, this error may occur.
You can configure an available encryption type to solve this issue:
Kerberos supports several encryption types that are used to encrypt the tickets. If you are using a non-Microsoft Kerberos client to request a ticket from a Windows-based Kerberos server, the Kerberos client must support the same encryption type. Use the event log message to determine the available encryption type and configure the Kerberos client accordingly. After determining what application or services do not support the default encryption types, we can configure an available encryption type to solve this issue.
For example, some mail servers may cause this event to be logged, because they use the AES encryption method to request tickets, while Windows Server does not support AES for ticket requests.
In addition, to verify that the Kerberos client is configured with an available encryption type, you should ensure that a Kerberos ticket was received from the Key Distribution Center (KDC) and cached on the local computer. You can view cached Kerberos tickets on the local computer by using the Klist.exe command-line tool.
Note: Klist.exe is not included with Windows Vista, Windows Server 2003, Windows XP, or Windows 2000. You must download and install the Windows Server Resource Kit before you can use Klist.exe.
To view cached Kerberos tickets by using Klist:
1. Log on to a Kerberos client computer within your domain.
2. Click Start, point to All Programs, click Accessories, and then click Command Prompt.
3. Type klist tickets, and then press ENTER.
4. Verify that a cached Kerberos ticket is available.
5. Ensure that the Client field displays the client on which you are running Klist.
6. Ensure that the Server field displays the domain to which you are connecting.
7. Close the command prompt.
See this: http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/c7816f42-c109-4b8d-af65-fb6887492071
ashraf
November 10th, 2011 4:57am
Thanks Milos for the reply. We do have 2003 and 2008 R2 DCs; I remember this error started after installing the 2008 R2, but is there any fix with which we can stop these errors?
November 10th, 2011 6:03am
Enclosed you will find more on this problem. The klist function is the right tool to find the encryption type.
http://technet.microsoft.com/en-us/library/cc733974(WS.10).aspx
http://blogs.msdn.com/b/openspecification/archive/2011/05/31/windows-configurations-for-kerberos-supported-encryption-type.aspx
http://support.microsoft.com/kb/977321
http://msdn.microsoft.com/en-us/library/cc233855(v=prot.13).aspx
November 10th, 2011 10:08am
Hello,
Actually, those links are about viewing the klist type and extensions, and they won't solve the issue.
Does anyone know how to remove the Error ID 27?
Please help.
December 29th, 2011 10:50am