Kerberos Service Ticket Operations Audit Failure
Looking for some advice. We recently upgraded our Domain Controllers to Windows Server 2008 R2 and are running in the Windows Server 2008 R2 functional levels. However, we still have XP client machines.
I started noticing a large number of the following audit failures:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 4/27/2010 10:29:28 AM
Event ID: 4769
Task Category: Kerberos Service Ticket Operations
Level: Information
Keywords: Audit Failure
User: N/A
Computer:
Description:
A Kerberos service ticket was requested.
Account Information:
Account Name:
Account Domain:
Logon GUID: {00000000-0000-0000-0000-000000000000}
Service Information:
Service Name:
Service ID: NULL SID
Network Information:
Client Address: 172.16.21.44
Client Port: 1650
Additional Information:
Ticket Options: 0x40800000
Ticket Encryption Type: 0xffffffff
Failure Code: 0xe
Transited Services: -
Doing some research, I found that this is the KDC granting tickets through Kerberos. It would seem that everyone is getting their tickets with no problems; however, it appears that the Failure Code: 0xe is related to "KDC has no support for encryption type".
What can I do to fix this? From what I understand, encryption really changed for Kerberos in Windows Server 2008 R2. Also, if this is not an issue, how can I suppress these events so they will no longer fill up the event log?
Any help would be greatly appreciated.
Thank you
April 27th, 2010 6:06pm
Also...
I am not sure if this makes any difference, but we have a High Security GPO for all of our Windows XP clients that has the following settings:
Network Security: LDAP client signing requirements Require Signing
Domain controller: LDAP server signing requirements Require Signing
However, these settings are NOT on the default DC policy.
I imagine this means that this setting is ignored, but thought it may be related.
Thank you
April 27th, 2010 8:12pm
I found out how to suppress the auditing of the failure events. I used the following command on both of my DCs:
auditpol /set /category:"Account Logon" /subcategory:"Kerberos Service Ticket Operations" /failure:disable
However, I am still not sure why these failures were showing up.
April 27th, 2010 10:40pm
Hi,
This error 4768 is normal if you have new DC and old client systems. If no other problem, we can safely ignore it.
The Failure Code 0xe means "KDC has no support for encryption type". This error was caused by Kerberos Enhancements in Windows Server 2008. The base Kerberos protocol in Windows Server 2008 supports AES for encryption of ticket-granting tickets (TGTs), service tickets, and session keys.
But old systems don't support this new encryption type. So the first try failed and you can find a Success 4768 after this failure.
For more information about Kerberos Enhancements, please refer to the following article.
http://technet.microsoft.com/en-us/library/cc749438.aspx
Thanks.
This posting is provided "AS IS" with no warranties, and confers no rights.
April 29th, 2010 12:30pm
What do we do if this is causing us issues?
We have Mac and Linux machines that are losing their AD connection after a little while. I believe this is because of Kerberos authentication issues. We are seeing the above event on our 2008 R2 DCs for our Linux / Mac computers.
How can we fix this?
April 12th, 2011 2:19pm
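
Added example, not part of the thread: instead of disabling the failure audit outright, exported 4769 records can be triaged per client to separate the case described in the reply (a 0xe failure followed by a successful request from the same address) from clients that never obtain a ticket. The blank-line-separated export layout, the oldest-first ordering, the function names and every sample value are assumptions made for this example.

```python
import re

ETYPE_NOSUPP = 0xE      # Failure Code 0xe: "KDC has no support for encryption type"
NO_TICKET = 0xFFFFFFFF  # Ticket Encryption Type logged when no ticket was issued

# Constructed sample export, oldest record first; all values are made up.
SAMPLE = """\
Event ID: 4769
Client Address: 172.16.21.44
Ticket Encryption Type: 0xffffffff
Failure Code: 0xe

Event ID: 4769
Client Address: 172.16.21.44
Ticket Encryption Type: 0x17
Failure Code: 0x0

Event ID: 4769
Client Address: ::ffff:172.16.30.7
Ticket Encryption Type: 0xffffffff
Failure Code: 0xe

Event ID: 4769
Client Address: 172.16.21.50
Ticket Encryption Type: 0x17
Failure Code: 0x0
"""

FIELD = re.compile(r"^[ \t]*([^:\n]+):[ \t]*(.*)$", re.M)

def parse(text):
    """Yield one {field: value} dict per blank-line-separated record."""
    for block in re.split(r"\n\s*\n", text.strip()):
        yield {k.strip(): v.strip() for k, v in FIELD.findall(block)}

def triage(text):
    """Return {client: state} for clients that logged a 0xe failure."""
    state = {}
    for ev in parse(text):
        if ev.get("Event ID") != "4769":
            continue
        client = re.sub(r"^::ffff:", "", ev.get("Client Address", ""))
        code = int(ev.get("Failure Code") or "0x0", 16)
        etype = int(ev.get("Ticket Encryption Type") or "0x0", 16)
        if code == ETYPE_NOSUPP and etype == NO_TICKET:
            state[client] = "no ticket"      # failed, no success seen since
        elif code == 0 and client in state:
            state[client] = "fallback ok"    # a later request succeeded
    return state
```

Clients left in the "no ticket" state are the ones worth checking for an encryption type mismatch before the audit subcategory is silenced.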