Looking for some advice. We recently upgraded our Domain Controllers to Windows Server 2008 R2 and are running in the Windows Server 2008 R2 functional levels. However;
we still have XP client machines.

I started noticing a large number of the following audit failures:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 4/27/2010 10:29:28 AM
Event ID: 4769
Task Category: Kerberos Service Ticket Operations
Level: Information
Keywords: Audit Failure
User: N/A
Computer:
Description:
A Kerberos service ticket was requested.
Account Information:
Account Name:
Account Domain:
Logon GUID: {00000000-0000-0000-0000-000000000000}
Service Information:
Service Name:
Service ID: NULL SID
Network Information:
Client Address: 172.16.21.44
Client Port: 1650
Additional Information:
Ticket Options: 0x40800000
Ticket Encryption Type: 0xffffffff
Failure Code: 0xe
Transited Services: -

Doing some research I found that this is the KDC granting tickets through Kerberos. It would seem that everyone is getting their tickets with no problems however it appears that
the Failure Code: 0xe is related to KDC has no support for encryption type.
What can I do to fix this? From what I understand encryption really changed for Kerberos in Windows Server 2008 R2. Also if this is not a issue how can I suppress these
events so they will no longer fill up the event log.
Any help would be greatly appreciated.


Thank you

Need to support users over the internet? click here try our remote control online beta

Also...
I am not sure if this makes any difference but we have a High Security GPO for all of our Windows XP clients that has the following setting:

Network Security: LDAP client signing requiremnets Require Signing
Domain controller: LDP server signing requirements Require Signing
However these settings are NOT on the defualt DC policy.
I imagine this means that this sitting is ingorned but thought it may be related.

Thank you

Need to support users over the internet? click here try our remote control online beta

I found out how to surpress the auditing of the failure events. I used the following command on both of my DCs:

auditpol /set /category:"Account Logon" /subcategory:"Kerberos Service Ticket Operations" /failure:disable

However I am still not sure why these failures were showing up.

There is an amazing pack of free network admin tools. click here to download it

Hi,
This error 4768 is normal if you have new DC and old client systems. If no other problem, we can safely ignore it.
The Failure Code 0xe means "KDC has no support for encryption type". This error was caused by Kerberos Enhancements in Windows Server 2008. The base Kerberos protocol in Windows Server 2008 supports AES for encryption of ticket-granting tickets (TGTs),
service tickets, and session keys.
But old systems don't support this new encryption type. So the first try failed and you can find a Success 4768 after this failure.
For more information about Kerberos Enhancements, please refer to the following article.


http://technet.microsoft.com/en-us/library/cc749438.aspx

Thanks.This posting is provided "AS IS" with no warranties, and confers no rights.

There is an amazing pack of free network admin tools. click here to download it

What do we do if this is causing us issues?
We have Mac and Linux Machines that are loosing their AD connection after a little while. I believe this is because of Kerberos Authentication issues. We are seeing the above Event on our 2008 R2 DC's for our linux / Mac computers.
How can we fix this?

There is an amazing pack of free network admin tools. click here to download it