David
asked on
Event ID 27 Source KDC
Hi there
We have 2 DCs, one running 2008 and the other 2003
We keep getting these event ID 27 errors on DC2 everyday
All i can establish is the machines and users in question are the ones using VISTA or Windows 7
Any ideas how i can sort this?
Event Type: Error
Event Source: KDC
Event Category: None
Event ID: 27
Date: 16/11/2009
Time: 15:31:33
User: N/A
Computer: DC2
Description:
While processing a TGS request for the target server krbtgt/mydomain.SCHOOL, the account myuser.STAFF@mydomain.SCHO OL did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 18. The accounts available etypes were 23 -133 -128 3 1.
Description:
While processing a TGS request for the target server krbtgt/ mydomain.SCHOOL, the account LAPTOP$@mydomain.SCHOOL did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 18. The accounts available etypes were 23 -133 -128 3 1.
We have 2 DCs, one running 2008 and the other 2003
We keep getting these event ID 27 errors on DC2 everyday
All i can establish is the machines and users in question are the ones using VISTA or Windows 7
Any ideas how i can sort this?
Event Type: Error
Event Source: KDC
Event Category: None
Event ID: 27
Date: 16/11/2009
Time: 15:31:33
User: N/A
Computer: DC2
Description:
While processing a TGS request for the target server krbtgt/mydomain.SCHOOL, the account myuser.STAFF@mydomain.SCHO
Description:
While processing a TGS request for the target server krbtgt/ mydomain.SCHOOL, the account LAPTOP$@mydomain.SCHOOL did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 18. The accounts available etypes were 23 -133 -128 3 1.
ASKER
yes i have read that before, but it doesnt really provide a solution of what to do if the certificates are there, which i think in my case they are
Reason:
The Windows Server 2008 member server is sending a TGS request using the encryption
type of 18 (AES). Windows Server 2003 does not support this encryption type for
Kerberos.
Resolution
The Event ID 27 error that is being logged on the Windows Server 2003 domain
controller can safely be ignored as it is by design. The domain controller is just
informing the client what encryption types it supports. The Windows Server 2008
servers are then falling back to one of the supported encryption types.
It is possible to modify the default encryption type that Windows Server 2008 uses.
This will prevent the error from being logged on the Windows Server 2003 domain
controller. You will have to add the following registry value to the Windows Server
2008 servers.
HKLM\System\CurrentControl Set\Contro l\LSA\Kerb eros\Param eters
Value Name: DefaultEncryptionType
Value Type: Reg_DWORD
Value Data: 0x17(23)
The Windows Server 2008 member server is sending a TGS request using the encryption
type of 18 (AES). Windows Server 2003 does not support this encryption type for
Kerberos.
Resolution
The Event ID 27 error that is being logged on the Windows Server 2003 domain
controller can safely be ignored as it is by design. The domain controller is just
informing the client what encryption types it supports. The Windows Server 2008
servers are then falling back to one of the supported encryption types.
It is possible to modify the default encryption type that Windows Server 2008 uses.
This will prevent the error from being logged on the Windows Server 2003 domain
controller. You will have to add the following registry value to the Windows Server
2008 servers.
HKLM\System\CurrentControl
Value Name: DefaultEncryptionType
Value Type: Reg_DWORD
Value Data: 0x17(23)
ASKER
Ok thanks
So i affect if we were to upgrade the 2nd Dc to 2008 then the error would not show up at all?
So i affect if we were to upgrade the 2nd Dc to 2008 then the error would not show up at all?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
ok problem ignored, and seems ok since
hi
i know this is closed.. but i was wondering if anyone knows is this error can cause SAM erros?
i know this is closed.. but i was wondering if anyone knows is this error can cause SAM erros?
http://technet.microsoft.com/en-us/library/cc733974(WS.10).aspx