Event ID 27 Source KDC

Hi there

We have 2 DCs, one running 2008 and the other 2003

We keep getting these event ID 27 errors on DC2 every day

All I can establish is the machines and users in question are the ones using Vista or Windows 7

Any ideas how I can sort this?


Event Type:      Error
Event Source:      KDC
Event Category:      None
Event ID:      27
Date:            16/11/2009
Time:            15:31:33
User:            N/A
Computer:      DC2
Description:
While processing a TGS request for the target server krbtgt/mydomain.SCHOOL, the account myuser.STAFF@mydomain.SCHOOL did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 18.  The accounts available etypes were 23  -133  -128  3  1.


Description:
While processing a TGS request for the target server krbtgt/ mydomain.SCHOOL, the account LAPTOP$@mydomain.SCHOOL did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 18.  The accounts available etypes were 23  -133  -128  3  1.
Asked by: David

David (Author) commented:
Yes, I have read that before, but it doesn't really provide a solution of what to do if the certificates are there, which I think in my case they are.
Awinish commented:
Reason:

The Windows Server 2008 member server is sending a TGS request using the encryption type of 18 (AES). Windows Server 2003 does not support this encryption type for Kerberos.

Resolution

The Event ID 27 error that is being logged on the Windows Server 2003 domain controller can safely be ignored as it is by design. The domain controller is just informing the client what encryption types it supports. The Windows Server 2008 servers are then falling back to one of the supported encryption types.
It is possible to modify the default encryption type that Windows Server 2008 uses. This will prevent the error from being logged on the Windows Server 2003 domain controller. You will have to add the following registry value to the Windows Server 2008 servers.

HKLM\System\CurrentControlSet\Control\LSA\Kerberos\Parameters
Value Name: DefaultEncryptionType
Value Type: Reg_DWORD
Value Data: 0x17(23)

David (Author) commented:
OK, thanks.

So in effect, if we were to upgrade the 2nd DC to 2008 then the error would not show up at all?
Awinish commented:

Yes, I think it should not occur, as per the reason given by them.

The details:

Error messages:
--------------------------

Source: KDC
Event-ID: 27
Type: Error
While processing a TGS request for the target server krbtgt/WEISHAUPT.INT, the account WMAILDBB$@WEISHAUPT.INT did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 18. The accounts available etypes were 23 -133 -128 3 1.

Assessment
---------------------------
The problem is that the client is sending a TGS request using the Etype of 18 (AES). Windows 2003 does not support this etype for Kerberos where 2008 does. The error that is being logged on the domain controller can safely be ignored as it is by design. The domain controller is just informing the client what etypes it does support. The 2008 servers are then falling back to one of the supported types. I did find out that there is a way to modify the default etype that Windows 2008 uses. This will prevent the error from being logged on the domain controller. You will have to add the following registry value to the Windows 2008 servers. No reboot is required for this change to take effect. Let me know if you have any additional questions or concerns.

Navigate to HKLM\System\CurrentControlSet\Control\LSA\Kerberos\Parameters

Add the following registry value.

Value Name = DefaultEncryptionType
Type = Reg_DWORD
Value Data = 0x17(23)
VKB: error: 27 source: KDC Windows server 2008
VKB: SRX080630601218

Windows OS Bugs 1488195

They say it's an OS bug.
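For triaging a batch of these events, the etype mismatch described in both answers above can be checked mechanically. This is an added example, not part of the original thread: the function names are hypothetical, the sample descriptions are the two quoted in the question, and the labels for the negative etype values are the Microsoft-private RC4 variants as understood here.

```python
import re

# Kerberos etype numbers seen in the thread's events, plus AES128 (17).
ETYPE_NAMES = {
    1: "DES-CBC-CRC", 3: "DES-CBC-MD5",
    17: "AES128-CTS-HMAC-SHA1-96", 18: "AES256-CTS-HMAC-SHA1-96",
    23: "RC4-HMAC",
    -128: "RC4-MD4 (Microsoft-private)", -133: "RC4-HMAC-OLD (Microsoft-private)",
}
AES, RC4_HMAC = {17, 18}, 23

EVENT_RE = re.compile(
    r"target server\s+(?P<target>.+?),\s+the account\s+(?P<account>\S+)\s+did not"
    r".*?requested etypes were\s+(?P<req>[-\d\s]+)\."
    r"\s+The accounts? available etypes were\s+(?P<avail>[-\d\s]+)"
)

def parse_event27(description):
    """Extract target, account and etype lists from a KDC event 27 description."""
    flat = " ".join(description.split())      # undo line wraps and double spaces
    m = EVENT_RE.search(flat)
    if m is None:
        return None
    return {
        "target": m["target"].replace(" ", ""),
        "account": m["account"],
        "requested": [int(n) for n in m["req"].split()],
        "available": [int(n) for n in m["avail"].split()],
    }

def classify(event):
    """Label the event: the AES-vs-2003 case from the thread, or something else."""
    req, avail = set(event["requested"]), set(event["available"])
    if req & avail:
        return "unexpected: a requested etype is available"
    if req <= AES and RC4_HMAC in avail:
        return "expected: AES requested, no AES key on account, RC4-HMAC fallback available"
    return "review: no AES match and no RC4-HMAC key to fall back to"

def etype_names(etypes):
    return [ETYPE_NAMES.get(e, f"unknown({e})") for e in etypes]

# The two event descriptions quoted in the question.
SAMPLES = [
    "While processing a TGS request for the target server krbtgt/mydomain.SCHOOL, the account myuser.STAFF@mydomain.SCHOOL did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 18.  The accounts available etypes were 23  -133  -128  3  1.",
    "While processing a TGS request for the target server krbtgt/ mydomain.SCHOOL, the account LAPTOP$@mydomain.SCHOOL did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 18.  The accounts available etypes were 23  -133  -128  3  1.",
]

if __name__ == "__main__":
    for ev in map(parse_event27, SAMPLES):
        print(ev["account"], etype_names(ev["requested"]), "->", classify(ev))
```

Events that land in the "expected" bucket match the fallback behaviour described in the answers; anything else is worth a closer look before it is dismissed along with them.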

David (Author) commented:
OK, problem ignored, and seems OK since.
jackbenson commented:
Hi

I know this is closed, but I was wondering if anyone knows if this error can cause SAM errors?