Solved

Event id 27 (Kerberos) errors in mixed (Win2003/Win2008R2) AD

Posted on 2010-09-23
Last Modified: 2012-05-10
We have implemented a Win2008R2 DC in our Win2003 environment.
Now we are getting lots of these Event ID 27 errors from Win7 clients.
"While processing a TGS request for the target server krbtgt/WWW.YYY.ZZZ, the account XXXX did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 18.  The accounts available etypes were 23  -133  -128  3  1."

I understand that it's an encryption problem but don't know what's the best solution to cure this.
1. Hotfix for Win2008R2 like here:
http://support.microsoft.com/kb/978055
or
2. Set a GPO for Win2008/Win7 computers, like here:
http://support.microsoft.com/kb/977321

Some suggest that I would need to reset computer?/user? accounts as well:
http://social.technet.microsoft.com/Forums/en/winserversecurity/thread/ecf15eb9-26cf-483b-b1e3-1b1c7e4901e8

I would be grateful for any advice.
Our mixed environment will stay like this for maybe a year onwards, but Win7 clients will be coming into our environment increasingly over the following winter.
Question by:einari
Assisted Solution

by:Rich Weissler
Rich Weissler earned 250 total points
ID: 33743610
I was just researching this in my environment last week, and determined it's almost entirely a cosmetic error on the 2003 servers.  (Confirming, you see the messages on the 2003 domain controllers... and it's basically caused by 2008 offering tickets the 2003 servers aren't prepared to honor.  Give me a few minutes, and I'll see if I can find the article which led me to believe I can safely ignore it until I can replace the 2003 DCs.)

Accepted Solution

by:Rich Weissler
Rich Weissler earned 250 total points
ID: 33744012
This was the expert-exchange entry which led me to believe this will go away when I upgrade the DCs (which I can't yet...)

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_24906105.html

Of course, if the errors referenced an etype other than 18 as missing, I'll start worrying more.

http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/29f55875-f3ee-476c-9d74-94f1b74edb31
"The error that is being logged on the Windows 2003 domain controller can safely be ignored as it is by design. The domain controller is just informing the client what Etypes it supports. Vista clients are then falling back to the supported types."
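The check described in this answer (only worry when something other than etype 18 is missing), as an added Python example that is not part of the original posts: it parses the Event ID 27 message text, decodes the etype numbers, and separates the AES-fallback case from events that need review. The function names, the sample account and realm, and the extension of the benign case to etype 17 (AES128) are assumptions of this example.

```python
import re

# IANA Kerberos etype numbers; negative values are Microsoft-private etypes.
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
AES = {17, 18}
RC4_HMAC = 23

EVENT_RE = re.compile(
    r"target server (?P<target>\S+?), the account (?P<account>\S+) did not have"
    r".*?requested etypes were (?P<req>[-\d\s]+?)\.\s+"
    r"The accounts available etypes were (?P<avail>[-\d\s]+?)\.", re.S)

# Constructed sample, modelled on the message quoted in the question.
SAMPLE = ("While processing a TGS request for the target server "
          "krbtgt/EXAMPLE.LOCAL, the account PC01$ did not have a suitable key "
          "for generating a Kerberos ticket (the missing key has an ID of 8). "
          "The requested etypes were 18.  The accounts available etypes were "
          "23  -133  -128  3  1.")

def etype_name(n):
    if n in ETYPES:
        return ETYPES[n]
    return "microsoft-private" if n < 0 else "unknown"

def parse_event27(message):
    """Return target, account and both etype lists, or None if no match."""
    m = EVENT_RE.search(message)
    if m is None:
        return None
    return {"target": m["target"], "account": m["account"],
            "requested": [int(x) for x in m["req"].split()],
            "available": [int(x) for x in m["avail"].split()]}

def triage(message):
    """Classify one event: 'expected-aes-fallback', 'review' or 'unparsed'."""
    ev = parse_event27(message)
    if ev is None:
        return "unparsed"
    req, avail = set(ev["requested"]), set(ev["available"])
    # Benign pattern from the thread: client asked only for AES, the account
    # has no AES key but does hold RC4-HMAC, so the client can fall back.
    if req and req <= AES and not (avail & AES) and RC4_HMAC in avail:
        return "expected-aes-fallback"
    return "review"

if __name__ == "__main__":
    ev = parse_event27(SAMPLE)
    print(triage(SAMPLE), [etype_name(n) for n in ev["available"]])
```

Feed it the message text of each Event ID 27 exported from the domain controllers; anything returned as "review" or "unparsed" is worth reading by hand.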

Author Comment

by:einari
ID: 33776039
Okay.
I put this question in another forum and got the advice that solution #2 would be advisable.
I guess this happens when you get a second opinion.

But I think we can live with these cosmetic errors.
I'm just puzzled why Msoft couldn't fix this when they know that there must be numerous cases of these mixed environments.
At least the events could be warnings instead of errors.

Author Closing Comment

by:einari
ID: 33776043
Can live with this cosmetic problem.
