?
Solved

Event id 27 (Kerberos) errors in mixed (Win2003/Win2008R2) AD

Posted on 2010-09-23
4
Medium Priority
?
1,657 Views
Last Modified: 2012-05-10
We have implemented a Win2008R2 DC in our Win2003 environment.
Now we are getting lots of these Event iD 27 errors from Win7 clients.
"While processing a TGS request for the target server krbtgt/WWW.YYY.ZZZ, the account XXXX did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 18.  The accounts available etypes were 23  -133  -128  3  1."

I understand that it's an encryption problem but don't know what's the best solution to cure this.
1. Hotfix for Win2008R2 like here:
http://support.microsoft.com/kb/978055
or
2. Set a GPO for Win2008/Win7 computers, like here:
http://support.microsoft.com/kb/977321

Some suggest that I would need to reset computer?/user? accounts as well:
http://social.technet.microsoft.com/Forums/en/winserversecurity/thread/ecf15eb9-26cf-483b-b1e3-1b1c7e4901e8

I would be grateful for any advice.
Our mixed environment will stay like this maybe a year onwards but Win7 clients coming in our environment increasingly the following winter.
0
Comment
Question by:einari
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 30

Assisted Solution

by:Rich Weissler
Rich Weissler earned 1000 total points
ID: 33743610
I was just researching this in my environment last week, and determined it's almost entirely a cosmetic error on the 2003 servers.  (Confirming, you see the messages on the 2003 domain controllers... and it's basically caused by 2008 offering tickets the 2003 servers aren't prepared to honor.  Give me a few minutes, and I'll see if I can find the article which led me to believe I can safely ignore it until I can replace the 2003 DCs.)
0
 
LVL 30

Accepted Solution

by:
Rich Weissler earned 1000 total points
ID: 33744012
This was the expert-exchange entry which led me to believe this will go away when I upgrade the DCs (which I can't yet...)

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_24906105.html

Of course, if the errors referenced an etype other than 18 as missing, I'll start worrying more.

http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/29f55875-f3ee-476c-9d74-94f1b74edb31
"The error that is being logged on the Windows 2003 domain controller can safely be ignored as it is by design. The domain controller is just informing the client what Etypes it supports. Vista clients are then falling back to the supported types."
0
 

Author Comment

by:einari
ID: 33776039
Okay.
I put this question in another forum and got the advice solution #2 would be advisable.
I guess this happens when you get a second opinion.

But I think we can live with these cosmetic errors.
I'm just puzzled why Msoft couldn't fix this when they know that there must be numerous cases of these mixed environment.
At least the events could be warnings instead of errors.
0
 

Author Closing Comment

by:einari
ID: 33776043
Can live with this cosmetic problem.
0

Featured Post

Want to be a Web Developer? Get Certified Today!

Enroll in the Certified Web Development Professional course package to learn HTML, Javascript, and PHP. Build a solid foundation to work toward your dream job!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A hard and fast method for reducing Active Directory Administrators members.
Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
Suggested Courses
Course of the Month14 days, 23 hours left to enroll

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question