Solved

Event id 27 (Kerberos) errors in mixed (Win2003/Win2008R2) AD

Posted on 2010-09-23
4
1,653 Views
Last Modified: 2012-05-10
We have implemented a Win2008R2 DC in our Win2003 environment.
Now we are getting lots of these Event iD 27 errors from Win7 clients.
"While processing a TGS request for the target server krbtgt/WWW.YYY.ZZZ, the account XXXX did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 18.  The accounts available etypes were 23  -133  -128  3  1."

I understand that it's an encryption problem but don't know what's the best solution to cure this.
1. Hotfix for Win2008R2 like here:
http://support.microsoft.com/kb/978055
or
2. Set a GPO for Win2008/Win7 computers, like here:
http://support.microsoft.com/kb/977321

Some suggest that I would need to reset computer?/user? accounts as well:
http://social.technet.microsoft.com/Forums/en/winserversecurity/thread/ecf15eb9-26cf-483b-b1e3-1b1c7e4901e8

I would be grateful for any advice.
Our mixed environment will stay like this maybe a year onwards but Win7 clients coming in our environment increasingly the following winter.
0
Comment
Question by:einari
  • 2
  • 2
4 Comments
 
LVL 30

Assisted Solution

by:Rich Weissler
Rich Weissler earned 250 total points
ID: 33743610
I was just researching this in my environment last week, and determined it's almost entirely a cosmetic error on the 2003 servers.  (Confirming, you see the messages on the 2003 domain controllers... and it's basically caused by 2008 offering tickets the 2003 servers aren't prepared to honor.  Give me a few minutes, and I'll see if I can find the article which led me to believe I can safely ignore it until I can replace the 2003 DCs.)
0
 
LVL 30

Accepted Solution

by:
Rich Weissler earned 250 total points
ID: 33744012
This was the expert-exchange entry which led me to believe this will go away when I upgrade the DCs (which I can't yet...)

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_24906105.html

Of course, if the errors referenced an etype other than 18 as missing, I'll start worrying more.

http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/29f55875-f3ee-476c-9d74-94f1b74edb31
"The error that is being logged on the Windows 2003 domain controller can safely be ignored as it is by design. The domain controller is just informing the client what Etypes it supports. Vista clients are then falling back to the supported types."
0
 

Author Comment

by:einari
ID: 33776039
Okay.
I put this question in another forum and got the advice solution #2 would be advisable.
I guess this happens when you get a second opinion.

But I think we can live with these cosmetic errors.
I'm just puzzled why Msoft couldn't fix this when they know that there must be numerous cases of these mixed environment.
At least the events could be warnings instead of errors.
0
 

Author Closing Comment

by:einari
ID: 33776043
Can live with this cosmetic problem.
0

Featured Post

Networking for the Cloud Era

Join Microsoft and Riverbed for a discussion and demonstration of enhancements to SteelConnect:
-One-click orchestration and cloud connectivity in Azure environments
-Tight integration of SD-WAN and WAN optimization capabilities
-Scalability and resiliency equal to a data center

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
This article runs through the process of deploying a single EXE application selectively to a group of user.
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question