Event id 27 (Kerberos) errors in mixed (Win2003/Win2008R2) AD
We have implemented a Win2008R2 DC in our Win2003 environment.
Now we are getting lots of these Event iD 27 errors from Win7 clients.
"While processing a TGS request for the target server krbtgt/WWW.YYY.ZZZ, the account XXXX did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 18. The accounts available etypes were 23 -133 -128 3 1."
I understand that it's an encryption problem but don't know what's the best solution to cure this.
1. Hotfix for Win2008R2 like here:
http://support.microsoft.com/kb/978055
or
2. Set a GPO for Win2008/Win7 computers, like here:
http://support.microsoft.com/kb/977321
Some suggest that I would need to reset computer?/user? accounts as well:
http://social.technet.microsoft.com/Forums/en/winserversecurity/thread/ecf15eb9-26cf-483b-b1e3-1b1c7e4901e8
I would be grateful for any advice.
Our mixed environment will stay like this maybe a year onwards but Win7 clients coming in our environment increasingly the following winter.
Now we are getting lots of these Event iD 27 errors from Win7 clients.
"While processing a TGS request for the target server krbtgt/WWW.YYY.ZZZ, the account XXXX did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 18. The accounts available etypes were 23 -133 -128 3 1."
I understand that it's an encryption problem but don't know what's the best solution to cure this.
1. Hotfix for Win2008R2 like here:
http://support.microsoft.com/kb/978055
or
2. Set a GPO for Win2008/Win7 computers, like here:
http://support.microsoft.com/kb/977321
Some suggest that I would need to reset computer?/user? accounts as well:
http://social.technet.microsoft.com/Forums/en/winserversecurity/thread/ecf15eb9-26cf-483b-b1e3-1b1c7e4901e8
I would be grateful for any advice.
Our mixed environment will stay like this maybe a year onwards but Win7 clients coming in our environment increasingly the following winter.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Can live with this cosmetic problem.
ASKER
I put this question in another forum and got the advice solution #2 would be advisable.
I guess this happens when you get a second opinion.
But I think we can live with these cosmetic errors.
I'm just puzzled why Msoft couldn't fix this when they know that there must be numerous cases of these mixed environment.
At least the events could be warnings instead of errors.