Event id 27 (Kerberos) errors in mixed (Win2003/Win2008R2) AD

Posted on 2010-09-23
Last Modified: 2012-05-10
We have implemented a Win2008R2 DC in our Win2003 environment.
Now we are getting lots of these Event ID 27 errors from Win7 clients.
"While processing a TGS request for the target server krbtgt/WWW.YYY.ZZZ, the account XXXX did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 18.  The accounts available etypes were 23  -133  -128  3  1."

I understand that it's an encryption problem but don't know what the best solution is to cure this.
1. Hotfix for Win2008R2 like here:
http://support.microsoft.com/kb/978055
or
2. Set a GPO for Win2008/Win7 computers, like here:
http://support.microsoft.com/kb/977321

Some suggest that I would need to reset computer?/user? accounts as well:
http://social.technet.microsoft.com/Forums/en/winserversecurity/thread/ecf15eb9-26cf-483b-b1e3-1b1c7e4901e8

I would be grateful for any advice.
Our mixed environment will stay like this for maybe a year onwards, but Win7 clients will be coming into our environment increasingly over the following winter.
Question by:einari

Assisted Solution

by:Rich Weissler
ID: 33743610
I was just researching this in my environment last week, and determined it's almost entirely a cosmetic error on the 2003 servers.  (Confirming, you see the messages on the 2003 domain controllers... and it's basically caused by 2008 offering tickets the 2003 servers aren't prepared to honor.  Give me a few minutes, and I'll see if I can find the article which led me to believe I can safely ignore it until I can replace the 2003 DCs.)

Accepted Solution

by:Rich Weissler
ID: 33744012
This was the expert-exchange entry which led me to believe this will go away when I upgrade the DCs (which I can't yet...)

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_24906105.html

Of course, if the errors referenced an etype other than 18 as missing, I'll start worrying more.

http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/29f55875-f3ee-476c-9d74-94f1b74edb31
"The error that is being logged on the Windows 2003 domain controller can safely be ignored as it is by design. The domain controller is just informing the client what Etypes it supports. Vista clients are then falling back to the supported types."
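
A triage sketch for the rule of thumb in the answer above (an added example, not part of the original thread): it parses Event ID 27 message text in the format quoted in the question and separates the case the thread describes, etype 18 requested from an account with no AES key, from anything else. The function names, the second sample message and the requirement that RC4 (etype 23) be available for fallback are assumptions.

```python
import re

# Positive numbers are IANA Kerberos etypes; negative ones are Microsoft-private
# (names as in the Windows SDK header ntsecapi.h). Used only for readable output.
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
               -128: "rc4-md4", -133: "rc4-hmac-old"}

# Message layout taken from the event text quoted in the question.
EVENT27 = re.compile(
    r"target server (?P<target>\S+), the account (?P<account>\S+) did not have "
    r"a suitable key.*?missing key has an ID of (?P<missing>-?\d+)\)\.\s+"
    r"The requested etypes were (?P<req>[-\d\s]+?)\.\s+"
    r"The accounts available etypes were (?P<avail>[-\d\s]+?)\.", re.S)

def parse_event27(message):
    """Return the fields of one Event ID 27 message, or None if it does not match."""
    m = EVENT27.search(message)
    if m is None:
        return None
    return {"target": m["target"], "account": m["account"],
            "missing_key_id": int(m["missing"]),
            "requested": [int(n) for n in m["req"].split()],
            "available": [int(n) for n in m["avail"].split()]}

def triage(event):
    """'expected-fallback' = only etype 18 requested, account has no AES key but
    does have RC4 (23) to fall back to (the RC4 condition is an assumption)."""
    requested, available = set(event["requested"]), set(event["available"])
    if requested == {18} and 23 in available and not available & {17, 18}:
        return "expected-fallback"
    return "review"

def describe(etypes):
    """Map etype numbers to names, keeping unknown numbers visible."""
    return [ETYPE_NAMES.get(n, f"unknown({n})") for n in etypes]

# Constructed sample input: the first message is the one quoted in the question,
# the second is made up to show a case that should not be waved through.
_HEAD = "While processing a TGS request for the target server "
_MID = " did not have a suitable key for generating a Kerberos ticket "
SAMPLES = [
    _HEAD + "krbtgt/WWW.YYY.ZZZ, the account XXXX" + _MID + "(the missing key has an ID of 8). "
    "The requested etypes were 18.  The accounts available etypes were 23  -133  -128  3  1.",
    _HEAD + "krbtgt/EXAMPLE.TEST, the account svc-legacy" + _MID + "(the missing key has an ID of 3). "
    "The requested etypes were 3  1.  The accounts available etypes were 23  18  17.",
]

def report(messages):
    """Return (account, verdict, available etype names) per parsable message."""
    events = [e for e in map(parse_event27, messages) if e is not None]
    return [(e["account"], triage(e), describe(e["available"])) for e in events]
```

Feed `report()` the message strings exported from the domain controllers' System log; anything marked `review` does not match the pattern the thread treats as by design.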

Author Comment

by:einari
ID: 33776039
Okay.
I put this question in another forum and got the advice that solution #2 would be advisable.
I guess this happens when you get a second opinion.

But I think we can live with these cosmetic errors.
I'm just puzzled why Msoft couldn't fix this when they know that there must be numerous cases of these mixed environments.
At least the events could be warnings instead of errors.

Author Closing Comment

by:einari
ID: 33776043
Can live with this cosmetic problem.