Solved

Event id 27 (Kerberos) errors in mixed (Win2003/Win2008R2) AD

Posted on 2010-09-23
Last Modified: 2012-05-10
We have implemented a Win2008R2 DC in our Win2003 environment.
Now we are getting lots of these Event ID 27 errors from Win7 clients.
"While processing a TGS request for the target server krbtgt/WWW.YYY.ZZZ, the account XXXX did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 18.  The accounts available etypes were 23  -133  -128  3  1."

I understand that it's an encryption problem but don't know what's the best solution to cure this.
1. Hotfix for Win2008R2 like here:
http://support.microsoft.com/kb/978055
or
2. Set a GPO for Win2008/Win7 computers, like here:
http://support.microsoft.com/kb/977321

Some suggest that I would need to reset computer?/user? accounts as well:
http://social.technet.microsoft.com/Forums/en/winserversecurity/thread/ecf15eb9-26cf-483b-b1e3-1b1c7e4901e8

I would be grateful for any advice.
Our mixed environment will stay like this for maybe a year onwards, but Win7 clients will be coming into our environment increasingly over the following winter.
Question by:einari

Assisted Solution

by:Rich Weissler
ID: 33743610
I was just researching this in my environment last week, and determined it's almost entirely a cosmetic error on the 2003 servers.  (Confirming, you see the messages on the 2003 domain controllers... and it's basically caused by 2008 offering tickets the 2003 servers aren't prepared to honor.  Give me a few minutes, and I'll see if I can find the article which led me to believe I can safely ignore it until I can replace the 2003 DCs.)

Accepted Solution

by:Rich Weissler
ID: 33744012
This was the Experts Exchange entry which led me to believe this will go away when I upgrade the DCs (which I can't yet...)

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_24906105.html

Of course, if the errors referenced an etype other than 18 as missing, I'll start worrying more.

http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/29f55875-f3ee-476c-9d74-94f1b74edb31
"The error that is being logged on the Windows 2003 domain controller can safely be ignored as it is by design. The domain controller is just informing the client what Etypes it supports. Vista clients are then falling back to the supported types."
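
Added example, not part of the original thread or any poster's code: a Python triage function that parses the Event ID 27 wording quoted in the question and applies the accepted answer's rule of thumb (worry only when something other than etype 18 is missing). Treating etype 17 like 18 and requiring an RC4 key (etype 23) among the available etypes are assumptions of this example, as are all function and variable names.

```python
import re

# Kerberos etype numbers from the IANA registry (RFC 3961, 3962, 4757).
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
               23: "rc4-hmac"}
AES_ETYPES = {17, 18}   # assumption: treat both AES types like etype 18
RC4_HMAC = 23

# Matches the Event ID 27 wording quoted in the question above.
EVENT27 = re.compile(
    r"target server (?P<target>\S+), the account (?P<account>\S+) did not have "
    r"a suitable key.*?requested etypes were (?P<req>[-\d\s]+)\.\s+"
    r"The accounts available etypes were (?P<avail>[-\d\s]+)\.", re.S)

def etype_name(n):
    """Readable name; negative numbers are private-use values."""
    if n < 0:
        return "private-use(%d)" % n
    return ETYPE_NAMES.get(n, "unknown(%d)" % n)

def triage(message):
    """Parse one Event ID 27 message; return None if it does not match."""
    m = EVENT27.search(message)
    if m is None:
        return None
    requested = [int(x) for x in m.group("req").split()]
    available = [int(x) for x in m.group("avail").split()]
    missing = [e for e in requested if e not in available]
    # "expected": only AES keys are missing and an RC4 key exists to fall back on.
    expected = bool(missing) and set(missing) <= AES_ETYPES and RC4_HMAC in available
    return {"account": m.group("account"), "target": m.group("target"),
            "missing": [etype_name(e) for e in missing],
            "available": [etype_name(e) for e in available],
            "verdict": "expected" if expected else "investigate"}

# Message text as quoted in the question (placeholders as posted).
SAMPLE_FROM_THREAD = (
    "While processing a TGS request for the target server krbtgt/WWW.YYY.ZZZ, "
    "the account XXXX did not have a suitable key for generating a Kerberos "
    "ticket (the missing key has an ID of 8). The requested etypes were 18.  "
    "The accounts available etypes were 23  -133  -128  3  1.")
# Constructed counter-example: RC4 requested, account holds only DES keys.
SAMPLE_CONSTRUCTED = SAMPLE_FROM_THREAD.replace("were 18.", "were 23.").replace(
    "were 23  -133  -128  3  1.", "were 3  1.")

if __name__ == "__main__":
    for msg in (SAMPLE_FROM_THREAD, SAMPLE_CONSTRUCTED):
        print(triage(msg))
```

The regular expression follows the message format shown in this thread only; event text from other Windows versions may be worded differently and would return `None`.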

Author Comment

by:einari
ID: 33776039
Okay.
I put this question in another forum and got the advice that solution #2 would be advisable.
I guess this happens when you get a second opinion.

But I think we can live with these cosmetic errors.
I'm just puzzled why Msoft couldn't fix this when they know that there must be numerous cases of these mixed environments.
At least the events could be warnings instead of errors.

Author Closing Comment

by:einari
ID: 33776043
Can live with this cosmetic problem.