Solved

krbtgt service errors

Posted on 2011-03-16
Last Modified: 2012-08-13
We've been having multiple errors on our performance report.

Source
   Security

Pre-authentication failed:
 	User Name:	"COMPUTER NAME"$
 	User ID:	"DOMAIN"\"COMPUTER NAME"$
 	Service Name:	krbtgt/Domain.local
 	Pre-Authentication Type:	0x0
 	Failure Code:	0x19
 	Client Address:	"COMPUTER IP"

I had seen something that said you might get these errors when the domain isn't all caps. It is all caps under "User ID" but not "Service Name" as described above. Is that why I am getting that error and if so why did it just start this week? We had a server crash this weekend that we think was from someone trying to hack the administrator account, is that maybe why?
0
Comment
Question by:rpmccly
16 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35148255
Did you check if the kerberos service is running?
0
 
LVL 58

Accepted Solution

by:
Cliff Galiher earned 167 total points
ID: 35148361
What you posted is a pre-authentication, and in some cases these are normal behavior. Specifically, if your domain controller is a 2003 server, it only supports 3DES encryption for processing logins. If you have Vista or win7 clients, they support AES and will attempt to use it. Since 2003 doesn't support AES, that attempt fails, is logged, and Vista/win7 will reattempt with 3DES and succeed, so you don't see login problems. That is also why it is only a pre-auth error...it all happens during the initial encryption negotiation phase. Unless you are also seeing other errors that you didn't post, these can be safely ignored.

-Cliff
0
 
LVL 1

Author Comment

by:rpmccly
ID: 35149134
Kerberos Key Distribution Center is running.

Well it just started happening though. I have seen the errors on mostly Windows 7/Vista machines but there was 1 XP machine that had it.

For now I am going to ignore them and look more in depth at a later point.

Thanks
0
 
LVL 1

Author Comment

by:rpmccly
ID: 35243659
Ok, we've had the errors on multiple XP machines so it's pretty random, any other ideas?
0
 
LVL 1

Author Comment

by:rpmccly
ID: 35377571
I looked at the server and the krbtgt user account is disabled. When I try to enable it, it says it can't perform this action on built-in accounts.

Is this related?
0
 
LVL 1

Author Comment

by:rpmccly
ID: 35391811
According to:
http://support.microsoft.com/kb/229909

the krbtgt account should be disabled as it doesn't need to be enabled for authentication? So why did we randomly start getting the errors?
0
 
LVL 58

Assisted Solution

by:tigermatt
tigermatt earned 333 total points
ID: 35411638

rpmccly,

As noted by cgaliher earlier in the thread, what you are seeing is quite common.

The krbtgt account's sole purpose is to be used by the Kerberos service to produce ticket-granting ticket keys, and thus it should not be enabled or modified in any other way (Windows will prevent you doing this).

The error messages you experience are simply pre-authentication failures. It could suggest that someone is attempting to brute force a user's password but that's unlikely; in any event the whole point of pre-authentication is to increase the security and resilience of the Kerberos implementation.

-Matt
0
 
LVL 1

Author Comment

by:rpmccly
ID: 35415909
All the krbtgt problems just started occurring which is why I kept on it. Are you saying to ignore the issues? We do get the errors on XP machines, not only Vista/7 machines.
0
 
LVL 1

Author Comment

by:rpmccly
ID: 36097490
There was an option in AD that said to force the authentication. I unchecked it so I obviously don't get that error for the person anymore. Was this a good or bad idea?
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 36122048

Sorry, I missed the notification for your earlier comment.

Which option specifically was it that you unchecked?

-Matt
0
 
LVL 1

Author Comment

by:rpmccly
ID: 36141229
"Do not require Kerberos pre-authentication"
0
 
LVL 58

Assisted Solution

by:tigermatt
tigermatt earned 333 total points
ID: 36141816

I suspected that was the option you enabled, but thought I ought to check first.

The pre-authentication feature is a security feature added over the standard Kerberos implementation and I would therefore advise you leave it switched on - if you can ignore the error messages.

Essentially, a Kerberos logon first involves obtaining a Ticket Granting Ticket (or Ticket to Get Tickets - TGT) from the Key Distribution Centre (KDC) on a Domain Controller. Without pre-authentication, the KDC simply sends back to the client a TGT encrypted with the user's password hash as stored on the DC; the client hashes the password supplied and, if the hash decrypts the TGT data, the user is considered valid and can pass the TGT back to the KDC to obtain a service ticket. When they have a service ticket, they can access network services.

Pre-authentication mitigates an attack in the above scenario whereby a malicious person replays an earlier request by a user to obtain a TGT. If the KDC simply issues a TGT by request without checking for valid credentials, the malicious person can easily obtain a TGT and brute-force attack the encrypted data to obtain the user's password - an unpleasant security situation. With pre-authentication enabled, a small piece of data (typically the current timestamp on the machine) is encrypted using the password provided at the client. If the DC/KDC decrypts this with the stored password hash and the time is the proper time (within a small interval), then the user is valid and a TGT is issued. If the time is not correct, the password supplied must be invalid so a TGT is not issued - and the above attack cannot occur.

So... as you can see, pre-authentication is a significant security benefit to a network. Turning it off definitely pokes some holes in your security and it is ultimately your decision as to whether this is a huge risk to you.

In terms of the error messages you see, yes, I was suggesting to ignore them. They are simply pre-authentication failures which, as you can see above, are a relatively good thing; the errors indicate pre-authentication was preventing a TGT being issued. It could simply indicate a mix-up of encryption types as noted by cgaliher or potentially a service trying to authenticate with those credentials which does not implement pre-authentication (this would be a valid case for disabling pre-auth for a user account).

-Matt
0
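A triage sketch for the "Pre-authentication failed" records discussed in this thread, added here as an example and not part of any poster's reply: it separates failure code 0x19 (the KDC asking the client to retry with pre-authentication data) from 0x18 (pre-authentication data that did not validate), flags hosts failing 0x18 against several accounts, and checks the `userAccountControl` bit behind the "Do not require Kerberos pre-authentication" checkbox. The sample records, the EXAMPLE.LOCAL realm, the addresses and the three-account threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Kerberos error codes (RFC 4120) as they appear in "Failure Code".
PREAUTH_FAILED = 0x18    # KDC_ERR_PREAUTH_FAILED: pre-auth data invalid (usually a wrong password)
PREAUTH_REQUIRED = 0x19  # KDC_ERR_PREAUTH_REQUIRED: KDC asks the client to retry with pre-auth data
UF_DONT_REQUIRE_PREAUTH = 0x400000  # userAccountControl bit behind the AD checkbox

FIELD = re.compile(
    r"^[ \t]*(User Name|Failure Code|Client Address):[ \t]*(.+?)[ \t]*$", re.M)

def parse_events(text):
    """Return one dict per 'Pre-authentication failed:' record in exported log text."""
    events = []
    for chunk in text.split("Pre-authentication failed:")[1:]:
        f = dict(FIELD.findall(chunk))
        if len(f) == 3:  # skip truncated records
            events.append({"user": f["User Name"].lower(),
                           "code": int(f["Failure Code"], 16),
                           "client": f["Client Address"]})
    return events

def suspicious_clients(events, min_accounts=3):
    """Clients with PREAUTH_FAILED against >= min_accounts distinct accounts."""
    seen = defaultdict(set)
    for e in events:
        if e["code"] == PREAUTH_FAILED:
            seen[e["client"]].add(e["user"])
    return {c: sorted(u) for c, u in seen.items() if len(u) >= min_accounts}

def preauth_disabled(user_account_control):
    """True if the account is exempt from Kerberos pre-authentication."""
    return bool(user_account_control & UF_DONT_REQUIRE_PREAUTH)

def _record(user, code, client):  # builds constructed sample data in the page's layout
    return ("Pre-authentication failed:\n \tUser Name:\t%s\n"
            " \tService Name:\tkrbtgt/EXAMPLE.LOCAL\n"
            " \tFailure Code:\t%s\n \tClient Address:\t%s\n\n" % (user, code, client))

# Constructed sample: two routine 0x19 records, one host failing 0x18 on three accounts.
SAMPLE = "".join(_record(*r) for r in [
    ("WS01$", "0x19", "192.0.2.10"), ("WS02$", "0x19", "192.0.2.11"),
    ("alice", "0x18", "198.51.100.7"), ("bob", "0x18", "198.51.100.7"),
    ("Administrator", "0x18", "198.51.100.7"), ("carol", "0x18", "192.0.2.12"),
])

if __name__ == "__main__":
    print(suspicious_clients(parse_events(SAMPLE)))
```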
 
LVL 1

Author Comment

by:rpmccly
ID: 36145434
AND.....unchecked!

Thanks! It was checked to get rid of the error in the performance log which isn't a concern at all so I would rather see the error and be secure!
0
 
LVL 1

Author Closing Comment

by:rpmccly
ID: 36145449
Error will be ignored as it's not a concern!
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 36149501

Fantastic! Glad to be of assistance.
0
