Solved

krbtgt service errors

Posted on 2011-03-16
Last Modified: 2012-08-13
We've been having multiple errors on our performance report.

Source
   Security

Pre-authentication failed:
 	User Name:	"COMPUTER NAME"$
 	User ID:	"DOMAIN"\"COMPUTER NAME"$
 	Service Name:	krbtgt/Domain.local
 	Pre-Authentication Type:	0x0
 	Failure Code:	0x19
 	Client Address:	"COMPUTER IP"

I had seen something that said you might get these errors when the domain isn't all caps. It is all caps under "User ID" but not "Service Name" as described above. Is that why I am getting that error and if so why did it just start this week? We had a server crash this weekend that we think was from someone trying to hack the administrator account, is that maybe why?
0
Comment
Question by:rpmccly
16 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35148255
Did you check if the kerberos service is running?
0
 
LVL 57

Accepted Solution

by:
Cliff Galiher earned 167 total points
ID: 35148361
What you posted is a pre-authentication, and in some cases these are normal behavior. Specifically, if your domain controller is a 2003 server, it only supports 3DES encryption for processing logins. If you have Vista or Win7 clients, they support AES and will attempt to use it. Since 2003 doesn't support AES, that attempt fails, is logged, and Vista/Win7 will reattempt with 3DES and succeed, so you don't see login problems. That is also why it is only a pre-auth error... it all happens during the initial encryption negotiation phase. Unless you are also seeing other errors that you didn't post, these can be safely ignored.

-Cliff
0
 
LVL 1

Author Comment

by:rpmccly
ID: 35149134
Kerberos Key Distribution Center is running.

Well it just started happening though. I have seen the errors on mostly Windows 7/Vista machines but there was 1 XP machine that had it.

For now I am going to ignore them and look more in depth at a later point.

Thanks
0

 
LVL 1

Author Comment

by:rpmccly
ID: 35243659
Ok, we've had the errors on multiple XP machines so it's pretty random, any other ideas?
0
 
LVL 1

Author Comment

by:rpmccly
ID: 35377571
I looked at the server and the krbtgt user account is disabled. When I try to enable it, it says it can't perform this action on built-in accounts.

Is this related?
0
 
LVL 1

Author Comment

by:rpmccly
ID: 35391811
According to:
http://support.microsoft.com/kb/229909

the krbtgt account should be disabled as it doesn't need to be enabled for authentication? So why did we randomly start getting the errors?
0
 
LVL 58

Assisted Solution

by:tigermatt
tigermatt earned 333 total points
ID: 35411638

rpmccly,

As noted by cgaliher earlier in the thread, what you are seeing is quite common.

The krbtgt account's sole purpose is to be used by the Kerberos service to produce ticket-granting ticket keys, and thus it should not be enabled or modified in any other way (Windows will prevent you doing this).

The error messages you experience are simply pre-authentication failures. It could suggest that someone is attempting to brute force a user's password but that's unlikely; in any event the whole point of pre-authentication is to increase the security and resilience of the Kerberos implementation.

-Matt
0
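A triage sketch for the event format shown in the question, added here as an example and not posted by anyone in the thread. It separates failure code 0x19 (KDC_ERR_PREAUTH_REQUIRED in RFC 4120) from 0x18 (KDC_ERR_PREAUTH_FAILED, what a wrong password produces) and lists user/address pairs with repeated 0x18 events; the function names, the threshold of 3 and the sample events are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Kerberos error numbers (RFC 4120) as they appear in "Failure Code".
FAILURE_CODES = {
    0x0E: "KDC_ERR_ETYPE_NOSUPP",      # no encryption type in common
    0x18: "KDC_ERR_PREAUTH_FAILED",    # pre-auth data did not validate (bad password)
    0x19: "KDC_ERR_PREAUTH_REQUIRED",  # request lacked pre-auth data; client retries
    0x25: "KRB_AP_ERR_SKEW",           # clock difference too large
}
FIELD = re.compile(r"^\s*([A-Za-z -]+):\s*(\S.*)$", re.M)

def parse_events(text):
    """Return one dict of fields per 'Pre-authentication failed' event."""
    events = []
    for chunk in text.split("Pre-authentication failed:")[1:]:
        fields = {k.strip(): v.strip() for k, v in FIELD.findall(chunk)}
        fields["code"] = int(fields["Failure Code"], 16)
        events.append(fields)
    return events

def triage(events, threshold=3):
    """Count events per failure code; list (user, address) pairs with repeated 0x18."""
    by_code = Counter(FAILURE_CODES.get(e["code"], hex(e["code"])) for e in events)
    bad_pw = Counter((e["User Name"], e["Client Address"])
                     for e in events if e["code"] == 0x18)
    return by_code, sorted(p for p, n in bad_pw.items() if n >= threshold)

def _event(user, code, addr, patype="0x0"):
    """Build one constructed event in the layout shown in the question."""
    return ("Pre-authentication failed:\n"
            f" \tUser Name:\t{user}\n"
            " \tService Name:\tkrbtgt/EXAMPLE.LOCAL\n"
            f" \tPre-Authentication Type:\t{patype}\n"
            f" \tFailure Code:\t{code}\n"
            f" \tClient Address:\t{addr}\n\n")

# Constructed sample: two workstation accounts and two users.
SAMPLE = (_event("WS01$", "0x19", "192.0.2.10")
          + _event("WS02$", "0x19", "192.0.2.11")
          + _event("jsmith", "0x18", "192.0.2.50", "0x2") * 4
          + _event("adavis", "0x18", "192.0.2.12", "0x2"))

if __name__ == "__main__":
    counts, suspects = triage(parse_events(SAMPLE))
    print(dict(counts))
    print("repeated bad-password pre-auth:", suspects)
```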
 
LVL 1

Author Comment

by:rpmccly
ID: 35415909
All the krbtgt problems just started occurring which is why I kept on it. Are you saying to ignore the issues? We do get the errors on XP machines, not only Vista/7 machines.
0
 
LVL 1

Author Comment

by:rpmccly
ID: 36097490
There was an option in AD that said to force the authentication. I unchecked it so I obviously don't get that error for the person anymore. Was this a good or bad idea?
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 36122048

Sorry, I missed the notification for your earlier comment.

Which option specifically was it that you unchecked?

-Matt
0
 
LVL 1

Author Comment

by:rpmccly
ID: 36141229
"Do not require Kerberos pre-authentication"
0
 
LVL 58

Assisted Solution

by:tigermatt
tigermatt earned 333 total points
ID: 36141816

I suspected that was the option you enabled, but thought I ought to check first.

The pre-authentication feature is a security feature added over the standard Kerberos implementation and I would therefore advise you leave it switched on - if you can ignore the error messages.

Essentially, a Kerberos logon first involves obtaining a Ticket Granting Ticket (or Ticket to Get Tickets - TGT) from the Key Distribution Centre (KDC) on a Domain Controller. Without pre-authentication, the KDC simply sends back to the client a TGT encrypted with the user's password hash as stored on the DC; the client hashes the password supplied and, if the hash decrypts the TGT data, the user is considered valid and can pass the TGT back to the KDC to obtain a service ticket. When they have a service ticket, they can access network services.

Pre-authentication mitigates an attack in the above scenario whereby a malicious person replays an earlier request by a user to obtain a TGT. If the KDC simply issues a TGT by request without checking for valid credentials, the malicious person can easily obtain a TGT and brute-force attack the encrypted data to obtain the user's password - an unpleasant security situation. With pre-authentication enabled, a small piece of data (typically the current timestamp on the machine) is encrypted using the password provided at the client. If the DC/KDC decrypts this with the stored password hash and the time is the proper time (within a small interval), then the user is valid and a TGT is issued. If the time is not correct, the password supplied must be invalid so a TGT is not issued - and the above attack cannot occur.

So... as you can see, pre-authentication is a significant security benefit to a network. Turning it off definitely pokes some holes in your security and it is ultimately your decision as to whether this is a huge risk to you.

In terms of the error messages you see, yes, I was suggesting to ignore them. They are simply pre-authentication failures which, as you can see above, are a relatively good thing; the errors indicate pre-authentication was preventing a TGT being issued. It could simply indicate a mix-up of encryption types as noted by cgaliher or potentially a service trying to authenticate with those credentials which does not implement pre-authentication (this would be a valid case for disabling pre-auth for a user account).

-Matt
0
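An audit sketch for the "Do not require Kerberos pre-authentication" option discussed above, added here as an example and not posted by anyone in the thread. The option is stored as bit 0x400000 (DONT_REQ_PREAUTH) of each account's userAccountControl attribute; the CSV export layout, the account names and the approved-exception list are assumptions constructed for illustration.

```python
import csv
import io

ACCOUNTDISABLE = 0x0002        # account is disabled
DONT_REQ_PREAUTH = 0x400000    # "Do not require Kerberos pre-authentication" is ticked

# Same selection done server-side with the LDAP bitwise-AND matching rule.
LDAP_FILTER = f"(userAccountControl:1.2.840.113556.1.4.803:={DONT_REQ_PREAUTH})"

def audit(export_csv, approved=()):
    """Return (account, status, uac_without_flag) for accounts with pre-auth off.

    status is 'approved' for documented exceptions, 'disabled' for disabled
    accounts, and 'fix' for enabled accounts that should have the flag cleared.
    """
    approved = {a.lower() for a in approved}
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        uac = int(row["userAccountControl"], 0)   # accepts decimal or 0x-hex
        if not uac & DONT_REQ_PREAUTH:
            continue
        name = row["sAMAccountName"]
        if name.lower() in approved:
            status = "approved"
        elif uac & ACCOUNTDISABLE:
            status = "disabled"
        else:
            status = "fix"
        findings.append((name, status, uac & ~DONT_REQ_PREAUTH))
    return findings

# Constructed export; the names and values are made up.
SAMPLE = """sAMAccountName,userAccountControl
jsmith,512
adavis,4194816
svc-legacy,4260352
old-temp,0x400202
"""

if __name__ == "__main__":
    for name, status, new_uac in audit(SAMPLE, approved=["svc-legacy"]):
        print(f"{name:12} {status:9} userAccountControl without the flag: {new_uac}")
```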
 
LVL 1

Author Comment

by:rpmccly
ID: 36145434
AND.....unchecked!

Thanks! It was checked to get rid of the error in the performance log which isn't a concern at all so I would rather see the error and be secure!
0
 
LVL 1

Author Closing Comment

by:rpmccly
ID: 36145449
Error will be ignored as it's not a concern!
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 36149501

Fantastic! Glad to be of assistance.
0
