  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1445

krbtgt service errors

We've been having multiple errors in our performance report.

Source: Security

Pre-authentication failed:
 	User Name:	"COMPUTER NAME"$
 	User ID:	"DOMAIN"\"COMPUTER NAME"$
 	Service Name:	krbtgt/Domain.local
 	Pre-Authentication Type:	0x0
 	Failure Code:	0x19
 	Client Address:	"COMPUTER IP"

I had seen something that said you might get these errors when the domain isn't all caps. It is all caps under "User ID" but not "Service Name" as described above. Is that why I am getting that error and if so why did it just start this week? We had a server crash this weekend that we think was from someone trying to hack the administrator account, is that maybe why?
0
Asked by: rpmccly
3 Solutions
 
Ernie BeekCommented:
Did you check if the kerberos service is running?
0
 
Cliff GaliherCommented:
What you posted is a pre-authentication failure, and in some cases these are normal behavior. Specifically, if your domain controller is a 2003 server, it only supports 3DES encryption for processing logins. If you have Vista or Win7 clients, they support AES and will attempt to use it. Since 2003 doesn't support AES, that attempt fails, is logged, and Vista/Win7 will reattempt with 3DES and succeed, so you don't see login problems. That is also why it is only a pre-auth error... it all happens during the initial encryption negotiation phase. Unless you are also seeing other errors that you didn't post, these can be safely ignored.

-Cliff
0
 
rpmcclyAuthor Commented:
Kerberos Key Distribution Center is running.

Well it just started happening though. I have seen the errors on mostly Windows 7/Vista machines but there was 1 XP machine that had it.

For now I am going to ignore them and look more in depth at a later point.

Thanks
0

 
rpmcclyAuthor Commented:
Ok, we've had the errors on multiple XP machines so it's pretty random, any other ideas?
0
 
rpmcclyAuthor Commented:
I looked at the server and the krbtgt user account is disabled. When I try to enable it, it says it can't perform this action on built-in accounts.

Is this related?
0
 
rpmcclyAuthor Commented:
According to:
http://support.microsoft.com/kb/229909

the krbtgt account should be disabled as it doesn't need to be enabled for authentication? So why did we randomly start getting the errors?
0
 
tigermattCommented:

rpmccly,

As noted by cgaliher earlier in the thread, what you are seeing is quite common.

The krbtgt account's sole purpose is to be used by the Kerberos service to produce ticket-granting ticket keys, and thus it should not be enabled or modified in any other way (Windows will prevent you doing this).

The error messages you experience are simply pre-authentication failures. It could suggest that someone is attempting to brute force a user's password but that's unlikely; in any event the whole point of pre-authentication is to increase the security and resilience of the Kerberos implementation.

-Matt
0
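The two explanations offered in this thread (cgaliher's: a client retrying with a different encryption type; tigermatt's: someone possibly brute-forcing a password) can be told apart in the log by the failure code, which neither reply spells out. The event in the question is failure code 0x19 (KDC_ERR_PREAUTH_REQUIRED) with pre-authentication type 0x0: the client's first AS-REQ carried no pre-authentication data, the KDC answered that pre-authentication is required (and listed the encryption types it accepts), and the client normally retries with an encrypted timestamp and succeeds. A wrong password produces 0x18 (KDC_ERR_PREAUTH_FAILED) instead. The Python below is an added example, not code from the thread or from the poster's environment: it parses records in the layout pasted in the question, labels each one, and flags a source that keeps failing with 0x18. The log text, host names, user names and addresses in it are constructed for the example.

```python
"""Triage of Kerberos pre-authentication failure audit events.

Added example, not code from the thread. Parses the field layout shown in
the question (User Name / Service Name / Pre-Authentication Type / Failure
Code / Client Address), labels each record by its KDC error code and flags
sources that repeatedly fail with the wrong-password code. SAMPLE_LOG is
constructed; the names and addresses in it are made up.
"""
import re
from collections import Counter

# KRB-ERROR codes as they appear in the "Failure Code" field (RFC 4120 values).
FAILURE_CODES = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN: user name does not exist",
    0x12: "KDC_ERR_CLIENT_REVOKED: account disabled, expired or locked out",
    0x17: "KDC_ERR_KEY_EXPIRED: password expired",
    0x18: "KDC_ERR_PREAUTH_FAILED: pre-auth data did not decrypt (wrong password)",
    0x19: "KDC_ERR_PREAUTH_REQUIRED: AS-REQ carried no pre-auth data; client retries",
    0x25: "KRB_AP_ERR_SKEW: clock skew too great",
}

FIELD_RE = re.compile(
    r"^\s*(User Name|Service Name|Pre-Authentication Type|Failure Code|Client Address):\s*(.+?)\s*$"
)

def parse_events(text):
    """Split the audit text into one dict per 'Pre-authentication failed:' record."""
    events, current = [], None
    for line in text.splitlines():
        if line.startswith("Pre-authentication failed"):
            current = {}
            events.append(current)
        elif current is not None:
            m = FIELD_RE.match(line)
            if m:
                current[m.group(1)] = m.group(2)
    return events

def describe(code):
    return FAILURE_CODES.get(code, "unrecognised failure code 0x%x" % code)

def classify(event):
    """'benign' for the negotiation noise discussed in the thread, 'bad-password'
    for 0x18, 'review' for everything else."""
    code = int(event.get("Failure Code", "0x0"), 16)
    patype = int(event.get("Pre-Authentication Type", "0x0"), 16)
    if code == 0x19 and patype == 0x0:
        # First AS-REQ sent without PA-ENC-TIMESTAMP: the KDC answers
        # PREAUTH_REQUIRED and lists its encryption types; the client then
        # retries with pre-auth data and normally succeeds.
        return "benign"
    if code == 0x18:
        return "bad-password"
    return "review"

def triage(text, threshold=5):
    """Return (counts per class, {(client address, user): n} for sources with
    at least `threshold` wrong-password failures)."""
    events = parse_events(text)
    counts = Counter(classify(e) for e in events)
    bad = Counter(
        (e.get("Client Address", "?"), e.get("User Name", "?"))
        for e in events if classify(e) == "bad-password"
    )
    suspects = {src: n for src, n in bad.items() if n >= threshold}
    return counts, suspects

def _event(user, code, patype="0x0", ip="10.0.0.10"):
    # Constructed record in the same layout as the event pasted in the question.
    return (
        "Pre-authentication failed:\n"
        f" \tUser Name:\t{user}\n"
        f" \tUser ID:\tEXAMPLE\\{user}\n"
        " \tService Name:\tkrbtgt/EXAMPLE.LOCAL\n"
        f" \tPre-Authentication Type:\t{patype}\n"
        f" \tFailure Code:\t{code}\n"
        f" \tClient Address:\t{ip}\n"
    )

SAMPLE_LOG = "".join(
    [_event("WKS01$", "0x19"), _event("WKS02$", "0x19", ip="10.0.0.11"),
     _event("alice", "0x19", ip="10.0.0.12"),
     _event("bob", "0x12", patype="0x2", ip="10.0.0.13")]
    + [_event("Administrator", "0x18", patype="0x2", ip="10.0.0.99") for _ in range(5)]
)

if __name__ == "__main__":
    counts, suspects = triage(SAMPLE_LOG)
    for cls, n in counts.items():
        print(f"{cls:13s} {n}")
    for (ip, user), n in suspects.items():
        print(f"{n} wrong-password failures for {user} from {ip}: {describe(0x18)}")
```

On the constructed sample this reports three benign 0x19 retries, one 0x12 to review (a disabled or locked-out account), and five 0x18 failures for Administrator from one address, which is the pattern worth chasing given the crash the poster mentions. A 0x19 with pre-auth type 0x0 on its own says nothing about the password; the retry that follows it is what succeeds or fails.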
 
rpmcclyAuthor Commented:
All the krbtgt problems just started occurring which is why I kept on it. Are you saying to ignore the issues? We do get the errors on XP machines, not only Vista/7 machines.
0
 
rpmcclyAuthor Commented:
There was an option in AD that said to force the authentication. I unchecked it so I obviously don't get that error for the person anymore. Was this a good or bad idea?
0
 
tigermattCommented:

Sorry, I missed the notification for your earlier comment.

Which option specifically was it that you unchecked?

-Matt
0
 
rpmcclyAuthor Commented:
"Do not require Kerberos pre-authentication"
0
 
tigermattCommented:

I suspected that was the option you enabled, but thought I ought to check first.

The pre-authentication feature is a security feature added over the standard Kerberos implementation and I would therefore advise you leave it switched on - if you can ignore the error messages.

Essentially, a Kerberos logon first involves obtaining a Ticket Granting Ticket (or Ticket to Get Tickets - TGT) from the Key Distribution Centre (KDC) on a Domain Controller. Without pre-authentication, the KDC simply sends back to the client a TGT encrypted with the user's password hash as stored on the DC; the client hashes the password supplied and, if the hash decrypts the TGT data, the user is considered valid and can pass the TGT back to the KDC to obtain a service ticket. When they have a service ticket, they can access network services.

Pre-authentication mitigates an attack in the above scenario whereby a malicious person replays an earlier request by a user to obtain a TGT. If the KDC simply issues a TGT by request without checking for valid credentials, the malicious person can easily obtain a TGT and brute-force attack the encrypted data to obtain the user's password - an unpleasant security situation. With pre-authentication enabled, a small piece of data (typically the current timestamp on the machine) is encrypted using the password provided at the client. If the DC/KDC decrypts this with the stored password hash and the time is the proper time (within a small interval), then the user is valid and a TGT is issued. If the time is not correct, the password supplied must be invalid so a TGT is not issued - and the above attack cannot occur.

So... as you can see, pre-authentication is a significant security benefit to a network. Turning it off definitely pokes some holes in your security and it is ultimately your decision as to whether this is a huge risk to you.

In terms of the error messages you see, yes, I was suggesting to ignore them. They are simply pre-authentication failures which, as you can see above, are a relatively good thing; the errors indicate pre-authentication was preventing a TGT being issued. It could simply indicate a mix-up of encryption types as noted by cgaliher or potentially a service trying to authenticate with those credentials which does not implement pre-authentication (this would be a valid case for disabling pre-auth for a user account).

-Matt
0
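tigermatt's description of the exchange above, as an added example that is not part of the thread: a toy Python model of the AS exchange with a KDC on one side and a client or an attacker on the other. It walks through the unauthenticated first request that produces the 0x19 error, the encrypted-timestamp check, the clock-skew rejection, a wrong password producing 0x18 at the KDC, and, for an account with "Do not require Kerberos pre-authentication" set, an attacker with no credentials receiving an AS-REP and guessing the password offline. The cipher and string-to-key function are stdlib stand-ins, not Kerberos encryption types, and the realm, accounts and passwords are made up.

```python
"""Toy model of the Kerberos AS exchange with and without pre-authentication.
Added example, not from the thread. Flow and error codes follow RFC 4120
(PREAUTH_REQUIRED 25 = 0x19, PREAUTH_FAILED 24 = 0x18, SKEW 37 = 0x25); the
crypto is a stdlib stand-in (PBKDF2 + SHA-256 keystream + HMAC), not a real
Kerberos etype. Realm, users and passwords are constructed for the example."""
import hashlib, hmac, os, struct, time

KDC_ERR_PREAUTH_FAILED, KDC_ERR_PREAUTH_REQUIRED, KRB_AP_ERR_SKEW = 24, 25, 37
LOCAL_DECRYPT_FAILED = -1   # client-side only; the KDC never sees this
MAX_SKEW = 300              # seconds; the usual Kerberos clock-skew limit

def string_to_key(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 1000)  # stand-in

def _keystream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def encrypt(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def decrypt(key, blob):
    """Raises ValueError unless `key` is the key the blob was made with."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class KDC:
    def __init__(self, realm):
        self.realm, self.accounts, self.audit = realm, {}, []
        self.krbtgt_key = os.urandom(32)   # the krbtgt account's key; never leaves the DC
        self.now = time.time

    def add_user(self, user, password, require_preauth=True):
        # require_preauth=False is the "Do not require Kerberos pre-authentication" checkbox
        self.accounts[user] = (string_to_key(password, self.realm + user), require_preauth)

    def as_req(self, user, padata=None):
        key, require_preauth = self.accounts[user]
        if padata is None and require_preauth:
            self.audit.append((user, KDC_ERR_PREAUTH_REQUIRED))     # the 0x19 audit noise
            return {"error": KDC_ERR_PREAUTH_REQUIRED}
        if padata is not None:
            try:
                ts = struct.unpack(">Q", decrypt(key, padata))[0]
            except ValueError:
                self.audit.append((user, KDC_ERR_PREAUTH_FAILED))    # 0x18: wrong password
                return {"error": KDC_ERR_PREAUTH_FAILED}
            if abs(ts - self.now()) > MAX_SKEW:
                self.audit.append((user, KRB_AP_ERR_SKEW))
                return {"error": KRB_AP_ERR_SKEW}
        session_key = os.urandom(32)
        return {"enc_part": encrypt(key, session_key),                        # only the user's key opens this
                "tgt": encrypt(self.krbtgt_key, user.encode() + session_key)}  # opaque to everyone but the KDC

def client_logon(kdc, user, password, client_time=None):
    """Return (error code or None, session key or None)."""
    key = string_to_key(password, kdc.realm + user)
    rep = kdc.as_req(user)                          # first AS-REQ carries no pre-auth data
    if rep.get("error") == KDC_ERR_PREAUTH_REQUIRED:
        ts = int(kdc.now() if client_time is None else client_time)
        rep = kdc.as_req(user, padata=encrypt(key, struct.pack(">Q", ts)))  # PA-ENC-TIMESTAMP
    if "error" in rep:
        return rep["error"], None
    try:
        return None, decrypt(key, rep["enc_part"])
    except ValueError:
        return LOCAL_DECRYPT_FAILED, None           # wrong password, but the KDC logged nothing

def asrep_roast(kdc, user, wordlist):
    """Attacker with no credentials asks for an AS-REP and guesses the password offline."""
    rep = kdc.as_req(user)
    if "error" in rep:
        return rep["error"], None                   # pre-auth enforced: nothing to crack
    for guess in wordlist:
        try:
            decrypt(string_to_key(guess, kdc.realm + user), rep["enc_part"])
            return None, guess
        except ValueError:
            continue
    return None, None

def demo():
    kdc = KDC("EXAMPLE.LOCAL")
    kdc.add_user("alice", "Summer2010!")
    kdc.add_user("svc_legacy", "Welcome1", require_preauth=False)
    wordlist = ["password", "Welcome1", "Summer2010!"]
    return {
        "alice_ok": client_logon(kdc, "alice", "Summer2010!")[0],                      # None
        "alice_wrong": client_logon(kdc, "alice", "wrong")[0],                         # 24
        "alice_skew": client_logon(kdc, "alice", "Summer2010!", kdc.now() + 3600)[0],  # 37
        "roast_alice": asrep_roast(kdc, "alice", wordlist),                            # (25, None)
        "roast_legacy": asrep_roast(kdc, "svc_legacy", wordlist),                      # (None, 'Welcome1')
        "audit": list(kdc.audit),
    }
```

Two things in demo() are worth noticing. Every successful logon for alice still leaves a (alice, 25) entry in the KDC's audit list, which is the harmless 0x19 the poster is seeing; the wrong-password attempt leaves a 24 next to it, which is what an online guessing attack looks like. The attacker's request against svc_legacy leaves no failure at all: the KDC hands over the AS-REP to anyone who asks, and the guessing happens offline where no lockout policy applies. That is the hole the "Do not require Kerberos pre-authentication" checkbox opens.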
 
rpmcclyAuthor Commented:
AND.....unchecked!

Thanks! It was checked to get rid of the error in the performance log which isn't a concern at all so I would rather see the error and be secure!
0
 
rpmcclyAuthor Commented:
Error will be ignored as it's not a concern!
0
 
tigermattCommented:

Fantastic! Glad to be of assistance.
0
