Solved

krbtgt service errors

Posted on 2011-03-16
Last Modified: 2012-08-13
We've been having multiple errors on our performance report.

Source
   Security

Pre-authentication failed:
 	User Name:	"COMPUTER NAME"$
 	User ID:	"DOMAIN"\"COMPUTER NAME"$
 	Service Name:	krbtgt/Domain.local
 	Pre-Authentication Type:	0x0
 	Failure Code:	0x19
 	Client Address:	"COMPUTER IP"

I had seen something that said you might get these errors when the domain isn't all caps. It is all caps under "User ID" but not "Service Name" as described above. Is that why I am getting that error and if so why did it just start this week? We had a server crash this weekend that we think was from someone trying to hack the administrator account, is that maybe why?
Question by:rpmccly
16 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35148255
Did you check if the kerberos service is running?
0
 
LVL 59

Accepted Solution

by:
Cliff Galiher earned 668 total points
ID: 35148361
What you posted is a pre-authentication, and in some cases these are normal behavior. Specifically, if your domain controller is a 2003 server, it only supports 3DES encryption for processing logins. If you have Vista or Win7 clients, they support AES and will attempt to use it. Since 2003 doesn't support AES, that attempt fails, is logged, and Vista/Win7 will reattempt with 3DES and succeed, so you don't see login problems. That is also why it is only a pre-auth error... it all happens during the initial encryption negotiation phase. Unless you are also seeing other errors that you didn't post, these can be safely ignored.

-Cliff
0
 
LVL 1

Author Comment

by:rpmccly
ID: 35149134
Kerberos Key Distribution Center is running.

Well it just started happening though. I have seen the errors on mostly Windows 7/Vista machines but there was 1 XP machine that had it.

For now I am going to ignore them and look more in depth at a later point.

Thanks
0

 
LVL 1

Author Comment

by:rpmccly
ID: 35243659
OK, we've had the errors on multiple XP machines so it's pretty random. Any other ideas?
0
 
LVL 1

Author Comment

by:rpmccly
ID: 35377571
I looked at the server and the krbtgt user account is disabled. When I try to enable it, it says it can't perform this action on built-in accounts.

Is this related?
0
 
LVL 1

Author Comment

by:rpmccly
ID: 35391811
According to:
http://support.microsoft.com/kb/229909

the krbtgt account should be disabled as it doesn't need to be enabled for authentication? So why did we randomly start getting the errors?
0
 
LVL 58

Assisted Solution

by:tigermatt
tigermatt earned 1332 total points
ID: 35411638

rpmccly,

As noted by cgaliher earlier in the thread, what you are seeing is quite common.

The krbtgt account's sole purpose is to be used by the Kerberos service to produce ticket-granting ticket keys, and thus it should not be enabled or modified in any other way (Windows will prevent you doing this).

The error messages you experience are simply pre-authentication failures. It could suggest that someone is attempting to brute force a user's password but that's unlikely; in any event the whole point of pre-authentication is to increase the security and resilience of the Kerberos implementation.

-Matt
0
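A way to separate the routine failures from the ones worth a look, as an added example that is not part of the thread: it parses events in the layout quoted in the question and treats failure code 0x19 (KDC_ERR_PREAUTH_REQUIRED in RFC 4120, the request simply carried no pre-authentication data yet) as negotiation noise, while flagging any client address that produces 0x18 (KDC_ERR_PREAUTH_FAILED, the supplied password did not validate) for several distinct accounts. The sample events, account names, addresses and the threshold of 3 are constructed for illustration.

```python
import re
from collections import defaultdict

# Kerberos error numbers (RFC 4120) as they appear in the "Failure Code" field.
PREAUTH_REQUIRED = 0x19   # no pre-auth data sent yet; the client normally retries
PREAUTH_FAILED = 0x18     # pre-auth data did not validate (wrong password)

FIELD = re.compile(r"^\s*(User Name|Failure Code|Client Address):\s*(\S+)", re.M)

def parse_events(text):
    """Split an export on the event header and pull out the fields we triage on."""
    events = []
    for chunk in text.split("Pre-authentication failed:")[1:]:
        f = dict(FIELD.findall(chunk))
        events.append({"user": f.get("User Name", "?"),
                       "code": int(f.get("Failure Code", "0x0"), 16),
                       "client": f.get("Client Address", "?")})
    return events

def triage(events, threshold=3):
    """Count negotiation noise; flag clients failing for >= threshold distinct accounts."""
    negotiation = 0
    bad_pw = defaultdict(set)
    for e in events:
        if e["code"] == PREAUTH_REQUIRED:
            negotiation += 1
        elif e["code"] == PREAUTH_FAILED:
            bad_pw[e["client"]].add(e["user"])
    suspects = {c: sorted(u) for c, u in bad_pw.items() if len(u) >= threshold}
    return {"negotiation": negotiation, "suspects": suspects}

def make_event(user, code, client):
    # Constructed sample event in the same layout as the one quoted in the question.
    ptype = "0x0" if code == "0x19" else "0x2"
    return ("Pre-authentication failed:\n"
            f" \tUser Name:\t{user}\n \tUser ID:\tEXAMPLE\\{user}\n"
            " \tService Name:\tkrbtgt/example.local\n"
            f" \tPre-Authentication Type:\t{ptype}\n \tFailure Code:\t{code}\n"
            f" \tClient Address:\t{client}\n\n")

SAMPLE = (make_event("WS01$", "0x19", "192.0.2.10")
          + make_event("WS02$", "0x19", "192.0.2.11")
          + make_event("dave", "0x18", "192.0.2.10")      # one mistyped password
          + make_event("alice", "0x18", "192.0.2.50")
          + make_event("bob", "0x18", "192.0.2.50")
          + make_event("carol", "0x18", "192.0.2.50"))

if __name__ == "__main__":
    print(triage(parse_events(SAMPLE)))
```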
 
LVL 1

Author Comment

by:rpmccly
ID: 35415909
All the krbtgt problems just started occurring which is why I kept on it. Are you saying to ignore the issues? We do get the errors on XP machines, not only Vista/7 machines.
0
 
LVL 1

Author Comment

by:rpmccly
ID: 36097490
There was an option in AD that said to force the authentication. I unchecked it so I obviously don't get that error for the person anymore. Was this a good or bad idea?
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 36122048

Sorry, I missed the notification for your earlier comment.

Which option specifically was it that you unchecked?

-Matt
0
 
LVL 1

Author Comment

by:rpmccly
ID: 36141229
"Do not require Kerberos pre-authentication"
0
 
LVL 58

Assisted Solution

by:tigermatt
tigermatt earned 1332 total points
ID: 36141816

I suspected that was the option you enabled, but thought I ought to check first.

The pre-authentication feature is a security feature added over the standard Kerberos implementation and I would therefore advise you leave it switched on - if you can ignore the error messages.

Essentially, a Kerberos logon first involves obtaining a Ticket Granting Ticket (or Ticket to Get Tickets - TGT) from the Key Distribution Centre (KDC) on a Domain Controller. Without pre-authentication, the KDC simply sends back to the client a TGT encrypted with the user's password hash as stored on the DC; the client hashes the password supplied and, if the hash decrypts the TGT data, the user is considered valid and can pass the TGT back to the KDC to obtain a service ticket. When they have a service ticket, they can access network services.

Pre-authentication mitigates an attack in the above scenario whereby a malicious person replays an earlier request by a user to obtain a TGT. If the KDC simply issues a TGT by request without checking for valid credentials, the malicious person can easily obtain a TGT and brute-force attack the encrypted data to obtain the user's password - an unpleasant security situation. With pre-authentication enabled, a small piece of data (typically the current timestamp on the machine) is encrypted using the password provided at the client. If the DC/KDC decrypts this with the stored password hash and the time is the proper time (within a small interval), then the user is valid and a TGT is issued. If the time is not correct, the password supplied must be invalid so a TGT is not issued - and the above attack cannot occur.

So... as you can see, pre-authentication is a significant security benefit to a network. Turning it off definitely pokes some holes in your security and it is ultimately your decision as to whether this is a huge risk to you.

In terms of the error messages you see, yes, I was suggesting to ignore them. They are simply pre-authentication failures which, as you can see above, are a relatively good thing; the errors indicate pre-authentication was preventing a TGT being issued. It could simply indicate a mix-up of encryption types as noted by cgaliher or potentially a service trying to authenticate with those credentials which does not implement pre-authentication (this would be a valid case for disabling pre-auth for a user account).

-Matt
0
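The check described in the answer above, modelled as an added example that is not part of the thread and is not Windows' or any Kerberos library's code. It is a simplified stand-in: PBKDF2 replaces the Kerberos string-to-key function and an HMAC over the timestamp replaces the encrypted timestamp; the account names, passwords, clock value and the 300-second window are assumptions.

```python
import hashlib
import hmac
import struct

MAX_SKEW = 300  # seconds; assumed value for the "small interval" in the answer

def long_term_key(password, salt):
    # Stand-in for Kerberos string-to-key: client and KDC derive the same key.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096)

def client_preauth(password, salt, now):
    """Client: prove knowledge of the password by keying a MAC over the current time."""
    ts = struct.pack(">Q", int(now))
    return ts + hmac.new(long_term_key(password, salt), ts, hashlib.sha256).digest()

def kdc_as_request(db, user, preauth, now):
    """KDC: decide whether to release key-encrypted material for `user`."""
    acct = db[user]
    if not acct["require_preauth"]:
        return "TGT_ISSUED_UNVERIFIED"      # requester proved nothing about itself
    if preauth is None:
        return "KDC_ERR_PREAUTH_REQUIRED"   # logged as failure code 0x19
    ts, tag = preauth[:8], preauth[8:]
    expected = hmac.new(acct["key"], ts, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return "KDC_ERR_PREAUTH_FAILED"     # failure code 0x18: wrong password
    if abs(int(now) - struct.unpack(">Q", ts)[0]) > MAX_SKEW:
        return "KRB_AP_ERR_SKEW"            # stale timestamp, e.g. a replayed request
    return "TGT_ISSUED"

# Constructed sample accounts and clock value.
SALT = "EXAMPLE.LOCALalice"
NOW = 1_300_000_000
DB = {
    "alice": {"key": long_term_key("correct horse", SALT), "require_preauth": True},
    "legacy_svc": {"key": long_term_key("s3rvice", "EXAMPLE.LOCALlegacy_svc"),
                   "require_preauth": False},  # "Do not require ..." box ticked
}

if __name__ == "__main__":
    good = client_preauth("correct horse", SALT, NOW)
    print(kdc_as_request(DB, "alice", None, NOW))          # first leg, no proof yet
    print(kdc_as_request(DB, "alice", good, NOW + 10))     # valid logon
    print(kdc_as_request(DB, "alice", good, NOW + 3600))   # same bytes an hour later
    print(kdc_as_request(DB, "legacy_svc", None, NOW))     # pre-auth disabled
```

The first and last calls show the trade-off in the thread: with pre-authentication required, an empty request earns only a logged 0x19, while the account with the box ticked receives key-encrypted material without proving anything.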
 
LVL 1

Author Comment

by:rpmccly
ID: 36145434
AND.....unchecked!

Thanks! It was checked to get rid of the error in the performance log which isn't a concern at all so I would rather see the error and be secure!
0
 
LVL 1

Author Closing Comment

by:rpmccly
ID: 36145449
Error will be ignored as it's not a concern!
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 36149501

Fantastic! Glad to be of assistance.
0
