Solved

krbtgt service errors

Posted on 2011-03-16
Last Modified: 2012-08-13
We've been having multiple errors on our performance report.

Source
   Security

Pre-authentication failed:
 	User Name:	"COMPUTER NAME"$
 	User ID:	"DOMAIN"\"COMPUTER NAME"$
 	Service Name:	krbtgt/Domain.local
 	Pre-Authentication Type:	0x0
 	Failure Code:	0x19
 	Client Address:	"COMPUTER IP"

I had seen something that said you might get these errors when the domain isn't all caps. It is all caps under "User ID" but not "Service Name" as described above. Is that why I am getting that error and if so why did it just start this week? We had a server crash this weekend that we think was from someone trying to hack the administrator account, is that maybe why?
0
Comment
Question by:rpmccly
16 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35148255
Did you check if the kerberos service is running?
0
 
LVL 56

Accepted Solution

by:
Cliff Galiher earned 167 total points
ID: 35148361
What you posted is a pre-authentication, and in some cases these are normal behavior. Specifically, if your domain controller is a 2003 server, it only supports 3DES encryption for processing logins. If you have Vista or win7 clients, they support AES and will attempt to use it. Since 2003 doesn't support AES, that attempt fails, is logged, and Vista/win7 will reattempt with 3DES and succeed, so you don't see login problems. That is also why it is only a pre-auth error...it all happens during the initial encryption negotiation phase. Unless you are also seeing other errors that you didn't post, these can be safely ignored.

-Cliff
0
 
LVL 1

Author Comment

by:rpmccly
ID: 35149134
Kerberos Key Distribution Center is running.

Well it just started happening though. I have seen the errors on mostly Windows 7/Vista machines but there was 1 XP machine that had it.

For now I am going to ignore them and look more in depth at a later point.

Thanks
0
 
LVL 1

Author Comment

by:rpmccly
ID: 35243659
Ok, we've had the errors on multiple XP machines so it's pretty random, any other ideas?
0
 
LVL 1

Author Comment

by:rpmccly
ID: 35377571
I looked at the server and the krbtgt user account is disabled. When I try to enable it, it says it can't perform this action on built-in accounts.

Is this related?
0
 
LVL 1

Author Comment

by:rpmccly
ID: 35391811
According to:
http://support.microsoft.com/kb/229909

the krbtgt account should be disabled as it doesn't need to be enabled for authentication? So why did we randomly start getting the errors?
0
 
LVL 58

Assisted Solution

by:tigermatt
tigermatt earned 333 total points
ID: 35411638

rpmccly,

As noted by cgaliher earlier in the thread, what you are seeing is quite common.

The krbtgt account's sole purpose is to be used by the Kerberos service to produce ticket-granting ticket keys, and thus it should not be enabled or modified in any other way (Windows will prevent you doing this).

The error messages you experience are simply pre-authentication failures. It could suggest that someone is attempting to brute force a user's password but that's unlikely; in any event the whole point of pre-authentication is to increase the security and resilience of the Kerberos implementation.

-Matt
0
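Added example (not part of the original thread): a small triage script for events in the layout posted in the question. In RFC 4120, failure code 0x19 is KDC_ERR_PREAUTH_REQUIRED and 0x18 is KDC_ERR_PREAUTH_FAILED, so the script counts the former as routine and reports clients that accumulate the latter. The sample events, the EXAMPLE domain, the addresses and the threshold of 3 are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Kerberos error codes as defined in RFC 4120.
KRB_ERRORS = {0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 0x12: "KDC_ERR_CLIENT_REVOKED",
              0x17: "KDC_ERR_KEY_EXPIRED", 0x18: "KDC_ERR_PREAUTH_FAILED",
              0x19: "KDC_ERR_PREAUTH_REQUIRED", 0x25: "KRB_AP_ERR_SKEW"}
FIELD = re.compile(r"^\s*([A-Za-z -]+):\s*(.+?)\s*$", re.M)

def parse_events(text):
    """Split exported event text into one dict of fields per failure event."""
    events = []
    for chunk in text.split("Pre-authentication failed:")[1:]:
        fields = {k.strip(): v for k, v in FIELD.findall(chunk)}
        fields["code"] = int(fields["Failure Code"], 16)
        fields["error"] = KRB_ERRORS.get(fields["code"], "UNKNOWN")
        events.append(fields)
    return events

def triage(events, threshold=3):
    """Count routine 0x19 events; return clients with >= threshold 0x18 events."""
    routine, bad = 0, defaultdict(Counter)
    for e in events:
        if e["code"] == 0x19:      # request carried no pre-auth data; client retries
            routine += 1
        elif e["code"] == 0x18:    # pre-auth data did not decrypt: wrong password/key
            bad[e["Client Address"]][e["User Name"]] += 1
    suspects = {ip: dict(c) for ip, c in bad.items() if sum(c.values()) >= threshold}
    return routine, suspects

def _event(user, code, ip):
    """Build one constructed event in the layout shown in the question."""
    return ("Pre-authentication failed:\n"
            f"\tUser Name:\t{user}\n\tUser ID:\tEXAMPLE\\{user}\n"
            "\tService Name:\tkrbtgt/EXAMPLE.LOCAL\n\tPre-Authentication Type:\t0x2\n"
            f"\tFailure Code:\t{code}\n\tClient Address:\t{ip}\n\n")

# Constructed sample data, not taken from the thread.
SAMPLE = "".join(_event(u, c, ip) for u, c, ip in [
    ("WS01$", "0x19", "10.0.0.21"), ("WS02$", "0x19", "10.0.0.22"),
    ("alice", "0x18", "10.0.0.99"), ("bob", "0x18", "10.0.0.99"),
    ("alice", "0x18", "10.0.0.99"), ("bob", "0x18", "10.0.0.99"),
    ("carol", "0x18", "10.0.0.23")])

if __name__ == "__main__":
    print(triage(parse_events(SAMPLE)))
```
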

 
LVL 1

Author Comment

by:rpmccly
ID: 35415909
All the krbtgt problems just started occurring which is why I kept on it. Are you saying to ignore the issues? We do get the errors on XP machines, not only Vista/7 machines.
0
 
LVL 1

Author Comment

by:rpmccly
ID: 36097490
There was an option in AD that said to force the authentication. I unchecked it so I obviously don't get that error for the person anymore. Was this a good or bad idea?
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 36122048

Sorry, I missed the notification for your earlier comment.

Which option specifically was it that you unchecked?

-Matt
0
 
LVL 1

Author Comment

by:rpmccly
ID: 36141229
"Do not require Kerberos pre-authentication"
0
 
LVL 58

Assisted Solution

by:tigermatt
tigermatt earned 333 total points
ID: 36141816

I suspected that was the option you enabled, but thought I ought to check first.

The pre-authentication feature is a security feature added over the standard Kerberos implementation and I would therefore advise you leave it switched on - if you can ignore the error messages.

Essentially, a Kerberos logon first involves obtaining a Ticket Granting Ticket (or Ticket to Get Tickets - TGT) from the Key Distribution Centre (KDC) on a Domain Controller. Without pre-authentication, the KDC simply sends back to the client a TGT encrypted with the user's password hash as stored on the DC; the client hashes the password supplied and, if the hash decrypts the TGT data, the user is considered valid and can pass the TGT back to the KDC to obtain a service ticket. When they have a service ticket, they can access network services.

Pre-authentication mitigates an attack in the above scenario whereby a malicious person replays an earlier request by a user to obtain a TGT. If the KDC simply issues a TGT by request without checking for valid credentials, the malicious person can easily obtain a TGT and brute-force attack the encrypted data to obtain the user's password - an unpleasant security situation. With pre-authentication enabled, a small piece of data (typically the current timestamp on the machine) is encrypted using the password provided at the client. If the DC/KDC decrypts this with the stored password hash and the time is the proper time (within a small interval), then the user is valid and a TGT is issued. If the time is not correct, the password supplied must be invalid so a TGT is not issued - and the above attack cannot occur.

So... as you can see, pre-authentication is a significant security benefit to a network. Turning it off definitely pokes some holes in your security and it is ultimately your decision as to whether this is a huge risk to you.

In terms of the error messages you see, yes, I was suggesting to ignore them. They are simply pre-authentication failures which, as you can see above, are a relatively good thing; the errors indicate pre-authentication was preventing a TGT being issued. It could simply indicate a mix-up of encryption types as noted by cgaliher or potentially a service trying to authenticate with those credentials which does not implement pre-authentication (this would be a valid case for disabling pre-auth for a user account).

-Matt
0
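Added example (not part of the original thread): the "Do not require Kerberos pre-authentication" checkbox is stored as the DONT_REQ_PREAUTH bit (0x400000) of each account's userAccountControl attribute, so an LDIF export of the directory can be audited for accounts that have it set. The entries, account names and example.local domain below are constructed, and the parser assumes unfolded `attribute: value` lines.

```python
DONT_REQ_PREAUTH = 0x400000   # "Do not require Kerberos pre-authentication"
ACCOUNTDISABLE = 0x2          # account is disabled

def parse_ldif(text):
    """Yield one dict per LDIF entry that carries userAccountControl."""
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if ": " in line and not line.startswith("#"):
                key, value = line.split(": ", 1)
                entry[key] = value.strip()
        if "userAccountControl" in entry:
            yield entry

def accounts_without_preauth(text):
    """Return (sAMAccountName, enabled) for every account with the flag set."""
    hits = []
    for entry in parse_ldif(text):
        uac = int(entry["userAccountControl"])
        if uac & DONT_REQ_PREAUTH:
            hits.append((entry["sAMAccountName"], not uac & ACCOUNTDISABLE))
    return hits

# Constructed sample export, not taken from the thread.
SAMPLE_LDIF = """
dn: CN=Alice,OU=Staff,DC=example,DC=local
sAMAccountName: alice
userAccountControl: 512

dn: CN=svc-legacy,OU=Service,DC=example,DC=local
sAMAccountName: svc-legacy
userAccountControl: 4194816

dn: CN=old-svc,OU=Service,DC=example,DC=local
sAMAccountName: old-svc
userAccountControl: 4260354

dn: CN=krbtgt,CN=Users,DC=example,DC=local
sAMAccountName: krbtgt
userAccountControl: 514
"""

if __name__ == "__main__":
    for name, enabled in accounts_without_preauth(SAMPLE_LDIF):
        print(f"{name}: pre-auth not required ({'enabled' if enabled else 'disabled'})")
```

Enabled accounts in the result are the ones to review first; each should have a documented reason for the exemption or have the flag cleared.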
 
LVL 1

Author Comment

by:rpmccly
ID: 36145434
AND.....unchecked!

Thanks! It was checked to get rid of the error in the performance log which isn't a concern at all so I would rather see the error and be secure!
0
 
LVL 1

Author Closing Comment

by:rpmccly
ID: 36145449
Error will be ignored as it's not a concern!
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 36149501

Fantastic! Glad to be of assistance.
0
