Solved

Event ID 27 KDC Help

Posted on 2011-10-21
Last Modified: 2012-11-06
Any idea what this type of error is? Is it critical or not, and if so, how can I resolve it? I hate seeing this in my event logs.

While processing a TGS request for the target server krbtgt/ABC.COM, the account HM4G1$@ABC.COM did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 18.  The accounts available etypes were 23  -133  -128  3  1.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
0
Question by:IT_Fanatic
9 Comments
 
LVL 13

Expert Comment

by:Govvy
ID: 37007762
0
 

Author Comment

by:IT_Fanatic
ID: 37007785
I already saw this site. This site just tells you info on it but not how to fix it. Is this error critical or ignorable?
0
 
LVL 24

Accepted Solution

by:
Sandeshdubey earned 2000 total points
ID: 37010470
The problem is that the client is sending a TGS request using the Etype of 18 (AES). Windows 2003 does not support this etype for Kerberos where 2008 does. The error that is being logged on the domain controller can safely be ignored as it is by design. The domain controller is just informing the client what etypes it does support. The 2008 servers are then falling back to one of the supported types. I did find out that there is a way to modify the default etype that Windows 2008 uses. This will prevent the error from being logged on the domain controller. You will have to add the following registry value to the Windows 2008 servers. No reboot is required for this change to take effect. Let me know if you have any additional questions or concerns.

Navigate to HKLM\System\CurrentControlSet\Control\LSA\Kerberos\Parameters

Add the following registry value.
Value Name = DefaultEncryptionType
Type = Reg_DWORD
Value Data = 0x17 (23)

Note:
VKB: error: 27 source: KDC Windows server 2008
VKB: SRX080630601218
Windows OS Bugs 1488195
They say it's an OS bug.


0
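The event text quoted in the question can be decoded mechanically. The following Python sketch is an added example, not part of the original thread or any Microsoft tool: it parses a KDC event 27 message, names the etypes, and reports which requested etypes the account has a key for. The negative etype names follow the Microsoft-private constants in the Windows SDK; the function and variable names are hypothetical.

```python
import re

# Positive numbers are IANA-assigned Kerberos etypes; negative numbers are
# Microsoft-private etypes (names as in the Windows SDK headers).
ETYPE_NAMES = {
    1: "DES-CBC-CRC",
    3: "DES-CBC-MD5",
    17: "AES128-CTS-HMAC-SHA1-96",
    18: "AES256-CTS-HMAC-SHA1-96",
    23: "RC4-HMAC",
    -128: "RC4-MD4 (Microsoft private)",
    -133: "RC4-HMAC-OLD (Microsoft private)",
}

EVENT_RE = re.compile(
    r"TGS request for the target server (?P<target>\S+), "
    r"the account (?P<account>\S+) did not have a suitable key.*?"
    r"missing key has an ID of (?P<key_id>-?\d+)\)\.\s*"
    r"The requested etypes were (?P<requested>[-\d\s]+?)\.\s*"
    r"The accounts available etypes were (?P<available>[-\d\s]+?)\.",
    re.DOTALL,
)

# Event text copied from the question on this page.
SAMPLE = (
    "While processing a TGS request for the target server krbtgt/ABC.COM, "
    "the account HM4G1$@ABC.COM did not have a suitable key for generating "
    "a Kerberos ticket (the missing key has an ID of 8). The requested "
    "etypes were 18.  The accounts available etypes were 23  -133  -128  3  1."
)

def name(etype):
    return ETYPE_NAMES.get(etype, f"unknown etype {etype}")

def parse_event27(message):
    """Return the fields of a KDC event 27 message and the etype overlap."""
    m = EVENT_RE.search(message)
    if m is None:
        raise ValueError("not a KDC event 27 TGS message")
    requested = [int(t) for t in m["requested"].split()]
    available = [int(t) for t in m["available"].split()]
    return {
        "target": m["target"], "account": m["account"],
        "missing_key_id": int(m["key_id"]),
        "requested": requested, "available": available,
        # Empty list means the account holds no key for any requested etype.
        "common": [e for e in requested if e in available],
    }

if __name__ == "__main__":
    ev = parse_event27(SAMPLE)
    print(ev["account"], "requested:", [name(e) for e in ev["requested"]])
    print("available:", [name(e) for e in ev["available"]])
    print("DefaultEncryptionType 0x17 selects:", name(0x17))
```

For the sample event the overlap is empty: the client asked only for AES256 while the account holds RC4 and DES keys, and the `DefaultEncryptionType` value `0x17` from the answer above corresponds to etype 23, RC4-HMAC.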

Author Comment

by:IT_Fanatic
ID: 37010880
OK, so I navigate to this path and put this value in the registry and that's it, no reboot, and the event logs will no longer show those errors on my 2003 server? Also, how can I find out which domain controller to put this code on? I have 2 DCs running Windows Server 2008.

Navigate to  HKLM\System\CurrentControlSet\Control\LSA\Kerberos\Parameters

Add the  following registry value.
Value Name = DefaultEncryptionType
Type =  Reg_DWORD
Value Data = 0x17(23)
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 37012737
Add the key to both 2008 DC.
0
 

Author Comment

by:IT_Fanatic
ID: 37062893
Is this error ignorable or critical?
0
 

Author Closing Comment

by:IT_Fanatic
ID: 37063031
Thanks for your help, that worked.
0
 

Author Comment

by:IT_Fanatic
ID: 37066658
Sorry I had to reopen this, but it in fact did not work. It still appears on my Win 2003 server.
0
 

Expert Comment

by:PaidToSki
ID: 38573149
It is on my 2003R2 BDC servers as well. I tried the GPO solution set forth by Microsoft in KB977321, that seems to not help either. I haven't tried the HotFix yet as it doesn't seem to entirely fit my criteria.

Please let me know if you ever resolved this, and if so, what worked.
0
