KDC Event ID 27 errors on Server 2003 in Server 2008 R2 domain

I am getting frequent KDC Event ID 27 errors on a Server 2003 DC in a Server 2008 R2 domain.

While processing a TGS request for the target server krbtgt/DOMAIN, the account COMPUTER@DOMAIN did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 18.  The accounts available etypes were 23  -133  -128  3  1.

These errors are only generated for my Win 7 clients. According to my research, this is by default and the errors can be ignored. But is there a way to easily eliminate the errors?

Check this article; that may provide some insight. It basically means that the encryption type between the client and server for Kerberos is not the same.

Navdeep v-2nas
fisher_king (Author) commented:
Thanks for the reply.

I found that article previously. I understand what causes the problem, but I want to get rid of the errors. I found an explanation and hotfix for user accounts causing this error: http://support.microsoft.com/kb/978055. Most of my errors are computer accounts, but some are users on Win 7 machines. When I tried to install the hotfix, it said it was not compatible with my OS.
That hotfix doesn't mention Event ID 27.
You can refer to the following post

Also check the following KB article

Hope this helps.

Navdeep v-2nas

fisher_king (Author) commented:
I found both of those articles previously - I had obtained the hotfix link under the workaround section of the KB article. But I re-read the KB article more closely and applied the GP changes outlined at the bottom of it. I will test for a day and let you know.

Thanks for your help.
fisher_king (Author) commented:
The GP changes in the MS KB article appear to have fixed the problem. Thanks for the help.
I am experiencing the same symptoms.  I applied the GPO and forced a policy update, but that seems to have not resolved the issue.

I did not apply the HotFix.  Fisher King, did you apply the HotFix as well to your 2008R2 DC?  Is the fix a combination of both the GPO and the HF?
fisher_king (Author) commented:
Actually, the problems returned a short time after I thought the GP change had fixed it, but I did not post any new comments. The hotfix is supposed to be for Server 2k8 R2, but when I tried to install it, a message reported that it was not compatible with my OS. It is possible that adding the DefaultEncryptionType reg key as outlined in this thread will actually prevent the error:


But my 2008 DC is also running Exchange 2k7 and adding the key prevented Exchange from sending emails. So, I continue to get the errors.
And you experience no loss of functionality due to the error, just events to ignore in your 2k3 DC System log?  Are you planning or able to demote that 2k3 machine anytime soon?  Thanks for the response, I truly appreciate it.
fisher_king (Author) commented:
There is no loss of functionality that I have seen. The 2k3 DC is just informing the client that it cannot support the newer encryption types in use by Win 7. The client either renegotiates with the 2k3 DC at a supported encryption type, or negotiates with the 2k8 r2 DC. From what I read, the error can be safely ignored. I was interested in eliminating it because I don't like ignoring errors as a solution.

I am able to demote the 2k3 server, but am intentionally keeping it as a second DC for redundancy. The client is too small to justify the new hardware required for a second 2k8 DC.

Are you able to try the DefaultEncryptionType reg key solution? I would be interested to hear if it works.
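
The event text quoted in the question can be decoded mechanically. As an added example (not part of the original thread), this Python sketch parses a KDC Event ID 27 message, names each etype, and reports whether the requester and the account share one; the function names are hypothetical, and the etype names are taken from the IANA Kerberos registry and the Microsoft-private `KERB_ETYPE_*` constants.

```python
import re

# Kerberos etype numbers: positive values are IANA-assigned, negative values
# are Microsoft-private (the KERB_ETYPE_* constants in ntsecapi.h).
ETYPES = {
    1: "DES-CBC-CRC", 3: "DES-CBC-MD5",
    17: "AES128-CTS-HMAC-SHA1-96", 18: "AES256-CTS-HMAC-SHA1-96",
    23: "RC4-HMAC", -128: "RC4-MD4", -133: "RC4-HMAC-OLD",
}
AES = {17, 18}

# Matches the message layout quoted in the question.
EVENT_RE = re.compile(
    r"target server (?P<target>\S+), the account (?P<account>\S+) did not"
    r".*?requested etypes were (?P<req>[-\d\s]+?)\.\s+"
    r"The accounts available etypes were (?P<avail>[-\d\s]+?)\.", re.S)

def parse_event27(message):
    """Extract target, account and etype lists; None if the text does not match."""
    m = EVENT_RE.search(message)
    if m is None:
        return None
    return {"target": m["target"], "account": m["account"],
            "requested": [int(x) for x in m["req"].split()],
            "available": [int(x) for x in m["avail"].split()]}

def explain(event):
    """Name each etype and report whether requester and account share one."""
    name = lambda e: ETYPES.get(e, f"unknown ({e})")
    req, avail = set(event["requested"]), set(event["available"])
    return {"requested": [name(e) for e in event["requested"]],
            "available": [name(e) for e in event["available"]],
            "common": sorted(req & avail),
            "aes_only_request": bool(req) and req <= AES,
            "account_has_aes_key": bool(avail & AES)}

# Event text copied from the question in this thread.
SAMPLE = ("While processing a TGS request for the target server krbtgt/DOMAIN, "
          "the account COMPUTER@DOMAIN did not have a suitable key for generating "
          "a Kerberos ticket (the missing key has an ID of 8). The requested "
          "etypes were 18.  The accounts available etypes were 23  -133  -128  3  1.")

if __name__ == "__main__":
    report = explain(parse_event27(SAMPLE))
    for key, value in report.items():
        print(f"{key}: {value}")
```

For the quoted event, the request is AES256 only while the account's available keys are RC4 and DES variants, so `common` is empty.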
I, like you, don't like having errors to parse through that don't need to be there.

That being said, we are a ski area and are about to open our mountain for winter operations, so I'm disinclined to disjoin the 2k3R2 machine.  Since the errors are benign, I'll wait until April, at which time I will likely go straight to 2k12.

I didn't try the DefaultEncryptionType mod, but I may set up a lab in a sandboxed VM environment and give that a try; reg mods aren't my favorite thing to do in a production environment unless they are tested first.  I will report back on findings, if any.

Thanks for your responses, I sincerely appreciate them.  Best regards.
fisher_king (Author) commented:
My pleasure. Good luck with your season.