We are seeing numerous events on 2008R2 DCs similar to the following:
While processing an AS request for target service krbtgt, the account xxxxxx did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 2). The requested etypes : 18. The accounts available etypes : 23 -133 -128. Changing or resetting the password of xxxxxx will generate a proper key.
The clients are Windows 7, there are only 2008R2 DCs in the domain. The DFL/FFL is 2008R2.
I can understand the client requesting etype 18 (AES default for Windows 7) but I don't understand why the account only has available etype of 23 (RC4) or the negative ones, whatever they are.
Also, what does the missing key ID of 2 bit mean?
I'm pretty sure that these events are harmless enough, as we're not getting a slew of calls for people not being able to log on; I'm just curious why an account in a 2008R2 domain on a Win7 client doesn't have etype 18 available.
Any help much appreciated,
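
As an added example (not part of the original post), the following Python sketch parses event messages of the form quoted above, decodes the etype numbers, and lists the accounts that hold no AES key. The function names, the `svc-example` account and the second and third sample messages are constructed for illustration; the negative values are Microsoft-private etype constants as named in `ntsecapi.h`.

```python
import re

# Positive numbers are IANA-registered Kerberos etypes; the negative ones are
# Microsoft-private constants as named in ntsecapi.h.
ETYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
    -128: "KERB_ETYPE_RC4_MD4", -133: "KERB_ETYPE_RC4_HMAC_OLD",
}
AES_ETYPES = {17, 18}

EVENT_RE = re.compile(
    r"the account (?P<account>\S+) did not have a suitable key.*?"
    r"requested etypes\s*:\s*(?P<req>[-\d\s]+?)\.\s*"
    r"The accounts available etypes\s*:\s*(?P<avail>[-\d\s]+?)\.",
    re.IGNORECASE | re.DOTALL,
)

def etype_name(number):
    return ETYPE_NAMES.get(number, f"unknown({number})")

def parse_event(message):
    """Extract account, requested and available etypes; None if no match."""
    m = EVENT_RE.search(message)
    if m is None:
        return None
    return {
        "account": m.group("account"),
        "requested": [int(t) for t in m.group("req").split()],
        "available": [int(t) for t in m.group("avail").split()],
    }

def accounts_without_aes(messages):
    """Map each account that holds no AES key to the names of the keys it has."""
    flagged = {}
    for message in messages:
        event = parse_event(message)
        if event and AES_ETYPES.isdisjoint(event["available"]):
            flagged[event["account"]] = [etype_name(e) for e in event["available"]]
    return flagged

TEMPLATE = ("While processing an AS request for target service krbtgt, the account {a} "
    "did not have a suitable key for generating a Kerberos ticket (the missing key has "
    "an ID of 2). The requested etypes : {r}. The accounts available etypes : {v}. "
    "Changing or resetting the password of {a} will generate a proper key.")
# Constructed samples: the first mirrors the event quoted in the post.
SAMPLES = [
    TEMPLATE.format(a="xxxxxx", r="18", v="23 -133 -128"),
    TEMPLATE.format(a="svc-example", r="3", v="18 17 23"),
    "An unrelated event line.",
]

if __name__ == "__main__":
    for account, keys in accounts_without_aes(SAMPLES).items():
        print(account, "has no AES key; available:", ", ".join(keys))
```

Run over exported event text, this gives a list of accounts whose stored keys include no AES type, which are the accounts the event's own remediation (a password change or reset) applies to.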