KDC Event 14 on Windows 2008 R2 Server

We are seeing numerous events on 2008R2 DCs similar to the following:

While processing an AS request for target service krbtgt, the account xxxxxx did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 2). The requested etypes : 18. The accounts available etypes : 23  -133  -128. Changing or resetting the password of xxxxxx will generate a proper key.

The clients are Windows 7, there are only 2008R2 DCs in the domain.  The DFL/FFL is 2008R2.

I can understand the client requesting etype 18 (AES default for Windows 7) but I don't understand why the account only has available etype of 23 (RC4) or the negative ones, whatever they are.

Also, what does the missing key ID of 2 bit mean?

I'm pretty sure that these events are harmless enough as we're not getting a slew of calls for people not being able to log on; I'm just curious why an account in a 2008R2 domain on a Win7 client doesn't have etype 18 available.

Any help much appreciated,
Stan
Stanner-UK Asked:
 
Dan McFadden (Systems Engineer) Commented:
You need to reset the password of the account referenced in the message.  The solution is in the error message, also a TechNet reference to the event id:

http://technet.microsoft.com/en-us/library/cc733991(v=ws.10).aspx

Dan
0
 
Bahloul Commented:
Hi,

To fulfill this you must delete the stored password on the client machine, then reset their password. The root cause here is that many users saved their password in some integrated applications.
0
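
Added example, not part of the original thread: a Python script that parses KDC event 14 message text like the one quoted in the question, names the etype numbers, and lists the accounts that were asked for AES but hold no AES key, which are the accounts the answers above say need a password reset. The negative etype names come from the Microsoft-private `KERB_ETYPE_*` constants in `ntsecapi.h`; the account names and sample messages are constructed.

```python
import re

# Positive numbers are standard Kerberos etypes; negative numbers are
# Microsoft-private constants (KERB_ETYPE_* in ntsecapi.h).
ETYPE_NAMES = {1: "DES-CBC-CRC", 3: "DES-CBC-MD5",
               17: "AES128-CTS-HMAC-SHA1-96", 18: "AES256-CTS-HMAC-SHA1-96",
               23: "RC4-HMAC", -128: "RC4_MD4", -133: "RC4_HMAC_OLD"}
AES_ETYPES = {17, 18}

# Pulls the account and both etype lists out of the event 14 message text.
EVENT14 = re.compile(
    r"the account (?P<account>\S+) did not have a suitable key.*?"
    r"requested etypes\s*:\s*(?P<req>[-\d\s]+)\."
    r".*?available etypes\s*:\s*(?P<avail>[-\d\s]+)\.",
    re.IGNORECASE | re.DOTALL,
)

def parse_event14(message):
    """Return account and etype details from an event 14 message, or None."""
    m = EVENT14.search(message)
    if m is None:
        return None
    requested = [int(t) for t in m.group("req").split()]
    available = [int(t) for t in m.group("avail").split()]
    return {"account": m.group("account"), "requested": requested,
            "available": available,
            "available_names": [ETYPE_NAMES.get(n, f"unknown ({n})") for n in available],
            "has_aes_key": bool(AES_ETYPES & set(available))}

def accounts_needing_reset(messages):
    """Accounts that were asked for AES but store no AES key (sorted, unique)."""
    hits = set()
    for msg in messages:
        ev = parse_event14(msg)
        if ev and AES_ETYPES & set(ev["requested"]) and not ev["has_aes_key"]:
            hits.add(ev["account"])
    return sorted(hits)

# Constructed sample input; "user1" and "legacyapp" are placeholder accounts.
TEMPLATE = ("While processing an AS request for target service krbtgt, the account "
            "{acct} did not have a suitable key for generating a Kerberos ticket "
            "(the missing key has an ID of 2). The requested etypes : {req}. "
            "The accounts available etypes : {avail}. Changing or resetting the "
            "password of {acct} will generate a proper key.")
SAMPLE = [TEMPLATE.format(acct="user1", req="18", avail="23  -133  -128"),
          TEMPLATE.format(acct="user1", req="18", avail="23  -133  -128"),
          TEMPLATE.format(acct="legacyapp", req="3", avail="23  -133  -128"),
          "Constructed unrelated log line."]
```

Feed it the message text of event ID 14 entries exported from the DCs' System log; `accounts_needing_reset(SAMPLE)` returns `['user1']` for the constructed input.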