Windows 2012 R2 DC Event Id 26

This is the error I have been getting all of a sudden over the last week or so

I have two DCs on the parent domain, both Windows 2012 R2; on the child domain, Windows 2003 and Windows 2012 R2.

One DC gets this multiple times a day, the other only a few times.

Log Name:      System
Source:        Microsoft-Windows-Kerberos-Key-Distribution-Center
Date:          9/29/2016 21:17:16
Event ID:      26
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      TGCS011.our.network.tgcsnet.com
Description:
While processing an AS request for target service krbtgt, the account ba-06dc6a$ did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). The requested etypes were 3. The accounts available etypes were 23  -133  -128  18  17.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Kerberos-Key-Distribution-Center" Guid="{3FD9DA1A-5A54-46C5-9A26-9BD7C0685056}" EventSourceName="KDC" />
    <EventID Qualifiers="49152">26</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2016-09-30T01:17:16.000000000Z" />
    <EventRecordID>285051</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>System</Channel>
    <Computer>TGCS011.our.network.tgcsnet.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="Target">krbtgt</Data>
    <Data Name="Name">ba-06dc6a$</Data>
    <Data Name="ID">1</Data>
    <Data Name="RequestedEtypes">3</Data>
    <Data Name="AvailableETypes">23  -133  -128  18  17</Data>
    <Binary>
    </Binary>
  </EventData>
</Event>



RAN THIS COMMAND


Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\administrator.OUR>klist tickets

Current LogonId is 0:0x724e6

Cached Tickets: (2)

#0>     Client: administrator @ OUR.NETWORK.TGCSNET.COM
        Server: krbtgt/OUR.NETWORK.TGCSNET.COM @ OUR.NETWORK.TGCSNET.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent nam
e_canonicalize
        Start Time: 9/27/2016 7:17:51 (local)
        End Time:   9/27/2016 17:17:51 (local)
        Renew Time: 10/4/2016 7:17:51 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: TGCS011

#1>     Client: administrator @ OUR.NETWORK.TGCSNET.COM
        Server: host/tgcs011.our.network.tgcsnet.com @ OUR.NETWORK.TGCSNET.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_deleg
ate name_canonicalize
        Start Time: 9/27/2016 7:17:51 (local)
        End Time:   9/27/2016 17:17:51 (local)
        Renew Time: 10/4/2016 7:17:51 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called: TGCS011

C:\Users\administrator.OUR>


How do I correct this issue?
0
Thomas Grassi
Asked:
 
Mal OsborneAlpha GeekCommented:
First thing I would do here is check that all machines involved have the correct time set. Kerberos errors, in my experience, are often due to time skew.
0
 
Thomas GrassiSystems AdministratorAuthor Commented:
Hello

I just checked; all machines are running current time. Physical and VM hosts all have the same time.

Every so often I get an event about not syncing the time, but not that often and only from a few member servers.

Is there a command to run to reset this?
0
 
*** Hopeleonie ***IT ManagerCommented:
0
 
Thomas GrassiSystems AdministratorAuthor Commented:
Yes I saw that already

This part does not make any sense to me

Resolve

Configure an available encryption type

Kerberos supports several encryption types that are used to encrypt the tickets. If you are using a non-Microsoft Kerberos client to request a ticket from a Windows-based Kerberos server, the Kerberos client must support the same encryption type. Use the event log message to determine the available encryption type and configure the Kerberos client accordingly.


Also, you can see I ran the klist tickets command; that's where I got that from.

Puzzled
0
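Added example, not part of the thread and not any poster's code: a Python sketch that applies the "Resolve" guidance quoted above by decoding the etype numbers in an exported event 26 and checking whether the request and the account share any encryption type. The function names are hypothetical, and the sample is a trimmed copy of the event XML from the question.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# IANA-registered Kerberos encryption type numbers.
ETYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
          17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
          23: "rc4-hmac", 24: "rc4-hmac-exp"}
DES = {1, 2, 3}

# Trimmed copy of the event XML posted in the question.
SAMPLE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID Qualifiers="49152">26</EventID>
    <Computer>TGCS011.our.network.tgcsnet.com</Computer></System>
  <EventData>
    <Data Name="Target">krbtgt</Data>
    <Data Name="Name">ba-06dc6a$</Data>
    <Data Name="ID">1</Data>
    <Data Name="RequestedEtypes">3</Data>
    <Data Name="AvailableETypes">23  -133  -128  18  17</Data>
  </EventData>
</Event>"""

def etype_name(n):
    """Name an etype; negative numbers are not IANA-assigned."""
    if n in ETYPES:
        return ETYPES[n]
    return "non-IANA (%d)" % n if n < 0 else "unknown (%d)" % n

def explain_event26(xml_text):
    """Return who asked for what, what the account holds, and the overlap."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "26":
        raise ValueError("not a KDC event ID 26")
    data = {d.get("Name"): (d.text or "")
            for d in root.iterfind("e:EventData/e:Data", NS)}
    requested = [int(x) for x in data["RequestedEtypes"].split()]
    available = [int(x) for x in data["AvailableETypes"].split()]
    return {
        "account": data["Name"],
        "target": data["Target"],
        "requested": [etype_name(n) for n in requested],
        "available": [etype_name(n) for n in available],
        "common": sorted(set(requested) & set(available)),
        "des_only_client": bool(requested) and set(requested) <= DES,
    }

if __name__ == "__main__":
    for key, value in explain_event26(SAMPLE).items():
        print(f"{key}: {value}")
```

For the posted event the overlap is empty: the request listed only etype 3 (des-cbc-md5), while the account's available etypes are RC4 and AES plus two non-IANA values.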
 
Thomas GrassiSystems AdministratorAuthor Commented:
Update

After reviewing the event errors closely I figured which devices are causing this issue

I have Seagate Black Armor 440 NAS that is the BA-06dc6a$

Do not understand why they are causing this error

I contacted Seagate waiting for response

What does "did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1)." mean?

Thoughts
0
 
Thomas GrassiSystems AdministratorAuthor Commented:
Update

Seagate support was of no help

Anyone out there have any ideas?

I am at a loss here
0
 
Adam BrownSr Solutions ArchitectCommented:
Basically this error occurs when a system attempts to generate a Kerberos ticket but doesn't have the necessary rights/authorization to do so. Basically it means your NAS isn't properly communicating with the domain and has probably lost its secure channel link. Check to see if there is an Object for the NAS in AD. Just search AD for a computer with the name BA-06dc6a. If there is no object for the NAS in AD, that means it can't request a Kerberos ticket, and this event will pop up in the logs each time it tries. If that's the case, you'll have to add the NAS to the domain again or remove its domain configuration entirely.
0
 
Thomas GrassiSystems AdministratorAuthor Commented:
Adam

I checked AD and both units are in AD; they are in the Computers container.

Are there any settings I should look for?
0
 
Thomas GrassiSystems AdministratorAuthor Commented:
Guys I had to remove them from AD and put them in a workgroup

Very strange that this started after I put the second NAS on the network

Thanks for all the help
0
