Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


Windows 2012 R2 DC Event Id 26

Posted on 2016-09-29
Medium Priority
Last Modified: 2016-10-15
This is the error I have been getting all of a sudden over the last week or so

I have two DC's on the parent Domain both Windows 2012 R2 on the Child Domain Windows 2003 and Windows 2012 R2

One DC get this multiple times a day the other only a few times

Log Name:      System
Source:        Microsoft-Windows-Kerberos-Key-Distribution-Center
Date:          9/29/2016 21:17:16
Event ID:      26
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
While processing an AS request for target service krbtgt, the account ba-06dc6a$ did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). The requested etypes were 3. The accounts available etypes were 23  -133  -128  18  17.
Event Xml:
<Event xmlns="">
    <Provider Name="Microsoft-Windows-Kerberos-Key-Distribution-Center" Guid="{3FD9DA1A-5A54-46C5-9A26-9BD7C0685056}" EventSourceName="KDC" />
    <EventID Qualifiers="49152">26</EventID>
    <TimeCreated SystemTime="2016-09-30T01:17:16.000000000Z" />
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Security />
    <Data Name="Target">krbtgt</Data>
    <Data Name="Name">ba-06dc6a$</Data>
    <Data Name="ID">1</Data>
    <Data Name="RequestedEtypes">3</Data>
    <Data Name="AvailableETypes">23  -133  -128  18  17</Data>


Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\administrator.OUR>klist tickets

Current LogonId is 0:0x724e6

Cached Tickets: (2)

#0>     Client: administrator @ OUR.NETWORK.TGCSNET.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent nam
        Start Time: 9/27/2016 7:17:51 (local)
        End Time:   9/27/2016 17:17:51 (local)
        Renew Time: 10/4/2016 7:17:51 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: TGCS011

#1>     Client: administrator @ OUR.NETWORK.TGCSNET.COM
        Server: host/ @ OUR.NETWORK.TGCSNET.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_deleg
ate name_canonicalize
        Start Time: 9/27/2016 7:17:51 (local)
        End Time:   9/27/2016 17:17:51 (local)
        Renew Time: 10/4/2016 7:17:51 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called: TGCS011


How do I correct this issue
Question by:Thomas Grassi
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 19

Expert Comment

by:Mal Osborne
ID: 41822836
First thing I would do here is check that all machines involved have the correct time set. Kerberos errors, in my experience are often due to time skew.
LVL 23

Author Comment

by:Thomas Grassi
ID: 41822839

I just checked all machines are running current time Physical and VM hosts all same time

Every so Often I get and event about not syncing the time but not that often and only from a few member servers.

Is there a command to run to reset this?
LVL 19

Expert Comment

by:*** Hopeleonie ***
ID: 41822926
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

LVL 23

Author Comment

by:Thomas Grassi
ID: 41823302
Yes I saw that already

This part does not make any sense to me


Configure an available encryption type

Kerberos supports several encryption types that are used to encrypt the tickets. If you are using a non-Microsoft Kerberos client to request a ticket from a Windows-based Kerberos server, the Kerberos client must support the same encryption type. Use the event log message to determine the available encryption type and configure the Kerberos client accordingly.

Also  you can see I ran the klist tickets  command that's where I got that from

LVL 23

Author Comment

by:Thomas Grassi
ID: 41824873

After reviewing the event errors closely I figured which devices are causing this issue

I have Seagate Black Armor 440 NAS that is the BA-06dc6a$

Do not understand why they are causing this error

I contacted Seagate waiting for response

What does "did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1)."   mean

LVL 23

Author Comment

by:Thomas Grassi
ID: 41831049

Seagate support was of no help

Any one out there have any ideas

I am at a loss here
LVL 42

Accepted Solution

Adam Brown earned 2000 total points
ID: 41834265
Basically this error occurs when a system attempts to generate a Kerberos ticket but doesn't have the necessary rights/authorization to do so. Basically it means your NAS isn't properly communicating with the domain and has probably lost its secure channel link. Check to see if there is an Object for the NAS in AD. Just search AD for a computer with the name BA-06dc6a. If there is no object for the NAS in AD, that means it can't request a Kerberos ticket, and this event will pop up in the logs each time it tries. If that's the case, you'll have to add the NAS to the domain again or remove its domain configuration entirely.
LVL 23

Author Comment

by:Thomas Grassi
ID: 41834574

I checked Ad and both units are in AD the are in the Computers container.

Is there any settings I should look for?
LVL 23

Author Closing Comment

by:Thomas Grassi
ID: 41845182
Guys I had to remove them from AD and put them in a workgroup

Very strange that this started after I put the second NAS on the network

Thanks for all the help

Featured Post

U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Background Information Recently I have fixed file server permission issues for one of my client. The client has 1800 users and one Windows Server 2008 R2 domain joined file server with 12 TB of data, 250+ shared folders and the folder structure i…
A procedure for exporting installed hotfix details of remote computers using powershell
In this Micro Tutorial viewers will learn how to use Windows Server Backup to create full image of their system. Tutorial shows how to install Windows Server Backup Feature on Windows 2012R2 and how to configure scheduled Bare Metal Recovery backup.…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

660 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question