Solved

Windows 2012 R2 DC Event Id 26

Posted on 2016-09-29
10
70 Views
Last Modified: 2016-10-15
This is the error I have been getting all of a sudden over the last week or so

I have two DC's on the parent Domain both Windows 2012 R2 on the Child Domain Windows 2003 and Windows 2012 R2

One DC get this multiple times a day the other only a few times

Log Name:      System
Source:        Microsoft-Windows-Kerberos-Key-Distribution-Center
Date:          9/29/2016 21:17:16
Event ID:      26
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      TGCS011.our.network.tgcsnet.com
Description:
While processing an AS request for target service krbtgt, the account ba-06dc6a$ did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). The requested etypes were 3. The accounts available etypes were 23  -133  -128  18  17.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Kerberos-Key-Distribution-Center" Guid="{3FD9DA1A-5A54-46C5-9A26-9BD7C0685056}" EventSourceName="KDC" />
    <EventID Qualifiers="49152">26</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2016-09-30T01:17:16.000000000Z" />
    <EventRecordID>285051</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>System</Channel>
    <Computer>TGCS011.our.network.tgcsnet.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="Target">krbtgt</Data>
    <Data Name="Name">ba-06dc6a$</Data>
    <Data Name="ID">1</Data>
    <Data Name="RequestedEtypes">3</Data>
    <Data Name="AvailableETypes">23  -133  -128  18  17</Data>
    <Binary>
    </Binary>
  </EventData>
</Event>



RAN THIS COMAND


Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\administrator.OUR>klist tickets

Current LogonId is 0:0x724e6

Cached Tickets: (2)

#0>     Client: administrator @ OUR.NETWORK.TGCSNET.COM
        Server: krbtgt/OUR.NETWORK.TGCSNET.COM @ OUR.NETWORK.TGCSNET.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent nam
e_canonicalize
        Start Time: 9/27/2016 7:17:51 (local)
        End Time:   9/27/2016 17:17:51 (local)
        Renew Time: 10/4/2016 7:17:51 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: TGCS011

#1>     Client: administrator @ OUR.NETWORK.TGCSNET.COM
        Server: host/tgcs011.our.network.tgcsnet.com @ OUR.NETWORK.TGCSNET.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_deleg
ate name_canonicalize
        Start Time: 9/27/2016 7:17:51 (local)
        End Time:   9/27/2016 17:17:51 (local)
        Renew Time: 10/4/2016 7:17:51 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called: TGCS011

C:\Users\administrator.OUR>


How do I correct this issue
0
Comment
Question by:Thomas Grassi
10 Comments
 
LVL 16

Expert Comment

by:Malmensa
Comment Utility
First thing I would do here is check that all machines involved have the correct time set. Kerberos errors, in my experience are often due to time skew.
0
 
LVL 23

Author Comment

by:Thomas Grassi
Comment Utility
Hello

I just checked all machines are running current time Physical and VM hosts all same time

Every so Often I get and event about not syncing the time but not that often and only from a few member servers.

Is there a command to run to reset this?
0
 
LVL 18

Expert Comment

by:hopeleonie
Comment Utility
0
 
LVL 23

Author Comment

by:Thomas Grassi
Comment Utility
Yes I saw that already

This part does not make any sense to me

Resolve

Configure an available encryption type

Kerberos supports several encryption types that are used to encrypt the tickets. If you are using a non-Microsoft Kerberos client to request a ticket from a Windows-based Kerberos server, the Kerberos client must support the same encryption type. Use the event log message to determine the available encryption type and configure the Kerberos client accordingly.


Also  you can see I ran the klist tickets  command that's where I got that from

Puzzled
0
What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

 
LVL 23

Author Comment

by:Thomas Grassi
Comment Utility
Update

After reviewing the event errors closely I figured which devices are causing this issue

I have Seagate Black Armor 440 NAS that is the BA-06dc6a$

Do not understand why they are causing this error

I contacted Seagate waiting for response

What does "did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1)."   mean

Thoughts
0
 
LVL 23

Author Comment

by:Thomas Grassi
Comment Utility
Update

Seagate support was of no help

Any one out there have any ideas

I am at a loss here
0
 
LVL 38

Accepted Solution

by:
Adam Brown earned 500 total points
Comment Utility
Basically this error occurs when a system attempts to generate a Kerberos ticket but doesn't have the necessary rights/authorization to do so. Basically it means your NAS isn't properly communicating with the domain and has probably lost its secure channel link. Check to see if there is an Object for the NAS in AD. Just search AD for a computer with the name BA-06dc6a. If there is no object for the NAS in AD, that means it can't request a Kerberos ticket, and this event will pop up in the logs each time it tries. If that's the case, you'll have to add the NAS to the domain again or remove its domain configuration entirely.
0
 
LVL 23

Author Comment

by:Thomas Grassi
Comment Utility
Adam

I checked Ad and both units are in AD the are in the Computers container.

Is there any settings I should look for?
0
 
LVL 23

Author Closing Comment

by:Thomas Grassi
Comment Utility
Guys I had to remove them from AD and put them in a workgroup

Very strange that this started after I put the second NAS on the network

Thanks for all the help
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

I don't know if many of you have made the great mistake of using the Cisco Thin Client model with the management software VXC. If you have then you are probably more then familiar with the incredibly clunky interface, the numerous work arounds, and …
A procedure for exporting installed hotfix details of remote computers using powershell
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now