Kerberos PAC Errors

We have a Windows 2016 RODC running Server Core in our DMZ. It is restricted via our firewall as to which DCs internally it can communicate with. Sporadically, i.e. once every other week, we get the following error message on one of the internal DCs the RODC can talk to: "During TGS processing, the KDC was unable to verify the signature on the PAC from RODCNA1$. This indicates the PAC was modified." Searching online seems to point out this is normal, but my problem is: if this is normal, then why is it an error?
compdigit44 Asked:

Learnctx (Engineer) Commented:
Microsoft have a good blog that talks about PAC verification issues. The article is good and gives insight into your question and scenarios which cause PAC verification failure. You can find the article here.

"It is restricted via our firewall as to which DCs internally it can communicate with."

I have to wonder what restricting it to communicating with just a few DC's vs. say all of them achieves. And I say this because if 1 is compromised they are all compromised.

"Searching online seems to point out this is normal, but my problem is: if this is normal, then why is it an error?"

Because you probably have a network restriction that is sporadically generating this error. Windows is saying, hey this happened.

compdigit44 (Author) Commented:
Thank you for your feedback. All the articles I have read seem to point out this is normal, but I was concerned this could have been some type of attack on the RODC.
Question has a verified solution.
