This error occurred after an offline P2V conversion of a 2003 SP2 domain controller (DC). I used "klist tickets" (Resource Kit) to verify cached tickets. The faulty DC had only two cached tickets, another running DC had four.
Rebooted the DC in an attempt to "reload" the ticket cache. After reboot the faulty DC had all four tickets in the cache and the error was resolved.
As per ME978055, user accounts that use DES encryption for Kerberos authentication types cannot be authenticated in a Windows Server 2003 domain after a Windows Server 2008 R2 domain controller joins the domain. The article provides information about a hotfix that solved my problem.
This happened to me in an Active Directory 2003 forest (native mode) with Windows 2008 R2 SP1 DCs recently installed and SAP JEE.
The exact description was "While processing a TGS request for the target server HTTP/<server-fqdn>, the account sAMAccountName@My.domain.com did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 9). The requested etypes were 3 1. The accounts available etypes were 23 -133 -128."
provides an explanation of this situation. In short, current SAP JEE relies on DES encryption for the account setup in the UME. The issue is solved by the hotfix described in ME978055.
Additional info: etypes are fixed in the RFC. See the list in EV100074.
From a support forum: "By default Windows 7 and Windows 2008 R2 do not enable des_cbc_md5. Windows 2003 has cryptography set as rsadsi rc4_hmac_md5. When you set up an SPN with ktpass, by default des_cbc_md5 is used. Verify your ticket-granting service with kerbtray: select the SPN and check the Encryption Type tab.
I suggest you try a GPO to enable Computer Settings\Windows Settings\Security Settings\Security Options\Network Security\Configure encryption type. Enable both des_cbc_md5 and the standard 2003 rc4_hmac_md5. Please note that enabling one suite means that you enable only that kind of encryption suite; that's why we re-enable the standard rsadsi."
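An added example, not from any of the commenters above: it decodes the requested/available etype lists from a KDC event like the one quoted earlier and computes the bitmask behind the "configure encryption types" policy that the comment above recommends. The server and account names in the sample event are constructed placeholders; the flag values are those of the SupportedEncryptionTypes policy DWORD and the msDS-SupportedEncryptionTypes attribute.

```python
import re

# Kerberos etype numbers from RFC 3961 / RFC 4120 / RFC 4757. Negative values are
# Microsoft-specific legacy RC4 variants that Windows KDC events also list.
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac", 24: "rc4-hmac-exp",
}
# Bit flags of the "Configure encryption types allowed for Kerberos" policy
# (SupportedEncryptionTypes DWORD) and of msDS-SupportedEncryptionTypes.
ETYPE_FLAGS = {1: 0x1, 3: 0x2, 23: 0x4, 17: 0x8, 18: 0x10}
EVENT_RE = re.compile(r"The requested etypes were ([-\d ]+?)\.\s*"
                      r"The accounts available etypes were ([-\d ]+?)\.")

def etype_name(n):
    return ETYPE_NAMES.get(n, "ms-legacy-rc4(%d)" % n if n < 0 else "etype-%d" % n)

def parse_event(text):
    """Return (requested, available) etype number lists from the KDC event text."""
    m = EVENT_RE.search(text)
    if not m:
        raise ValueError("not a KDC 'did not have a suitable key' event")
    return [int(x) for x in m.group(1).split()], [int(x) for x in m.group(2).split()]

def diagnose(text):
    """Does any etype the client requested exist among the account's keys?"""
    requested, available = parse_event(text)
    common = [e for e in requested if e in available]
    return {"requested": [etype_name(e) for e in requested],
            "available": [etype_name(e) for e in available],
            "common": [etype_name(e) for e in common],
            "ticket_possible": bool(common)}

def policy_mask(etypes):
    """Policy bitmask allowing exactly `etypes`; everything not listed is disabled."""
    if any(e not in ETYPE_FLAGS for e in etypes):
        raise ValueError("no policy flag for one of %s" % list(etypes))
    mask = 0
    for e in etypes:
        mask |= ETYPE_FLAGS[e]
    return mask

# Constructed sample modelled on the event quoted above (placeholder names).
SAMPLE_EVENT = ("While processing a TGS request for the target server "
                "HTTP/app.example.test, the account svc-sap@EXAMPLE.TEST did not "
                "have a suitable key for generating a Kerberos ticket (the missing "
                "key has an ID of 9). The requested etypes were 3 1. "
                "The accounts available etypes were 23 -133 -128.")
```

For the sample event `diagnose` reports no common etype (DES requested, only RC4 keys available), and `policy_mask([3, 23])` gives 0x6, the des_cbc_md5 plus rc4_hmac_md5 combination the comment recommends.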
From a support forum: "The cause of the event is that the client requests a service ticket with an etype 18 (aes256-cts-hmac-sha1-96), which is not supported by Windows Server 2003 but supported by Windows Server 2008 R2. If the Kerberos authentication works properly, you can safely ignore the events. It just informs the clients what etypes it supports.
For more information, please refer to the following articles:
The security principals and the services that use only DES encryption for Kerberos authentication are incompatible with the default settings on a computer that is running Windows 7 or Windows Server 2008 R2 (ME977321) and T733974."
This error occurred multiple times when we tried joining a Fedora Core 2 Linux/Samba server to our Win2k3 domain without first getting a Kerberos ticket. On the Linux side, we had to type "kinit username@DOMAIN.COM" to get a ticket.