Question : Event ID 27 Source KDC

Hi there

We have 2 DCs, one running 2008 and the other 2003

We keep getting these event ID 27 errors on DC2 everyday

All i can establish is the machines and users in question are the ones using VISTA or Windows 7

Any ideas how i can sort this?

Event Type:      Error
Event Source:      KDC
Event Category:      None
Event ID:      27
Date:            16/11/2009
Time:            15:31:33
User:            N/A
Computer:      DC2
Description:
While processing a TGS request for the target server krbtgt/mydomain.SCHOOL, the account [email protected]OL did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 18. The accounts available etypes were 23 -133 -128 3 1.

Description:
While processing a TGS request for the target server krbtgt/ mydomain.SCHOOL, the account [email protected] did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 18. The accounts available etypes were 23 -133 -128 3 1.

Answer : Event ID 27 Source KDC

Yes , i think it should not occur as the reason given bby them.

The detais.

Error messages:
--------------------------

Source: KDC
Event-ID: 27
Type: Error
While processing a TGS request for the target server krbtgt/WEISHAUPT.INT, the
account [email protected] did not have a suitable key for generating a
Kerberos ticket (the missing key has an ID of 8). The requested etypes were 18.
The accounts available etypes were 23 -133 -128 3 1.

Assessment
---------------------------
The problem is that the client is sending a TGS request using the Etype of 18
(AES). Windows 2003 does not support this etype for Kerberos where 2008 does. The
error that is being logged on the domain controller can safely be ignored as it is
by design. The domain controller is just informing the client what etypes it does
support. The 2008 servers are then falling back to one of the supported types. I
did find out that there is a way to modify the default etype that Windows 2008
uses. This will prevent the error from being logged on the domain controller. You
will have to add the following registry value to the Windows 2008 servers. No
reboot is required for this change to take effect. Let me know if you have any
additional questions or concerns.

Navigate to HKLM\System\CurrentControlSet\Control\LSA\Kerberos\Parameters

Add the following registry value.

Value Name = DefaultEncryptionType
Type = Reg_DWORD
Value Data = 0x17(23)
VKB: error: 27 source: KDC Windows server 2008
VKB: SRX080630601218

Windows OS Bugs 1488195

They say its OS bug.

Random Solutions

Access Database Out of Memory Error

Is it possible to store the format for the format property in a table?

Conditional Row Filtering based on column grouping

Example of Union query with 3 views (3 queries)needed

SendObject -- Message Text Truncates

MySysCompactError

Chunk rows of records into 64K blocks and create .xls files..

MS Office 2007 Security on Windows 2008 Terminal Server

How do I add a hyperlink to a InfoPath picture?

vb.net sata hard drive serial number