SBS 2008\Kerberos Failure Audits are logged when Windows 7 clients are on LAN

Article ID: 2519073 - View products that this article applies to.
Expand all | Collapse all

Symptoms

You are logging the following failure audit each time a Windows 7 client requests a new kerberos ticket from the SBS 2008 server:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          2/7/2011 2:14:14 PM
Event ID:      4769
Task Category: Kerberos Service Ticket Operations
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:     SBS2008.Contoso.local

Description:
A Kerberos service ticket was requested.

Account Information:
Account Name:  Windows7Machine@contoso.local

Account Domain:  CONTOSO.LOCAL
Logon GUID:  {00000000-0000-0000-0000-000000000000}

Service Information:
Service Name:  krbtgt/CONTOSO.LOCAL
Service ID:  NULL SID

Network Information:
Client Address:  ::ffff:192.168.1.75
Client Port:  49208

Additional Information:
Ticket Options:  0x60810010
Ticket Encryption Type: 0xffffffff
Failure Code:  0xe
Transited Services: -

0xe translates to KDC_ERR_ETYPE_NOTSUPP

Cause

If the domain is still running at the Windows 2003 functional level you will receive these events. 

  • Windows 7 clients will request the aes256-cts-hmac-sha1-96 algorithm by default.
  • This algorithm is only supported at the Windows 2008 domain functional level.
  • SBS 2008 setup will not raise the functional level of the domain after promoting the server to a domain controller.  This is always a manual step that you have to perform.
  • When the server rejects the request, the Windows 7 client will negotiate down to a supported algorithm.  Nothing is actually broken here, all by design.

To verify whether this is taking place, take a netmon trace and look for the following packet from the client; the EType is aes256-cts-hmac-sha1-96:

2285 1:16:32 PM 2/18/2011 62.0646736  Windows7Machine SBS2008 KerberosV5 KerberosV5:TGS Request Realm: CONTOSO.LOCAL Sname: krbtgt/CONTOSO.LOCAL  {TCP:221, IPv4:17}

  Frame: Number = 2285, Captured Frame Length = 1447, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[A4-BA-DB-44-CE-24],SourceAddress:[B8-AC-6F-BA-D8-FB]
+ Ipv4: Src = 192.168.130.76, Dest = 192.168.130.2, Next Protocol = TCP, Packet ID = 12132, Total IP Length = 1433
+ Tcp: Flags=...AP..., SrcPort=50797, DstPort=Kerberos(88), PayloadLen=1393, Seq=328192576 - 328193969, Ack=2800542374, Win=64240 (scale factor 0x0) = 64240
- Kerberos: TGS Request Realm: CONTOSO.LOCAL Sname: krbtgt/CONTOSO.LOCAL
  + Length: Length = 1389
  - TgsReq: Kerberos TGS Request
   + ApplicationTag:
   - KdcReq: KRB_TGS_REQ (12)
    + SequenceHeader:
    + Tag1:
    + Pvno: 5
    + Tag2:
    - MsgType: KRB_TGS_REQ (12)
     + AsnIntegerHeader:
       AsnInt: 12 (0xC)
    + Tag3:
    + PaData:
    + Tag4:
    - ReqBody:
     + SequenceHeader:
     + Tag0:
     + KdcOptions: 0x60810010
     + Tag2: 0x1
     + Realm: CONTOSO.LOCAL
     + Tag3:
     + Sname: krbtgt/CONTOSO.LOCAL
     + Tag5: 0x1
     + Till: 09/13/2037 02:48:05 UTC
     + Tag7:
     + Nonce: 1580942399 (0x5E3B443F)
     + Tag8:
     - Etype:
      + SequenceOfHeader:
      - EType: aes256-cts-hmac-sha1-96 (18)
       + AsnIntegerHeader:
         AsnInt: 18 (0x12)//

Resolution

If you have 2003 domain controllers in your environment, then ignore the event.  If you are able and ready to raise the functional level of the domain, then raising it to 2008 will eliminate these events.
Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Properties

Article ID: 2519073 - Last Review: November 1, 2011 - Revision: 4.0
APPLIES TO
  • Windows Small Business Server 2008 Standard
Keywords: 
KB2519073

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com