User accounts are not authenticated by the domain controllers that are in the child domain if "The other domain supports Kerberos AES Encryption" check box is selected

Article translations Article translations
Article ID: 975616 - View products that this article applies to.
Expand all | Collapse all

On This Page

SYMPTOMS

Consider the following scenario:
  • You set the forest functional level of an Active Directory forest to Windows Server 2003.
  • You set the domain functional level of a parent domain to Windows Server 2003. The parent domain contains one or more domain controllers that are running Windows Server 2008.
  • You set the domain functional level of a child domain to Windows Server 2008. The child domain contains one or more domain controllers that are running Windows Server 2008.
  • You install hotfix 959517 or Windows Server 2008 Service Pack 2 (SP2) on all these domain controllers that are running Windows Server 2008.
  • You click to select The other domain supports Kerberos AES Encryption check box for the trust relationship between the parent domain and the child domain.
In this scenario, the user accounts that are in the parent domain are not authenticated by the domain controllers in the child domain. Therefore, these user accounts cannot access resources in the child domain.

Additionally, the following event is logged in the System log on a domain controller that is in the child domain:

Source: Microsoft-Windows-Kerberos-Key-Distribution-Center
Date: <date>
Event ID: 18
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: <computer>
Description: During TGS processing, the KDC was unable to verify the signature on the PAC from <the partent domain name>. This indicates the PAC was modified.

CAUSE

This issue occurs because the Windows Server 2008-based Key Distribution Center (KDC) uses an incorrect key type to verify the privilege attribute certificate (PAC) in the scenario that is described in the "Symptoms" section.

RESOLUTION

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
http://support.microsoft.com/contactus/?ws=support
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

To apply this hotfix, your computer must be running Windows Server 2008 or Windows Server 2008 Service Pack 2 (SP2). Additionally, the Active Directory Domain Service (AD DS) role must be installed.

For more information about how to obtain a Windows Server 2008 service pack, click the following article number to view the article in the Microsoft Knowledge Base:
968849 How to obtain the latest service pack for Windows Server 2008

Restart requirement

You must restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix replaces the previously released hotfix 959517

File information

The English (United States) version of this hotfix installs files that have the attributes that are listed in the following tables. The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and the times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and the times may change when you perform certain operations on the files.
Windows Server 2008 file information notes
  • The files that apply to a specific product, SR_Level (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table.
    Collapse this tableExpand this table
    VersionProductSR_LevelService branch
    6.0.600 1 . 22xxx Windows Server 2008SP1LDR
    6.0.600 2 . 22xxx Windows Server 2008SP2LDR
  • Service Pack 1 is integrated into the release version of Windows Server 2008. Therefore, RTM milestone files apply only to Windows Vista. RTM milestone files have a 6.0.0000.xxxxxx version number.
  • The MANIFEST files (.manifest) and the MUM files (.mum) that are installed for each environment are listed separately in the "Additional file information for Windows Server 2008" section. MUM and MANIFEST files, and the associated security catalog (.cat) files, are extremely important to maintaining the state of the updated component. The security catalog files, for which the attributes are not listed, are signed with a Microsoft digital signature.
For all supported x86-based versions of Windows Server 2008

Collapse this tableExpand this table
File nameFile versionFile sizeDateTimePlatform
Kdcsvc.dll6.0.6001.22572312,83201-Dec-200914:13x86
Kdcsvc.mofNot Applicable5,30001-Apr-200919:14Not Applicable
Kdcsvc.dll6.0.6002.22278312,83201-Dec-200915:54x86
Kdcsvc.mofNot Applicable5,30003-Apr-200921:47Not Applicable
For all supported x64-based versions of Windows Server 2008

Collapse this tableExpand this table
File nameFile versionFile sizeDateTimePlatform
Kdcsvc.dll6.0.6001.22572406,52801-Dec-200915:40x64
Kdcsvc.mofNot Applicable5,30001-Apr-200916:43Not Applicable
Kdcsvc.dll6.0.6002.22278406,52801-Dec-200914:00x64
Kdcsvc.mofNot Applicable5,30003-Apr-200921:07Not Applicable

WORKAROUND

Workaround for Windows Server 2008

To work around this issue, click to clear The other domain supports Kerberos AES Encryption check box for the parent and child trust.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

To select or clear The other domain supports Kerberos AES Encryption check box, follow these steps:
  1. Open the Active Directory Domains and Trusts Microsoft Management console (MMC) snap-in on a domain controller that is in the parent domain.
  2. Right-click the domain name of this parent domain to open the Properties dialog box.
  3. On the Trusts tab, select the trust between the parent domain and the child domain, and then click Properties.
  4. Click to select or clear The other domain supports Kerberos AES Encryption option check box.
  5. Click OK, and then restart the domain controllers that are in both domains to apply the setting.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
959517 Windows Server 2008 Key Distribution Center (KDC) rejects a TGS request after the TGT is renewed

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

Additional file information

Additional file information for Windows Server 2008

Additional files for all supported x86-based versions of Windows Server 2008

Collapse this tableExpand this table
File nameFile versionFile sizeDateTimePlatform
Update.mumNot Applicable2,25502-Dec-200906:50Not Applicable
X86_77579d0e15e6e869515377c8c67adca5_31bf3856ad364e35_6.0.6001.22572_none_daaf6ab4925649ae.manifestNot Applicable72002-Dec-200906:50Not Applicable
X86_cc2b6ef15fee21c57e8e831b823cc21c_31bf3856ad364e35_6.0.6002.22278_none_e662da6861421dee.manifestNot Applicable72002-Dec-200906:50Not Applicable
X86_microsoft-windows-k..distribution-center_31bf3856ad364e35_6.0.6001.22572_none_8bf7bdd3ad956d97.manifestNot Applicable42,27601-Dec-200918:08Not Applicable
X86_microsoft-windows-k..distribution-center_31bf3856ad364e35_6.0.6002.22278_none_8de43177aab65ac5.manifestNot Applicable42,27601-Dec-200918:48Not Applicable
Additional files for all supported x64-based versions of Windows Server 2008

Collapse this tableExpand this table
File nameFile versionFile sizeDateTimePlatform
Amd64_b2d5ce3c9ebc080f1a87d396eaa46d5d_31bf3856ad364e35_6.0.6001.22572_none_1090c8e45181d249.manifestNot Applicable72402-Dec-200906:50Not Applicable
Amd64_c0b523ccd3c830544cebc3fa816e4ba7_31bf3856ad364e35_6.0.6002.22278_none_19a2df947f9703be.manifestNot Applicable72402-Dec-200906:50Not Applicable
Amd64_microsoft-windows-k..distribution-center_31bf3856ad364e35_6.0.6001.22572_none_e816595765f2decd.manifestNot Applicable42,32001-Dec-200919:46Not Applicable
Amd64_microsoft-windows-k..distribution-center_31bf3856ad364e35_6.0.6002.22278_none_ea02ccfb6313cbfb.manifestNot Applicable42,32001-Dec-200915:30Not Applicable
Update.mumNot Applicable2,27102-Dec-200906:50Not Applicable

Properties

Article ID: 975616 - Last Review: February 8, 2010 - Revision: 1.0
APPLIES TO
  • Windows Server 2008 Datacenter without Hyper-V
  • Windows Server 2008 Enterprise without Hyper-V
  • Windows Server 2008 Standard without Hyper-V
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Standard
Keywords: 
kbqfe kbhotfixserver kbsurveynew kbautohotfix kbbug kbfix KB975616

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com