SBS 2008\Kerberos Failure Audits are logged when Windows 7 clients are on LAN

Symptoms

You are logging the following failure audit each time a Windows 7 client requests a new Kerberos ticket from the SBS 2008 server:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          2/7/2011 2:14:14 PM
Event ID:      4769
Task Category: Kerberos Service Ticket Operations
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:     SBS2008.Contoso.local

Description:
A Kerberos service ticket was requested.

Account Information:
Account Name:  Windows7Machine@contoso.local

Account Domain:  CONTOSO.LOCAL
Logon GUID:  {00000000-0000-0000-0000-000000000000}

Service Information:
Service Name:  krbtgt/CONTOSO.LOCAL
Service ID:  NULL SID

Network Information:
Client Address:  ::ffff:192.168.1.75
Client Port:  49208

Additional Information:
Ticket Options:  0x60810010
Ticket Encryption Type: 0xffffffff
Failure Code:  0xe
Transited Services: -

Failure code 0xe translates to KDC_ERR_ETYPE_NOTSUPP.

Cause

If the domain is still running at the Windows 2003 functional level, you will receive these events.

  • Windows 7 clients will request the aes256-cts-hmac-sha1-96 algorithm by default.
  • This algorithm is only supported at the Windows 2008 domain functional level.
  • SBS 2008 setup will not raise the functional level of the domain after promoting the server to a domain controller.  This is always a manual step that you have to perform.
  • When the server rejects the request, the Windows 7 client will negotiate down to a supported algorithm. Nothing is actually broken here; this is all by design.

To verify whether this is taking place, take a netmon trace and look for the following packet from the client; the EType is aes256-cts-hmac-sha1-96:

2285 1:16:32 PM 2/18/2011 62.0646736  Windows7Machine SBS2008 KerberosV5 KerberosV5:TGS Request Realm: CONTOSO.LOCAL Sname: krbtgt/CONTOSO.LOCAL  {TCP:221, IPv4:17}

  Frame: Number = 2285, Captured Frame Length = 1447, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[A4-BA-DB-44-CE-24],SourceAddress:[B8-AC-6F-BA-D8-FB]
+ Ipv4: Src = 192.168.130.76, Dest = 192.168.130.2, Next Protocol = TCP, Packet ID = 12132, Total IP Length = 1433
+ Tcp: Flags=...AP..., SrcPort=50797, DstPort=Kerberos(88), PayloadLen=1393, Seq=328192576 - 328193969, Ack=2800542374, Win=64240 (scale factor 0x0) = 64240
- Kerberos: TGS Request Realm: CONTOSO.LOCAL Sname: krbtgt/CONTOSO.LOCAL
  + Length: Length = 1389
  - TgsReq: Kerberos TGS Request
   + ApplicationTag:
   - KdcReq: KRB_TGS_REQ (12)
    + SequenceHeader:
    + Tag1:
    + Pvno: 5
    + Tag2:
    - MsgType: KRB_TGS_REQ (12)
     + AsnIntegerHeader:
       AsnInt: 12 (0xC)
    + Tag3:
    + PaData:
    + Tag4:
    - ReqBody:
     + SequenceHeader:
     + Tag0:
     + KdcOptions: 0x60810010
     + Tag2: 0x1
     + Realm: CONTOSO.LOCAL
     + Tag3:
     + Sname: krbtgt/CONTOSO.LOCAL
     + Tag5: 0x1
     + Till: 09/13/2037 02:48:05 UTC
     + Tag7:
     + Nonce: 1580942399 (0x5E3B443F)
     + Tag8:
     - Etype:
      + SequenceOfHeader:
      - EType: aes256-cts-hmac-sha1-96 (18)
       + AsnIntegerHeader:
         AsnInt: 18 (0x12)

Resolution

If you have 2003 domain controllers in your environment, then ignore the event.  If you are able and ready to raise the functional level of the domain, then raising it to 2008 will eliminate these events.
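If you choose to ignore the event, the following Python triage (an added example, not part of the original article or any Microsoft tooling) separates the expected pattern described above from other 4769 failures that still deserve a look. It assumes the event descriptions were exported as text with `---` between events; the function names and the second sample event are constructed for illustration, and the "expected" verdict only applies while the domain is at the Windows 2003 functional level.

```python
import re
from collections import Counter

# Constructed sample: the first event mirrors the fields shown on this page;
# the second is invented (different service and failure code) as a non-match.
SAMPLE_EVENTS = """\
A Kerberos service ticket was requested.
Account Information:
Account Name:  Windows7Machine@contoso.local
Service Name:  krbtgt/CONTOSO.LOCAL
Client Address:  ::ffff:192.168.1.75
Ticket Encryption Type: 0xffffffff
Failure Code:  0xe
---
A Kerberos service ticket was requested.
Account Name:  user1@contoso.local
Service Name:  cifs/fileserver.contoso.local
Client Address:  ::ffff:192.168.1.80
Ticket Encryption Type: 0xffffffff
Failure Code:  0x7
"""

# "Name:  value" on one line; section headers ("Account Information:") have no value.
FIELD_RE = re.compile(r"^[ \t]*([A-Za-z ]+):[ \t]+(\S.*?)[ \t]*$", re.MULTILINE)

def parse_event(text):
    """Return the 'Name: value' pairs of one 4769 description as a dict."""
    return {key.strip(): value for key, value in FIELD_RE.findall(text)}

def is_expected_etype_failure(ev):
    """True for the pattern on this page: a request for krbtgt rejected
    with 0xe (KDC_ERR_ETYPE_NOTSUPP), so no ticket etype was recorded."""
    return (int(ev.get("Failure Code", "0"), 16) == 0xE
            and ev.get("Service Name", "").lower().startswith("krbtgt/")
            and int(ev.get("Ticket Encryption Type", "0"), 16) == 0xFFFFFFFF)

def triage(blob):
    """Count expected vs. review-worthy failures per client address."""
    expected, review = Counter(), Counter()
    for chunk in blob.split("---"):
        ev = parse_event(chunk)
        if not ev:
            continue
        client = ev.get("Client Address", "?").replace("::ffff:", "")
        bucket = expected if is_expected_etype_failure(ev) else review
        bucket[client] += 1
    return expected, review

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Anything left in the review bucket does not match the encryption-type negotiation described here and should be investigated on its own merits.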

Properties

Article ID: 2519073 - Last Review: Nov 1, 2011 - Revision: 1
