Kerberos authentication fails when the computer tries to request a service ticket from a Windows Server 2012-based DC

Applies to: Windows Server 2012 Datacenter, Windows Server 2012 Essentials

Symptoms


Consider the following scenario:
  • A computer tries to request Kerberos authentication for a target service.
  • There is no suitable service ticket in the local Kerberos ticket cache on the computer.
  • The computer uses the cached ticket-granting ticket (TGT) to request a service ticket from a Windows Server 2012-based domain controller.
In this scenario, the Windows Server 2012-based domain controller returns a "KRB_AP_ERR_TKT_EXPIRED" error to the computer. Therefore, the Kerberos authentication fails. Additionally, the following event is logged on the computer:

Cause


This issue occurs because the Key Distribution Center (KDC) in the Windows Server 2012-based domain controller performs additional checks on the lifetime of TGTs. If the TGT’s lifetime is less than 2 minutes, the KDC returns a "KRB_AP_ERR_TKT_EXPIRED" error.
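
To check whether a client is inside this window, the following added example (not Microsoft's code) parses captured `klist` output and reports cached TGTs with less than 2 minutes left. It assumes "lifetime" means the time remaining until the ticket's End Time and that `klist` prints en-US dates; the sample output and the CONTOSO.COM names are constructed.

```python
import re
from datetime import datetime, timedelta

MIN_TGT_LIFETIME = timedelta(minutes=2)  # threshold given in the Cause section

# Constructed sample of Windows `klist` output (en-US date format), not a real capture.
SAMPLE_KLIST = """\
Current LogonId is 0:0x3e7

Cached Tickets: (2)

#0>     Client: alice @ CONTOSO.COM
        Server: krbtgt/CONTOSO.COM @ CONTOSO.COM
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent
        Start Time: 10/8/2013 9:00:00 (local)
        End Time:   10/8/2013 19:00:00 (local)

#1>     Client: alice @ CONTOSO.COM
        Server: cifs/fs01.contoso.com @ CONTOSO.COM
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent
        Start Time: 10/8/2013 9:05:00 (local)
        End Time:   10/8/2013 19:00:00 (local)
"""

_ENTRY = re.compile(r"^\s*#\d+>")
_FIELD = re.compile(r"^\s*(?:#\d+>\s*)?([A-Za-z ]+?):\s*(.*)$")

def parse_klist(text):
    """Split klist output into one dict of 'Name: value' fields per cached ticket."""
    tickets = []
    for line in text.splitlines():
        if _ENTRY.match(line):
            tickets.append({})  # "#N>" starts a new cache entry
        m = _FIELD.match(line)
        if m and tickets:
            tickets[-1][m.group(1).strip()] = m.group(2).strip()
    return tickets

def expiring_tgts(text, now, fmt="%m/%d/%Y %H:%M:%S"):
    """Return (server, remaining) for each cached TGT with < 2 minutes left at `now`."""
    flagged = []
    for t in parse_klist(text):
        if not t.get("Server", "").lower().startswith("krbtgt/"):
            continue  # service ticket, not a TGT
        end = datetime.strptime(t["End Time"].replace("(local)", "").strip(), fmt)
        remaining = end - now  # negative if the TGT has already expired
        if remaining < MIN_TGT_LIFETIME:
            flagged.append((t["Server"], remaining))
    return flagged
```

Pass a different `fmt` when the client's regional settings print dates in another order.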

Resolution


Update information

To resolve this issue, install the Windows 8 and Windows Server 2012 update rollup 2883201. For more information about how to obtain this update rollup package, click the following article number to go to the article in the Microsoft Knowledge Base:
2883201 Windows RT, Windows 8, and Windows Server 2012 update rollup: October 2013

Status


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information


For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates