Consider the following scenario:
- A computer tries to request Kerberos authentication for a target service.
- There is no suitable service ticket in the local Kerberos ticket cache on the computer.
- The computer uses the cached ticket-granting ticket (TGT) to request a service ticket from a Windows 2012-based domain controller.
This issue occurs because the Key Distribution Center (KDC) in the Windows Server 2012-based domain controller performs additional checks on the lifetime of TGTs. If the TGT’s lifetime is less than 2 minutes, the KDC returns a "KRB_AP_ERR_TKT_EXPIRED" error.
Update informationTo resolve this issue, install the Windows 8 and Windows Server 2012 update rollup 2883201. For more information about how to obtain this update rollup package, click the following article number to go to the article in the Microsoft Knowledge Base:
2883201 Windows RT, Windows 8, and Windows Server 2012 update rollup: October 2013
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates