KDC Event ID 16 or 27 is logged if DES for Kerberos is disabled

Applies to: Windows Server 2012 StandardWindows Server 2012 StandardWindows Server 2012 Essentials More

Summary

Starting with Windows 7, Windows Server 2008 R2, and all later Windows operating systems, Data Encryption Standard (DES) encryption for Kerberos authentication is disabled. This article describes various scenarios in which you may receive the following events in the Application, Security, and System logs because DES encryption is disabled:

KDCEVENT_UNSUPPORTED_ETYPE_REQUEST_TGS
KDCEVENT_NO_KEY_INTERSECTION_TGS

Additionally, this article explains how to enable DES encryption for Kerberos authentication in Windows 7 and in Windows Server 2008 R2. For detailed information, see the "Symptoms," "Cause," and "Workaround" sections of this article.

Symptoms

Consider the following scenarios:

A service uses a user account or a computer account that is configured for only DES encryption on a computer that is running Windows 7 or Windows Server 2008 R2.
A service uses a user account or a computer account that is configured for only DES encryption and that is in a domain together with Windows Server 2008 R2-based domain controllers.
A client that is running Windows 7 or Windows Server 2008 R2 connects to a service by using a user account or a computer account that is configured for only DES encryption.
A trust relationship is configured for only DES encryption and includes domain controllers that are running Windows Server 2008 R2.
An application or a service is hardcoded to use only DES encryption.

In any of these scenarios, you may receive the following events in the Application, Security, and System logs together with the Microsoft-Windows-Kerberos-Key-Distribution-Center source:

ID	Symbolic name	Message
27	KDCEVENT_UNSUPPORTED_ETYPE_REQUEST_TGS	While processing a TGS request for the target server %1, the account %2 did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of %3). The requested etypes were %4. The accounts available etypes were %5. Event ID 27 — KDC Encryption Type Configuration
16	KDCEVENT_NO_KEY_INTERSECTION_TGS	While processing a TGS request for the target server %1, the account %2 did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of %3). The requested etypes were %4. The accounts available etypes were %5. Changing or resetting the password of %6 will generate a proper key. Event ID 16 — Kerberos Key Integrity

Cause

By default, the security settings for DES encryption for Kerberos are disabled on the following computers:

Computers that are running Windows 7
Computers that are running Windows Server 2008 R2
Domain controllers that are running Windows Server 2008 R2

Note Cryptographic support for Kerberos exists in Windows 7 and in Windows Server 2008 R2.By default, Windows 7 uses the following Advance Encryption Standard (AES) or RC4 cipher suites for "encryption types" and for "etypes":

AES256-CTS-HMAC-SHA1-96
AES128-CTS-HMAC-SHA1-96
RC4-HMAC

Services that are configured for only DES encryption fail unless the following conditions are true:

The service is reconfigured to support RC4 encryption or to support AES encryption.
All client computers, all servers, and all domain controllers for the domain of the service account are configured to support DES encryption.

By default, Windows 7 and Windows Server 2008 R2 support the following cipher suites: The DES-CBC-MD5 cipher suite and the DES-CBC-CRC cipher suite can be enabled in Windows 7 when it is required.

Workaround

We strongly recommend that you check whether DES encryption is still required in the environment or check whether specific services require only DES encryption. Check whether the service can use RC4 encryption or AES encryption, or check whether the vendor has an authentication alternative that has stronger cryptography.

Hotfix 978055 is required for the Windows Server 2008 R2-based domain controllers to correctly handle encryption type information that is replicated from the domain controllers that are running Windows Server 2003. See more information section below.

Determine whether the application is hard-coded to use only DES encryption. But it is disabled by the default settings on clients that are running Windows 7 or on Key Distribution Centers (KDCs).

To check whether you are affected by this problem, please collect some network traces, and then check for traces that resemble the following sample traces:

Frame 1 {TCP:48, IPv4:47}    <SRC IP>   <DEST IP>  KerberosV5  KerberosV5:TGS Request Realm: CONTOSO.COM Sname: HTTP/<hostname>.<FQDN>

Frame 2 {TCP:48, IPv4:47}    <DEST IP>  <SRC IP>   KerberosV5  KerberosV5:KRB_ERROR  - KDC_ERR_ETYPE_NOSUPP (14) 

0.000000  {TCP:48, IPv4:47}  <source IP> <destination IP> KerberosV5    KerberosV5:TGS Request Realm: <fqdn> Sname: HTTP/<hostname>.<fqdn> 
       - Etype: 
      + SequenceOfHeader: 
      + EType: aes256-cts-hmac-sha1-96 (18)
      + EType: aes128-cts-hmac-sha1-96 (17)
      + EType: rc4-hmac (23)
      + EType: rc4-hmac-exp (24)
      + EType: rc4 hmac old exp (0xff79)
     + TagA: 
     + EncAuthorizationData:

Determine whether the user account or the computer account is configured for only DES encryption.

In "Active Directory Users and Computers" snap-in, open user account properties, and then check whether the Use Kerberos DES encryption types for this account option is set under the Account tab.

If you conclude that you are affected by this issue and that you have to turn on the DES encryption type for Kerberos authentication, enable the following Group Policies to apply the DES encryption type to all computers that are running Windows 7 or Windows Server 2008 R2:

In the Group Policy Management Console (GPMC), locate the following location:
Computer Configuration\ Windows Settings\ Security Settings\ Local Policies\ Security Options
Click to select the Network security: Configure encryption types allowed for Kerberos option.
Click to select Define these policy settings and all the six check boxes for the encryption types.
Click OK. Close the GPMC.

Note The policy sets the SupportedEncryptionTypes registry entry to a value of 0x7FFFFFFF. The SupportedEncryptionTypes registry entry is at the following location:

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\parameters\

Depending on the scenario, you may have to set this policy at the domain level to apply the DES encryption type to all clients that are running Windows 7 or Windows Server 2008 R2. Or, you may have to set this policy at the organizational unit (OU) of the domain controller for the domain controllers that are running Windows Server 2008 R2.

More Information

The DES-only application compatibility issues are encountered in the following two configurations:

The calling application is hardcoded for only DES encryption.
The account that runs the service is configured to use only DES encryption.

The following encryption type criteria must be satisfied for Kerberos authentication to work:

A common type exists between the client and the domain controller for the authenticator on the client.
A common type exists between the domain controller and the resource server to encrypt the ticket.
A common type exists between the client and the resource server for the session key.

Consider the following situation:

Role	OS	Supported encryption level for Kerberos
DC	Windows Server 2003	RC4 and DES
Client	Windows 7	AES and RC4
Resource Server	J2EE	DES

In this situation, the criteria 1 is satisfied by RC4 encryption, and the criteria 2 is satisfied by DES encryption. The third criterion fails because the server is DES-only and because client does not support DES.

The hotfix 978055 must be installed on each Windows Server 2008 R2-based domain controller if the following conditions are true in the domain:

There are some DES-enabled user or computer accounts.
In the same domain, there is one or more domain controllers that are running Windows 2000 Server, Windows Server 2003, or Windows Server 2003 R2.

Note

Hotfix 978055 is required for the Windows Server 2008 R2-based domain controllers to correctly handle encryption type information that is replicated from the domain controllers that are running Windows Server 2003.
The Windows Server 2008-based domain controllers do not require this hotfix.
This hotfix is not required if the domain has only Windows Server 2008-based domain controllers.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

978055 FIX: User accounts that use DES encryption for Kerberos authentication types cannot be authenticated in a Windows Server 2003 domain after a Windows Server 2008 R2 domain controller joins the domain

Last Updated: Mar 29, 2017