You are currently offline, waiting for your internet to reconnect

SBS 2008\Kerberos Failure Audits are logged when Windows 7 clients are on LAN


You are logging the following failure audit each time a Windows 7 client requests a new kerberos ticket from the SBS 2008 server:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          2/7/2011 2:14:14 PM
Event ID:      4769
Task Category: Kerberos Service Ticket Operations
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:     SBS2008.Contoso.local

A Kerberos service ticket was requested.

Account Information:
Account Name:  Windows7Machine@contoso.local

Account Domain:  CONTOSO.LOCAL
Logon GUID:  {00000000-0000-0000-0000-000000000000}

Service Information:
Service Name:  krbtgt/CONTOSO.LOCAL
Service ID:  NULL SID

Network Information:
Client Address:  ::ffff:
Client Port:  49208

Additional Information:
Ticket Options:  0x60810010
Ticket Encryption Type: 0xffffffff
Failure Code:  0xe
Transited Services: -

0xe translates to KDC_ERR_ETYPE_NOTSUPP


If the domain is still running at the Windows 2003 functional level you will receive these events. 

  • Windows 7 clients will request the aes256-cts-hmac-sha1-96 algorithm by default.
  • This algorithm is only supported at the Windows 2008 domain functional level.
  • SBS 2008 setup will not raise the functional level of the domain after promoting the server to a domain controller.  This is always a manual step that you have to perform.
  • When the server rejects the request, the Windows 7 client will negotiate down to a supported algorithm.  Nothing is actually broken here, all by design.

To verify whether this is taking place, take a netmon trace and look for the following packet from the client; the EType is aes256-cts-hmac-sha1-96:

2285 1:16:32 PM 2/18/2011 62.0646736  Windows7Machine SBS2008 KerberosV5 KerberosV5:TGS Request Realm: CONTOSO.LOCAL Sname: krbtgt/CONTOSO.LOCAL  {TCP:221, IPv4:17}

  Frame: Number = 2285, Captured Frame Length = 1447, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[A4-BA-DB-44-CE-24],SourceAddress:[B8-AC-6F-BA-D8-FB]
+ Ipv4: Src =, Dest =, Next Protocol = TCP, Packet ID = 12132, Total IP Length = 1433
+ Tcp: Flags=...AP..., SrcPort=50797, DstPort=Kerberos(88), PayloadLen=1393, Seq=328192576 - 328193969, Ack=2800542374, Win=64240 (scale factor 0x0) = 64240
- Kerberos: TGS Request Realm: CONTOSO.LOCAL Sname: krbtgt/CONTOSO.LOCAL
  + Length: Length = 1389
  - TgsReq: Kerberos TGS Request
   + ApplicationTag:
   - KdcReq: KRB_TGS_REQ (12)
    + SequenceHeader:
    + Tag1:
    + Pvno: 5
    + Tag2:
    - MsgType: KRB_TGS_REQ (12)
     + AsnIntegerHeader:
       AsnInt: 12 (0xC)
    + Tag3:
    + PaData:
    + Tag4:
    - ReqBody:
     + SequenceHeader:
     + Tag0:
     + KdcOptions: 0x60810010
     + Tag2: 0x1
     + Realm: CONTOSO.LOCAL
     + Tag3:
     + Sname: krbtgt/CONTOSO.LOCAL
     + Tag5: 0x1
     + Till: 09/13/2037 02:48:05 UTC
     + Tag7:
     + Nonce: 1580942399 (0x5E3B443F)
     + Tag8:
     - Etype:
      + SequenceOfHeader:
      - EType: aes256-cts-hmac-sha1-96 (18)
       + AsnIntegerHeader:
         AsnInt: 18 (0x12)//

If you have 2003 domain controllers in your environment, then ignore the event.  If you are able and ready to raise the functional level of the domain, then raising it to 2008 will eliminate these events.
Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Article ID: 2519073 - Last Review: 11/01/2011 19:35:00 - Revision: 4.0

Windows Small Business Server 2008 Standard

  • KB2519073