Kerberos authentication policy causes requests to fail with a status of KDC_ERR_POLICY in Windows Server 2012 R2

Symptoms
The Kerberos client requests a service ticket for a resource that has an associated authentication policy that only allows access if the requesting device is a member of a specific group. In this situation, the TGS request fails with a status of KDC_ERR_POLICY (0xc) and an extended status of STATUS_AUTHENTICATION_FIREWALL_FAILED (0xc0000413).

This issue occurs only when the client uses a renewed Ticket Granting Ticket (TGT) for the Kerberos TGS request. A TGT obtained directly from the AS exchange, rather than through renewal, is not affected.
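The following PowerShell is an added example for this article, not Microsoft's code, showing how to find the failure described above in a domain controller's audit trail. A TGS request that the KDC rejects is logged as Security event 4769 with the Kerberos failure code in the Status field; 0xC is KDC_ERR_POLICY. The function parses the event XML that Get-WinEvent returns and reports only the policy rejections. The sample event and its account, host and address values are constructed for the demonstration.

```powershell
# Added example (not from the KB article): flag Kerberos TGS audit events (Security log,
# Event ID 4769) whose failure code is KDC_ERR_POLICY (0xC), the status reported in the
# Symptoms above. Field names follow the 4769 event schema; the sample event below is
# constructed, not captured from a real domain controller.

function Get-KdcPolicyFailure {
    [CmdletBinding()]
    param(
        # Raw event XML, as returned by (Get-WinEvent ...).ToXml()
        [Parameter(Mandatory, ValueFromPipeline)]
        [string] $EventXml
    )
    process {
        $x = [xml] $EventXml

        # Only TGS requests (4769) carry the service-ticket failure code we care about
        $eventId = [int] $x.GetElementsByTagName('EventID')[0].InnerText
        if ($eventId -ne 4769) { return }

        # Flatten the <Data Name="..."> elements into a hashtable keyed by field name
        $data = @{}
        foreach ($d in $x.GetElementsByTagName('Data')) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }

        # Status is logged as a hex string ("0x0" on success); 0xC is KDC_ERR_POLICY
        $status = [Convert]::ToInt32($data['Status'], 16)
        if ($status -ne 0xC) { return }

        [pscustomobject]@{
            TimeCreated   = $x.GetElementsByTagName('TimeCreated')[0].GetAttribute('SystemTime')
            Account       = $data['TargetUserName']
            Service       = $data['ServiceName']
            ClientAddress = $data['IpAddress']
            TicketOptions = $data['TicketOptions']
            FailureCode   = '0x{0:X}' -f $status   # "0xC" = KDC_ERR_POLICY
        }
    }
}

# Constructed sample 4769 event showing the failure (values are made up for the example)
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4769</EventID>
    <TimeCreated SystemTime="2016-06-21T10:15:00.000000000Z" />
  </System>
  <EventData>
    <Data Name="TargetUserName">alice@CONTOSO.COM</Data>
    <Data Name="TargetDomainName">CONTOSO.COM</Data>
    <Data Name="ServiceName">FILESRV01$</Data>
    <Data Name="TicketOptions">0x40810000</Data>
    <Data Name="Status">0xc</Data>
    <Data Name="IpAddress">::ffff:10.0.0.25</Data>
  </EventData>
</Event>
'@

$sample | Get-KdcPolicyFailure | Format-List

# On a domain controller (assumption: run with rights to read the Security log), the same
# filter applied to live events:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769 } -MaxEvents 1000 |
#     ForEach-Object { $_.ToXml() } | Get-KdcPolicyFailure
```

The audit event does not record whether the TGT presented in the request was renewed, so the 4769 filter confirms the policy rejection but not its trigger. A diagnostic step that follows from the symptom description, and is not a workaround documented in this article, is to run `klist purge` on the affected client and retry: that forces a fresh AS exchange instead of a renewal, so if the request then succeeds the renewed-TGT path is implicated.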
Cause
This issue occurs because the Key Distribution Center (KDC) doesn't set the KERB_EXTENDED_POLICY_COMPOUND_ID_CAPABLE bit in the renewed TGT. That bit marks the ticket as usable for explicit armouring during the TGS exchange, which is how the device identity needed for the policy's group check is conveyed to the KDC; without it, the renewed TGT cannot satisfy the device condition and the policy rejects the request.

Status
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Properties

Article ID: 3162159 - Last Review: 06/21/2016 16:24:00 - Revision: 2.0

Applies to

Windows Server 2012 R2 Datacenter, Windows Server 2012 R2 Standard, Windows Server 2012 R2 Essentials, Windows Server 2012 R2 Foundation
