Kerberos authentication policy causes requests to fail with a status of KDC_ERR_POLICY in Windows Server 2012 R2
The Kerberos client requests a ticket to a resource that has an associated authentication policy that only allows access if the device is a member of a specific group. In this situation, the request fails with a status of KDC_ERR_POLICY (0xc) and an extended status of STATUS_AUTHENTICATION_FIREWALL_FAILED (0xc0000413).
This issue only occurs when the client is using a renewed Ticket Granting Ticket (TGT) for the Kerberos TGS request.
This issue occurs because the Key Distribution Center (KDC) doesn't set the KERB_EXTENDED_POLICY_COMPOUND_ID_CAPABLE bit in the ticket when it renews a TGT. That bit is what allows the TGT to be used for explicit armoring, so the renewed TGT cannot satisfy the device-based authentication policy on the subsequent TGS request.
To fix this issue, install the June 2016 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 (KB3161606).
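As an added example (not part of the Microsoft article), the following PowerShell triage script, run in an elevated session on a Windows Server 2012 R2 domain controller, lists recent Kerberos service-ticket requests that the KDC rejected with KDC_ERR_POLICY (event 4769 with a Status of 0xc) and then checks whether KB3161606 is present, so that the failures can be attributed to this bug rather than to a genuine policy denial. It assumes that the "Audit Kerberos Service Ticket Operations" subcategory is enabled on the DC (otherwise no 4769 events are logged); the 24-hour lookback window and the column names in the output are choices made for this example.

```powershell
# Added example, not from the KB article: triage KDC_ERR_POLICY failures on a
# Windows Server 2012 R2 KDC and check whether the fix (KB3161606) is installed.
# Assumption: "Audit Kerberos Service Ticket Operations" is enabled, so the
# Security log contains event 4769 (A Kerberos service ticket was requested).

$KdcErrPolicy = 0xC                      # KDC_ERR_POLICY, as named in the article
$Lookback     = (Get-Date).AddHours(-24) # window chosen for this example

# Event 4769 reports the KDC result in its 'Status' field as a hex string (e.g. "0xc").
$failed = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4769
    StartTime = $Lookback
} -ErrorAction SilentlyContinue | ForEach-Object {
    # Flatten the EventData <Data Name="..."> elements into a hashtable.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # [int] converts the "0x.." string, so padded or upper-case forms also match.
    if ([int]$data['Status'] -eq $KdcErrPolicy) {
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Account  = $data['TargetUserName']   # requesting account
            Service  = $data['ServiceName']      # resource the policy protects
            ClientIp = $data['IpAddress']
            Status   = $data['Status']
        }
    }
}

if ($failed) {
    "$(@($failed).Count) TGS request(s) failed with KDC_ERR_POLICY since $Lookback"
    $failed | Sort-Object Time | Format-Table -AutoSize
} else {
    "No KDC_ERR_POLICY (0xc) failures found in 4769 events since $Lookback"
}

# The article's resolution is the June 2016 update rollup; confirm it is present
# before concluding that the renewed-TGT bug explains the failures above.
$fix = Get-HotFix -Id KB3161606 -ErrorAction SilentlyContinue
if ($fix) {
    "KB3161606 is installed (InstalledOn: $($fix.InstalledOn)); remaining 0xc failures are real policy denials"
} else {
    "KB3161606 is NOT installed; 0xc failures on renewed TGTs are expected until the rollup is applied"
}
```

Because the renewed-TGT condition is not visible in the 4769 record itself, a failure listed here is only a candidate for this bug; the decisive check is whether the failures stop once the rollup is installed on every domain controller that can service the request.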
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Article ID: 3162159 - Last Review: 06/21/2016 16:24:00 - Revision: 2.0
Applies to: Windows Server 2012 R2 Datacenter, Windows Server 2012 R2 Standard, Windows Server 2012 R2 Essentials, Windows Server 2012 R2 Foundation