An application or service uses Kerberos to perform authentication through a Key Distribution Center (KDC) that is running Windows Server 2008.
This application or service renews a Kerberos Ticket Granting Ticket (TGT) and then uses the renewed TGT to request a new Kerberos Ticket-Granting Service (TGS) service ticket.
In this scenario, a Privilege Attribute Certificate (PAC) verification error occurs, and Windows Server 2008-based KDC rejects the TGS request. This issue makes the application or service encounter function failure.
This issue occurs because the Windows Server 2008-based KDC uses an incorrect key type to verify the Privilege Attribute Certificate (PAC) in the scenario that is described in the "Symptoms" section.
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.
Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
Important Windows Vista and Windows Server 2008 hotfixes are included in the same packages. However, only one of these products may be listed on the “Hotfix Request” page. To request the hotfix package that applies to both Windows Vista and Windows Server 2008, just select the product that is listed on the page.
To apply this hotfix, the computer must run Windows Server 2008. Also, Active Directory services must be installed.
You have to restart the computer after you apply this hotfix.
Hotfix replacement information
This hotfix does not replace any other previously released hotfixes.
To use this hotfix, you do not have to make any changes to the registry.
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
Windows Server 2008 file information note
The MANIFEST files (.manifest) and MUM files (.mum) installed for each environment are listed separately. MUM and MANIFEST files, and the associated security catalog (.cat) files, are critical to maintaining the state of the updated component. The security catalog files (attributes not listed) are signed with a Microsoft digital signature.
Windows Server 2008, x86-based version
Windows Server 2008, x64-based version
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates
Additional files for all supported x86-based versions of Windows Server 2008