Question
Tuesday, April 27, 2010 3:06 PM
Looking for some advice. We recently upgraded our Domain Controllers to Windows Server 2008 R2 and are running at the Windows Server 2008 R2 functional levels. However, we still have XP client machines.
I started noticing a large number of the following audit failures:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 4/27/2010 10:29:28 AM
Event ID: 4769
Task Category: Kerberos Service Ticket Operations
Level: Information
Keywords: Audit Failure
User: N/A
Computer:
Description:
A Kerberos service ticket was requested.
Account Information:
Account Name:
Account Domain:
Logon GUID: {00000000-0000-0000-0000-000000000000}
Service Information:
Service Name:
Service ID: NULL SID
Network Information:
Client Address: 172.16.21.44
Client Port: 1650
Additional Information:
Ticket Options: 0x40800000
Ticket Encryption Type: 0xffffffff
Failure Code: 0xe
Transited Services: -
Doing some research, I found that this is the KDC granting tickets through Kerberos. It would seem that everyone is getting their tickets with no problems; however, it appears that the Failure Code 0xe is related to "KDC has no support for encryption type".
What can I do to fix this? From what I understand, encryption really changed for Kerberos in Windows Server 2008 R2. Also, if this is not an issue, how can I suppress these events so they will no longer fill up the event log?
Any help would be greatly appreciated.
Thank you
All replies (7)
Thursday, April 29, 2010 9:30 AM ✅Answered
Hi,
This error 4768 is normal if you have a new DC and old client systems. If there is no other problem, we can safely ignore it.
The Failure Code 0xe means "KDC has no support for encryption type". This error was caused by Kerberos Enhancements in Windows Server 2008. The base Kerberos protocol in Windows Server 2008 supports AES for encryption of ticket-granting tickets (TGTs), service tickets, and session keys.
But old systems don't support this new encryption type. So the first try failed and you can find a Success 4768 after this failure.
For more information about Kerberos Enhancements, please refer to the following article.
http://technet.microsoft.com/en-us/library/cc749438.aspx
Thanks.
This posting is provided "AS IS" with no warranties, and confers no rights.
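The reply above says the 0xe failure is benign when a successful 4769 follows it. The PowerShell below is an added example (not from this thread or from Microsoft) that checks that claim on a DC by pairing each 0xe failure with a later success from the same client address, so failure auditing can stay on while the noise is triaged. It assumes it runs on the DC with rights to read the Security log, and that the 4769 EventData field names are TargetUserName, ServiceName, IpAddress, TicketEncryptionType and Status.

```powershell
param(
    [int]$MaxEvents = 5000,            # how many recent 4769 records to inspect
    [int]$FollowUpWindowSeconds = 60   # how soon a success must follow a 0xe failure
)

# Flatten one 4769 record's EventData block into an object we can filter on.
function ConvertTo-KerberosRecord {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time    = $Event.TimeCreated
        Failure = $Event.KeywordsDisplayNames -contains 'Audit Failure'
        Client  = $data['IpAddress'] -replace '^::ffff:', ''   # strip IPv4-mapped prefix
        Account = $data['TargetUserName']
        Service = $data['ServiceName']
        EncType = $data['TicketEncryptionType']
        Status  = $data['Status']
    }
}

# Pull recent 4769 events (successes and failures) from the Security log.
$events  = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769 } `
               -MaxEvents $MaxEvents -ErrorAction Stop
$records   = $events | ForEach-Object { ConvertTo-KerberosRecord $_ } | Sort-Object Time
$failures  = $records | Where-Object { $_.Failure -and $_.Status -eq '0xe' }
$successes = $records | Where-Object { -not $_.Failure }

# A 0xe failure followed by a success from the same client is the retry the reply
# describes; one with no follow-up success deserves a closer look (client that never
# negotiates a supported etype, or a service that is genuinely unreachable).
$report = foreach ($f in $failures) {
    $followUp = $successes | Where-Object {
        $_.Client -eq $f.Client -and $_.Time -ge $f.Time -and
        ($_.Time - $f.Time).TotalSeconds -le $FollowUpWindowSeconds
    } | Select-Object -First 1
    [pscustomobject]@{
        Time      = $f.Time
        Client    = $f.Client
        Service   = $f.Service
        EncType   = $f.EncType
        RetriedOk = [bool]$followUp
        OkAccount = if ($followUp) { $followUp.Account } else { '-' }
    }
}

# Per-client summary, then the failures that were never followed by a success.
$report | Group-Object Client | ForEach-Object {
    $stuck = @($_.Group | Where-Object { -not $_.RetriedOk }).Count
    '{0}: {1} failures with 0xe, {2} never followed by a success' -f $_.Name, $_.Count, $stuck
}
$report | Where-Object { -not $_.RetriedOk } | Format-Table -AutoSize
```

Clients that show up only in the second list are the ones to investigate; clients whose every 0xe failure is retried successfully match the benign pattern the accepted answer describes.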
Tuesday, April 27, 2010 5:12 PM
Also...
I am not sure if this makes any difference but we have a High Security GPO for all of our Windows XP clients that has the following setting:
Network Security: LDAP client signing requirements: Require Signing
Domain controller: LDAP server signing requirements: Require Signing
However, these settings are NOT on the default DC policy.
I imagine this means that this setting is ignored, but thought it may be related.
Thank you
Tuesday, April 27, 2010 7:40 PM | 1 vote
I found out how to suppress the auditing of the failure events. I used the following command on both of my DCs:
auditpol /set /category:"Account Logon" /subcategory:"Kerberos Service Ticket Operations" /failure:disable
However I am still not sure why these failures were showing up.
Tuesday, April 12, 2011 6:13 PM
What do we do if this is causing us issues?
We have Mac and Linux machines that are losing their AD connection after a little while. I believe this is because of Kerberos authentication issues. We are seeing the above event on our 2008 R2 DCs for our Linux / Mac computers.
How can we fix this?
Wednesday, December 28, 2011 8:29 PM | 2 votes
Just a note on this... if you use this, you will disable all "Account Logon" failures as well. If you just use what I have below, you will only disable the Kerberos stuff.
auditpol /set /subcategory:"Kerberos Service Ticket Operations" /failure:disable
Tested multiple times.
Thursday, December 29, 2011 3:34 PM | 2 votes
I found that when my DC updates its policy it reverts back to the original setting. I am trying to find a way to make this persistent.
EDIT: Found it. Some conflicts may arise if you are running a mixed environment with operating systems that support expanded auditing policies (e.g. Windows Vista and Windows Server 2008) and earlier operating systems that do not offer this feature. By default, legacy domain audit policies will overwrite the expanded Group Policy settings. To avoid this, you must enable the “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings” found in Computer Configuration => Windows Settings => Local Policies => Security Options of a Group Policy Object.
I understand this is an old thread but hey, it still helps.
Thursday, December 17, 2015 4:31 PM
I'm running a domain and forest functional level of 2008 R2 and I STILL get these errors from 2 BRAND NEW Windows 7 systems, not XP.
The answer from M$ seems to be the typical "just ignore it". This is an unacceptable answer. There is either a fix for the problem or not. If your products don't work properly, fix them.