Monday, November 28, 2016 4:45 PM
We are upgrading our domain to Windows 2012 R2 and getting a lot of Kerberos-Key-Distribution-Center errors for Linux clients with error code 26 on the Windows 2012 R2 domain controllers. How can we resolve the KDC errors?
On the domain controller, the key type is showing:
Session Key Type: AES-256-CTS-HMAC-SHA1-96.
Below is the error message for Linux clients.
Tek-Nerd
Tuesday, November 29, 2016 3:08 AM
Hi,
According to your description, this error may be caused by different encryption types between the KDC and the Linux clients.
Kerberos supports several encryption types that are used to encrypt the tickets. If you are using a non-Microsoft Kerberos client to request a ticket from a Windows-based Kerberos server, the Kerberos client must support the same encryption type. Use the event log message to determine the available encryption type and configure the Kerberos client accordingly.
Ref: Event ID 26 — KDC Encryption Type Configuration
https://technet.microsoft.com/en-us/library/cc734055(v=ws.10).aspx
Best Regards,
Cartman
Tuesday, November 29, 2016 8:57 PM | 2 votes
To build upon what Cartman Shen mentioned, these errors are generated because your Linux clients can't negotiate an equitable Kerberos key exchange between themselves and the KDC because in your Windows Server 2012 R2 Active Directory environment, your Linux clients who are generating the Event ID 26 error message are requesting etype 1, which is the des-cbc-crc encryption type. DES is disabled by default in Windows 2008 R2 AD and above! Your KDC is definitely not allowing des-cbc-crc. According to the error shown it is only allowing 17, 18, and 23 - 133. You need to either allow DES (big security hole!) or fix your Linux clients so that they use an upgraded encryption type. How to do that would be a whole new question though. Reference: Kerberos Encryption Type Numbers.
Best Regards, Todd Heron | Active Directory Consultant
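As an added illustration of the client-side fix discussed in the replies above (not code from the thread or from Microsoft): a Python check that reads the enctype lists in the `[libdefaults]` section of an MIT-style `krb5.conf` and reports which settings leave the client with no encryption type the KDC accepts. The sample configs and function names are constructed for this example; the accepted set 17, 18, 23 is the one quoted in the reply above.

```python
import re

# Kerberos etype numbers for enctype names as written in an MIT krb5.conf.
ETYPES = {
    "des-cbc-crc": 1, "des-cbc-md4": 2, "des-cbc-md5": 3,
    "aes128-cts-hmac-sha1-96": 17, "aes256-cts-hmac-sha1-96": 18,
    "arcfour-hmac": 23, "rc4-hmac": 23,
}
KDC_ACCEPTS = {17, 18, 23}  # etypes the thread says the 2012 R2 KDC allows
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

# Constructed sample configs: a DES-only client and the same client after the fix.
SAMPLE_BEFORE = """[libdefaults]
default_tkt_enctypes = des-cbc-crc des-cbc-md5
default_tgs_enctypes = des-cbc-crc, rc4-hmac
"""
SAMPLE_AFTER = """[libdefaults]
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
"""

def audit_krb5_conf(text):
    """Return {key: (usable, refused)}; unrecognised names count as refused."""
    report, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        if key not in ENCTYPE_KEYS:
            continue
        names = [n.lower() for n in re.split(r"[\s,]+", value) if n]
        usable = [n for n in names if ETYPES.get(n) in KDC_ACCEPTS]
        report[key] = (usable, [n for n in names if n not in usable])
    return report

def keys_without_common_etype(report):
    """Settings whose whole list is refused: the mismatch behind Event ID 26."""
    return sorted(k for k, (usable, _) in report.items() if not usable)

if __name__ == "__main__":
    for label, conf in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, keys_without_common_etype(audit_krb5_conf(conf)))
```

A setting that mixes a refused type with an accepted one (such as the `default_tgs_enctypes` line in the first sample) still negotiates, but the refused entries are worth removing from the client configuration.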
Monday, December 5, 2016 7:25 PM
Thank You Todd,
My Linux admin reconfigured the clients to a supported encryption type and the issue has been resolved.
Tek-Nerd
Monday, December 5, 2016 9:41 PM
Great to hear this. Please also mark the answer as "Answered" so that it may help others when searching for the same question. Only you or the moderators can mark it as such, and I have seen, especially in this particular forum, that they forget to do so sometimes.
Best Regards, Todd Heron | Active Directory Consultant