Kerberos ticket? (Event ID 8 Source KDC)

Lizardkng

Technical User
Oct 21, 2002
135
US
I keep getting this in event viewer, for the same user:

Event Type: Error
Event Source: KDC
Event Category: None
Event ID: 8
Date: 5/15/2003
Time: 07:01:51
User: N/A
Computer: SERVER
Description:
The account username did not have a suitable key for generating a Kerberos ticket. If the encryption type is supported, changing or setting the password will generate a proper key.

I've tried changing the password, both on a workstation and on the server; it doesn't fix it.

How can I see if "the encryption type is supported"?

I really don't know anything at all about this encryption stuff...

Any ideas?

Thanks.
 
The KDC, or Key Distribution Center, is directly affected by time. If the client is off by 5 min, the KDC will not issue (or authenticate) the user. I would check the time on the computer the user is logging into. Also, what service pack is installed on the server?

"I really don't know anything at all about this encryption stuff..." Encryption or Authentication?

For encryption see thread96-552260. Basically, Kerberos authentication is as follows:

1. The user logs on to the computer, and finds a domain controller with Kerberos KDC using DNS. The Kerberos client running on a workstation converts her password to an encryption key, and saves the result in a program variable.

2. The Kerberos client sends a message to the Key Distribution Server (KDC), of type KRB_AS_REQ (Kerberos Authentication Server Request). This message has two parts:
  • An identification of the user, and the service for which the user is requesting credentials, the TGS (Ticket-Granting Service)
  • Pre-authentication data, intended to prove that the user knows her password.
Next the KDC issues a ticket granting ticket and uses the TGT to request session ticket for the workstation, with authorizations.

3. It is the session ticket which enables the user to access domain resources. The ticket is only valid while the session is active (until the user logs off).

Hewissa

MCSE, CCNA, CIW
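
Added example (not part of the thread, and not Windows' implementation): a toy Python model of the KDC-side checks described above, showing that a missing key for the requested encryption type, a wrong password, and a clock more than 5 minutes off are three separate failures. `ToyKdc`, the function names, the result strings, and the PBKDF2/HMAC stand-ins for the real string-to-key and timestamp encryption are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

MAX_SKEW = 300  # seconds: the 5-minute tolerance mentioned in the post above
DES_CBC_MD5, RC4_HMAC = 3, 23  # Kerberos encryption type (etype) numbers


def string_to_key(password, principal, etype):
    # Stand-in derivation (assumption): each real etype defines its own string-to-key.
    salt = principal.encode() + bytes([etype])
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)


def make_preauth(password, principal, etype, client_time):
    # Client side: prove knowledge of the password by keying a MAC over the clock.
    # Real Kerberos encrypts the timestamp; HMAC is a stand-in here.
    key = string_to_key(password, principal, etype)
    stamp = struct.pack(">Q", client_time)
    return etype, client_time, hmac.new(key, stamp, hashlib.sha256).digest()


class ToyKdc:
    def __init__(self, supported_etypes):
        self.supported = set(supported_etypes)
        self.keys = {}  # principal -> {etype: key}

    def set_password(self, principal, password):
        # Keys exist only for etypes supported at the moment the password is set.
        self.keys[principal] = {e: string_to_key(password, principal, e)
                                for e in self.supported}

    def as_req(self, principal, preauth, kdc_time):
        etype, client_time, mac = preauth
        key = self.keys.get(principal, {}).get(etype)
        if key is None:
            return "no_suitable_key"   # the condition the event text describes
        stamp = struct.pack(">Q", client_time)
        expected = hmac.new(key, stamp, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return "preauth_failed"    # wrong password
        if abs(kdc_time - client_time) > MAX_SKEW:
            return "clock_skew"        # client clock too far from the KDC's
        return "tgt_issued"
```

In this model a password change only helps once the requested etype is in the KDC's supported set, which is the "if the encryption type is supported" condition in the event description.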
 
Thanks!

First, SP3 is installed on the server and all workstations. I considered reinstalling it on the server?

I just checked and they have *exactly* the same time.

(Which I suspected, I have our server synched to the atomic clock, and in an all w2k network, clients synch with the DC automatically.)

Any other suggestions?
 
Have a look in Administrative Tools / Local Security Policy, then go to "Local Policies" / "Security Options".
There are a few keys there that are regulating the dialogue with the server. Check your effective settings on your DC server and also on your workstation.

But my question is: is this happening to a user, or to a workstation?

Gia Betiu
gia@almondeyes.net
Computer Eng. CNE 4, CNE 5, MCSE Win2K
new: (just started)
 
I'll check that when I get in tonight.

To answer your question, both, but seems to follow the user.

It happens to the same user, apparently on all workstations.

I'll test that tonight too.

He primarily uses only one workstation, but does try to log on to others sometimes (rarely), and his profile fails to load on those others.

Thanks again.
 
Oh, I forgot to add: eventid.net had only one *possible* solution, and that was a user who said that when they reinstalled SP3, it fixed it... my question at this point is...

Would there be any problem with me reinstalling SP3? (provided another easier and less intrusive solution is unavailable)
 
You know, first I'm trying to understand why the error appears and under which conditions.
It is interesting that you said that the user fails to log on to other machines (error in profile?).
So, let's first find when the error is happening, and eventually find the moment in time when this started (and think about what could trigger it).


Gia Betiu
gia@almondeyes.net
Computer Eng. CNE 4, CNE 5, MCSE Win2K
new: (just started)
 
It happens when the user logs in (and maybe out, but I don't think so).

I'm about to head out to work and I'll play with it tonight and try to nail it down exactly.
 
Check the user profile. There is a setting for storing the password using reverse encryption. That is required if the user is authenticating by CHAP authentication. If you change it to use reverse encryption, it takes effect the next time the password is changed. An IPSec policy applied to the domain would be the place to look for this type of authentication requirement for this user.
 