Windows 2008 server on 2003 Domain failing Kerberos pre-auth
0x19 corresponds to 19 in hex notation which is 25 in decimal: "Additional pre-authentication required"
sh-beta
Updated on September 17, 2022
sh-beta over 1 year
I've recently added a few Windows 2008 servers to my Windows 2003 domain. Now my domain controllers are periodically posting Security event ID 675 for the Windows 2008 boxes (only and all of the Win2k8 boxes):
Pre-authentication failed:
    User Name: MY2008SERVER$
    User ID: MYDOMAIN\MY2008SERVER$
    Service Name: krbtgt/MYDOMAIN.LOCAL
    Pre-Authentication Type: 0x0
    Failure Code: 0x19
    Client Address: 10.2.1.32
According to Microsoft, that failure code means "Additional pre-auth required." As nedm noted, the actual RFC says 0x19 means "Server credentials revoked." Logon auditing yielded no useful information. Time is properly synced.
I've found a number of similar reports on the web and the only answer I've seen so far is to set the "Don't require Kerberos pre-auth flag" via ADSIEdit.
This is fine as a workaround, but I don't want to have to do this for every 2008 server I deploy. Any idea where this is coming from? How to fix it for real?
Comments

- sh-beta over 14 years: Added a link to MS's site where they label 0x19 as additional pre-auth required. Interesting discrepancy, though. Time is correctly configured on these boxes. I'll test removing/rejoining them to the domain, but given that it's happening with ALL my 2008 boxes that's an unlikely fix.
- sh-beta over 14 years: Bear in mind that these errors are logged by my domain controller's auditing policies - I hear about it when my 2003 boxes fail Kerberos auth. Time is configured properly.
- sh-beta over 14 years: Good catch. I'd upvote this as a comment, but not as an answer.
- sh-beta over 14 years: See David's explanation above - decimal vs hex.
- sh-beta over 14 years: Good idea, but they're all unique.
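The hex-versus-decimal mix-up over failure code 0x19 in this thread can be checked mechanically. The following is an added example, not code from the thread: it parses the event 675 text quoted in the question, reads the failure code as hex, and shows which RFC 4120 name results from mistakenly looking the same digits up as decimal. The function names are hypothetical and the error table is a subset of the RFC 4120 codes.

```python
import re

# Subset of the RFC 4120 error codes, keyed by DECIMAL value.
KRB_ERRORS = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    18: "KDC_ERR_CLIENT_REVOKED",
    19: "KDC_ERR_SERVICE_REVOKED",
    24: "KDC_ERR_PREAUTH_FAILED",
    25: "KDC_ERR_PREAUTH_REQUIRED",
    37: "KRB_AP_ERR_SKEW",
}
FIELDS = ["User Name", "User ID", "Service Name",
          "Pre-Authentication Type", "Failure Code", "Client Address"]
_LABELS = "|".join(re.escape(f) for f in FIELDS)
# A value runs until the next known label (or the end of the text).
_FIELD_RE = re.compile(r"(%s):\s*(.*?)\s*(?=(?:%s):|$)" % (_LABELS, _LABELS), re.S)

# Event text as quoted in the question above.
SAMPLE = (r"Pre-authentication failed: User Name: MY2008SERVER$ "
          r"User ID: MYDOMAIN\MY2008SERVER$ Service Name: krbtgt/MYDOMAIN.LOCAL "
          r"Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 10.2.1.32")

def parse_675(message):
    """Split an event 675 description (flattened or multi-line) into fields."""
    return dict(_FIELD_RE.findall(message))

def decode_failure(code_text):
    """Event 675 prints the failure code in hex; return (decimal, RFC name)."""
    value = int(code_text, 16)
    return value, KRB_ERRORS.get(value, "unknown (%d)" % value)

def misread_as_decimal(code_text):
    """RFC name obtained by wrongly treating the hex digits as decimal."""
    digits = code_text.lower().replace("0x", "", 1)
    return KRB_ERRORS.get(int(digits)) if digits.isdigit() else None

def explain(message):
    ev = parse_675(message)
    value, name = decode_failure(ev["Failure Code"])
    return {"account": ev["User Name"],
            "machine_account": ev["User Name"].endswith("$"),
            "client": ev["Client Address"],
            "code": value, "name": name,
            "misread": misread_as_decimal(ev["Failure Code"])}

if __name__ == "__main__":
    print(explain(SAMPLE))
```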