"No Key to Generate Kerberos Ticket While processing a TGS request error" error message appearing in Active Directory Windows event logs after removing arcfour encryption type from clients. (4276227)
Description
The "No Key to Generate Kerberos Ticket While processing a TGS request error" error message appears in Active Directory Windows event logs after removing the arcfour encryption type from clients.
The following error message appears in Windows event logs:
-------------------------------------
No Key to Generate Kerberos Ticket
While processing a TGS request for the target server host/client1.mydomain.com, the account user@MYDOMAIN.COM did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 17. The accounts available etypes were 23 -133 -128 18 17. Changing or resetting the password of CLIENT1$ will generate a proper key.
--------------------------------------
Resetting the host password as instructed by the message does not resolve the issue.
The default_etypes option in vas.conf only has AES encryption enabled and no arcfour entry:
--------------------
default_etypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
--------------------
Cause
Something in the Active Directory environment does not accept the AES encryption.
Resolution
Ask your Active Directory team to investigate whether any configuration needs to be changed and whether keys need to be regenerated so that AES encryption is accepted.
For reference, this can include keys for the following:
- User accounts
- Computer/host accounts
- Trust accounts
- KRBTGT account
WORKAROUND:
If arcfour encryption is still allowed within your domain then you can temporarily add it back into the default_etypes option in vas.conf:
--------------------
default_etypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 arcfour-hmac-md5
--------------------
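For triage, the event text and the vas.conf line can be read together. The following is an added example, not part of the original article or the vendor's tooling: it parses the message shown above, names the etype numbers, and reports whether the default_etypes line still offers arcfour. The function names and the etype name table (including the names given to the negative, Microsoft-internal values) are assumptions of this example.

```python
import re

# Etype numbers -> names. Positive values are IANA-assigned; the negative ones
# are Microsoft-internal RC4 variants (names assumed from ntsecapi.h).
ETYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
               23: "arcfour-hmac-md5", -128: "RC4_MD4", -133: "RC4_HMAC_OLD"}
EVENT_RE = re.compile(
    r"target server (?P<target>\S+), the account (?P<account>\S+) did not have"
    r".*?missing key has an ID of (?P<key_id>-?\d+)"
    r".*?requested etypes were (?P<requested>[-\d ]+)\."
    r".*?available etypes were (?P<available>[-\d ]+)\.", re.S)

def name(etype):
    return ETYPE_NAMES.get(etype, f"unknown({etype})")

def parse_default_etypes(vas_line):
    """Return the etype names from a 'default_etypes = ...' line of vas.conf."""
    key, _, value = vas_line.partition("=")
    if key.strip() != "default_etypes":
        raise ValueError("not a default_etypes line")
    return value.split()

def analyze(event_text, vas_line):
    m = EVENT_RE.search(event_text)
    if m is None:
        raise ValueError("event text not recognised")
    requested = [int(n) for n in m["requested"].split()]
    available = [int(n) for n in m["available"].split()]
    client = parse_default_etypes(vas_line)
    return {
        "target": m["target"], "account": m["account"],
        "missing_key_id": int(m["key_id"]),
        "requested": [name(e) for e in requested],
        "available": [name(e) for e in available],
        # Requested etypes the KDC does not list for the account.
        "requested_not_listed": [name(e) for e in requested if e not in available],
        "client_allows_arcfour": "arcfour-hmac-md5" in client,
    }

# Event text and default_etypes line copied from the article above.
SAMPLE_EVENT = (
    "While processing a TGS request for the target server host/client1.mydomain.com, the account "
    "user@MYDOMAIN.COM did not have a suitable key for generating a Kerberos ticket (the missing "
    "key has an ID of 8). The requested etypes were 17. The accounts available etypes were "
    "23 -133 -128 18 17. Changing or resetting the password of CLIENT1$ will generate a proper key.")
SAMPLE_VAS = "default_etypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96"

if __name__ == "__main__":
    for field, value in analyze(SAMPLE_EVENT, SAMPLE_VAS).items():
        print(f"{field}: {value}")
```

On the article's sample, the single requested etype (17) already appears in the account's available list, so `requested_not_listed` is empty.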