While joining new QAS hosts to AD, the join works as expected yet 3/4 errors like the following are generated on the domain controller in the System log.
"While processing an AS request for target service krbtgt, the account <account name> did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of <id number>). The requested etypes were <etype>. The accounts available etypes were 23 -133 -128 3 1."
This is caused by the Kerberos library that VAS uses (Heimdal), which attempts the highest encryption level first. When this fails (as Windows 2003 does not support AES), it falls back to ARCFOUR-HMAC.
WORKAROUND 1
Prior to joining the QAS host, pre-populate vas.conf with the default etype so that AES encryption is not attempted.
# /opt/quest/vas/vastool configure vas libdefaults default_etypes arcfour-hmac-md5
WORKAROUND 2
You can safely ignore or filter these events. QAS will still use the highest encryption that the Windows server is able to support.
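One way to filter these events without hiding genuine key problems, as an added example that is not part of the original article or of QAS. It assumes the join noise requests only AES etypes (17, 18) from an account that holds an RC4 key (23) but no AES key; the function names are hypothetical and the sample messages are constructed.

```python
import re

AES_ETYPES = {17, 18}  # aes128/aes256-cts-hmac-sha1-96 (RFC 3962)
RC4_HMAC = 23          # arcfour-hmac-md5 (RFC 4757)
_ETYPES = r"-?\d+(?: -?\d+)*"
_EVENT_RE = re.compile(
    r"While processing an AS request for target service (?P<service>\S+), "
    r"the account (?P<account>.+?) did not have a suitable key .*?"
    r"The requested etypes were (?P<requested>" + _ETYPES + r")\.\s+"
    r"The accounts available etypes were (?P<available>" + _ETYPES + r")\.",
    re.DOTALL,
)

def parse_event(message):
    """Return service, account and etype lists, or None if the text does not match."""
    m = _EVENT_RE.search(message)
    if m is None:
        return None
    return {
        "service": m["service"],
        "account": m["account"],
        "requested": [int(t) for t in m["requested"].split()],
        "available": [int(t) for t in m["available"].split()],
    }

def is_expected_aes_fallback(message):
    """True only when AES was requested from an account holding RC4 but no AES key."""
    ev = parse_event(message)
    if ev is None:
        return False
    requested, available = set(ev["requested"]), set(ev["available"])
    return requested <= AES_ETYPES and RC4_HMAC in available and not (AES_ETYPES & available)

def events_needing_review(messages):
    """Drop the expected join noise; keep every other message for an analyst."""
    return [m for m in messages if not is_expected_aes_fallback(m)]

# Constructed sample messages (not captured from a real domain controller).
_TEMPLATE = ("While processing an AS request for target service krbtgt, the account {acct} "
             "did not have a suitable key for generating a Kerberos ticket (the missing key "
             "has an ID of 1). The requested etypes were {req}. "
             "The accounts available etypes were {avail}.")
SAMPLE_NOISE = _TEMPLATE.format(acct="host01$", req="18", avail="23 -133 -128 3 1")
SAMPLE_REAL = _TEMPLATE.format(acct="host02$", req="23", avail="3 1")

if __name__ == "__main__":
    for msg in events_needing_review([SAMPLE_NOISE, SAMPLE_REAL]):
        print(parse_event(msg)["account"], "needs review")
```

An event that requests RC4 from an account without an RC4 key, or any message that does not match the pattern, stays in the review list.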
STATUS
Waiting for fix in a future release of Quest Authentication Services.
© 2025 One Identity LLC. ALL RIGHTS RESERVED.