KnowledgeBase: Kerberos authentication fails when the computer tries to request a service ticket from a Windows Server 2012-based Domain Controller


Earlier this month, Microsoft released KnowledgeBase Article 2877460, describing an issue where Kerberos authentication to an Active Directory-integrated service may fail, despite proper implementation and time synchronization, with an error describing time differences between the Primary Domain Controller (PDC) and a Backup Domain Controller (BDC).


The situation

Domain-joined Windows devices use Kerberos as their primary network authentication protocol. The protocol works with two ticket types. Typically, when a colleague logs on to a domain-joined device, the device requests a Ticket Granting Ticket (TGT) from a Domain Controller (acting as the Key Distribution Center (KDC)). In an Active Directory domain, TGTs have a default lifetime of 10 hours and may be renewed throughout the user's log-on session without requiring the user to re-enter their password.

When the colleague wants to use an Active Directory-integrated service, like accessing files on a domain-joined File Server, the device sends the TGT to the Domain Controller (acting as the Ticket Granting Service (TGS) this time). After verifying that the TGT is valid and that the user is permitted to access the requested service, the TGS issues a Service Ticket (ST). The device then sends the Service Ticket to the service server along with the service request.

The domain-joined Windows device stores the Service Tickets (STs) it has gathered in a local cache and reuses them for subsequent service requests to the same service server. When a Service Ticket (ST) expires, which it does by default after 10 hours, it is removed from the cache.

Tip!
You can set the default lifetime for Service Tickets (STs) through Group Policy. More information can be found here.


The issue

Now, under certain conditions, getting a new Service Ticket (ST) from a Windows Server 2012-based Domain Controller may fail even though the device presents a valid Ticket Granting Ticket (TGT).

When the issue occurs, the Windows Server 2012-based Domain Controller returns a KRB_AP_ERR_TKT_EXPIRED error to the domain-joined device. This causes the Kerberos authentication to fail.

Additionally, the following event is logged on the computer:

Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: date
Time: time
User: N/A
Computer: computer name
Description:
The Security System detected an authentication error for the server server name.
The failure code from authentication protocol Kerberos was "The time at the Primary Domain Controller is different than the time at the Backup Domain Controller or member server by too large an amount. (0xc0000133)"


The cause

This issue occurs because the Key Distribution Center (KDC) on the Windows Server 2012-based Domain Controller performs additional checks on the lifetime of Ticket Granting Tickets (TGTs). If the TGT’s lifetime is less than 2 minutes, the Key Distribution Center (KDC) returns a KRB_AP_ERR_TKT_EXPIRED error.


The resolution

To resolve this issue, install the Windows 8 and Windows Server 2012 October 2013 update rollup (KB2883201) on the Windows Server 2012-based Domain Controllers throughout the Active Directory domain.

Note:
As a prerequisite to the Windows 8 and Windows Server 2012 October 2013 update rollup (KB2883201), you need to have the servicing stack update for Windows 8 and Windows Server 2012 (KB2771431) installed first.

Note:
The Domain Controllers need to be restarted after you apply the Windows 8 and Windows Server 2012 October 2013 update rollup (KB2883201).
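The following PowerShell script is an added example, not part of the KnowledgeBase article: it lists the Windows Server 2012-based Domain Controllers in the domain that are still missing the servicing stack update (KB2771431) or the October 2013 update rollup (KB2883201), and then checks the local machine for the LSASRV event 40960 with failure code 0xc0000133 described above. It assumes the ActiveDirectory PowerShell module is available and that Get-HotFix can reach the Domain Controllers remotely (WMI/RPC).

```powershell
# Added example (not from the KB article): audit Windows Server 2012 Domain Controllers
# for the updates that resolve the TGT lifetime check issue, then look for the
# client-side symptom. Assumes the ActiveDirectory module and WMI/RPC access to the DCs.
Import-Module ActiveDirectory

# Install order matters: the servicing stack update is a prerequisite for the rollup.
$RequiredUpdates = @('KB2771431', 'KB2883201')

# Only Windows Server 2012 (not R2) Domain Controllers perform the additional
# TGT lifetime check, so restrict the audit to those.
$Dcs = Get-ADDomainController -Filter * |
       Where-Object { $_.OperatingSystem -like 'Windows Server 2012*' -and
                      $_.OperatingSystem -notlike '*R2*' }

foreach ($Dc in $Dcs) {
    # Get-HotFix returns the installed updates; a DC that cannot be reached
    # shows up with an empty list and is reported as missing both updates.
    $Installed = Get-HotFix -ComputerName $Dc.HostName -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty HotFixID
    $Missing   = $RequiredUpdates | Where-Object { $Installed -notcontains $_ }

    [PSCustomObject]@{
        DomainController = $Dc.HostName
        OperatingSystem  = $Dc.OperatingSystem
        MissingUpdates   = if ($Missing) { $Missing -join ', ' } else { '(none)' }
    }
}

# On an affected domain-joined computer, the symptom is LSASRV event 40960 in the
# System log whose message carries the Kerberos failure code 0xc0000133.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'LSASRV'; Id = 40960 } `
             -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '0xc0000133' } |
    Select-Object TimeCreated, MachineName, Message
```

A Domain Controller listed with missing updates (or one that is unreachable and therefore reports both as missing) is a candidate for the rollup and the restart the notes above call for.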


Related KnowledgeBase articles

2877460 Kerberos authentication fails when the computer tries to request a Service Ticket from a Windows Server 2012-based Domain Controller

Further reading

Kerberos Explained
Maximum lifetime for service ticket
