KnowledgeBase: You experience errors with Event ID 42 and source Kdcsvc on Domain Controllers

To continually increase the information security of on-premises Domain Controllers, Microsoft adds new functionality to Windows Server and Active Directory. Sometimes, the new security measures affect backward compatibility. In this knowledgebase article, I’ll discuss such a measure.

The situation

You run Active Directory with Domain Controllers on one or more of the below Windows Server Operating Systems:

  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2022

You have not reset the password for the krbtgt account in Active Directory since upgrading the Active Directory Domain Functional Level (DFL) to Windows Server 2008 or higher, or your domain still runs at the Windows Server 2003 DFL.

You have not configured the Network Security: Configure encryption types allowed for Kerberos setting in a Group Policy object targeting the domain or the Domain Controllers OU, or have it configured to still allow RC4_HMAC_MD5 explicitly.

The issue

Suddenly, you start experiencing errors in the System log of your Domain Controllers. These errors have Event ID 42 and source Kdcsvc.

The Kerberos Key Distribution Center lacks strong keys for account: accountname. You must update the password of this account to prevent use of insecure cryptography. See https://go.microsoft.com/fwlink/?linkid=2210019 to learn more.

End users in the environment experience no issues signing in or signing out, and services that run with the credentials of domain user objects are not affected either.
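Because the symptom is only visible in the System log, the first thing to establish is which accounts the KDC is reporting. The following is an added example, not code from the original article: it collects Event ID 42 entries from every Domain Controller and extracts the account name from the message text quoted above. It assumes the ActiveDirectory module and remote event-log access to the DCs; the function name is our own.

```powershell
# Added example, not the article's code: find which accounts the KDC on each
# Domain Controller reports in Event ID 42. Requires the ActiveDirectory module
# and remote event-log access to the DCs.
function Get-KdcWeakKeyAccounts {
    param(
        [datetime]$Since = (Get-Date).AddDays(-7),
        [string[]]$ComputerName = (Get-ADDomainController -Filter * | ForEach-Object HostName)
    )
    # Event text quoted in the article:
    # "The Kerberos Key Distribution Center lacks strong keys for account: <name>. You must update ..."
    # Account names may contain dots, so match lazily up to the sentence end.
    $pattern = 'lacks strong keys for account:\s*(?<Account>.+?)\.\s+You must'
    foreach ($dc in $ComputerName) {
        $events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName   = 'System'
            Id        = 42
            StartTime = $Since
        }
        foreach ($e in $events) {
            # Other providers may also log an ID 42; keep only the KDC's message.
            if ($e.Message -match $pattern) {
                [pscustomobject]@{
                    DomainController = $dc
                    TimeCreated      = $e.TimeCreated
                    Account          = $Matches.Account
                }
            }
        }
    }
}

# One row per account: how often, when and on which DCs the error was logged.
Get-KdcWeakKeyAccounts |
    Group-Object Account |
    ForEach-Object {
        $sorted = $_.Group | Sort-Object TimeCreated
        [pscustomobject]@{
            Account   = $_.Name
            Events    = $_.Count
            FirstSeen = $sorted[0].TimeCreated
            LastSeen  = $sorted[-1].TimeCreated
            DCs       = ($_.Group.DomainController | Sort-Object -Unique) -join ','
        }
    } | Sort-Object Events -Descending | Format-Table -AutoSize
```

Accounts that keep appearing after their password has been changed point to the krbtgt scenario described below rather than to the account itself.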

The cause

These errors occur because the November 2022 or newer cumulative updates for Windows Server are installed on Domain Controllers.

Since the November 2022 updates, the Advanced Encryption Standard (AES) is configured as the default encryption type for session keys on user objects that are not marked with a default encryption type.

After applying the updates, the above error is triggered on Domain Controllers, in either or both of the following two scenarios:

  1. A person signs in with a user object that is explicitly configured to use RC4 and is allowed to do so, because the Network Security: Configure encryption types allowed for Kerberos Group Policy setting allows it.
  2. The password for the krbtgt account was last reset when the Active Directory domain ran in the Windows Server 2003 Domain Functional Level (or before).

Since Windows Server 2008, the krbtgt account supports AES-encrypted session keys, but only when the password for this account is reset after the Active Directory Domain Functional Level (DFL) was upgraded to Windows Server 2008.

The error indicates that the affected user objects are insecurely configured and should be configured to use the Advanced Encryption Standard (AES) instead of legacy RC4 encryption to encrypt session keys. The affected user objects are vulnerable in the context of CVE-2022-37966.
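Both causes can be checked from Active Directory before touching anything. The following is an added example, not code from the original article: it reports the domain mode and the krbtgt password age for scenario 2, and lists user objects whose msDS-SupportedEncryptionTypes explicitly allows RC4 without any AES type for scenario 1. It assumes the ActiveDirectory module; the bit values are those Microsoft documents for the attribute, and the function name is our own.

```powershell
# Added example, not the article's code. Bit values of msDS-SupportedEncryptionTypes:
# 0x1 DES_CBC_CRC, 0x2 DES_CBC_MD5, 0x4 RC4_HMAC_MD5, 0x8 AES128, 0x10 AES256,
# 0x20 AES256 session key (the bit introduced with the November 2022 updates).
$EncTypeBits = [ordered]@{
    DES_CBC_CRC  = 0x1
    DES_CBC_MD5  = 0x2
    RC4_HMAC_MD5 = 0x4
    AES128       = 0x8
    AES256       = 0x10
    AES256_SK    = 0x20
}

function ConvertFrom-EncTypeMask {
    param([int]$Mask)
    if (-not $Mask) { return '(not set: domain defaults apply)' }
    ($EncTypeBits.GetEnumerator() | Where-Object { $Mask -band $_.Value } | ForEach-Object Key) -join ','
}

# Scenario 2: krbtgt password last set while the DFL was still Windows Server 2003.
# Compare KrbtgtPasswordLastSet with the date the DFL was raised (from your change
# records); if the password predates it, the krbtgt account has no AES keys.
$domain = Get-ADDomain
$krbtgt = Get-ADUser krbtgt -Properties PasswordLastSet, msDS-SupportedEncryptionTypes
[pscustomobject]@{
    DomainMode            = $domain.DomainMode
    KrbtgtPasswordLastSet = $krbtgt.PasswordLastSet
    KrbtgtEncTypes        = ConvertFrom-EncTypeMask $krbtgt.'msDS-SupportedEncryptionTypes'
} | Format-List

# Scenario 1: user objects explicitly configured for RC4 and without AES128/AES256.
# The LDAP matching rule 1.2.840.113556.1.4.803 tests that all given bits are set.
$rc4OnlyFilter = '(&(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.803:=4)' +
                 '(!(|(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.803:=8)' +
                 '(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.803:=16))))'
Get-ADUser -LDAPFilter $rc4OnlyFilter -Properties msDS-SupportedEncryptionTypes, PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet,
        @{ n = 'EncTypes'; e = { ConvertFrom-EncTypeMask $_.'msDS-SupportedEncryptionTypes' } } |
    Format-Table -AutoSize
```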

The solution

There are two ways to solve these errors:

Reset the password for the krbtgt account, have affected people change their passwords and have them sign out and sign in again

Perform these steps:

Step 1

If the Active Directory Domain Functional Level (DFL) is set to Windows Server 2003, upgrade it to Windows Server 2008 or higher. In the process, the password for the krbtgt account is reset, so do not reset the password for the krbtgt account again as part of step 2 within a week of the upgrade. Skip to step 3.

Step 2

To reset the password for the krbtgt account, use Microsoft’s New-KrbtgtKeys.ps1 PowerShell script from GitHub and run it on the Domain Controller holding the Primary Domain Controller Emulator (PDCE) Flexible Single Master Operations (FSMO) role.

Step 3

Configure the affected user object(s) to no longer explicitly use RC4_HMAC_MD5.

When people sign out and sign in again after they’ve changed their passwords, their session keys will be AES encrypted and no longer be vulnerable in the context of CVE-2022-37966. When RC4 is needed for the account, turn to Step 3 of the below alternative method.

Step 4

Optionally, when no new errors with event ID 42 occur, configure the Network Security: Configure encryption types allowed for Kerberos setting in a Group Policy object targeting the domain to explicitly disable the DES_CBC_CRC, DES_CBC_MD5 and RC4_HMAC_MD5 encryption types and explicitly enable the AES128_HMAC_SHA1, AES256_HMAC_SHA1 and Future encryption types.
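Steps 3 and 4 of this method in PowerShell, as an added example that is not code from the original article: the function switches the reported accounts to AES and, for interactive users, requires the password change the article calls for; the second part writes the step 4 GPO value. It assumes the ActiveDirectory and GroupPolicy modules; the function name, the GPO name 'Kerberos Hardening' and the sample account names are placeholders of our own.

```powershell
# Added example, not the article's code. Requires the ActiveDirectory and
# GroupPolicy modules; 'Kerberos Hardening' is a placeholder GPO name.
function Set-AccountKerberosAes {
    param(
        [Parameter(Mandatory)][string[]]$SamAccountName,
        [switch]$RequirePasswordChange   # interactive users only; service accounts need a planned change instead
    )
    foreach ($name in $SamAccountName) {
        $before = (Get-ADUser $name -Properties msDS-SupportedEncryptionTypes).'msDS-SupportedEncryptionTypes'
        # Drop the explicit RC4/DES setting. AES keys for the account only exist
        # once a new password has been set after this change, hence the switch.
        Set-ADUser -Identity $name -KerberosEncryptionType AES128, AES256
        if ($RequirePasswordChange) { Set-ADUser -Identity $name -ChangePasswordAtLogon $true }
        $after = (Get-ADUser $name -Properties msDS-SupportedEncryptionTypes).'msDS-SupportedEncryptionTypes'
        [pscustomobject]@{
            Account = $name
            Before  = '0x{0:X}' -f [int]$before
            After   = '0x{0:X}' -f [int]$after
        }
    }
}

# Constructed sample account names for illustration.
Set-AccountKerberosAes -SamAccountName 'svc-legacy', 'jdoe' -RequirePasswordChange | Format-Table

# Step 4, only once Event ID 42 has stopped. The GPO setting "Network security:
# Configure encryption types allowed for Kerberos" is stored as a bitmask:
# DES_CBC_CRC=0x1, DES_CBC_MD5=0x2, RC4_HMAC_MD5=0x4, AES128=0x8, AES256=0x10,
# Future encryption types=0x7FFFFFE0. Enabling only AES and Future and leaving
# the DES and RC4 bits clear gives 0x7FFFFFF8.
$AesAndFuture = 0x8 -bor 0x10 -bor 0x7FFFFFE0
Set-GPRegistryValue -Name 'Kerberos Hardening' `
    -Key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters' `
    -ValueName 'SupportedEncryptionTypes' -Type DWord -Value $AesAndFuture
```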

Reset the password for the krbtgt account, apply a registry key to update explicitly set encryption defaults and have affected people sign out and sign in again

Perform these steps:

Step 1

If the Active Directory Domain Functional Level (DFL) is set to Windows Server 2003, upgrade it to Windows Server 2008 or higher. In the process, the password for the krbtgt account is reset, so do not reset the password for the krbtgt account again as part of step 2 within a week of the upgrade. Skip to step 3.

Step 2

To reset the password for the krbtgt account, use Microsoft’s New-KrbtgtKeys.ps1 PowerShell script from GitHub and run it on the Domain Controller holding the Primary Domain Controller Emulator (PDCE) Flexible Single Master Operations (FSMO) role.

Step 3

Apply the following line of PowerShell to all Domain Controllers and domain-joined devices:

New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\KDC" -Name DefaultDomainSupportedEncTypes -Value 0x27 -PropertyType DWORD -Force

This registry key re-enables the DES_CBC_CRC, DES_CBC_MD5 and RC4_HMAC_MD5 encryption types as supported encryption types for Kerberos.

Step 4

Work with the vendor of any third-party Domain Controllers, devices and/or applications to remove dependencies on the RC4_HMAC_MD5 encryption for Kerberos session tickets.

Step 5

After remediating these dependencies, change the password for the affected user object(s), have people sign out and sign in again (or restart the affected service that runs as the affected user object), and disable the outdated encryption types again by removing the DefaultDomainSupportedEncTypes registry key.

Step 6

Optionally, when no new errors with event ID 42 occur, configure the Network Security: Configure encryption types allowed for Kerberos setting in a Group Policy object targeting the domain to explicitly disable the DES_CBC_CRC, DES_CBC_MD5 and RC4_HMAC_MD5 encryption types and explicitly enable the AES128_HMAC_SHA1, AES256_HMAC_SHA1 and Future encryption types.
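Steps 3 and 5 of this method set and later remove the same registry value on every Domain Controller, and it is easy to forget a DC in step 5. The following is an added example, not code from the original article: one function that applies, audits or removes the value on all DCs (or any list of computers) and reports whether RC4 is still allowed on each. It assumes the ActiveDirectory module and WinRM access to the targets; the function name is our own.

```powershell
# Added example, not the article's code. Requires the ActiveDirectory module and
# WinRM access to the target computers.
function Set-KdcLegacyEncTypes {
    param(
        [Parameter(Mandatory)][ValidateSet('Apply', 'Audit', 'Remove')][string]$Action,
        [string[]]$ComputerName = (Get-ADDomainController -Filter * | ForEach-Object HostName)
    )
    $regPath = 'HKLM:\System\CurrentControlSet\Services\KDC'
    $valName = 'DefaultDomainSupportedEncTypes'
    Invoke-Command -ComputerName $ComputerName -ArgumentList $Action, $regPath, $valName -ScriptBlock {
        param($Action, $regPath, $valName)
        switch ($Action) {
            # Step 3: 0x27 = DES_CBC_CRC (0x1) | DES_CBC_MD5 (0x2) | RC4_HMAC_MD5 (0x4)
            # | AES256 session key (0x20), the temporary value from the article.
            'Apply'  { New-ItemProperty -Path $regPath -Name $valName -Value 0x27 -PropertyType DWORD -Force | Out-Null }
            # Step 5: delete the value so the update's AES default applies again.
            'Remove' { Remove-ItemProperty -Path $regPath -Name $valName -ErrorAction SilentlyContinue }
        }
        # Read back the resulting state so every action doubles as an audit.
        $current = (Get-ItemProperty -Path $regPath -Name $valName -ErrorAction SilentlyContinue).$valName
        if ($null -ne $current) { $display = '0x{0:X}' -f $current } else { $display = '(absent)' }
        [pscustomobject]@{
            Computer     = $env:COMPUTERNAME
            ValuePresent = $null -ne $current
            Value        = $display
            Rc4Allowed   = ($null -ne $current) -and [bool]($current -band 0x4)
        }
    } | Select-Object Computer, ValuePresent, Value, Rc4Allowed
}

# Step 3 across all DCs, then later (step 5) the rollback; Audit checks for stragglers.
Set-KdcLegacyEncTypes -Action Apply  | Format-Table -AutoSize
Set-KdcLegacyEncTypes -Action Remove | Format-Table -AutoSize
Set-KdcLegacyEncTypes -Action Audit  | Where-Object Rc4Allowed
```

Any row still showing Rc4Allowed after the Remove run is a DC that was missed and still accepts RC4 session keys by default.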
