Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Client fails to request explicit armouring during TGT renewal


View products that this article applies to.


Product bug (s) ID, or bug(s) link:
(e.g. Windows SE:123456)

↑ Back to the top


Symptoms

The Kerberos client requests a ticket to a resource that has an associated authentication policy, which will only allow access if the device is member of a specific group.

The request fails with a status of KDC_ERR_POLICY (0xc) and an extended status of STATUS_AUTHENTICATION_FIREWALL_FAILED (0xc0000413).

This only occurs when the client is using a renewed TGT for the TGS request.

↑ Back to the top


Cause

This issue occurs when the TGT being used for the TGS request has been renewed.

When renewing the TGT the KDC does not set a flag in the ticket that allows it to be used for explicit armouring.

When the client uses the renewed TGT, it will not send explicit armouring that is required for the authentication policy to succeed.


↑ Back to the top


Hotfix/Update information

  • Distribution method (Microsoft Download Center | Hotfix Server | Windows Update etc.):

  • External/Internal location of the update/hotfix packages (e.g. file share, http://hotfix , DLC, WU):

  • Prerequisites to install the software update:

  • Restart requirements (if you must reboot, explain why):

  • After installation information: (e.g. A registry key should be enabled)

  • This software update replaces the following software updates:

  • This software update is schedules to ship in the following service pack(s)



↑ Back to the top


More Information/Reference

Tech reviewers:

Notes/more information for the author:


↑ Back to the top


Keywords: kbqfe, kbsurveynew, kb

↑ Back to the top

Article Info
Article ID : 3162159
Revision : 1
Created on : 1/7/2017
Published on : 1/7/2017
Exists online : False
Views : 334