Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

MIT Kerberos clients cannot authenticate to a Windows Server 2003-based domain controller in a Windows 2000 domain


View products that this article applies to.

Symptoms

After you add a Microsoft Windows Server 2003-based domain controller to a Microsoft Windows 2000 domain, you may find that Massachusetts Institute of Technology (MIT) Kerberos clients cannot authenticate to the Windows Server 2003-based domain controller. The same clients can authenticate successfully to a Windows 2000-based domain controller.

An MIT Kerberos client may receive the following error message:
[Key version number for principal in key table is incorrect] Unable to verify host ticket

↑ Back to the top


Cause

This problem occurs because Windows 2000 does not fully implement the key version number for security principals.

A ticket that is created by a Windows 2000 Kerberos Key Distribution Center (KDC) always has the key version number set to 1. This value is not incremented when a principal's password is updated. In Windows Server 2003, a new msDS-KeyVersionNumber attribute has been added to the schema. Therefore, this behavior has changed. A Windows Server 2003-based domain controller increments the msDS-KeyVersionNumber attribute whenever the principal's password changes. Tickets that Windows Server 2003-based domain controllers distribute include this updated attribute.

This problem occurs when the value of a principal's msDS-KeyVersionNumber attribute is greater than one, and the principal requests a service ticket from a Windows Server 2003-based domain controller. If the principal's keytab file was created on a Windows 2000-based domain controller, the key version number in the keytab file is 1. In this scenario, the key version number in the client's initial logon request does not match the key version number in the Active Directory directory service. Therefore, authentication does not succeed.

↑ Back to the top


Resolution

The following hotfix lets an administrator instruct all Windows Server 2003-based domain controllers in the forest to behave as Windows 2000-based domain controllers do with regard to the key version number. After all domain controllers in the forest have been upgraded to Windows Server 2003, you can turn off this behavior. However, after you turn off this behavior, clients cannot verify tickets until a new keytab file is created with the correct key version number.

Important After you install this hotfix, see the "More Information" section for steps that you can use to turn on the new behavior.

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

No prerequisites are required.

Restart requirement

You must restart your computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace any other hotfixes.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Windows Server 2003, 32-bit editions
   Date         Time   Version            Size  File name
   --------------------------------------------------------
   19-Aug-2004  02:15  5.2.3790.201  1,531,904  Ntdsa.dll
   19-Aug-2004  02:15  5.2.3790.196     32,768  Ntdsatq.dll
   05-Aug-2004  18:26  5.2.3790.197     59,392  Ws03res.dll
Windows Server 2003, Enterprise Edition for Itanium-based Systems
   Date         Time   Version            Size  File name     Platform
   -------------------------------------------------------------------
   19-Aug-2004  03:08  5.2.3790.201  4,055,552  Ntdsa.dll        IA-64
   19-Aug-2004  03:08  5.2.3790.196     82,432  Ntdsatq.dll      IA-64
   05-Aug-2004  19:27  5.2.3790.197     58,880  Ws03res.dll      IA-64
   05-Aug-2004  19:26  5.2.3790.197     59,392  Wws03res.dll       x86

↑ Back to the top


Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top


More information

Warning If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.

To turn on the new behavior, modify the dSHeuristic attribute in Active Directory. To do this, follow these steps:
  1. Start ADSI Edit. To do this, open a command prompt in the Support Tools folder, type adsiedit.msc, and then press ENTER.

    Note ADSI Edit is included with the Microsoft Windows 2000 Server Support Tools and with the Microsoft Windows Server 2003 Support Tools. To install the Windows 2000 Support Tools, double-click Setup.exe in the Support\Tools folder on the Windows 2000 CD. To install the Windows Server 2003 Support Tools, double-click Suptools.msi in the Support\Tools folder on the Windows Server 2003 CD.
  2. Right-click CN=Directory Service in the following location, and then click Properties:
    CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=forest root
  3. Click the Attribute Editor tab, and then locate dSHeuristic in the Attributes list.

    Note By default, the value of this attribute is not set.
  4. Click dSHeuristic, and then click Edit.
  5. Type 00000000010000001 in the Value box, and then click OK.
Note If a value has already been set for this attribute, incorporate the existing settings into the new value. When you do this, note the following:
  • The tenth bit from the left must be 1.
  • The seventeenth bit from the left must be 1.
  • None of the other bits of the existing value should be changed.
You do not have to restart the computer after you make this change. As this change is replicated to all domain controllers in the forest, Windows Server 2003-based domain controllers automatically read the value and change their behaviors accordingly.

To confirm the fix, follow these steps:
  1. Use ADSI Edit to locate a user account in Active Directory.
  2. Right-click the user account object, and then click Properties.
  3. Click the Attribute Editor tab, and then locate msDS-KeyVersionNumber in the Attributes list.
Before you install the hotfix, this value is greater than 1 if the user's password has been changed. After you install the hotfix and turn on the new behavior, this value is 1.

For additional information about the terminology that is used in this article, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

↑ Back to the top


Keywords: KB870987, kbwinserv2003presp1fix, kbfix, kbbug, kberrmsg, kbhotfixserver, kbqfe, kbautohotfix

↑ Back to the top

Article Info
Article ID : 870987
Revision : 11
Created on : 7/24/2007
Published on : 7/24/2007
Exists online : False
Views : 445