Kerberos authentication is unsuccessful in the Local System security context when the computer account password has recently changed on a computer that is running Windows Server 2003

Symptoms

Consider the following scenario. On a computer that is running Microsoft Windows Server 2003, the password of the computer account has recently changed. This computer issues a Kerberos ticket-granting ticket (TGT) request on behalf of a local program that runs in the Local System security context. In this scenario, the domain controller that services the TGT request returns a 0x18 Kerberos pre-authentication error, and the authentication is unsuccessful.

This problem does not occur if the program runs in a user account's security context for Kerberos authentication.

Cause

This problem occurs when the password of the computer account on the Kerberos client that submits the TGT request is newer than the password on the domain controller.

If a change to the computer account password is not updated on the targeted domain controller, Kerberos authentication is unsuccessful for programs that run in the Local System account. Starting in Windows 2000 with Service Pack 3, the primary domain controller (PDC) is not updated immediately after a change to the computer account. Therefore, when the domain controller contacts the PDC to request an updated password for the computer account, the request is unsuccessful. If the Kerberos client runs in a user account's security context, the Kerberos client uses the older password to send a second TGT request, and the TGT request succeeds. However, if the Kerberos client runs in the Local System account, the OldPassword value is not available. Therefore, the second request is not sent, and Kerberos authentication is unsuccessful.

Note The SMTP service in Microsoft Exchange Server 2003 is one program that runs in the Local System account.

Resolution

Service pack information

To resolve this problem, obtain the latest service pack for Windows Server 2003. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
889100 How to obtain the latest service pack for Windows Server 2003

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:

Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

No prerequisites are required.

Restart requirement

You have to restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace any other hotfixes.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
Windows Server 2003, 32-bit versions

File name      File version    File size  Date         Time   Platform
Kerberos.dll   5.2.3790.2690   351,744    26-Apr-2006  09:00  x86

Windows Server 2003, x64-based versions

File name      File version    File size  Date         Time   Platform  SP requirement  Service branch
Kerberos.dll   5.2.3790.2690   721,920    25-Apr-2006  21:44  x64       SP1             SP1QFE
Wkerberos.dll  5.2.3790.2690   351,744    25-Apr-2006  21:44  x86       SP1             WOW

Windows Server 2003, Itanium-based versions

File name      File version    File size  Date         Time   Platform  SP requirement  Service branch
Kerberos.dll   5.2.3790.2690   965,120    25-Apr-2006  21:44  IA-64     SP1             SP1QFE
Wkerberos.dll  5.2.3790.2690   351,744    25-Apr-2006  21:44  x86       SP1             WOW

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. This problem was first corrected in Windows Server 2003 Service Pack 2.

More information

The Kerberos error occurs in the following scenario:
  1. A Windows Server 2003-based computer that is named \\Contoso-client hosts a server-based process that runs in the Local System security context. The Kerberos client on \\Contoso-client submits Kerberos authentication requests on behalf of this process.
  2. The password of the computer account for the computer that hosts the program changes on a Windows Server 2003-based domain controller. The domain controller is named \\Contoso-DC-01.

    Note A domain controller that is running the original release version of Windows Server 2003 does not replicate password updates for computer accounts to the domain PDC.
  3. The program on \\Contoso-client requests mutual authentication. The Kerberos client on \\Contoso-client submits a TGT request that is encrypted by using a hash of its current computer account password.

    Note Kerberos clients that are running the original release version of Windows Server 2003 do not populate the OldPassword field in the Kerberos logon structure with the previous computer account password.
  4. A different domain controller services the TGT request. This domain controller is named \\Contoso-DC-02.

    The Active Directory directory service on \\Contoso-DC-02 includes the old password for the Kerberos client. Active Directory determines whether the new password is available on the PDC of the domain. The new password is not present on the PDC.
  5. The \\Contoso-DC-02 domain controller returns the 0x18 pre-authentication error to the Kerberos client. Therefore, Kerberos authentication is unsuccessful. If the Kerberos client then tries to use NTLM for fallback authentication, this authentication attempt is also unsuccessful.
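The following Python model walks through the five steps above so the cause is visible in code. It is an added example, not Microsoft's Kerberos implementation: the KDC and client are small objects, the long-term key is a plain SHA-256 of the password (a stand-in for the real key derivation), and PA-ENC-TIMESTAMP is modelled as an HMAC over the timestamp. The account and password values are constructed. What the model reproduces faithfully is the decision logic: \\Contoso-DC-02 checks the proof against the password it holds, chains to the PDC on mismatch, and returns 0x18 when the PDC does not have the new password either; the client retries with OldPassword only when that value is available, which is the difference between a user security context and Local System.

```python
import hashlib
import hmac

KDC_ERR_PREAUTH_FAILED = 0x18

# Constructed sample values for the scenario in this article.
OLD_PASSWORD = "old-machine-secret"
NEW_PASSWORD = "new-machine-secret"
TIMESTAMP = "20060426090000Z"


def key_from_password(password: str) -> bytes:
    """Simplified stand-in for the long-term key derived from the account password."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def pa_enc_timestamp(key: bytes, timestamp: str) -> bytes:
    """Stand-in for PA-ENC-TIMESTAMP: a proof only the holder of the key can produce."""
    return hmac.new(key, timestamp.encode(), "sha256").digest()


class DomainController:
    def __init__(self, name: str, password: str, pdc: "DomainController | None" = None):
        self.name = name
        self.password = password   # computer account password as replicated to this DC
        self.pdc = pdc             # None when this DC is itself the PDC

    def verify_preauth(self, timestamp: str, proof: bytes) -> bool:
        """Check the proof against the local password; on mismatch, ask the PDC,
        which is expected to hold the most recent password (password chaining)."""
        expected = pa_enc_timestamp(key_from_password(self.password), timestamp)
        if hmac.compare_digest(expected, proof):
            return True
        if self.pdc is not None:
            return self.pdc.verify_preauth(timestamp, proof)
        return False

    def as_request(self, timestamp: str, proof: bytes):
        """Service a TGT request: issue a TGT or return KRB-ERROR 0x18."""
        if self.verify_preauth(timestamp, proof):
            return ("TGT", self.name)
        return ("KRB-ERROR", KDC_ERR_PREAUTH_FAILED)


def request_tgt(dc: DomainController, current_password: str, old_password=None):
    """Client side: pre-authenticate with the current password. If the KDC answers 0x18
    and an OldPassword value is available (user context), retry once with it. Under
    Local System old_password is None, so there is no second attempt."""
    reply = None
    for password in [p for p in (current_password, old_password) if p is not None]:
        proof = pa_enc_timestamp(key_from_password(password), TIMESTAMP)
        reply = dc.as_request(TIMESTAMP, proof)
        if reply[0] == "TGT":
            break
    return reply


def run_scenario(pdc_has_new_password: bool, old_password_available: bool):
    """\\Contoso-DC-02 still holds the old password and chains to the PDC;
    the client already uses the new password."""
    pdc = DomainController("Contoso-PDC", NEW_PASSWORD if pdc_has_new_password else OLD_PASSWORD)
    dc02 = DomainController("Contoso-DC-02", OLD_PASSWORD, pdc=pdc)
    return request_tgt(dc02, NEW_PASSWORD, OLD_PASSWORD if old_password_available else None)


if __name__ == "__main__":
    print("Local System, PDC not yet updated:", run_scenario(False, False))  # ('KRB-ERROR', 24)
    print("User context, PDC not yet updated:", run_scenario(False, True))   # ('TGT', 'Contoso-DC-02')
    print("Local System, PDC updated        :", run_scenario(True, False))   # ('TGT', 'Contoso-DC-02')
```

The first call is the failing case from the Symptoms section: the proof made with the new password matches neither \\Contoso-DC-02 nor the PDC, and with no OldPassword to fall back on the client is left with 0x18. The second call shows why a user-context program is unaffected, and the third shows that once the PDC has the new password the chained check succeeds on the first attempt.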

If the value of the KerbDebugLevel registry entry is set to 1 on the computer that issues the TGT, the following event is logged in the local System log:

Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 3
Date:
Time:
User: N/A
Computer:
Description:
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time:
Error Code: 0x18 KDC_ERR_PREAUTH_FAILED
Extended Error:
Client Realm:
Client Name:
Server Realm:
Server Name:
Target Name:
Error Text:
File: e
Line: 6bc
Error Data is in record data.

For more information, see Help and Support Center at http://support.microsoft.com.
Data:
0000: 30868130 03a18381 a20b0102 307a047c
0010: a0093078 17010203 000402a1 04a00a30
0020: 7bff0202 000402a1 03a00930 a1800102
0030: 30000402 0203a029 22a10301 494e2004
0040: 48434b43 2e444c49 4b43494e 2e42414c
0050: 41434f4c 6165524c 6573556c 29304172
0060: 010203a0 0422a101 43494e20 4948434b
0070: 4e2e444c 4c4b4349 4c2e4241 4c41434f
0080: 6c616552 72657355 41
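The Data section of the event above is shown in the Event Viewer "Words" view, in which each eight-digit group is a 32-bit word written least-significant byte first, so the byte order inside each group has to be reversed to recover the wire bytes. Those bytes are the e-data of the KRB-ERROR: DER-encoded METHOD-DATA (RFC 4120), a SEQUENCE OF PA-DATA whose single entry here is PA-ETYPE-INFO (type 11) listing the encryption types and salts the KDC expects for pre-authentication. The following added example, not part of the article, turns the dump back into bytes with a minimal DER reader and prints those entries; it uses only the dump shown and assumes nothing else about the event.

```python
"""Decode the record data of a Kerberos Event ID 3 (KRB-ERROR 0x18) event."""

# Constructed from the "Data:" lines of the event reproduced in this article.
EVENT_DATA = """
0000: 30868130 03a18381 a20b0102 307a047c
0010: a0093078 17010203 000402a1 04a00a30
0020: 7bff0202 000402a1 03a00930 a1800102
0030: 30000402 0203a029 22a10301 494e2004
0040: 48434b43 2e444c49 4b43494e 2e42414c
0050: 41434f4c 6165524c 6573556c 29304172
0060: 010203a0 0422a101 43494e20 4948434b
0070: 4e2e444c 4c4b4349 4c2e4241 4c41434f
0080: 6c616552 72657355 41
"""

PA_ETYPE_INFO = 11                       # RFC 4120 padata-type for ETYPE-INFO
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac"}
# Negative etype values are Microsoft's pre-standard RC4 variants.


def words_dump_to_bytes(dump: str) -> bytes:
    """Turn Event Viewer 'Words' hex lines into the original byte stream."""
    out = bytearray()
    for line in dump.strip().splitlines():
        _, _, words = line.partition(":")
        for word in words.split():
            out += bytes.fromhex(word)[::-1]   # little-endian word -> wire order
    return bytes(out)


def der_tlv(buf: bytes, pos: int = 0):
    """Parse one DER TLV at pos: (tag, value, next_pos). Single-byte tags and
    definite lengths only, which is all this message needs."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(buf: bytes):
    """Yield (tag, value) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = der_tlv(buf, pos)
        yield tag, value


def der_int(buf: bytes) -> int:
    return int.from_bytes(buf, "big", signed=True)


def decode_etype_info(method_data: bytes):
    """Return [(etype, name, salt), ...] from DER METHOD-DATA."""
    tag, seq, _ = der_tlv(method_data)
    if tag != 0x30:
        raise ValueError("METHOD-DATA must be a SEQUENCE")
    entries = []
    for _, pa_data in der_children(seq):                 # each PA-DATA
        fields = dict(der_children(pa_data))
        if der_int(der_tlv(fields[0xA1])[1]) != PA_ETYPE_INFO:   # padata-type [1]
            continue
        _, octets, _ = der_tlv(fields[0xA2])             # padata-value [2] OCTET STRING
        _, info_seq, _ = der_tlv(octets)                 # ETYPE-INFO ::= SEQUENCE OF entry
        for _, entry in der_children(info_seq):
            ef = dict(der_children(entry))
            etype = der_int(der_tlv(ef[0xA0])[1])        # etype [0] Int32
            salt = der_tlv(ef[0xA1])[1] if 0xA1 in ef else b""   # salt [1] OPTIONAL
            entries.append((etype, ETYPE_NAMES.get(etype, "ms-legacy-rc4"),
                            salt.decode("latin-1")))
    return entries


def decode_event_data(dump: str):
    return decode_etype_info(words_dump_to_bytes(dump))


if __name__ == "__main__":
    for etype, name, salt in decode_event_data(EVENT_DATA):
        print(f"etype {etype:5d} {name:14s} salt={salt!r}")
```

Decoding the dump gives five ETYPE-INFO entries: rc4-hmac (23) and two legacy RC4 variants (-133, -128) with an empty salt, then des-cbc-md5 (3) and des-cbc-crc (1) with the salt NICKCHILD.NICKLAB.LOCALRealUserA, that is the realm followed by the principal name. This is useful when reading such an event: the KDC had no trouble identifying the account or its key types, so the 0x18 reflects a key mismatch of the kind the Cause section describes rather than an unsupported encryption type.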

For more information about the terms that are used in this article, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

Technical support for x64-based versions of Microsoft Windows

If your hardware came with a Microsoft Windows x64 edition already installed, your hardware manufacturer provides technical support and assistance for the Windows x64 edition. In this case, your hardware manufacturer provides support because a Windows x64 edition was included with your hardware. Your hardware manufacturer might have customized the Windows x64 edition installation by using unique components. Unique components might include specific device drivers or might include optional settings to maximize the performance of the hardware. Microsoft will provide reasonable-effort assistance if you need technical help with a Windows x64 edition. However, you might have to contact your manufacturer directly. Your manufacturer is best qualified to support the software that your manufacturer installed on the hardware. If you purchased a Windows x64 edition such as a Microsoft Windows Server 2003 x64 edition separately, contact Microsoft for technical support.

For product information about Microsoft Windows XP Professional x64 Edition, visit the following Microsoft Web site:

For product information about x64-based versions of Microsoft Windows Server 2003, visit the following Microsoft Web site:

Keywords: kbautohotfix, kbwinserv2003sp2fix, kbwinserv2003sp1fix, kbbug, kbfix, kbqfe, KB918442

Article Info
Article ID : 918442
Revision : 4
Created on : 10/9/2011
Published on : 10/9/2011