Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Vista and Windows Server 2008 clients are unable to access cluster names with AES-encrypted Kerberos tickets


Source: Microsoft Support



RAPID PUBLISHING

RAPID PUBLISHING ARTICLES PROVIDE INFORMATION DIRECTLY FROM WITHIN THE MICROSOFT SUPPORT ORGANIZATION. THE INFORMATION CONTAINED HEREIN IS CREATED IN RESPONSE TO EMERGING OR UNIQUE TOPICS, OR IS INTENDED TO SUPPLEMENT OTHER KNOWLEDGE BASE INFORMATION.



Symptom



Consider the following scenario, with all machines in the same domain:


- Windows Server 2008 domain controller

- Windows Vista or Windows Server 2008 client

- Windows Server 2008 failover cluster


Client tries to access the cluster name via NetBIOS or DNS name and gets an error:


"\\{cluster name} is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions.


Logon Failure: The target account name is incorrect."


 


When looking at the network traffic it can be seen that the cluster returns KRB5KRB_AP_ERR_MODIFIED to the client. Microsoft-Windows-Security-Kerberos event ID 4 is also recorded.


 


Services relying on Kerberos communication with a cluster name will also fail with various symptoms (possibly pointing towards "access denied").


 


This occurs when the NetBIOS or DNS name of the cluster computer object is used.


If the cluster is accessed using the IP address then there is no error displayed (as NTLM is used instead of Kerberos).


 


If a Windows client prior to Vista is used then the problem does not occur.


If any dedicated node name is entered then the problem does not occur.



More Information



Windows Vista introduced support for AES-encrypted Kerberos tickets, 128-bit and 256-bit.


AES encryption cannot be used for Kerberos negotiation with cluster names; only up to RC4-HMAC is supported.


 


When requesting a Kerberos ticket for a Service Principal Name (SPN), the Key Distribution Center (KDC) service on the domain controller checks two settings to determine the encryption used for the ticket to give to the client:


- msDS-SupportedEncryptionTypes attribute on the computer object with which the SPN is associated.

- KdcUseRequestedEtypesForTickets registry value exists and is non-zero.


 


msDS-SupportedEncryptionTypes is only created on computer objects in AD representing physical computers that are running Windows Vista or Windows Server 2008, where it is set to a value of 31, which indicates a maximum supported encryption level of 256-bit AES.


 


Computer objects representing cluster names do not have this attribute set by default, so they are treated as legacy Windows versions, supporting up to RC4-HMAC encryption (an effective msDS-SupportedEncryptionTypes value of 7).


 


If the attribute is set on a computer object representing a cluster name such that the 4th or 5th least significant bits are set (the 128-bit and 256-bit AES bits), then the problem described above will occur, as the KDC will encrypt the Kerberos ticket using AES.


 


KdcUseRequestedEtypesForTickets was introduced in Windows Server 2003 by the hotfix in KB article 833708 to allow clients to determine the encryption level for the tickets they request. This was to allow applications using Kerberos that only support encryption lower than RC4-HMAC to function.


 


The value is located in the registry under the following key:


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc


 


It is not present normally and defaults to an effective setting of 0, but if it exists on the domain controller contacted with the Kerberos request and is non-zero then the KDC will use the highest encryption that the client supports for the ticket.


 


If the value is set to a non-zero value and the client requesting the ticket is Windows Vista or later, then the Kerberos ticket will be AES-encrypted and the problem described above will occur.
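The following is an added example, not part of the KB article, that models the KDC decision the article describes: the msDS-SupportedEncryptionTypes bit flags, the legacy default of 7 for cluster computer objects, and the KdcUseRequestedEtypesForTickets override. The etype sets offered by a "Vista or later" and a "prior to Vista" client are assumptions used to reproduce the article's cases.

```python
# Bit flags of the msDS-SupportedEncryptionTypes attribute (low five bits).
DES_CBC_CRC = 0x01
DES_CBC_MD5 = 0x02
RC4_HMAC = 0x04
AES128_CTS_HMAC_SHA1 = 0x08   # 4th least significant bit
AES256_CTS_HMAC_SHA1 = 0x10   # 5th least significant bit

# Strongest first: the order in which the modelled KDC prefers etypes.
ETYPE_NAMES = [
    (AES256_CTS_HMAC_SHA1, "AES256-CTS-HMAC-SHA1-96"),
    (AES128_CTS_HMAC_SHA1, "AES128-CTS-HMAC-SHA1-96"),
    (RC4_HMAC, "RC4-HMAC"),
    (DES_CBC_MD5, "DES-CBC-MD5"),
    (DES_CBC_CRC, "DES-CBC-CRC"),
]

# Effective value when the attribute is absent (cluster names by default):
# legacy level, up to RC4-HMAC, i.e. 7 as the article states.
LEGACY_DEFAULT = RC4_HMAC | DES_CBC_MD5 | DES_CBC_CRC

# Assumed etype sets a client offers in its ticket request.
VISTA_CLIENT = AES256_CTS_HMAC_SHA1 | AES128_CTS_HMAC_SHA1 | LEGACY_DEFAULT
PRE_VISTA_CLIENT = LEGACY_DEFAULT


def decode_etypes(value):
    """Names of the etypes enabled in an msDS-SupportedEncryptionTypes value."""
    return [name for bit, name in ETYPE_NAMES if value & bit]


def select_ticket_etype(supported_attr, kdc_use_requested, client_etypes):
    """Etype the modelled KDC picks for the service ticket.

    supported_attr: attribute value of the target computer object, or None
                    when the attribute is not present on the object.
    kdc_use_requested: KdcUseRequestedEtypesForTickets (0 or None if absent).
    client_etypes: bitmask of etypes the client supports.
    """
    allowed = LEGACY_DEFAULT if supported_attr is None else supported_attr
    # Non-zero registry value: honour the strongest etype the client supports.
    candidates = client_etypes if kdc_use_requested else allowed & client_etypes
    for bit, name in ETYPE_NAMES:
        if candidates & bit:
            return name
    return None


def cluster_access_breaks(supported_attr, kdc_use_requested, client_etypes):
    """True when the ticket would be AES-encrypted, which a cluster name
    cannot handle (the KRB5KRB_AP_ERR_MODIFIED symptom in the article)."""
    chosen = select_ticket_etype(supported_attr, kdc_use_requested, client_etypes)
    return chosen is not None and chosen.startswith("AES")
```

Running the cases from the article through the model: a Vista client against a default cluster object gets RC4-HMAC and works; setting the attribute to 31 on the cluster object, or a non-zero registry value on the DC, yields an AES ticket and the failure; a pre-Vista client is unaffected either way.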


 


The problem may also occur with Microsoft Cluster Services (MSCS) cluster configurations.




For more information please see the following Microsoft Knowledge Base article:


833708  KDC does not allow clients to specify an etype in Windows Server 2003


http://support.microsoft.com/default.aspx?scid=kb;EN-US;833708





DISCLAIMER

MICROSOFT AND/OR ITS SUPPLIERS MAKE NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY, RELIABILITY OR ACCURACY OF THE INFORMATION CONTAINED IN THE DOCUMENTS AND RELATED GRAPHICS PUBLISHED ON THIS WEBSITE (THE “MATERIALS”) FOR ANY PURPOSE. THE MATERIALS MAY INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS AND MAY BE REVISED AT ANY TIME WITHOUT NOTICE.


TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, MICROSOFT AND/OR ITS SUPPLIERS DISCLAIM AND EXCLUDE ALL REPRESENTATIONS, WARRANTIES, AND CONDITIONS WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING BUT NOT LIMITED TO REPRESENTATIONS, WARRANTIES, OR CONDITIONS OF TITLE, NON INFRINGEMENT, SATISFACTORY CONDITION OR QUALITY, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THE MATERIALS.



Keywords: kbclustering, kbnoloc, kbnomt, kbrapidpub, kb


Article Info
Article ID : 961302
Revision : 3
Created on : 4/23/2018
Published on : 4/23/2018
Exists online : False
Views : 149