krbtgt did not have a suitable key

Paul Walsh 21 Reputation points

Hi Everyone,

After the recent Nov Windows updates we have a number of entries in the Event log (system) stating: While procesing an AS request for target service krbtg, the account did not have a suitable key for generating a Kerberos ticket (the missing key has an id of 1). The requested etypes 18 17 23 24 -135 3. The accounts available etypes: 23 18 17. Changing the password will generate a proper key

This only seems to be affected some machines and not all. On these machines they are being prompted to enter credentials and also receive a kdc error if they try and change thier password

Our Domian hasnt been changed and has been running error free for a long time. Replication appears to be working between the to DC's

Changing the password on the Dc dosnt seem to stop the error.

Any ideas?

Many thanks,


Windows Server 2016
Windows Server 2016
A Microsoft server operating system that supports enterprise-level management, data storage, applications, and communications.
1,978 questions
{count} votes

Accepted answer
  1. The Squirrel 106 Reputation points

    Looks like MS has broken things. MS has found that adding the following key on the DCs resolves the issue.

    reg add "HKLM\SYSTEM\CurrentControlSet\services\kdc" /v ApplyDefaultDomainPolicy /t REG_DWORD /d 0 /f

    See the following thread for more information:

    2 people found this answer helpful.

1 additional answer

Sort by: Most helpful
  1. Paul Walsh 21 Reputation points

    Also found two other reg key recomended by MS from another poster:

    Also another person had success turning off 128 and 256 encryption support within AD - Account. Interestingy enough every user that I had an issue with had these two tick boxes checked. All the ones who didnt have the issue didnt have these enabled.

    All my users have gone home for the evening so will see if anyone shouts tomorrow. Enabling all three reg keys and unticking the boxes got rid of the error in event viewer.

    I hate patch Tuesdays!