This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 28.999999999999996%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPW%3C/text%3E%3C/svg%3E)
Hi Everyone,
After the recent Nov Windows updates we have a number of entries in the Event log (system) stating: While procesing an AS request for target service krbtg, the account did not have a suitable key for generating a Kerberos ticket (the missing key has an id of 1). The requested etypes 18 17 23 24 -135 3. The accounts available etypes: 23 18 17. Changing the password will generate a proper key
This only seems to be affected some machines and not all. On these machines they are being prompted to enter credentials and also receive a kdc error if they try and change thier password
Our Domian hasnt been changed and has been running error free for a long time. Replication appears to be working between the to DC's
Changing the password on the Dc dosnt seem to stop the error.
Any ideas?
Many thanks,
Paul
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(156.8, 37%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETS%3C/text%3E%3C/svg%3E)
We are seeing the same issue.
Testing removing the updates from the DC's
Removing via wusa /uninstall /kb:5020023 /quiet resolved the issue for 2012 R2
and wusa /uninstall /kb:5019964 /quiet for 2016.
I don't have any 2022 DCs. Having the monthly update on the workstations (Win10 & 11) doesn't seem to have any issues so far so must only be DC related.
Waiting for MS to say what they broke this time Ugh!
I'm wondering if the November update must be fully deployed to all workstations before the DCs as it seems the DCs don't like the kdc ticket the workstations are sending.
Looks like MS has broken things. MS has found that adding the following key on the DCs resolves the issue.
reg add "HKLM\SYSTEM\CurrentControlSet\services\kdc" /v ApplyDefaultDomainPolicy /t REG_DWORD /d 0 /f
See the following thread for more information:
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(259.20000000000005, 14.000000000000002%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJN%3C/text%3E%3C/svg%3E)
Thank you! This solved my issue immediately. Thanks a lot, Microsoft.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 57.00000000000001%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Appreciate the info. Adding this key worked for us as well, but I'm curious as to what this key is actually doing. Is this telling the DC to NOT apply the default domain policy to itself?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 57.00000000000001%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EO%3C/text%3E%3C/svg%3E)
I too wanted to say thank you. Running 2 DC's Server 2019. Saw several strange errors beginning to creep throughout the domain. Once I searched errors found in the event viewer, I came
across this post. The reg add fixed the issue almost immediately. I had to have all PC's do a reboot. They were all beginning to be part of a private network instead of the domain network. (domain.com 2 (unauthenticated)) This was a big problem as all sharing/permissions were affected. After the reg add and having users reboot, all is happy in the domain again.
Extreme gratitude to those a little more in the know than I.
Much appreciated.
Also found two other reg key recomended by MS from another poster: https://www.reddit.com/r/sysadmin/comments/ypbpju/patch_tuesday_megathread_20221108/
Also another person had success turning off 128 and 256 encryption support within AD - Account. Interestingy enough every user that I had an issue with had these two tick boxes checked. All the ones who didnt have the issue didnt have these enabled.
All my users have gone home for the evening so will see if anyone shouts tomorrow. Enabling all three reg keys and unticking the boxes got rid of the error in event viewer.
I hate patch Tuesdays!
Turning off 128 and 256 will leave your system more vulnerable. It is currently recommended to install the patch, apply the registry, and disable RC4 KDC encryption.
I can confirm that only the "ApplyDefaultDomainPolicy" registry is needed. This was also confirmed in the thread.
I have applied this to 13 DC with no issues.
No worries, will test enabling encryption support and if no issue re enable accross the board. What is the best way to disable RC4 KDc encryption?
Set the policy:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Configure encryption types allowed for Kerberos
And only check the last three: AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types.
See:
https://www.tenable.com/audits/items/CIS_DC_SERVER_2019_Level_1_v1.3.0.audit:62722feffd4c3ac9be54d1e4212d3d22
https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos
Thanks Squirrel, much appreciated.