KDC not letting me log in on Windows Server 2019
Hey does anyone know why this is happening? I have a domain with 4 Windows Server 2016 DCs running KDC. I recently added a 2019 server to the domain that runs KDC also. The problem I am getting is that every time I start the KDC service on the 2019 server and try to sign in on that domain controller it says the password is invalid. I can PowerShell into the server and disable KDC and it will instantly let me log in. All 2016 servers still work and give out tickets allowing people to log in, but only the 2019 doesn't work. Any thoughts on this; any help is appreciated.
Windows for business | Windows Server | Directory services | User logon and profiles
Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.
9 answers
-
Anonymous
2025-01-28T13:41:45+00:00 Finally figured out a solution, at least to my issue. Check your Password Settings Container in AD under the System container. For some reason mine was named PasswordSettingsContainer. Renamed it to Password Settings Container with spaces and everything is working now. Not sure if there was an issue when upgrading the domain/forest, but that would be my guess.
-
Anonymous
2024-03-25T07:10:07+00:00 Hi Sakthikumaran,
Thank you for posting in the Microsoft Community Forum.
It sounds like there could be a compatibility issue between the Key Distribution Center (KDC) service running on the Windows Server 2019 machine and the rest of the domain. Here are a few steps you can take to troubleshoot and resolve the issue:
- Check Event Viewer Logs: Start by checking the Event Viewer logs on both the Windows Server 2019 machine and the existing Windows Server 2016 Domain Controllers (DCs). Look for any error messages or warnings related to Kerberos or authentication.
- Verify Time Synchronization: Ensure that all domain controllers, including the new Windows Server 2019 machine, have accurate time synchronization. Time skew can cause authentication failures.
- Review KDC Configuration: Double-check the configuration of the KDC service on the Windows Server 2019 machine. Make sure it is properly configured to join the existing domain and is using the correct domain controller(s) for authentication.
- Check DNS Configuration: Ensure that the DNS settings on the Windows Server 2019 machine are configured correctly and that it can resolve domain controller names and domain-related DNS records.
- Review Group Policies: Review any Group Policies that may be applied to the Windows Server 2019 machine. Ensure that there are no policies that could be causing authentication issues or conflicts.
- Update Software: Ensure that both the Windows Server 2019 machine and the existing Windows Server 2016 DCs have all necessary updates and patches installed.
- Test with Different Accounts: Try logging in with different user accounts on the Windows Server 2019 machine to see if the issue is specific to certain accounts.
By following these steps, you should be able to identify and resolve the issue preventing the Windows Server 2019 machine from authenticating users properly via the KDC service.
Best regards
Neuvi Jiang
-
Anonymous
2024-03-25T14:03:51+00:00 Hi Neuvi,
Thank you for responding and providing me with some solutions. Unfortunately, after going through multiple tests, none of these recommendations corrected the problem.
Another thing to note is that if I build another Windows Server 2016 it will work completely fine, while if I make a new 2019 server I get that same KDC problem where it does not let me log on. So it seems to be specifically only 2019 servers and beyond that cause this problem.
Please let me know if you have any other recommendations I should try to fix this ongoing problem.
Thanks
-
Anonymous
2024-03-27T07:41:59+00:00 Hi GRam10,
Have a nice day!
Check the Kerberos encryption settings configured in Active Directory. Ensure that the Windows Server 2019 domain controller supports the encryption types used by other domain controllers and clients for authentication.
Verify that the Windows Firewall or any other firewall software is not blocking Kerberos traffic between the Windows Server 2019 domain controller and other domain controllers or clients. Ensure that the necessary ports for Kerberos (TCP/UDP 88) are open.
Best regards
Neuvi Jiang
-
Anonymous
2024-03-27T16:00:02+00:00 Hi Neuvi,
I verified that both ports are open and are set to allowed on the Windows Firewall.
I was able to confirm the encryption methods were allowed through group policy and added the role to server 2019.
Both recommendations were done, but the server is still not letting me log in while KDC is turned on. I am able to PowerShell into the server still while it's on and when I type klist tickets, it shows a ticket was made but it is blank for KDC called. From my knowledge, I would guess that it would pull the ticket from itself but I'm not 100% sure.
What are the next steps I should take to resolve this?
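One way to run the thread's checks from PowerShell on the new 2019 DC, as an added example that is not any poster's code: it looks up the Password Settings Container under CN=System by object class (the naming mismatch the accepted answer found), measures the time offset to each other DC, pulls recent KDC events and shows the KDC service state and ticket cache. It assumes the ActiveDirectory RSAT module is installed and an elevated session on the DC.

```powershell
# Added example, not code from any poster in this thread.
# Assumes: ActiveDirectory module available, elevated session on the 2019 DC.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$systemDN = "CN=System,$($domain.DistinguishedName)"

# 1. Accepted answer: the container must be named "Password Settings Container".
#    Search by object class so a renamed container is still found.
$psc = Get-ADObject -SearchBase $systemDN -SearchScope OneLevel `
        -LDAPFilter '(objectClass=msDS-PasswordSettingsContainer)' -Properties name
if ($null -eq $psc) {
    Write-Warning "No msDS-PasswordSettingsContainer object found under $systemDN"
} elseif ($psc.Name -cne 'Password Settings Container') {
    Write-Warning "Container is named '$($psc.Name)'; expected 'Password Settings Container'"
    # Fix as the accepted answer did (review before running):
    # Rename-ADObject -Identity $psc.DistinguishedName -NewName 'Password Settings Container'
} else {
    Write-Host "Password Settings Container name OK"
}

# 2. Time skew against every other DC (Kerberos tolerates 5 minutes by default).
foreach ($dc in (Get-ADDomainController -Filter *)) {
    if ($dc.Name -ine $env:COMPUTERNAME) {
        w32tm /stripchart /computer:$($dc.HostName) /samples:1 /dataonly
    }
}

# 3. Recent KDC events in the System log (the Event Viewer step above).
Get-WinEvent -FilterHashtable @{
    LogName = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
} -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message

# 4. KDC service state and the current Kerberos ticket cache.
Get-Service kdc | Select-Object Name, Status, StartType
klist
```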