This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hey does anyone know why this is happening? I have a domain with 4 Windows Server 2016 DCs running KDC. I recently added a 2019 Server to the domain that runs KDC also. The problem I am getting is that every time I start the KDC service on the 2019 server and try to sign in on that domain controller is says the password is invalid. I can PowerShell into the server and disable KDC and it will instantly let me log in. All 2016 servers still work and give out tickets allowing people to login, but only the 2019 doesn't work. Any thoughts on this, any help is appreciated.
Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.
Finally Figured out a solution, at least to my issue. Check your Password Settings Container in AD under the system container. For some reason mine was named PasswordSettingsContainer. Renamed it to Password Settings Container with spaces and everything is working now. Not sure if there was an issue when upgrading domain/forest but that would be my guess.
Hi Sakthikumaran,
Thank you for posting in the Microsoft Community Forum.
It sounds like there could be a compatibility issue between the Key Distribution Center (KDC) service running on the Windows Server 2019 machine and the rest of the domain. Here are a few steps you can take to troubleshoot and resolve the issue:
By following these steps, you should be able to identify and resolve the issue preventing the Windows Server 2019 machine from authenticating users properly via the KDC service.
Best regards
Neuvi Jiang
Hi Neuvi,
Thank you for responding and providing me with some solutions. Unfortunately, after going through multiple tests, none of these recommendations corrected the problem.
Another thing to note is that if I build another Windows server 2016 it will work completely fine, while if I make a new 2019 server I get that same KDC problem where it does not let me log on. So it seems to be specifically only 2019 servers and beyond that cause this problem.
Please let me know if you have any other recommendations I should try to fix this ongoing problem.
Thanks
Hi GRam10,
Have a nice day!
Check the Kerberos encryption settings configured in Active Directory. Ensure that the Windows Server 2019 domain controller supports the encryption types used by other domain controllers and clients for authentication.
Verify that the Windows Firewall or any other firewall software is not blocking Kerberos traffic between the Windows Server 2019 domain controller and other domain controllers or clients. Ensure that the necessary ports for Kerberos (TCP/UDP 88) are open.
Best regards
Neuvi Jiang
Hi Neuvi,
I verified that both ports are open and are set to allowed on the windows firewall.
I was able to confirm the encryption methods were allowed through group policy and added the role to server 2019.
Both recommendations were done, but the server is still not letting me log in while KDC is turned on. I am able to PowerShell into the server still while it's on and when I type klist tickets, it shows a ticket was made but it is blank for KDC called. From my knowledge, I would guess that it would pull the ticket from itself but I'm not 100% sure.
What are the next steps I should take to resolve this?
