KB-1550: Windows Event ID: 26 gets reported in Domain Controller event log from Unix/Linux machines running Centrify DirectControl

Centrify Identity Service, Mac Edition

12 April, 16 at 11:06 AM

Applies to: Centrify DirectControl 4.3.0 & above on Windows 2003 domain controllers

Problem:
Windows Event ID: 26 gets reported in Domain Controller event log from Unix/Linux machines running Centrify DirectControl.


Source: KDC
Event ID: 26
Description: While processing an AS request for a target service krbtgt, the account <hostname> did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). The requested etypes were 17. The account available etypes were 23 -133 -128 3 1.
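
The event text above carries the whole diagnosis in two numeric lists: the etypes the client asked for and the etypes the KDC holds keys for on that account. The following parser is an added example, not part of the original article or of Centrify's code; it extracts those lists, maps the standard numbers to names (17 and 18 are AES, 23 is RC4/arcfour-hmac-md5, 3 and 1 are single DES; the negative values are Microsoft-private legacy types and are left as numbers), and classifies the mismatch so a SOC can tell the harmless "AES-capable client, 2003-era account key" case described in this article from other etype mismatches. The sample event string and the hostname `LINUXBOX01$` are constructed.

```python
import re
from dataclasses import dataclass

# Etype numbers from RFC 3961 / MS-KILE. Negative values seen in Event 26 text are
# Microsoft-private legacy types and are deliberately not named here.
ETYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac (arcfour-hmac-md5)",
    24: "rc4-hmac-exp (arcfour-hmac-exp)",
}
AES_ETYPES = {17, 18}

# The three phrases of the Event 26 description that carry the useful fields.
_REQUESTED = re.compile(r"requested etypes were\s+(-?\d+(?:\s+-?\d+)*)\.")
_AVAILABLE = re.compile(r"available etypes were\s+(-?\d+(?:\s+-?\d+)*)\.")
_ACCOUNT = re.compile(r"the account (\S+) did not have a suitable key")

# Constructed sample mirroring the event in this article (hostname is made up).
SAMPLE_EVENT_26 = (
    "While processing an AS request for a target service krbtgt, the account "
    "LINUXBOX01$ did not have a suitable key for generating a Kerberos ticket "
    "(the missing key has an ID of 1). The requested etypes were 17. "
    "The account available etypes were 23 -133 -128 3 1."
)


@dataclass
class Event26:
    account: str
    requested: list
    available: list

    @property
    def missing(self):
        """Requested etypes for which the account has no key."""
        return [e for e in self.requested if e not in self.available]

    @property
    def usable(self):
        """Requested etypes the KDC could actually have served."""
        return [e for e in self.requested if e in self.available]


def etype_name(num):
    if num in ETYPE_NAMES:
        return ETYPE_NAMES[num]
    return "microsoft-private" if num < 0 else "unknown"


def parse_event26(text):
    """Parse a KDC Event ID 26 description; returns None if the text is not one."""
    req, avail, acct = _REQUESTED.search(text), _AVAILABLE.search(text), _ACCOUNT.search(text)
    if not (req and avail):
        return None
    return Event26(
        account=acct.group(1) if acct else "",
        requested=[int(x) for x in req.group(1).split()],
        available=[int(x) for x in avail.group(1).split()],
    )


def diagnose(ev):
    """Classify the mismatch so the benign case from this article can be filtered."""
    if ev.usable:
        return "no-mismatch"
    if set(ev.requested) <= AES_ETYPES and not (set(ev.available) & AES_ETYPES):
        # Client (e.g. DirectControl 4.3+) prefers AES; account key predates AES support.
        return "client-prefers-aes-but-account-has-no-aes-key"
    return "etype-mismatch"


if __name__ == "__main__":
    ev = parse_event26(SAMPLE_EVENT_26)
    print(ev.account, [etype_name(e) for e in ev.missing], diagnose(ev))
```

Feed the description field of collected Event 26 records through `parse_event26` and group by `diagnose`; the category this article describes can then be suppressed per host while every other mismatch still surfaces. Once the domain controllers support AES, that benign category should disappear, which is itself a useful health check.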


Cause:
Support for Windows 2008 was added in DirectControl 4.3.0 and above. As a result, the adclient daemon now tries the encryption types aes256 and aes128 first when retrieving Kerberos tickets.

If the domain controller that adclient is bound to is still Windows 2003, the event above is logged, because Windows 2003 domain controllers did not support the AES encryption types with Kerberos.

This event ID is harmless.

Resolution:
Option 1: Configure the adclient daemon to use other etypes first, like arcfour-hmac-md5:

  1. Edit /etc/centrifydc/centrifydc.conf and change the parameters adclient.krb5.tkt.encryption.types and adclient.krb5.permitted.encryption.types as follows:

    adclient.krb5.tkt.encryption.types: arcfour-hmac-md5 des-cbc-md5 des-cbc-crc aes256-cts aes128-cts
    adclient.krb5.permitted.encryption.types: arcfour-hmac-md5 des-cbc-md5 des-cbc-crc arcfour-hmac-exp aes256-cts aes128-cts

  2. Edit /etc/krb5/krb5.conf and make equivalent edits to default_tgs_enctypes, default_tkt_enctypes and permitted_enctypes:

    default_tgs_enctypes = arcfour-hmac-md5 des-cbc-md5 des-cbc-crc aes256-cts aes128-cts
    default_tkt_enctypes = arcfour-hmac-md5 des-cbc-md5 des-cbc-crc aes256-cts aes128-cts
    permitted_enctypes = arcfour-hmac-md5 des-cbc-md5 des-cbc-crc arcfour-hmac-exp aes256-cts aes128-cts

  3. Reload the configuration files:

    adreload
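
Option 1 moves RC4 and DES ahead of AES on the agent, which is a deliberate downgrade that only makes sense while Windows 2003 domain controllers remain. The script below is an added example, not part of the original article or of Centrify's tooling: it reads the enctype lists from a centrifydc.conf and a krb5.conf, reports whether AES is still first in each, flags single-DES and export RC4 entries, and checks that the two files agree as step 2 requires. It runs against constructed sample files written to a temporary directory; the paths `/etc/centrifydc/centrifydc.conf` and `/etc/krb5/krb5.conf` from the article are the defaults when no arguments are given.

```shell
#!/bin/sh
# Added example: audit Kerberos enctype ordering on a DirectControl agent.
# Usage: enctype_audit.sh [centrifydc.conf] [krb5.conf]

# Print the value of "key: value" from a centrifydc.conf-style file.
cdc_value() {   # $1 = file, $2 = key
    sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" | head -n 1
}

# Print the value of "key = value" from a krb5.conf-style file (any section).
krb5_value() {  # $1 = file, $2 = key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | tr ',' ' '
}

# Classify an enctype list: aes-first | aes-demoted | no-aes
order_class() { # $1 = space-separated list
    set -- $1
    case "${1:-}" in
        aes256*|aes128*) echo "aes-first" ;;
        *) case " $* " in
               *" aes256"*|*" aes128"*) echo "aes-demoted" ;;
               *) echo "no-aes" ;;
           esac ;;
    esac
}

# List the weak members of an enctype list (single DES, export-grade RC4).
weak_types() {  # $1 = space-separated list
    for t in $1; do
        case "$t" in des-cbc-*|arcfour-hmac-exp) printf '%s ' "$t" ;; esac
    done
}

# Full report over both files; exits 1 if any list is not AES-first or the files disagree.
audit() {       # $1 = centrifydc.conf, $2 = krb5.conf
    rc=0
    tkt=$(cdc_value "$1" adclient.krb5.tkt.encryption.types)
    perm=$(cdc_value "$1" adclient.krb5.permitted.encryption.types)
    for pair in "tkt:$tkt" "permitted:$perm" \
                "default_tkt_enctypes:$(krb5_value "$2" default_tkt_enctypes)" \
                "default_tgs_enctypes:$(krb5_value "$2" default_tgs_enctypes)" \
                "permitted_enctypes:$(krb5_value "$2" permitted_enctypes)"; do
        name=${pair%%:*}; list=${pair#*:}
        cls=$(order_class "$list")
        printf '%-22s %-12s weak=[%s]\n' "$name" "$cls" "$(weak_types "$list")"
        [ "$cls" = "aes-first" ] || rc=1
    done
    [ "$tkt" = "$(krb5_value "$2" default_tkt_enctypes)" ] || { echo "MISMATCH: tkt list differs between files"; rc=1; }
    [ "$perm" = "$(krb5_value "$2" permitted_enctypes)" ] || { echo "MISMATCH: permitted list differs between files"; rc=1; }
    return $rc
}

# Constructed sample files: centrifydc.conf carries the Option 1 workaround,
# krb5.conf still has the AES-first default, so the audit must flag both problems.
TMPD=$(mktemp -d)
cat > "$TMPD/centrifydc.conf" <<'EOF'
# constructed sample
adclient.krb5.tkt.encryption.types: arcfour-hmac-md5 des-cbc-md5 des-cbc-crc aes256-cts aes128-cts
adclient.krb5.permitted.encryption.types: arcfour-hmac-md5 des-cbc-md5 des-cbc-crc arcfour-hmac-exp aes256-cts aes128-cts
EOF
cat > "$TMPD/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tgs_enctypes = aes256-cts aes128-cts arcfour-hmac-md5
    default_tkt_enctypes = aes256-cts aes128-cts arcfour-hmac-md5
    permitted_enctypes = aes256-cts aes128-cts arcfour-hmac-md5
EOF
SAMPLE_CDC="$TMPD/centrifydc.conf"
SAMPLE_KRB5="$TMPD/krb5.conf"

if [ -n "${1:-}" ] || [ -n "${2:-}" ]; then
    audit "${1:-/etc/centrifydc/centrifydc.conf}" "${2:-/etc/krb5/krb5.conf}"
fi
```

Run it with no arguments to exercise the samples, or pass the two real paths once the domain controllers have been upgraded past Windows 2003; any list reported as `aes-demoted` is an agent still carrying this workaround and should be returned to the AES-first order.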

 

Option 2: Set up a Group Policy (GP) to swap the order of encryption types for all DirectControl agents:

  1. Enable the GP at:

    Computer Configuration / Centrify Settings / DirectControl Settings / "Add centrifydc.conf properties"

  2. Add the following entries into the list:

    • Name: adclient.krb5.tkt.encryption.types

    • Value: arcfour-hmac-md5 des-cbc-md5 des-cbc-crc aes256-cts aes128-cts

    • Name: adclient.krb5.permitted.encryption.types

    • Value: arcfour-hmac-md5 des-cbc-md5 des-cbc-crc aes256-cts aes128-cts

  3. Enable the GP at:

    Computer Configuration / Centrify Settings / Common Unix Settings / "Specify commands to run"

  4. Add the following commands into the list:

    • rm /etc/krb5.conf

    • rm /var/centrifydc/kset.preferred.enctype

    • /usr/share/centrifydc/bin/centrifydc restart

  5. Wait approximately 90-120 minutes for the policies to be processed on all machines, then disable the "Specify commands to run" GP configured in Steps 3-4 (these commands only need to run once).

Option 3: Try resetting or changing the user password to force an update of the supported encryption types for the user's account.
