
KB-2140: Login failure for a user from a cross-forest domain errors with KDC_ERR_POLICY (12)

Centrify DirectControl

12 April 2016 at 10:57 AM

Applies to:

Centrify DirectControl 4.4.3 or below on all platforms, with Windows Server 2003 domains

Problem:

Users from Forest A are unable to log in to machines that are joined to Forest B. In the network trace, the error shows:

When requesting host/hostname.mydomain.com with krbtgt/mydomain.com ... it was rejected for KRB5KDC_ERR_POLICY (12).

The KRB-ERROR reply carries the Windows status c0000413, which is STATUS_AUTHENTICATION_FIREWALL_FAILED: "Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine."

Kerberos error code 0xC (12), KDC_ERR_POLICY: KDC policy rejects request. Associated internal Windows error code: STATUS_AUTHENTICATION_FIREWALL_FAILED (0xC0000413).

 

Cause:

KDC_ERR_POLICY is usually the result of logon restrictions in place on a user's account. The KDC normally returns it together with an e-data field that carries the underlying Windows NTSTATUS code (here c0000413); that value is what distinguishes an authentication-firewall rejection from a logon-hours or workstation restriction, and it can be read from a Network Monitor or Wireshark capture of the KRB-ERROR reply (Wireshark display filter: kerberos.error_code == 12).

 


Solution:

The computer account for the host in Forest B must grant the "Allowed to Authenticate" permission to the user or group from Forest A. This is the selective authentication setting on the forest trust: when the trust from Forest B to Forest A uses selective authentication, every computer object in Forest B that Forest A users should be able to log on to must carry an explicit Allowed to Authenticate ACE for those users. Without it the Forest B KDC refuses the service ticket for host/hostname with KDC_ERR_POLICY and the logon fails with STATUS_AUTHENTICATION_FIREWALL_FAILED. Grant the right on the computer object (Security tab in Active Directory Users and Computers with Advanced Features enabled, or an ACL edit from PowerShell), preferably to a group rather than to individual users, and confirm on the trust itself that selective authentication is what is in force.

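The following PowerShell is an added example, not part of the Centrify KB and not Centrify code. It checks whether a Forest A principal already holds the Allowed to Authenticate right on a Forest B computer object and grants it when missing, after reporting whether the trust uses selective authentication. It assumes the RSAT ActiveDirectory module on a Forest B domain member and an account allowed to edit the computer object's ACL; the names srv01, CORPA\Linux-Admins and corpa.example are placeholders.

```powershell
# Added example (not from the Centrify KB): verify and grant "Allowed to Authenticate"
# for a trusted-forest principal on a computer object in the trusting forest.
# Placeholders: srv01 (Forest B host), CORPA\Linux-Admins (Forest A group),
# corpa.example (Forest A DNS name).
Import-Module ActiveDirectory

$ComputerName  = 'srv01'
$Principal     = 'CORPA\Linux-Admins'
$TrustedForest = 'corpa.example'

# rightsGuid of the Allowed-To-Authenticate control access right in the AD schema.
$AllowedToAuthenticate = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

# Confirm that selective authentication on the trust is what enforces the
# "authentication firewall" reported in the KRB-ERROR.
$trust = Get-ADTrust -Filter "Name -eq '$TrustedForest'"
if (-not $trust) { throw "No trust named $TrustedForest found in this forest" }
Write-Host "Trust $($trust.Name): SelectiveAuthentication = $($trust.SelectiveAuthentication)"

$computer = Get-ADComputer -Identity $ComputerName
$aclPath  = 'AD:\' + $computer.DistinguishedName
$acl      = Get-Acl -Path $aclPath

# Compare ACEs by SID: a cross-forest identity may show up unresolved in the ACL.
$sid = ([System.Security.Principal.NTAccount]$Principal).Translate(
           [System.Security.Principal.SecurityIdentifier])

# Match an Allow ACE for this extended right (or for all extended rights, ObjectType empty)
# whose trustee is the Forest A principal.
$granted = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
    ($_.ObjectType -eq $AllowedToAuthenticate -or $_.ObjectType -eq [Guid]::Empty) -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
}

if ($granted) {
    Write-Host "$Principal already has Allowed to Authenticate on $($computer.DistinguishedName)"
} else {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $AllowedToAuthenticate)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $aclPath -AclObject $acl
    Write-Host "Granted Allowed to Authenticate to $Principal on $($computer.DistinguishedName)"
}
```

The check is deliberately narrow: a Deny ACE for the same right, or a GenericAll grant on the object, would change the outcome and should be reviewed by hand if the logon still fails after the grant. Granting to a group keeps the per-computer ACLs auditable as users come and go.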

Note: the following additional causes and resolutions, collected from the Microsoft TechNet articles linked at the end of this article, may also help:

•    KDC_ERR_POLICY is usually the result of logon restrictions in place on the user's account (see Cause above); the e-data in the error packet, visible in a Network Monitor capture, shows which restriction applied.

 


Resolution:

Use Active Directory Users and Computers to verify whether restrictions on this account might prevent the user from logging on:

1.    Click Start, click Run, and then type: dsa.msc
2.    Locate the user that is having logon problems, right-click the user's account, and then click Properties.
3.    On the Account tab, check Logon Hours (shown in the console's local time) and Log On To (the list of computers this user is allowed to log on to), and confirm the account has not expired or been locked out.

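The PowerShell below is an added example, not part of the Centrify KB, that performs the same checks from a script instead of dsa.msc. It decodes the raw logonHours attribute (21 bytes, one bit per hour of the week, stored in UTC starting at Sunday 00:00, so it differs from the local-time grid the console shows) and prints the Log On To list and expiry and lockout state. It assumes the RSAT ActiveDirectory module; the user name jdoe is a placeholder.

```powershell
# Added example (not from the Centrify KB): script equivalent of the dsa.msc
# Account-tab checks for a user that gets KDC_ERR_POLICY. Placeholder user: jdoe.
Import-Module ActiveDirectory

function Get-AllowedLogonHours {
    # Decode the logonHours bitmap: 168 bits, bit n = hour n of the week in UTC,
    # week starting Sunday 00:00; bit 0 is the least significant bit of byte 0.
    param([byte[]]$LogonHours)

    # An empty attribute means no restriction.
    if (-not $LogonHours -or $LogonHours.Count -ne 21) { return 'unrestricted' }

    $days = 'Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat'
    for ($d = 0; $d -lt 7; $d++) {
        $hours = @()
        for ($h = 0; $h -lt 24; $h++) {
            $bit = $d * 24 + $h
            # -shr / -band avoid PowerShell's banker's rounding on [int]($bit / 8)
            if ($LogonHours[$bit -shr 3] -band (1 -shl ($bit -band 7))) { $hours += $h }
        }
        $summary = if ($hours.Count -eq 24) { 'all day' }
                   elseif ($hours.Count -eq 0) { 'denied' }
                   else { ($hours | ForEach-Object { '{0:00}' -f $_ }) -join ',' }
        '{0}: {1}' -f $days[$d], $summary
    }
}

$user = Get-ADUser -Identity 'jdoe' -Properties logonHours, LogonWorkstations,
            AccountExpirationDate, Enabled, LockedOut

Write-Host "Account:          $($user.SamAccountName)"
Write-Host "Enabled:          $($user.Enabled)"
Write-Host "Locked out:       $($user.LockedOut)"
Write-Host "Account expires:  $(if ($user.AccountExpirationDate) { $user.AccountExpirationDate } else { 'never' })"
# LogOn To: comma-separated NetBIOS computer names; empty means all computers.
Write-Host "Log On To:        $(if ($user.LogonWorkstations) { $user.LogonWorkstations } else { 'all computers' })"
Write-Host "Logon hours (UTC):"
Get-AllowedLogonHours -LogonHours $user.logonHours | ForEach-Object { Write-Host "  $_" }
```

When Log On To is populated, the Centrify-joined host must appear in that list under its computer account name, otherwise the KDC refuses the service ticket with the same KDC_ERR_POLICY code seen in the trace.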

•    Constrained delegation is being attempted across multiple domains.

Resolution:

No resolution on Windows Server 2003, which does not support constrained delegation across domain boundaries: the front-end and back-end services must be in the same domain. Cross-domain (resource-based) constrained delegation was introduced with Windows Server 2012, so on 2003 the delegation path itself has to be redesigned.

 

•    The server receives a ticket in which the client's realm does not match the local realm.

Resolution:

Confirm the error with a Network Monitor capture. Per the referenced Microsoft guidance, the only way to eliminate this error is to ensure that the server and client are in the same realm (domain).

 

For more information, refer to the following links:

 

http://technet.microsoft.com/en-us/library/cc816733(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc787623(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc755321(WS.10).aspx

 
