Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-8022 Mac is creating Event ID 26 in Windows System Logs

20 January,17 at 07:35 PM

Applies to: 

Centrify Identity Service, Mac Edition




Problem:

An Administrator auditing the Windows System Event logs in their network notices many errors from the Key Distribution Center (KDC) which are "Event ID 26" and will have a message similar to:
 
Log Name:      System
Source:        Microsoft-Windows-Kerberos-Key-Distribution-Center
Date:          12/20/2016 9:24:12 AM
Event ID:      26
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      MacComputer1.centrifylab.test
Description:
While processing an AS request for target service krbtgt, the account <AccountName> did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). The requested etypes were 3  1. The accounts available etypes were 23  -133  -128  18  17.




Cause:

This is caused when the adclient on Mac attempts DES encryption, on a Windows Server running 2008 R2 or above, which has DES encryption disabled by default.

More information can be found here :

https://technet.microsoft.com/en-us/library/cc734055(v=ws.10).aspx




Workaround:

To workaround this issue, an Administrator can discard these messages, as they are benign to the end User, or else enable DES encryption on the KDC. Alternately, an Administrator can use the following method to prevent these errors:


Find /etc/centrifydc/centrifydc.conf on Mac and modify the following two entries

 
From the following:
 
adclient.krb5.tkt.encryption.types: aes256-cts aes128-cts arcfour-hmac-md5 arcfour-hmac-md5  des-cbc-md5 des-cbc-crc

and 

adclient.krb5.permitted.encryption.types: aes256-cts aes128-cts arcfour-hmac-md5 arcfour-hmac-md5  des-cbc-md5 des-cbc-crc



To the following;

adclient.krb5.tkt.encryption.types: aes256-cts aes128-cts arcfour-hmac-md5 arcfour-hmac-md5 


and

adclient.krb5.permitted.encryption.types: aes256-cts aes128-cts arcfour-hmac-md5 arcfour-hmac-exp


For detailed instructions on doing this manually or using Group policy, please refer to this KB

KB-7563 How to manage and edit centrifydc.conf on Mac computers



Resolution:

There are no current resolutions other than implementing one of the work-around's above. 



For additional information not covered in this guide or troubleshooting assistance, please review Centrify Online Help or visit the Customer Support Portal at https://www.centrify.com/support/customer-support-portal/
 

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.