Solution:

If you are seeing this error, go to ALL of your Domain Controllers and restart the KERBEROS DISTRIBUTION KEY (KDC) service.  I have done this on live DC’s without any errors or disruption in service.
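The restart described above can be scripted so that no DC is missed. This is an added example, not part of the original post; it assumes the ActiveDirectory PowerShell module (RSAT) is installed, that PowerShell remoting is enabled on every DC, and that the service's short name is `Kdc`.

```powershell
# Added example (not from the original post): restart the KDC service on
# every domain controller in the current domain and report the outcome.
# Assumptions: ActiveDirectory module available, WinRM remoting enabled on
# each DC, and the account running this has rights to restart services.
Import-Module ActiveDirectory

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # Restart remotely and return the status as a plain string so it
        # survives remoting serialization unchanged.
        $status = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
            Restart-Service -Name Kdc -ErrorAction Stop
            (Get-Service -Name Kdc).Status.ToString()
        }
        [pscustomobject]@{ DC = $dc.HostName; Status = $status; Error = $null }
    }
    catch {
        # Remoting itself needs to authenticate, so a DC affected by the
        # problem may refuse the connection. Record it for a local restart.
        [pscustomobject]@{
            DC     = $dc.HostName
            Status = 'NotRestarted'
            Error  = $_.Exception.Message
        }
    }
}

$results | Format-Table -AutoSize

# Any DC not confirmed as Running still needs attention at its console.
$missed = $results | Where-Object { $_.Status -ne 'Running' }
if ($missed) {
    Write-Warning ("KDC not confirmed running on: " + ($missed.DC -join ', '))
}
```

Any DC listed in the warning should have the service restarted locally (for example from its console), since the fix reported here only took effect once every DC had been covered.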

 

Details:

I found the “An Authentication Error Has Occurred. The Encryption Type Requested Is Not Supported by the KDC” error intermittently when trying to RDP to various Server 2008 and R2 servers.

Last week, I moved the Forest and Domain functional level to 2008 (from 2003) and a few days later I started seeing problems with my Exchange 2007 SP2 Server (on Hyper-V Server 2008 R1 on a 2008 R1 host).  Specifically users were not able to connect to Exchange via Outlook, ActiveSync or BBerry Ent. Server 5 (which is on the same VM).  I spent MANY hours chasing DNS, GPolicy, NIC and other settings but found that the problem went away after a reboot… that was on Friday.

The next day (Saturday), I had the same problem with Exchange.  I found that if I ran GPUPDATE, it would error out and the event viewer would record:

error code 82 windows could not authenticate to the active directory service on a domain controller (LDAP Bind function call failed)

I also found that I could not get Exchange’s TRANSPORT SERVICE to restart.  It would stop but fail to start.

Most of the articles I read said this related to DNS problems, but I am confident in my DNS config:

– all 4 DC’s point to themselves for DNS and one other DC for secondary DNS
– I can resolve host names throughout the network, including all of the DC’s and the server in question
– REPADMIN /SHOWREPL <DC-HOSTNAME> shows expected results
– DCDIAG and DCDIAG /FIX provide expected results
– I can use \\host-name\ of each DC and see the SYSVOL folder
– The Exchange 2007 Server 2008 problem server is NOT a DC; just a member server.
– there is only ONE subnet and one physical location/site.

After a while I was able to get GPUPDATE to function without error and after restarting all of the Exchange and Blackberry services, all appeared well.  I made several small changes, but believe none of them resolved the issue; I think it was simply time that resolved this.

I ran Windows Updates on this Exchange 2007 Server 2008 R1 VM and rebooted without problem but the RDP issue remains.

I get the error when I Remote Desktop (RDP) to the server (from Win 7, or Server 2008 or even RDP from the host Server 2008 R2 server), but I can still log into the Exchange server via the Hyper-V console.

On the off chance this DC was a problem, I set the Exchange Server 08 VM in question to use DNS from two other DC’s, but that did not resolve the issue.

 

For more simple information on this KDC error, you may find these references useful:

http://blogs.technet.com/b/ad/archive/2007/11/02/server-2008-and-windows-vista-encryption-better-together.aspx

http://blogs.msdn.com/b/openspecification/archive/2009/09/12/msds-supportedencryptiontypes-episode-1-computer-accounts.aspx

 


20 Comments

UnderCoverGuy · October 23, 2014 at 5:09 am

I almost forgot to mention something. To add to my previous comment, we recently raised the forest/domain levels a few days ago. It may be that the KDC was stale and needed to be refreshed (restarted) after raising the levels.

UnderCoverGuy · October 23, 2014 at 5:06 am

MANY KUDOS TO YOU GOOD SIR!!!

We had the same issue when we would try to RDP into certain systems – “An RDP authentication error has occurred” with a 0x80004005 error code. This was happening on both DC’s and member servers (and it was only a few of each of them, we could RDP into some of the servers, including DC’s but not others). We tried the WIMMGMT stuff, checking DNS and all the other stuff. I found your article here about restarting the KDC on all DC’s. We tried it on a couple of our DC’s and still had the problem, so we just restarted the KDC service on all of them and everything works now.

I think that root cause is due to there being an issue with the KDC service on one of the FSMO role DC servers, and restarting the KDC on that server resolves the problem (maybe some type of “corruption”). We didn’t have time to test further to isolate the issue.

BTW – another solution, changing the RDP setting from “Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure)” to “Allow connections from computers running any version of Remote Desktop (less secure)” resolved the issue as well (at least temporarily). This could be a temporary stop-gap, if needed but once you change the setting back, the RDP authentication error reoccurs.

Anyway, KUDOS to you – and THANK YOU!!

Umer · June 2, 2014 at 10:55 pm

Thanks, Solved my problem. Keep it up. ! 🙂

jjr · November 5, 2013 at 1:16 pm

This worked. Thanks. Can you tell me how it worked?

Davor · May 15, 2013 at 3:11 am

Thanks a lot, this helped me with Hyper-V replication problems after upgrading domain level from 2003 to 2008R2!

Leandro · January 30, 2013 at 5:22 am

Thanks Man! This solves my DC problem when it restarts over a failure on our electrical architecture.
Simply resetting the service on the other 3 DCs solved the problem!

rich · January 18, 2013 at 11:16 am

Just a note to let you know this also solved our problem. Thanks.

Tom Geraghty · January 2, 2013 at 3:04 am

Thanks! This was really useful.

Mike · October 10, 2012 at 4:47 am

Thanks a lot. I just upgraded our sysvol to use dfs and our dfs namespace stopped working some days later.

As per your solution restarting KERBEROS DISTRIBUTION KEY (KDC) service on both my DCs solved it.

SpongeBob · September 25, 2012 at 7:16 am

Thanks for sharing this. You are a beautiful person.

    Ian Matthews · September 26, 2012 at 10:30 pm

    Well… I just don’t want to argue… 🙂 thanks.

Yves · September 12, 2012 at 5:22 pm

This fixed our error. Thanks for the post!!

Jason · August 2, 2012 at 6:35 am

Thanks for this awesome post. You saved me hours.

Babacar · June 19, 2012 at 7:58 am

Great post. It helped a lot. Thank you Markus

Markus · January 17, 2012 at 3:49 pm

Hi,
Thanks for that!
We ran into the same problem after an upgrade to 2008r2.
Simply restarting the service seems to work.

Best regards

Markus

Raising the Functional Levels of Active Directory Domains and Forest | IT-Operations-Management · August 6, 2014 at 1:01 am

[…] After our update we had a few strange problems related to the KDC service. After we restarted the KDC service on all domain controllers, the problems were gone. See Sure Raise the FFL & DFL…No Problem & SOLVED: AN AUTHENICATION ERROR HAS OCCURED. THE ENCRYPTION TYPE REQUESTED IS NOT SUPPORTED BY THE KD…. […]
