
Microsoft small business knowledge base

Article ID: 961302 - Last Review: September 11, 2010 - Revision: 1.1

Source: Microsoft Support

RAPID PUBLISHING

RAPID PUBLISHING ARTICLES PROVIDE INFORMATION DIRECTLY FROM WITHIN THE MICROSOFT SUPPORT ORGANIZATION. THE INFORMATION CONTAINED HEREIN IS CREATED IN RESPONSE TO EMERGING OR UNIQUE TOPICS, OR IS INTENDED TO SUPPLEMENT OTHER KNOWLEDGE BASE INFORMATION.

Symptom



Consider the following scenario, with all machines in the same domain:

  • Windows Server 2008 domain controller
  • Windows Vista or Windows Server 2008 client
  • Windows Server 2008 failover cluster

 

A client tries to access the cluster by its NetBIOS or DNS name and gets the following error:

"\\{cluster name} is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions.

Logon Failure: The target account name is incorrect."

 

When looking at the network traffic, it can be seen that the cluster returns KRB5KRB_AP_ERR_MODIFIED to the client. Microsoft-Windows-Security-Kerberos event ID 4 is also recorded.

 

Services relying on Kerberos communication with a cluster name will also fail, with various symptoms (possibly pointing towards "access denied").

 

This occurs when the NetBIOS or DNS name of the cluster computer object is used.

If the cluster is accessed using the IP address, no error is displayed (because NTLM is used instead of Kerberos).

 

If a Windows client prior to Vista is used, the problem does not occur.

If the name of an individual cluster node is entered instead of the cluster name, the problem does not occur.

More Information



Windows Vista introduced support for AES-encrypted Kerberos tickets (128-bit and 256-bit).

AES encryption cannot be used for Kerberos negotiation with cluster names; only up to RC4-HMAC is supported.

 

When requesting a Kerberos ticket for a Service Principal Name (SPN), the Key Distribution Center (KDC) service on the domain controller checks two settings to determine the encryption used for the ticket to give to the client:

  • The msDS-SupportedEncryptionTypes attribute on the computer object with which the SPN is associated.
  • Whether the KdcUseRequestedEtypesForTickets registry value exists and is non-zero.

 

msDS-SupportedEncryptionTypes is only created on computer objects in AD representing physical computers that are running Windows Vista or Windows Server 2008, where it is set to a value of 31, which indicates a maximum supported encryption level of 256-bit AES.

 

Computer objects representing cluster names do not have this attribute set by default, so they are treated as legacy Windows versions, supporting up to RC4-HMAC encryption (an effective msDS-SupportedEncryptionTypes value of 7).

 

If the attribute is set on a computer object representing a cluster name such that the 4th or 5th least significant bit is set, then the problem described above will occur, because the KDC will encrypt the Kerberos ticket using AES.

 

KdcUseRequestedEtypesForTickets was introduced in Windows Server 2003 by the hotfix in KB article 833708 to allow clients to determine the encryption level for the tickets they request; this was done so that applications using Kerberos that only support encryption weaker than RC4-HMAC could function.

 

The value is located in the registry under the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc

 

It is not normally present and defaults to an effective setting of 0, but if it exists on the domain controller that receives the Kerberos request and is non-zero, the KDC will use the highest encryption level that the client supports for the ticket.

 

If the value is set to a non-zero value and the client requesting the ticket is Windows Vista or later, then the Kerberos ticket will be AES-encrypted and the problem described above will occur.
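The two checks described above can be modelled as a small decision function. The following is an added example, not Microsoft code and not taken from this article: the flag values of msDS-SupportedEncryptionTypes are the ones documented in MS-KILE (section 2.2.7), and the decision rules are a simplified reading of the article's text (attribute AES bits on the target object, or a non-zero KdcUseRequestedEtypesForTickets with an AES-capable client), not the KDC's full etype negotiation. The scenario values at the bottom are constructed.

```python
"""Model of the KDC ticket-encryption decision described in KB 961302.

Added example, not Microsoft code. Flag bits follow the documented layout of
msDS-SupportedEncryptionTypes (MS-KILE 2.2.7); the decision logic is a
simplified reading of the article, not the KDC's complete negotiation.
"""

# Flag bits of msDS-SupportedEncryptionTypes (MS-KILE 2.2.7)
DES_CBC_CRC = 0x01
DES_CBC_MD5 = 0x02
RC4_HMAC = 0x04
AES128_CTS_HMAC_SHA1_96 = 0x08  # 4th least significant bit
AES256_CTS_HMAC_SHA1_96 = 0x10  # 5th least significant bit

ETYPE_NAMES = {
    DES_CBC_CRC: "DES-CBC-CRC",
    DES_CBC_MD5: "DES-CBC-MD5",
    RC4_HMAC: "RC4-HMAC",
    AES128_CTS_HMAC_SHA1_96: "AES128-CTS-HMAC-SHA1-96",
    AES256_CTS_HMAC_SHA1_96: "AES256-CTS-HMAC-SHA1-96",
}
AES_MASK = AES128_CTS_HMAC_SHA1_96 | AES256_CTS_HMAC_SHA1_96

# Article: objects without the attribute are treated as legacy (effective 7,
# DES + RC4-HMAC); Vista / Server 2008 hosts get 31 (everything up to AES256).
LEGACY_DEFAULT = 0x07
VISTA_DEFAULT = 0x1F


def decode_etypes(value):
    """Return the encryption-type names whose flag bits are set in value."""
    return [name for bit, name in ETYPE_NAMES.items() if value & bit]


def effective_supported_etypes(attribute_value):
    """msDS-SupportedEncryptionTypes as the KDC treats it (None = attribute absent)."""
    return LEGACY_DEFAULT if attribute_value is None else attribute_value


def predicted_ticket_family(attribute_value, kdc_use_requested_etypes, client_supports_aes):
    """Predict whether the service ticket will be AES- or RC4-HMAC-encrypted.

    attribute_value: msDS-SupportedEncryptionTypes on the target computer
        object, or None when the attribute does not exist.
    kdc_use_requested_etypes: the KdcUseRequestedEtypesForTickets registry
        value on the DC that answers the request (0 or missing = default).
    client_supports_aes: True for Windows Vista / Server 2008 and later clients.
    """
    # Rule 1 (registry): a non-zero value lets the client choose, so an
    # AES-capable client receives an AES ticket.
    if kdc_use_requested_etypes and client_supports_aes:
        return "AES"
    # Rule 2 (attribute): AES bits on the service's object make the KDC use AES.
    if effective_supported_etypes(attribute_value) & AES_MASK:
        return "AES"
    return "RC4-HMAC"


def cluster_name_access_breaks(attribute_value, kdc_use_requested_etypes, client_supports_aes):
    """True when Kerberos to a cluster name would end in KRB5KRB_AP_ERR_MODIFIED.

    Cluster names only handle tickets up to RC4-HMAC, so any AES ticket is one
    the cluster cannot decrypt.
    """
    return predicted_ticket_family(attribute_value, kdc_use_requested_etypes,
                                   client_supports_aes) == "AES"


def diagnose(attribute_value, kdc_use_requested_etypes, client_supports_aes):
    """Human-readable summary for one (cluster object, KDC, client) combination."""
    supported = effective_supported_etypes(attribute_value)
    family = predicted_ticket_family(attribute_value, kdc_use_requested_etypes,
                                     client_supports_aes)
    return "\n".join([
        f"msDS-SupportedEncryptionTypes: {attribute_value!r} -> effective {supported} "
        f"({', '.join(decode_etypes(supported))})",
        f"KdcUseRequestedEtypesForTickets: {kdc_use_requested_etypes}",
        f"client AES-capable: {client_supports_aes}",
        f"predicted ticket encryption: {family}",
        "cluster name access: " + ("FAILS (KRB5KRB_AP_ERR_MODIFIED)" if family == "AES" else "OK"),
    ])


if __name__ == "__main__":
    # Constructed scenarios, not captured data.
    print(diagnose(None, 0, True), "\n")        # default cluster object: OK
    print(diagnose(VISTA_DEFAULT, 0, True), "\n")  # attribute set to 31: fails
    print(diagnose(None, 1, True), "\n")        # registry value non-zero: fails
    print(diagnose(None, 1, False))             # pre-Vista client: OK
```

Feeding the function the attribute value read from the cluster's computer object and the registry value read from the DC that handles the request reproduces the four cases in the article: a cluster object with no attribute and no registry override gets an RC4-HMAC ticket and works; setting the 4th or 5th bit on the object, or a non-zero registry value with a Vista client, yields an AES ticket the cluster cannot decrypt.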

 

The problem may also occur with Microsoft Cluster Services (MSCS) cluster configurations.



For more information, please see the following Microsoft Knowledge Base article:

833708  KDC does not allow clients to specify an etype in Windows Server 2003

http://support.microsoft.com/default.aspx?scid=kb;EN-US;833708



DISCLAIMER

MICROSOFT AND/OR ITS SUPPLIERS MAKE NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY, RELIABILITY OR ACCURACY OF THE INFORMATION CONTAINED IN THE DOCUMENTS AND RELATED GRAPHICS PUBLISHED ON THIS WEBSITE (THE “MATERIALS”) FOR ANY PURPOSE. THE MATERIALS MAY INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS AND MAY BE REVISED AT ANY TIME WITHOUT NOTICE.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, MICROSOFT AND/OR ITS SUPPLIERS DISCLAIM AND EXCLUDE ALL REPRESENTATIONS, WARRANTIES, AND CONDITIONS WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING BUT NOT LIMITED TO REPRESENTATIONS, WARRANTIES, OR CONDITIONS OF TITLE, NON INFRINGEMENT, SATISFACTORY CONDITION OR QUALITY, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THE MATERIALS.
Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use (http://go.microsoft.com/fwlink/?LinkId=151500) for other considerations.

APPLIES TO
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Standard
  • Windows Vista Enterprise
  • Windows Vista Business
  • Windows Vista Ultimate
Keywords: kbclustering kbnomt kbrapidpub KB961302