Recently we ran into a strange issue. Our monitoring software started reporting thousands of “hacker” alerts on a mixed Windows 2003 / 2008 domain. The audit failures were coming from internal workstations and servers. After examining the spyware/virus theory, we started looking into Windows compatibility issues.
Here’s a sample of an Event ID 675.
Pre-authentication failed:
User Name: Username
User ID: DOMAIN\Username
Service Name: krbtgt/DOMAIN
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 10.0.0.100
We began with this Microsoft TechNet article, which gave us a brief explanation of what we were dealing with. Unfortunately, the article is somewhat dated, so it does not cover the differences between the Kerberos implementations in Windows Server 2003 and Windows Server 2008.
After hours of research it turned out that Windows 7 / Vista use a stronger encryption type for pre-authentication: AES256 by default. The default encryption type can be changed to RC4, which is what Windows 2003 / XP use by default.
Note: if the Parameters key is not listed under Kerberos, you must create it.
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Entry: DefaultEncryptionType
Type: REG_DWORD
Default Value: 23 (decimal) or 0x17 (hexadecimal)
23 (decimal) is KERB_ETYPE_RC4_HMAC_NT
24 (decimal) is KERB_ETYPE_AES256_CTS_HMAC_SHA1_96
On the DC side, the registry entries that control the KDC:
If the value of this key is non-zero, the server will try to use the highest encryption level supported by the client PC. Windows 2003 servers require hotfix 833708.
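As an added example (not part of the original post), here is a PowerShell script that parses messages in the layout of the Event ID 675 sample above and summarises the failures per client address, which helps decide whether a flood of 0x18 failures is the Windows 7 / Vista encryption mismatch described here or a single host failing against many accounts; the sample messages and the $ManyAccounts threshold are constructed assumptions.

```powershell
# Added example, not code from the original post: parse Event ID 675 message text and
# summarise pre-authentication failures per client address, so a fleet-wide etype mismatch
# (each host failing for its own user with Failure Code 0x18) stands apart from one host
# failing against many accounts.
function ConvertFrom-Event675Message {
    param([Parameter(Mandatory = $true)][string]$Message)
    # Each label is followed by its value, which runs up to the next label.
    $pattern = 'User Name:\s*(?<User>\S+).*?Pre-Authentication Type:\s*(?<PreAuthType>0x[0-9A-Fa-f]+)' +
               '.*?Failure Code:\s*(?<FailureCode>0x[0-9A-Fa-f]+).*?Client Address:\s*(?<Client>\S+)'
    $m = [regex]::Match($Message, $pattern, 'Singleline')
    if (-not $m.Success) { return $null }   # not a 675 message in the expected layout
    New-Object PSObject -Property @{
        User        = $m.Groups['User'].Value
        PreAuthType = $m.Groups['PreAuthType'].Value
        FailureCode = $m.Groups['FailureCode'].Value
        Client      = $m.Groups['Client'].Value
    }
}
function Get-PreAuthFailureSummary {
    # $ManyAccounts is an assumed triage threshold, not a value from the post.
    param([Parameter(Mandatory = $true)][string[]]$Messages, [int]$ManyAccounts = 2)
    $parsed = $Messages | ForEach-Object { ConvertFrom-Event675Message -Message $_ } | Where-Object { $_ -ne $null }
    $parsed | Group-Object -Property Client | ForEach-Object {
        $users = @($_.Group | Select-Object -ExpandProperty User -Unique)
        # One host failing for its own user with 0x18 matches the Windows 7 / Vista etype
        # mismatch; one host failing against many accounts deserves a closer look.
        $kind = if ($users.Count -gt $ManyAccounts) { 'many-accounts-one-host' } else { 'per-host-mismatch' }
        New-Object PSObject -Property @{
            Client        = $_.Name
            Failures      = $_.Count
            Code0x18      = @($_.Group | Where-Object { $_.FailureCode -eq '0x18' }).Count
            DistinctUsers = $users.Count
            Pattern       = $kind
        }
    }
}
# Constructed sample messages in the layout of the event shown above (not real log data).
$sample = @(
    'Pre-authentication failed: User Name: alice User ID: DOMAIN\alice Service Name: krbtgt/DOMAIN Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: 10.0.0.100',
    'Pre-authentication failed: User Name: bob User ID: DOMAIN\bob Service Name: krbtgt/DOMAIN Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: 10.0.0.101',
    'Pre-authentication failed: User Name: carol User ID: DOMAIN\carol Service Name: krbtgt/DOMAIN Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: 10.0.0.55',
    'Pre-authentication failed: User Name: dave User ID: DOMAIN\dave Service Name: krbtgt/DOMAIN Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: 10.0.0.55',
    'Pre-authentication failed: User Name: erin User ID: DOMAIN\erin Service Name: krbtgt/DOMAIN Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: 10.0.0.55'
)
Get-PreAuthFailureSummary -Messages $sample |
    Select-Object Client, Failures, Code0x18, DistinctUsers, Pattern | Format-Table -AutoSize
# On a Windows 2003 DC, feed real messages instead, e.g.:
# (Get-EventLog -LogName Security | Where-Object { $_.EventID -eq 675 }).Message
```

With the constructed sample, 10.0.0.100 and 10.0.0.101 each report one user and come out as per-host-mismatch, while 10.0.0.55 reports three distinct users and is flagged for a closer look.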