SOLVED: AN AUTHENTICATION ERROR HAS OCCURRED. THE ENCRYPTION TYPE REQUESTED IS NOT SUPPORTED BY THE KDC

Solution:

If you are seeing this error, go to ALL of your domain controllers and restart the Kerberos Key Distribution Center (KDC) service (short service name: Kdc).  Restart it on every DC, not just the one you suspect.  I have done this on live DCs without any errors or disruption in service.
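As an added example (not part of the original post), the following PowerShell does this from a single admin workstation: it lists every DC in the domain, shows which Kerberos encryption types each DC's computer account advertises in msDS-SupportedEncryptionTypes (the attribute the second reference at the end of this post describes) so you have a record of the state before changing anything, and then restarts the KDC service on all of the DCs. It assumes the RSAT ActiveDirectory module on the workstation, WinRM access to the DCs, and an account allowed to restart services on them; the bit values are the ones defined in MS-KILE.

```powershell
# Added example (not from the original post): list every DC in the domain,
# show the Kerberos encryption types each DC's computer account advertises,
# then restart the KDC service ("Kerberos Key Distribution Center", short
# name Kdc) on all of them, as the post recommends.
# Assumes: RSAT ActiveDirectory module on this machine, WinRM reachable on
# the DCs, and rights to restart services there.
Import-Module ActiveDirectory

# Bit values of msDS-SupportedEncryptionTypes (MS-KILE section 2.2.7).
$EncTypeBits = [ordered]@{
    'DES-CBC-CRC'               = 0x01
    'DES-CBC-MD5'               = 0x02
    'RC4-HMAC'                  = 0x04
    'AES128-CTS-HMAC-SHA1-96'   = 0x08
    'AES256-CTS-HMAC-SHA1-96'   = 0x10
}

function ConvertTo-EncTypeNames {
    param($Value)
    # Attribute absent: the account has never been told which types it
    # supports, so the KDC applies its defaults for that account.
    if ($null -eq $Value) { return '(not set; KDC default)' }
    $names = foreach ($kv in $EncTypeBits.GetEnumerator()) {
        if (([int]$Value) -band $kv.Value) { $kv.Key }
    }
    if (-not $names) { return ('(none: 0x{0:X})' -f [int]$Value) }
    return ($names -join ', ')
}

$dcs = Get-ADDomainController -Filter * | Sort-Object HostName

# Report first, so there is a record of the state before touching anything.
foreach ($dc in $dcs) {
    $acct = Get-ADComputer -Identity $dc.ComputerObjectDN `
                -Properties msDS-SupportedEncryptionTypes
    $enc  = ConvertTo-EncTypeNames $acct.'msDS-SupportedEncryptionTypes'
    Write-Host ('{0,-30} {1}' -f $dc.HostName, $enc)
}

# Restart the KDC on EVERY DC, not just one: the comments on this post
# report that restarting it on only some of the DCs left the error in place.
foreach ($dc in $dcs) {
    Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        Restart-Service -Name Kdc -Force
        Get-Service -Name Kdc |
            Select-Object @{ n = 'DC'; e = { $env:COMPUTERNAME } }, Status
    }
}
```

Run it once before and once after the restart; the first loop's output is what you would compare if the error comes back, since a stale or missing msDS-SupportedEncryptionTypes value is the first thing to look at after a functional-level change.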


Details:

I found the error "An Authentication Error Has Occurred.  The Encryption Type Requested Is Not Supported by the KDC" intermittently when trying to RDP to various Server 2008 and 2008 R2 servers.

Last week, I moved the forest and domain functional level to 2008 (from 2003) and a few days later I started seeing problems with my Exchange 2007 SP2 server (a Hyper-V VM running Server 2008 R1 on a 2008 R1 host).  Specifically, users were not able to connect to Exchange via Outlook, ActiveSync or BlackBerry Enterprise Server 5 (which is on the same VM).  I spent MANY hours chasing DNS, Group Policy, NIC and other settings but found that the problem went away after a reboot… that was on Friday.

The next day (Saturday), I had the same problem with Exchange.  I found that if I ran GPUPDATE, it would error out and the event viewer would record:

"error code 82: Windows could not authenticate to the Active Directory service on a domain controller (LDAP Bind function call failed)"

I also found that I could not get Exchange's Transport service to restart.  It would stop but fail to start.

Most of the articles I read said this relates to DNS problems, but I am confident in my DNS config:

– all 4 DCs point to themselves for primary DNS and to one other DC for secondary DNS
– I can resolve host names throughout the network, including all of the DCs and the server in question
– REPADMIN /SHOWREPL <DC-HOSTNAME> shows expected results
– DCDIAG and DCDIAG /FIX provide expected results
– I can browse \\host-name\ on each DC and see the SYSVOL folder
– the problem server (Exchange 2007 on Server 2008) is NOT a DC; it is just a member server
– there is only ONE subnet and one physical location/site
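As an added example (not part of the original post), this PowerShell runs the checks in that list against every DC from one admin workstation, using the same tools the post uses by hand (repadmin, dcdiag, the SYSVOL share) plus WMI to read each DC's own DNS client order, which works against 2008-era DCs without WinRM. It assumes RSAT (the ActiveDirectory module, repadmin.exe and dcdiag.exe) on the workstation and RPC/DCOM and SMB access to the DCs.

```powershell
# Added example (not from the original post): run the post's DC sanity
# checks against every DC in the domain from one admin workstation.
# Assumes: RSAT (ActiveDirectory module, repadmin.exe, dcdiag.exe) on this
# machine and RPC/DCOM/SMB access to the DCs.
Import-Module ActiveDirectory

$dcs   = Get-ADDomainController -Filter * | Sort-Object HostName
$dcIPs = @($dcs | ForEach-Object { $_.IPv4Address })

foreach ($dc in $dcs) {
    $name = $dc.HostName
    Write-Host "=== $name ==="

    # 1. DNS client order on the DC itself. The post's rule is "itself
    #    first, one other DC second"; WMI reads it without needing WinRM.
    $nics = Get-WmiObject -Class Win32_NetworkAdapterConfiguration `
                -ComputerName $name -Filter "IPEnabled = TRUE"
    $dnsOrder = @($nics | ForEach-Object { $_.DNSServerSearchOrder } |
                  Where-Object { $_ })
    Write-Host ("DNS servers: {0}" -f ($dnsOrder -join ', '))
    if ($dnsOrder.Count -lt 2) {
        Write-Warning "${name}: fewer than two DNS servers configured"
    } elseif ($dnsOrder[0] -ne $dc.IPv4Address -and $dnsOrder[0] -ne '127.0.0.1') {
        Write-Warning "${name}: first DNS server is not itself"
    } elseif ($dcIPs -notcontains $dnsOrder[1]) {
        Write-Warning "${name}: second DNS server is not another DC"
    }

    # 2. Name resolution and the SYSVOL share, as the post checks by hand.
    try   { [void][System.Net.Dns]::GetHostAddresses($name) }
    catch { Write-Warning "${name}: name does not resolve: $_" }
    if (-not (Test-Path "\\$name\SYSVOL")) {
        Write-Warning "${name}: \\$name\SYSVOL not reachable"
    }

    # 3. Replication partners with errors, then dcdiag in quiet mode,
    #    which prints only failures ("... failed test X" lines).
    & repadmin.exe /showrepl $name /errorsonly
    $diag   = & dcdiag.exe "/s:$name" /q
    $failed = @($diag | Where-Object { $_ -match 'failed test' })
    if ($failed) { $failed | ForEach-Object { Write-Warning "${name}: $_" } }
    else         { Write-Host "dcdiag: no failures reported" }
}
```

If every DC comes back clean here, DNS and replication are not the cause and the KDC restart is the next step; if one DC warns on its DNS order or fails a dcdiag test, fix that DC first, because the symptoms the post describes (GPUPDATE LDAP bind failures, intermittent RDP errors) look the same either way.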

After a while I was able to get GPUPDATE to run without error, and after restarting all of the Exchange and BlackBerry services, all appeared well.  I made several small changes, but I believe none of them resolved the issue; I think it was simply time that resolved this.

I ran Windows Updates on this Exchange 2007 Server 2008 R1 VM and rebooted without problem but the RDP issue remains.

When I Remote Desktop (RDP) to the server (from Win 7, from Server 2008, or even from the Server 2008 R2 Hyper-V host itself) I get the KDC error above, but I can still log into the Exchange server via the Hyper-V console.

On the off chance that the DC the VM was using for DNS was the problem, I pointed the Exchange Server 2008 VM at two other DCs for DNS, but that did not resolve the issue.


For more background on this KDC error and on how encryption types are negotiated, you may find these references useful:

http://blogs.technet.com/b/ad/archive/2007/11/02/server-2008-and-windows-vista-encryption-better-together.aspx

http://blogs.msdn.com/b/openspecification/archive/2009/09/12/msds-supportedencryptiontypes-episode-1-computer-accounts.aspx


Comments:

  • We have two 2012R2 Hyper-V hosts replicating from one to the other. Today I inadvertently violated the cardinal rule: "Never make more than one change at a time."

    I had to replace a UPS in my NOC, so I shut down four servers, one of which was my Hyper-V replication target. One of the servers kicked into that "Applying 1 of 98 updates" and it literally took 5 hours to finish. During that time, I raised the Domain Function Level on the main DC from 2003 to 2008R2 (I guess I was bored.)

    After I brought the rack back up (after swapping the UPS), I noticed that replication had broken. I searched a number of event log errors, but none worked until I found this page.

    My replica target had the following 29212 Event ID "Hyper-V failed to authenticate the primary server using Kerberos authentication. Error: The I/O operation has been aborted because of either a thread exit or an application request. (0x800703E3)"

    I promptly opened both of my DCs and restarted the KDC service on each. BAM! That was all it took.

    Thanks a million!

    Randy

  • I almost forgot to mention something. To add to my previous comment, we recently raised the forest/domain levels a few days ago. It may be that the KDC was stale and needed to be refreshed (restarted) after raising the levels.

  • MANY KUDOS TO YOU GOOD SIR!!!

    We had the same issue when we would try to RDP into certain systems - "An RDP authentication error has occurred" with a 0x80004005 error code. This was happening on both DCs and member servers (and it was only a few of each of them; we could RDP into some of the servers, including DCs, but not others). We tried the WIMMGMT stuff, checking DNS and all the other stuff. I found your article here about restarting the KDC on all DCs. We tried it on a couple of our DCs and still had the problem, so we just restarted the KDC service on all of them and everything works now.

    I think that root cause is due to there being an issue with the KDC service on one of the FSMO role DC servers, and restarting the KDC on that server resolves the problem (maybe some type of "corruption"). We didn't have time to test further to isolate the issue.

    BTW - another solution, changing the RDP setting from "Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure)" to "Allow connections from computers running any version of Remote Desktop (less secure)" resolved the issue as well (at least temporarily). This could be a temporary stop-gap, if needed but once you change the setting back, the RDP authentication error reoccurs.

    Anyway, KUDOS to you - and THANK YOU!!

  • Thanks a lot, this helped me with Hyper-V replication problems after upgrading domain level from 2003 to 2008R2!

  • Thanks, man! This solved my DC problem when it restarts after a failure in our electrical architecture.
    Simply resetting the service on the other 3 DCs solved the problem!
