Unfortunately I can't raise my DFL yet - I still have a 2003 DC in a branch office that cannot be upgraded.
Sean Rector, MCSE From: Brian Desmond [mailto:[email protected]] Sent: Thursday, October 01, 2009 10:02 PM To: NT System Admin Issues Subject: RE: krbtgt Account issues Well basically something requested AES256 encryption (a Vista+ client) and there isn't such an encryption type available. That account is supposed to get its password rotated automatically when you go to DFL3 (WS2008). It would appear as though that did not happen (or have you not raised your DFL?). You should just be able to reset the krbtgt password to something of your choosing and be on your merry way. It's possible you may have boxes which need to be bounced after this but this shouldn't happen. Thanks, Brian Desmond [email protected] c - 312.731.3132 From: Ken Schaefer [mailto:[email protected]] Sent: Thursday, October 01, 2009 8:05 PM To: NT System Admin Issues Subject: RE: krbtgt Account issues Hi, You do not need to enable that account. It's only purpose is to provide a password that can be used to derive certain protections applied to TGTs. To be honest - I've never seen this error before, and I'm entirely sure why you're in this situation. After resetting the password, have you given time for the changes to propagate, and also tried purging the tickets of the service in question? Cheers Ken From: Sean Rector [mailto:[email protected]] Sent: Friday, 2 October 2009 1:21 AM To: NT System Admin Issues Subject: krbtgt Account issues I'm getting the event listed below when my BES server tries to do an LDAP lookup. The problem is that while I can reset the krbtgt account's password, it is disabled and cannot be enabled. The Kerberos Key Distribution service runs on the System Account. What's the best method for clearing this problem? Log Name: System Source: Microsoft-Windows-Kerberos-Key-Distribution-Center Date: 10/1/2009 1:05:51 PM Event ID: 14 Task Category: None Level: Error Keywords: Classic User: N/A Computer: VOA-NOR-DC01.vaopera.net Description: While processing an AS request for target service krbtgt/VAOPERA.NET, the account account.adm did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 3). The requested etypes : 18. The accounts available etypes : 23 -133 -128 3 -140. Changing or resetting the password of krbtgt will generate a proper key. Sean Rector, MCSE Information Technology Manager Virginia Opera Association Information Technology Manager Virginia Opera Association E-Mail: [email protected]<mailto:[email protected]> Phone: (757) 213-4548 (direct line) {+} Virginia Opera's 35th Anniversary Season<http://www.vaopera.org> The One You Love Celebrate with a 2009-2010 Subscription: La Boh?me<http://www.vaopera.org/html/currentoperas/opera1.cfm>, The Daughter of the Regiment<http://www.vaopera.org/html/currentoperas/opera2.cfm>, Don Giovanni<http://www.vaopera.org/html/currentoperas/opera3.cfm> and Porgy and BessSM<http://www.vaopera.org/html/currentoperas/opera4.cfm> Visit us online at www.vaopera.org<http://www.vaopera.org> or call 1-866-OPERA-VA The vision of Virginia Opera is to enrich lives through the powerful integration of music, voice and human drama ________________________________ This e-mail and any attached files are confidential and intended solely for the intended recipient(s). Unless otherwise specified, persons unnamed as recipients may not read, distribute, copy or alter this e-mail. Any views or opinions expressed in this e-mail belong to the author and may not necessarily represent those of Virginia Opera. Although precautions have been taken to ensure no viruses are present, Virginia Opera cannot accept responsibility for any loss or damage that may arise from the use of this e-mail or attachments. {*} ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
