Microsoft KB Archive/918442

= Kerberos authentication is unsuccessful in the Local System security context when the computer account password has recently changed on a computer that is running Windows Server 2003 =

Article ID: 918442

Article Last Modified on 10/11/2007

-

APPLIES TO

 * Microsoft Windows Server 2003, Standard x64 Edition
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Server 2003, Datacenter x64 Edition
 * Microsoft Windows Server 2003 SP1, when used with:
   * Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
   * Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
   * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
   * Microsoft Windows Server 2003, Enterprise Edition
   * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
   * Microsoft Windows Server 2003, Web Edition

-


SYMPTOMS
Consider the following scenario. On a computer that is running Microsoft Windows Server 2003, the password of the computer account has recently changed. This computer issues a Kerberos ticket-granting ticket (TGT) request on behalf of a local program that runs in the Local System security context. In this scenario, the domain controller that services the TGT request returns a 0x18 Kerberos pre-authentication error, and the authentication is unsuccessful.

This problem does not occur if the program runs in a user account's security context for Kerberos authentication.


CAUSE
This problem occurs when the password of the computer account on the Kerberos client that submits the TGT request is newer than the password on the domain controller.

If a change to the computer account password is not updated on the targeted domain controller, Kerberos authentication is unsuccessful for programs that run in the Local System account. Starting in Windows 2000 with Service Pack 3, the primary domain controller (PDC) is not updated immediately after a change to the computer account. Therefore, when the domain controller contacts the PDC to request an updated password for the computer account, the request is unsuccessful. If the Kerberos client runs in a user account's security context, the Kerberos client uses the older password to send a second TGT request, and the TGT request succeeds. However, if the Kerberos client runs in the Local System account, the OldPassword value is not available. Therefore, the second request is not sent, and Kerberos authentication is unsuccessful.

Note The SMTP service in Microsoft Exchange Server 2003 is one program that runs in the Local System account.

RESOLUTION

Service pack information
To resolve this problem, obtain the latest service pack for Windows Server 2003. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

889100 How to obtain the latest service pack for Windows Server 2003

Prerequisites
No prerequisites are required.

Restart requirement
You have to restart the computer after you apply this hotfix.

Hotfix replacement information
This hotfix does not replace any other hotfixes.

File information
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

Windows Server 2003, Itanium-based versions

STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. This problem was first corrected in Windows Server 2003 Service Pack 2.


MORE INFORMATION
The Kerberos error occurs in the following scenario:
 * 1) A Windows Server 2003-based computer that is named \\Contoso-client hosts a server-based process that runs in the Local System security context. The Kerberos client on \\Contoso-client submits Kerberos authentication requests on behalf of this process.
 * 2) The password of the computer account for the computer that hosts the program changes on a Windows Server 2003-based domain controller. The domain controller is named \\Contoso-DC-01.

Note A domain controller that is running the original release version of Windows Server 2003 does not replicate password updates for computer accounts to the domain PDC.
 * 3) The program on \\Contoso-client requests mutual authentication. The Kerberos client on \\Contoso-client submits a TGT request that is encrypted by using a hash of its current computer account password.

Note Kerberos clients that are running the original release version of Windows Server 2003 do not populate the OldPassword field in the Kerberos logon structure with the previous computer account password.
 * 4) A different domain controller services the TGT request. This domain controller is named \\Contoso-DC-02.

The Active Directory directory service on \\Contoso-DC-02 includes the old password for the Kerberos client. Active Directory determines whether the new password is available on the PDC of the domain. The new password is not present on the PDC.
 * 5) The \\Contoso-DC-02 domain controller returns the 0x18 pre-authentication error to the Kerberos client. Therefore, Kerberos authentication is unsuccessful. If the Kerberos client then tries to use NTLM for fallback authentication, this authentication attempt is also unsuccessful.
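The following model, added here and not part of the Knowledge Base article or any Microsoft code, walks through the CAUSE section and the five-step scenario above: the servicing DC checks the pre-authentication data against the password it holds, then against the PDC's copy, and the client retries with OldPassword only when it has one. The key derivation and PA-ENC-TIMESTAMP construction are toy stand-ins (an assumption, not RFC 3961 string-to-key), and the names Kdc, request_tgt and the sample passwords are constructed for the example.

```python
"""Model of the KB 918442 pre-authentication failure (added example)."""
import hashlib
import hmac

KDC_ERR_PREAUTH_FAILED = 0x18  # error code reported in the article


def key_from_password(password: str) -> bytes:
    # Toy stand-in for Kerberos string-to-key (assumption, not RFC 3961).
    return hashlib.sha256(password.encode()).digest()


def preauth_token(password: str, timestamp: str) -> bytes:
    # Stand-in for PA-ENC-TIMESTAMP: a MAC over the timestamp under the key.
    return hmac.new(key_from_password(password), timestamp.encode(), "sha256").digest()


class Kdc:
    """The domain controller that services the AS-REQ (\\Contoso-DC-02)."""

    def __init__(self, local_password: str, pdc_password: str):
        self.local_password = local_password  # copy replicated to this DC
        self.pdc_password = pdc_password      # copy held by the domain PDC

    def as_req(self, token: bytes, timestamp: str) -> int:
        # Verify against the local copy first, then ask the PDC for a newer one.
        for candidate in (self.local_password, self.pdc_password):
            if hmac.compare_digest(token, preauth_token(candidate, timestamp)):
                return 0  # TGT issued
        return KDC_ERR_PREAUTH_FAILED


def request_tgt(kdc: Kdc, current_password: str, old_password, timestamp="20070101000000Z") -> int:
    """Kerberos client on \\Contoso-client: old_password is None in the Local System context."""
    rc = kdc.as_req(preauth_token(current_password, timestamp), timestamp)
    if rc == KDC_ERR_PREAUTH_FAILED and old_password is not None:
        # Second TGT request with OldPassword; only possible in a user context.
        rc = kdc.as_req(preauth_token(old_password, timestamp), timestamp)
    return rc


if __name__ == "__main__":
    # Constructed sample: DC-02 and the PDC still hold the old computer password.
    stale_dc = Kdc("old-pw", "old-pw")
    print("user context:", hex(request_tgt(stale_dc, "new-pw", "old-pw")))   # 0x0
    print("Local System:", hex(request_tgt(stale_dc, "new-pw", None)))       # 0x18
    # Once the PDC has the new password, the Local System request succeeds.
    print("PDC updated:", hex(request_tgt(Kdc("old-pw", "new-pw"), "new-pw", None)))  # 0x0
```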

If the value of the KerbDebugLevel registry entry is set to 1 on the computer that issues the TGT, the following event is logged in the local System log:

Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 3
Date:
Time:
User: N/A
Computer:
Description:
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time:
Error Code: 0x18 KDC_ERR_PREAUTH_FAILED
Extended Error:
Client Realm:
Client Name:
Server Realm:
Server Name:
Target Name:
Error Text:
File: e
Line: 6bc
Error Data is in record data.
For more information, see Help and Support Center at http://support.microsoft.com.


For more information about the terms that are used in this article, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates

Technical support for x64-based versions of Microsoft Windows
If your hardware came with a Microsoft Windows x64 edition already installed, your hardware manufacturer provides technical support and assistance for the Windows x64 edition. In this case, your hardware manufacturer provides support because a Windows x64 edition was included with your hardware. Your hardware manufacturer might have customized the Windows x64 edition installation by using unique components. Unique components might include specific device drivers or might include optional settings to maximize the performance of the hardware. Microsoft will provide reasonable-effort assistance if you need technical help with a Windows x64 edition. However, you might have to contact your manufacturer directly. Your manufacturer is best qualified to support the software that your manufacturer installed on the hardware. If you purchased a Windows x64 edition such as a Microsoft Windows Server 2003 x64 edition separately, contact Microsoft for technical support.

For product information about Microsoft Windows XP Professional x64 Edition, visit the following Microsoft Web site:

http://www.microsoft.com/windowsxp/64bit/default.mspx

For product information about x64-based versions of Microsoft Windows Server 2003, visit the following Microsoft Web site:

http://www.microsoft.com/windowsserver2003/64bit/x64/default.mspx

Keywords: kbbug kbfix kbqfe kbpubtypekc kbwinserv2003sp1fix kbhotfixserver kbwinserv2003sp2fix KB918442

-


© Microsoft Corporation. All rights reserved.