Savannah_Greene
We have RC4 disabled and have applied all patches. DefaultDomainSupportedEncTypes is set to 0x18 on all DCs. We rotate the krbtgt monthly (twice with 10 hours separation). Everything seems to be working. However, we have started to migrate away from passwords and use smart cards. Users with "Smart card is required for interactive logon" checked start to generate event ID 14 on DCs, but slightly different from what you say to watch out for.
"While processing an AS request for target service krbtgt, the account XXXXXX did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). The requested etypes : 18 17 3. The accounts available etypes : 23. Changing or resetting the password of XXXXX will generate a proper key."
The accounts no longer have a password per se but the random NT hash from checking the box. If we assign a password again and remove the smart card box, the event 14 stops appearing for that account. Check11-Bissues comes back clean and only mentions all our DCs that have RC4 disabled, which is all of them. I've done a lot of searching and so far can't find anything where checking the smart card required box generates this event. It seems like this could be a benign message. Or should I be concerned?
Thanks,
Eli
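
Added example, not part of the comment above: a Python sketch for triaging this kind of event 14 text by parsing out the requested and available etypes and comparing them with the 0x18 mask the comment reports. The function names are hypothetical; the sample message is the one quoted in the comment, and the etype numbers and bit flags are the standard Kerberos and msDS-SupportedEncryptionTypes assignments.

```python
import re

# Kerberos etype numbers -> names (standard assignments).
ETYPE_NAMES = {1: "DES-CBC-CRC", 3: "DES-CBC-MD5", 17: "AES128-CTS-HMAC-SHA1-96",
               18: "AES256-CTS-HMAC-SHA1-96", 23: "RC4-HMAC"}
# SupportedEncTypes bit flag -> etype number.
ENC_BITS = {0x1: 1, 0x2: 3, 0x4: 23, 0x8: 17, 0x10: 18}

EVENT14 = re.compile(
    r"AS request for target service (?P<service>\S+), the account (?P<account>\S+) "
    r"did not have a suitable key.*?requested etypes\s*:\s*(?P<req>[\d ]+)\."
    r".*?available etypes\s*:\s*(?P<avail>[\d ]+)\.", re.S)

# Message text as quoted in the comment (account name already redacted there).
SAMPLE = ("While processing an AS request for target service krbtgt, the account "
          "XXXXXX did not have a suitable key for generating a Kerberos ticket "
          "(the missing key has an ID of 1). The requested etypes : 18 17 3. "
          "The accounts available etypes : 23. Changing or resetting the password "
          "of XXXXX will generate a proper key.")

def decode_enc_mask(mask):
    """Return the set of etype numbers enabled by a SupportedEncTypes bitmask."""
    return {etype for bit, etype in ENC_BITS.items() if mask & bit}

def triage_event14(message, policy_mask):
    """Parse an event 14 message; return None if the text does not match."""
    m = EVENT14.search(message)
    if m is None:
        return None
    requested = [int(x) for x in m["req"].split()]
    available = [int(x) for x in m["avail"].split()]
    allowed = decode_enc_mask(policy_mask)
    return {
        "account": m["account"],
        "service": m["service"],
        "requested": requested,
        "available": available,
        # etypes the client asked for that the account actually has keys for
        "common": sorted(set(requested) & set(available)),
        # etypes the mask enables but the account has no key for
        "missing_for_policy": sorted(allowed - set(available)),
    }

if __name__ == "__main__":
    result = triage_event14(SAMPLE, 0x18)
    for etype in result["missing_for_policy"]:
        print(result["account"], "has no key for", ETYPE_NAMES[etype])
```
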