Feb 15 2022 06:40 AM - edited Feb 17 2022 03:04 AM
Hello,
Today, I found issues in my Windows System event log:
- LSA (LsaSrv) event ID 6038 (level: Warning):
Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.
- Security-Kerberos event ID 4 (level: Error):
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server servername$. The target name used was HOST/localhost. This indicates that the target server failed to decrypt the ticket provided by the client.
These event IDs appear at each start/restart of the servers.
What I have done for now to investigate is:
- The domain functional level is set to Windows Server 2016.
- Checked for duplicate SPNs with setspn -x, executed from a server => no duplicates found.
- I never created a GPO for Kerberos settings (allowed encryption types, for example), so the domain controllers and member servers have no settings configured for this (I have checked with RSOP).
- Ran klist tickets to see whether there are Kerberos tickets in the cache => yes, details below.
- I've attached a screenshot of my Wireshark capture showing the Kerberos error "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN".
-------------------------------------------------------
C:\Users\USERNAME>klist tickets
Current LogonId is 0:0x19e8112
Cached Tickets: (3)
#0> Client: USERNAME @ DOMAIN.LOC
Server: krbtgt/DOMAIN.LOC @ DOMAIN.LOC
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
Start Time: 2/15/2022 15:19:32 (local)
End Time: 2/16/2022 1:19:32 (local)
Renew Time: 2/22/2022 15:19:32 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x1 -> PRIMARY
Kdc Called: DOMAIN_CONTROLLER
#1> Client: USERNAME @ DOMAIN.LOC
Server: LDAP/DOMAIN_CONTROLLER.DOMAIN.LOC/DOMAIN.LOC @ DOMAIN.LOC
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
Start Time: 2/15/2022 15:25:29 (local)
End Time: 2/16/2022 1:19:32 (local)
Renew Time: 2/22/2022 15:19:32 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: DOMAIN_CONTROLLER.DOMAIN.LOC
#2> Client: USERNAME @ DOMAIN.LOC
Server: host/MEMBER_SERVER.DOMAIN.LOC @ DOMAIN.LOC
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
Start Time: 2/15/2022 15:19:32 (local)
End Time: 2/16/2022 1:19:32 (local)
Renew Time: 2/22/2022 15:19:32 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: DOMAIN_CONTROLLER.DOMAIN.LOC
-----------------------------------------------------------------------
What is the best approach you could advise me?
Thanks in advance.
Regards,
Bernard
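The checks listed in the post (pulling the two events, finding which account holds the target SPN, re-running the duplicate-SPN scan and dumping the ticket cache) can be gathered in one pass with the PowerShell script below. This is an added example, not code from the post or from Microsoft. It assumes it is run in an elevated session on the affected member server, that event 6038 and event 4 are written to the System log under the providers 'LsaSrv' and 'Microsoft-Windows-Security-Kerberos', and that the event 4 message text follows the wording quoted above (the regex is built from that sentence). The $Days parameter and the report layout are my own choices; setspn.exe and klist.exe ship with Windows.

```powershell
# Added example, not from the original post: collect the evidence the post
# describes from one member server in a single report.
# Assumptions: elevated session on the affected server; events are in the
# System log under the two provider names used below; setspn.exe and
# klist.exe are on the PATH (both ship with Windows).
param(
    [int]$Days = 7   # how far back to search the System log (assumed default)
)

$since = (Get-Date).AddDays(-$Days)

# 1. LsaSrv 6038: NTLM was used against this server since the last boot.
$ntlmEvents = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'LsaSrv'
    Id           = 6038
    StartTime    = $since
} -ErrorAction SilentlyContinue

# 2. Security-Kerberos event 4: the client got KRB_AP_ERR_MODIFIED.
$krbEvents = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Security-Kerberos'
    Id           = 4
    StartTime    = $since
} -ErrorAction SilentlyContinue

"LsaSrv 6038 events in the last $Days days: $($ntlmEvents.Count)"
"Kerberos event 4 in the last $Days days:   $($krbEvents.Count)"

# Pull the responding server and the target SPN out of each event 4 message.
# The pattern follows the message text quoted in the post.
$pattern = 'error from the server (?<server>\S+)\. The target name used was (?<spn>\S+)\.'
$targets = foreach ($e in $krbEvents) {
    if ($e.Message -match $pattern) {
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Server = $Matches.server
            SPN    = $Matches.spn
        }
    }
}
$targets | Sort-Object SPN -Unique | Format-Table -AutoSize

# 3. For each distinct target SPN, ask AD which account registers it.
#    setspn -Q prints "No such SPN found." when nothing is registered, which
#    is the same condition the KDC reports as KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN.
foreach ($spn in ($targets.SPN | Sort-Object -Unique)) {
    $hostPart = ($spn -split '/')[1]
    if ($hostPart -match '^(localhost|127\.0\.0\.1)$' -or $hostPart -notmatch '\.') {
        # Computer accounts register HOST/<name> and HOST/<fqdn> for their own
        # name only; a target such as HOST/localhost maps to no account.
        Write-Warning "Target '$spn' is not a fully qualified host name; no AD account registers this SPN by default."
    }
    "--- setspn -Q $spn ---"
    & setspn.exe -Q $spn
}

# 4. Forest-wide duplicate SPN scan (the post already ran this; repeated here
#    so the result lands in the same report).
"--- setspn -X ---"
& setspn.exe -X

# 5. Kerberos ticket cache of the current logon session.
"--- klist tickets ---"
& klist.exe tickets
```

Reading the report: KRB_AP_ERR_MODIFIED means the service tried to decrypt a ticket with a key different from the one the KDC used to encrypt it. The two places that key can diverge are the SPN (registered on an account other than the one the service actually runs as, so the KDC uses that other account's key) and the account password itself (a computer whose password is out of step with AD). The setspn -Q line for each target SPN therefore tells you which of the two to pursue: an SPN on an unexpected account points at the first, an SPN on the right account points at the second, and no SPN at all matches the KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN seen in the capture.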