NTLM / Kerberos issue eventID 6038 & 4

Copper Contributor

Hello,

 

Today, I found issues in my Windows System event log:

 

- LSA(LsaSrv) eventID 6038 (LEVEL WARNING):

Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.

 

- Security-Kerberos eventID 4 (LEVEL ERROR):

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server servername$. The target name used was HOST/localhost. This indicates that the target server failed to decrypt the ticket provided by the client.

 

These event IDs appear at each start/restart of the servers.

 

What I have done for now to investigate is:

- The domain functional level is set to Server 2016

- Checked for duplicate SPNs with setspn -x executed from a server => no duplicates found.

- I never created a GPO for Kerberos settings (such as the allowed encryption types), so the domain controllers and member servers don't have any settings for it (I have checked with RSOP)

- Ran klist tickets to see if there are Kerberos tickets in the cache => yes, details below

- I've attached a screenshot of my Wireshark Kerberos error "krb5kdc_err_s_principal_unknown"

 

-------------------------------------------------------

C:\Users\USERNAME>klist tickets

Current LogonId is 0:0x19e8112

Cached Tickets: (3)

#0> Client: USERNAME @ DOMAIN.LOC
Server: krbtgt/DOMAIN.LOC @ DOMAIN.LOC
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
Start Time: 2/15/2022 15:19:32 (local)
End Time: 2/16/2022 1:19:32 (local)
Renew Time: 2/22/2022 15:19:32 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x1 -> PRIMARY
Kdc Called: DOMAIN_CONTROLLER

 

#1> Client: USERNAME @ DOMAIN.LOC
Server: LDAP/DOMAIN_CONTROLLER.DOMAIN.LOC/DOMAIN.LOC @ DOMAIN.LOC
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
Start Time: 2/15/2022 15:25:29 (local)
End Time: 2/16/2022 1:19:32 (local)
Renew Time: 2/22/2022 15:19:32 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: DOMAIN_CONTROLLER.DOMAIN.LOC

 

#2> Client: USERNAME @ DOMAIN.LOC
Server: host/MEMBER_SERVER.DOMAIN.LOC @ DOMAIN.LOC
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
Start Time: 2/15/2022 15:19:32 (local)
End Time: 2/16/2022 1:19:32 (local)
Renew Time: 2/22/2022 15:19:32 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: DOMAIN_CONTROLLER.DOMAIN.LOC

-----------------------------------------------------------------------

 

What is the best approach you could advise me?

Thanks in advance.

 

Regards,

Bernard
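The two checks the post describes (reading the Security-Kerberos event 4 and running setspn) can be scripted so that every event-4 target name is looked up against the forest, and the NTLM usage that event 6038 only announces is traced back to the accounts and workstations that produced it. The script below is an added example, not code from the original post or from Microsoft; it assumes the event text has the layout quoted above, that setspn.exe -Q prints its usual "CN=..." / "No such SPN found." output, and that the Security log's 4624 events carry the AuthenticationPackageName and LmPackageName data fields. The sample message fed to the parser is reconstructed from the post. Note that setspn -x only reports duplicate SPNs; it says nothing about an SPN that no account holds at all, which is why the exact SPN from the event is queried with -Q here.

```powershell
# Added example (not part of the original post). Assumptions are noted inline.

# Parse one Security-Kerberos event 4 message into the server that rejected the
# ticket and the SPN the client asked for. Returns $null when the text does not match.
function Parse-KerberosEvent4 {
    param([Parameter(Mandatory)][string]$Message)
    # Assumes the wording quoted in the post: "... from the server X$. The target name used was Y."
    $pattern = 'error from the server (?<server>\S+?)\.\s+The target name used was (?<spn>\S+?)\.'
    if ($Message -match $pattern) {
        [pscustomobject]@{
            Server = $Matches.server.TrimEnd('$')   # machine account name without the trailing $
            Spn    = $Matches.spn
        }
    }
}

# Ask the forest which accounts hold the SPN. setspn -Q prints the DN of every account
# that has it; "No such SPN found." means nobody does, i.e. the KDC cannot issue a ticket
# for it (the KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN case). Output layout is an assumption.
function Get-SpnOwner {
    param([Parameter(Mandatory)][string]$Spn)
    $out = @(& setspn.exe -Q $Spn 2>&1 | ForEach-Object { "$_" })
    [pscustomobject]@{
        Spn    = $Spn
        Owners = @($out | Where-Object { $_ -match '^CN=' })
        Found  = (($out -match 'No such SPN found').Count -eq 0)
    }
}

# Every Security-Kerberos event 4 since the last boot, already parsed.
function Get-KerberosEvent4 {
    $boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Security-Kerberos'
        Id           = 4
        StartTime    = $boot
    } -ErrorAction SilentlyContinue |
        ForEach-Object { Parse-KerberosEvent4 $_.Message } |
        Where-Object { $_ }
}

# Event 6038 only says "NTLM was used"; the Security log's 4624 logon events say by whom.
# Filtering on AuthenticationPackageName = NTLM and reading LmPackageName tells you
# whether it was NTLMv1 or NTLMv2 and from which workstation.
function Get-NtlmLogon {
    param([int]$MaxEvents = 50)
    $xpath = "*[System[EventID=4624]] and *[EventData[Data[@Name='AuthenticationPackageName']='NTLM']]"
    Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d   = ([xml]$_.ToXml()).Event.EventData.Data
            $get = { param($n) ($d | Where-Object Name -eq $n).'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = '{0}\{1}' -f (& $get 'TargetDomainName'), (& $get 'TargetUserName')
                Workstation = & $get 'WorkstationName'
                LmPackage   = & $get 'LmPackageName'     # "NTLM V1", "NTLM V2" or "LM"
                LogonType   = & $get 'LogonType'
            }
        }
}

# --- demo: the message text quoted in the post, reconstructed here as constructed sample input ---
$sample = 'The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server servername$. ' +
          'The target name used was HOST/localhost. This indicates that the target server failed ' +
          'to decrypt the ticket provided by the client.'
Parse-KerberosEvent4 $sample | Format-List   # Server: servername, Spn: HOST/localhost

# Live checks: only run where setspn.exe is available (domain-joined machine with RSAT/AD tools).
if (Get-Command setspn.exe -ErrorAction SilentlyContinue) {
    Get-KerberosEvent4 | Sort-Object Spn -Unique | ForEach-Object {
        $owner = Get-SpnOwner $_.Spn
        [pscustomobject]@{
            Server   = $_.Server
            Spn      = $_.Spn
            SpnFound = $owner.Found
            Owners   = ($owner.Owners -join '; ')
        }
    } | Format-Table -AutoSize

    Get-NtlmLogon | Format-Table -AutoSize
}
```

Run it in an elevated PowerShell session on the server that logs the event 4 (the Security log needs admin rights to read). A row whose SpnFound is false, or whose Owners list names a different account than the Server column, is the mismatch between the name the client asked for and the key the server holds that KRB_AP_ERR_MODIFIED describes; the NTLM table shows which account/workstation pairs fell back to NTLM and whether they used NTLMv1 or NTLMv2.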

 
