Forum Discussion
martinpernica (Copper Contributor)
Sep 11, 2024
Kerberos KDC Errors
Hello,
I have been testing Windows Server 2025 with the AD DC role, and sometimes in the event log I can see this error:
The Security Account Manager failed a KDC request in an unexpected way. The error is in the data field. The account name was and lookup type 0x108.
Just a note - I did not remove the account name; it is just not there, not even once.
I'm unable to connect it to some "action", so it looks a bit random. In the data field there is only C000000D (in words), which is the same every time. Event ID is 7.
Is this okay or anything to worry about?
- Joakim_Hellstrom (Copper Contributor)
It seems that 24H2 doesn't get the error but 23H2 does.
Log in with cached credentials (remove network first).
Test with "Test-ComputerSecureChannel"; if it returns False, it has lost the trust.
Then fix with "Test-ComputerSecureChannel -Repair -Credential (Get-Credential)" in an elevated PS. It should say True. If not, run the same command again. The credential that is needed is an account that has permissions to update the computer account.
- Thorsten0815 (Copper Contributor)
I have exactly the same issue after updating the DC to Server 2025!
Any solution? Thanks.
- Daradon (Copper Contributor)
Hello,
I think it has something to do with clients losing the domain trust. It is a bug. Every time a client logs in without ComputerSecureChannel being true, you get the KDC error, in my opinion.
- Daradon (Copper Contributor)
I still have the same error. I think it is in combination with the clients which are dropping off the domain with lost trust. But I'm not sure. I think we must wait for the January patch day. I hope so!
Please inform us if you have a fix.
- joel-wraight-ac (Occasional Reader)
I'm having the same issue on Server 2025. Paid £400 to Microsoft for a technical support ticket and they haven't got in contact in over a week. There are no words.
- Schmolli (Copper Contributor)
Hey joel-wraight-ac, did you get any solution from MS?
- Daradon (Copper Contributor)
Oh, that's bad. I think we must wait for the January Patch Day. I also have the problem with clients which are dropping off the domain every 30 days. Really bad bugs here!
joel-wraight-ac, please write here if you have a fix!
- MartinDT (Copper Contributor)
Disabling machine password change is a temp fix.
https://www.edugeek.net/forums/windows-server-2022/240312-windows-server-2025-dcs-causing-trust-relationship-problems-client-devices.html
- Daradon (Copper Contributor)
I have the same error. No effect on anything. Is it fixable?
- nate16 (Copper Contributor)
I'm seeing the same exact issue on Server 2025 with ADDS - did you ever work this out?
- kyazaferr (Steel Contributor)
Update and Patch the Server: If you are running Windows Server 2025 as part of the testing process, make sure it is fully updated, as this error may be related to early-stage bugs or configuration issues that have been addressed in later patches.
- If the error happens sporadically and doesn't affect normal operations, it may not be a critical issue, but it's still worth keeping an eye on.
- If it's causing authentication problems or occurring frequently, you should investigate the potential causes, including account validity, replication health, KDC service functionality, and network issues.
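To judge whether the event is sporadic or frequent, the occurrences can be counted per day on the domain controller. This is an added example, not part of the original thread. It assumes the event is written to the System log by the provider `Microsoft-Windows-Kerberos-Key-Distribution-Center` and that the data field holds a little-endian DWORD (the value Event Viewer shows in its "Words" view).

```powershell
# Added example: summarise KDC Event ID 7 on a domain controller.
# Assumptions: System log, provider name as below, 30-day look-back window.
$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 7
    StartTime    = (Get-Date).AddDays(-30)
}

# SilentlyContinue: Get-WinEvent raises an error when nothing matches.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    # Binary payload, when present, is a hex string of the raw bytes.
    $hex = $xml.Event.EventData.Binary
    $status = '(no data)'
    if ($hex -and $hex.Length -ge 8) {
        # Read the first four bytes as a little-endian DWORD so the value
        # matches what Event Viewer displays in the "Words" view.
        $bytes = for ($i = 0; $i -lt 8; $i += 2) {
            [Convert]::ToByte($hex.Substring($i, 2), 16)
        }
        $status = '{0:X8}' -f [BitConverter]::ToUInt32([byte[]]$bytes, 0)
    }
    [pscustomobject]@{
        Day    = $e.TimeCreated.ToString('yyyy-MM-dd')
        Status = $status
    }
}

if (-not $rows) {
    Write-Output 'No KDC Event ID 7 entries in the last 30 days.'
} else {
    # One line per day and status code, with the number of occurrences.
    $rows | Group-Object Day, Status |
        Sort-Object Name |
        Select-Object Count, Name
}
```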
- kyazaferr (Steel Contributor)
Check Account Existence: Ensure the account mentioned in the error log exists and is active. If it is a computer account, verify that it has not been deleted or disabled.
- You can use Active Directory Users and Computers (ADUC) or the PowerShell cmdlet Get-ADUser / Get-ADComputer to verify account status.
Verify KDC Service Status:
- Ensure that the KDC service is running on all Domain Controllers.
- You can check the status with
- kyazaferr (Steel Contributor)
The error you're encountering, "The Security Account Manager failed a KDC request in an unexpected way," with Event ID 7, typically indicates an issue with the Kerberos Key Distribution Center (KDC) in Active Directory. This can happen in various scenarios where there's an issue with authentication or when a request from a client (or another server) fails to complete properly.
The data field value C000000D you are seeing is a specific error code, and it translates to a STATUS_NO_SUCH_USER error, which means the KDC was unable to locate the specified user account. This error may occur in scenarios where:
- Account Lookup Failures: The KDC is receiving a request for an account that does not exist or cannot be found in the domain. This could happen due to:
- A stale or missing account.
- A misspelled username in a request.
- An issue with replication that prevents the KDC from retrieving information about the user or computer.
- Kerberos Authentication Issues: There could be a problem with the Kerberos ticket request process. For example, if a client is trying to authenticate and is sending an incorrect or malformed request, this error could be logged.
- Domain Controller or KDC Service Issues: If the KDC service is having trouble processing requests, it could lead to these types of errors. It could also indicate issues with Active Directory replication or a network connectivity issue between Domain Controllers.
Should you be concerned?
- If it's infrequent and there are no other signs of authentication issues (e.g., users can log in, Kerberos tickets are granted without issue), this might not be something to worry about right now.
- If this happens frequently, or you're seeing patterns of authentication failures tied to specific accounts or systems, it would be a good idea to investigate further.
- If you see other related KDC or replication errors in the event logs, they could indicate broader problems with Active Directory health or with the Kerberos authentication infrastructure.