When working with Active Directory environments, you might encounter repetitive Kerberos authentication errors in your Windows Event Log similar to:
Event ID: XYZ
A Kerberos Error Message was received:
on logon session DOMAIN\serviceaccount
Error Code: 0x19 KDC_ERR_PREAUTH_REQUIRED
Server Name: krbtgt/DOMAIN
Target Name: krbtgt/DOMAIN@DOMAIN
Contrary to initial impressions, this isn't necessarily an error condition. Windows clients use a two-step negotiation process:
- Initial request without pre-authentication (triggering KDC_ERR_PREAUTH_REQUIRED)
- Immediate follow-up request with proper pre-authentication data
The complete flow looks like this in network traces:
1. Client -> KDC: AS-REQ (no preauth)
2. KDC -> Client: KRB-ERROR (KDC_ERR_PREAUTH_REQUIRED)
3. Client -> KDC: AS-REQ (with PA-ENC-TIMESTAMP)
4. KDC -> Client: AS-REP (TGT ticket)
While typically benign, these events indicate potential issues when:
- They persist beyond the initial handshake
- They are accompanied by actual authentication failures
- They are generated for service accounts using older encryption types
To reduce log noise while maintaining security:
# PowerShell: Check account encryption types
Get-ADUser -Identity serviceaccount -Properties msDS-SupportedEncryptionTypes
# PowerShell: Update to modern encryption (the -KerberosEncryptionType parameter belongs to Set-ADUser, not Set-ADAccountControl)
Set-ADUser -Identity serviceaccount -KerberosEncryptionType AES128,AES256
For debugging or legacy system support:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"SupportedEncryptionTypes"=dword:0000001c
When building monitoring scripts, exclude these expected events:
# Sample Log Filter
Get-WinEvent -LogName System | Where-Object {
$_.Id -eq XYZ -and
$_.Message -notmatch "KDC_ERR_PREAUTH_REQUIRED.*followed by successful auth"
}
While suppressing these events, ensure:
- All domain controllers support modern encryption types
- No accounts are configured with DES-only encryption
- Pre-authentication remains enabled for all user accounts
The KDC_ERR_PREAUTH_REQUIRED (0x19) error occurs when a client attempts to obtain a Kerberos Ticket-Granting Ticket (TGT) without including required pre-authentication data. This is actually part of Windows' normal negotiation process to determine supported encryption types.
// Example of Kerberos AS-REQ (Authentication Service Request) flow
1. Client sends initial request without pre-auth
2. KDC responds with KDC_ERR_PREAUTH_REQUIRED
3. Client resends request with proper pre-auth data
4. KDC issues TGT
The constant logging occurs because:
- Service accounts may be configured without AES encryption support
- Older systems might only support RC4 encryption (deprecated)
- Domain controller policy enforces strict pre-authentication
Option 1: Configure Encryption Types
Update your domain's supported encryption types through Group Policy:
Computer Configuration → Policies → Windows Settings →
Security Settings → Local Policies → Security Options →
Network security: Configure encryption types allowed for Kerberos
Option 2: Modify Service Account Properties
For problematic service accounts, set the proper encryption flags:
Set-ADUser -Identity "serviceaccount" -KerberosEncryptionType "AES256,AES128"
For legacy systems, you might need registry tweaks:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters]
"SupportedEncryptionTypes"=dword:0000001c
Create a custom Event Viewer filter to exclude these non-critical events:
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">
      *[System[Provider[@Name='Microsoft-Windows-Kerberos-Key-Distribution-Center']
      and (Level &lt; 3) and not (EventID=26)]]
    </Select>
  </Query>
</QueryList>
Investigate further if you see:
- Failed authentication attempts after the initial PREAUTH error
- Multiple retries from the same account
- Accompanying errors like KDC_ERR_ETYPE_NOSUPP
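The triage rules above (a 0x19 that is not immediately resolved by a TGT, repeated retries from one account, and KDC_ERR_ETYPE_NOSUPP) can be applied to exported log data offline. The script below is an added example, not code from the page; it assumes a simplified "timestamp account outcome" line format (constructed here, not real Windows event text) and treats a KDC_ERR_PREAUTH_REQUIRED followed within two seconds by an AS-REP as the normal two-step handshake.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in an assumed "timestamp account outcome" format (one AS
# exchange result per line); not real Windows event text.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z DOMAIN\\svc-web KDC_ERR_PREAUTH_REQUIRED
2024-05-01T10:00:00Z DOMAIN\\svc-web AS-REP
2024-05-01T10:05:00Z DOMAIN\\svc-db KDC_ERR_PREAUTH_REQUIRED
2024-05-01T10:05:01Z DOMAIN\\svc-db KDC_ERR_PREAUTH_FAILED
2024-05-01T10:05:02Z DOMAIN\\svc-db KDC_ERR_PREAUTH_REQUIRED
2024-05-01T10:05:03Z DOMAIN\\svc-db KDC_ERR_PREAUTH_FAILED
2024-05-01T10:07:00Z DOMAIN\\svc-old KDC_ERR_PREAUTH_REQUIRED
2024-05-01T10:07:00Z DOMAIN\\svc-old KDC_ERR_ETYPE_NOSUPP
"""
# A PREAUTH_REQUIRED answered by AS-REP within this window is the normal handshake.
BENIGN_WINDOW = timedelta(seconds=2)

def parse(text):
    """Group (timestamp, outcome) pairs by account, oldest first (stable for ties)."""
    events = defaultdict(list)
    for line in text.splitlines():
        ts, account, outcome = line.split()
        events[account].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), outcome))
    return {acct: sorted(seq, key=lambda e: e[0]) for acct, seq in events.items()}

def triage(text):
    """Return {account: [reasons]} for accounts whose 0x19 errors were not
    resolved by a TGT, or that hit KDC_ERR_ETYPE_NOSUPP."""
    findings = defaultdict(list)
    for account, seq in parse(text).items():
        unresolved = 0
        for i, (ts, outcome) in enumerate(seq):
            if outcome == "KDC_ERR_ETYPE_NOSUPP":
                findings[account].append("etype not supported")
            if outcome != "KDC_ERR_PREAUTH_REQUIRED":
                continue
            nxt = seq[i + 1] if i + 1 < len(seq) else None
            if nxt and nxt[1] == "AS-REP" and nxt[0] - ts <= BENIGN_WINDOW:
                continue  # expected two-step negotiation: nothing to report
            unresolved += 1
            reason = "no follow-up" if nxt is None else f"followed by {nxt[1]}"
            findings[account].append("preauth error " + reason)
        if unresolved > 1:
            findings[account].append(f"{unresolved} unresolved preauth errors")
    return dict(findings)
```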