Ran into this error today logged every couple of hours in the event log.
Event Type: Error
Event Source: KDC
Event Category: None
Event ID: 26
Date: 11/11/2008
Time: 7:33:29 AM
User: N/A
Computer: ADGREENTEST2
Description:
While processing an AS request for target service krbtgt, the account MITC0312$ did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 2). The requested etypes were 18. The accounts available etypes were 23 -133 -128 3 1 -140.
I found this response from MS on the technet site.
Kerberos authentication protocol is significantly improved in Windows Vista with the following features
- AES support
- Improved security for Kerberos Key Distribution Centers (KDCs) located on branch office domain controllers
Typically, when the parties are operating systems running Windows Vista or Windows Server 2008, the exchange will use AES. However, if one of the parties is an operating system running Windows 2000 Professional, Windows 2000 Server, Windows XP, or Windows Server 2003, the exchange will not use AES.
Based on your configuration, Vista client, Windows Server 2003 DC as KDC, the cause of the KDC event 26/27 is the client computer sends the service ticket request with Etype which is not supported by Windows 2003 DC but supported by Windows 2008 DC. The error that is being logged on the Windows 2003 domain controller can safely be ignored as it is by design. The domain controller is just informing the client what Etypes it supports. Vista clients are then falling back to the supported types.