Windows XP Kerberos encryption

If you are having problems with OPC DCOM communication within your domain and are encountering the following errors and symptoms on the client side:

DCOM error code: “0x80070721”
Windows reports error 0x80070721 as: “A security package specific error occurred.”
Unable to receive data updates (asynchronous callbacks).

And the client’s Event Viewer security log is riddled with

status error 0xc00002ee “An Error occured during Logon.”
Event ID: 4625.

[Screenshots: Event Viewer security log entries]

You might want to do a Wireshark capture of your DCOM calls and Kerberos traffic.

You can isolate the Kerberos traffic by simply entering “kerberos” in the display filter field.

[Screenshot: Wireshark display filter]

If you notice any KRB5 TGS-REQ exchanges that come back with the KRB error KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, dig into the request’s encryption type list:

Kerberos -> tgs-req -> req-body -> etype

If no AES encryption type is listed there while you are running a domain functional level of Windows 2008 or higher, you are probably hitting a Windows XP flaw.
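An added example (not from the original post) that automates the check above over tshark field output: it flags clients whose TGS-REQs offered no AES etype and that were answered with KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, and separates them from clients that did offer AES and were still rejected. The tshark field names, the column layout and the hosts in the sample are assumptions.

```python
from collections import defaultdict

# Kerberos constants from RFC 4120 / RFC 3961.
MSG_TGS_REQ = 12
MSG_KRB_ERROR = 30
KDC_ERR_S_PRINCIPAL_UNKNOWN = 7
AES_ETYPES = {17, 18}  # aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

# Constructed sample (src|dst|msg_type|etype list|error_code), in the shape of
#   tshark -r dcom.pcap -Y kerberos -T fields -E separator='|' -E aggregator=',' \
#     -e ip.src -e ip.dst -e kerberos.msg_type -e kerberos.etype -e kerberos.error_code
# Field names are assumed from the Wireshark Kerberos dissector; hosts are made up.
SAMPLE = """\
10.0.0.21|10.0.0.5|12|23,3,1|
10.0.0.5|10.0.0.21|30||7
10.0.0.33|10.0.0.5|12|18,17,23,3,1|
10.0.0.5|10.0.0.33|30||7
10.0.0.44|10.0.0.5|12|18,17,23|
"""

def parse_lines(text):
    """Yield (src, dst, msg_type, etypes, error_code) from tshark field lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, msg_type, etypes, err = line.split("|")
        # Aggregated fields may hold several values; the first msg_type is the outer message.
        mt = int(msg_type.split(",")[0]) if msg_type else None
        ets = {int(e) for e in etypes.split(",") if e}
        code = int(err.split(",")[0]) if err else None
        yield src, dst, mt, ets, code

def triage(text):
    """Map each client that sent a TGS-REQ to a diagnosis of the S_PRINCIPAL_UNKNOWN symptom."""
    offered = defaultdict(set)  # client -> etypes it offered in TGS-REQs
    rejected = set()            # clients that received KDC_ERR_S_PRINCIPAL_UNKNOWN
    for src, dst, mt, ets, code in parse_lines(text):
        if mt == MSG_TGS_REQ:
            offered[src] |= ets
        elif mt == MSG_KRB_ERROR and code == KDC_ERR_S_PRINCIPAL_UNKNOWN:
            rejected.add(dst)
    verdict = {}
    for client, ets in offered.items():
        if client in rejected and not (ets & AES_ETYPES):
            verdict[client] = "no AES etype offered, S_PRINCIPAL_UNKNOWN returned: likely unpatched XP"
        elif client in rejected:
            verdict[client] = "AES offered but still rejected: not the XP etype flaw"
        else:
            verdict[client] = "ok"
    return verdict
```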

This flaw can be patched on an XP SP3 system with this hotfix: https://support.microsoft.com/en-us/kb/969442

During my research I noticed I wasn’t the only one encountering this problem.
