KDC unreachable/Encryption not supported by the KDC

I had an issue with a client running remote desktop from home via VPN. The client machine is windows 11 and the remote machine is Windows 10 joined to the domain. The windows 11 machine reports the following:

[Window Title]
Remote Desktop Connection

[Content]
An authentication error has occurred.
The encryption type requested is not supported by the KDC.

Remote computer: [redacted]

[^] Hide details  [OK]

[Expanded Information]
Error code: 0x0
Extended error code: 0x0
Timestamp (UTC): 04/02/25 09:46:00 PM
Activity ID: 37cc084e-1b36-47b6-abd2-8241d40f0100

Press Ctrl+C to copy.

This prompted me to upgrade my environment to 5.2 in an attempt to fix the issue. While that did not fix the issue, the keycloak migration wasn’t as difficult as I thought it’d be.

Anyways, I have a Primary, Backup, and 3 Member servers. The primary and backup nodes are located in Office A and the other member servers are in Offices B, C, D. The win11 client is connecting to Office A.

The Primary shows the following:

$ sudo samba-tool processes

 Service:                          PID
--------------------------------------
cldap_server                      1532
dnsupdate                         1555
dreplsrv                          1536
kccsrv                            1551
kdc_server                        1534
kdc_server(worker 3)              1556
kdc_server(worker 0)              1539
kdc_server(worker 1)              1546
kdc_server(worker 2)              1552
ldap_server                       1530
ldap_server(worker 1)             1577
ldap_server(worker 2)             1579
ldap_server(worker 0)             1575
ldap_server(worker 3)             1581
notify-daemon                     1662
rpc_server                        1525
rpc_server(worker 2)              1568
rpc_server(worker 0)              1564
rpc_server(worker 1)              1566
rpc_server(worker 3)              1570
samba                             1423
winbind_server                    1544
wrepl_server                      1528

The backup does not have the kdc_server, but that is where it shows the error:

The following KDCs were unreachable: udp ucs-dispatch.adventure.local:88

I keep trying to tweak the nameserver ucr variables as per this post. That has changed the original critical warning from basically all KDCs to only the primary KDCs showing unreachable.

Note: I can run the system diagnostic tool several times and sometimes it will be resolved, other times it will be udp primary.server, and then sometimes it will be tcp primary.server, and then sometimes it will be both. Regardless, the win11 client still shows the aforementioned error. I’m worried that as more clients switch to win11, I’ll start seeing this error more and more.

Not really sure where to go from here.

Also worth noting that I ran update on both win11 and the remote win10 machines as well as restarted several times. When I restarted the primary node I was able to connect to the remote desktop, but any subsequent attempts fail. I can connect to the same client using Remmina on my Pop_OS! machine.

Update

I’ve installed Active Directory-compatible Domain Controller to the Backup server, which now means sudo samba-tool processes on both the primary and backup will look similar if not the same:

Primary Server:

 Service:                          PID
--------------------------------------
cldap_server                      1532
dnsupdate                         1555
dreplsrv                          1536
kccsrv                            1551
kdc_server                        1534
kdc_server(worker 3)              1556
kdc_server(worker 0)              1539
kdc_server(worker 1)              1546
kdc_server(worker 2)              1552
ldap_server                       1530
ldap_server(worker 1)             1577
ldap_server(worker 2)             1579
ldap_server(worker 0)             1575
ldap_server(worker 3)             1581
notify-daemon                     1662
rpc_server                        1525
rpc_server(worker 2)              1568
rpc_server(worker 0)              1564
rpc_server(worker 1)              1566
rpc_server(worker 3)              1570
samba                             1423
winbind_server                    1544
wrepl_server                      1528

Backup server:

 Service:                          PID
--------------------------------------
cldap_server                    1869104
dnsupdate                       1869127
dreplsrv                        1869112
kccsrv                          1869124
kdc_server                      1869106
kdc_server(worker 3)            1869130
kdc_server(worker 0)            1869116
kdc_server(worker 1)            1869121
kdc_server(worker 2)            1869128
ldap_server                     1869100
ldap_server(worker 1)           1869190
ldap_server(worker 2)           1869192
ldap_server(worker 0)           1869188
ldap_server(worker 3)           1869194
notify-daemon                   1869159
rpc_server                      1869092
rpc_server(worker 2)            1869107
rpc_server(worker 0)            1869097
rpc_server(worker 1)            1869102
rpc_server(worker 3)            1869111
samba                           1869083
winbind_server                  1869126

This has not changed anything.

Is there any way to troubleshoot this better? The inability to use remote desktop (so far) only occurs with this one win11 pro machine.

Hi maxTim,

let us investigate a little bit. Can you provide the following output:

ucr get samba/kdc_default_domain_supported_enctypes
and 
samba-tool domain level show

Best
Christina

$ sudo ucr get samba/kdc_default_domain_supported_enctypes 
aes256-cts-hmac-sha1-96-sk,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96,arcfour-hmac-md5
$ sudo samba-tool domain level show
Domain and forest function level for domain 'DC=adventure,DC=local'

Forest function level: (Windows) 2003
Domain function level: (Windows) 2003
Lowest function level of a DC: (Windows) 2008 R2
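As an added example (not code from the thread, Univention or Samba), this script turns the three outputs quoted above into concrete checks: whether a DC is actually running kdc_server, which enctypes the KDC offers and whether any legacy ones remain, and whether the domain function level predates AES support. The parsers assume the exact output formats of `samba-tool processes` and `samba-tool domain level show` as shown in the thread; the sample inputs are constructed from those outputs.

```python
import re

# Legacy Kerberos enctypes that current Windows clients increasingly refuse.
WEAK_ENCTYPES = {"arcfour-hmac-md5", "arcfour-hmac-md5-exp", "des-cbc-crc", "des-cbc-md5"}
AES_MIN_LEVEL = 2008  # AES Kerberos keys arrived with the Windows Server 2008 functional level


def parse_processes(text):
    """Service names from `samba-tool processes` output (workers folded into their parent)."""
    return {m.group(1) for m in
            (re.match(r"\s*([\w-]+)(?:\(worker \d+\))?\s+\d+\s*$", line)
             for line in text.splitlines()) if m}


def parse_levels(text):
    """Numeric forest/domain/lowest-DC levels from `samba-tool domain level show`."""
    labels = {"forest": "Forest function level", "domain": "Domain function level",
              "lowest_dc": "Lowest function level of a DC"}
    out = {}
    for key, label in labels.items():
        m = re.search(re.escape(label) + r":\s*\(Windows\)\s*(\d{4})", text)
        if m:
            out[key] = int(m.group(1))
    return out


def check_dc(name, processes, enctypes, levels):
    """Findings that explain 'KDC unreachable' or 'encryption type not supported'."""
    findings = []
    if "kdc_server" not in parse_processes(processes):
        findings.append(f"{name}: no kdc_server; clients sent here by DNS SRV see 'KDC unreachable'")
    offered = [e.strip() for e in enctypes.split(",") if e.strip()]
    if not any(e.startswith("aes") for e in offered):
        findings.append(f"{name}: no AES enctype offered; AES-only clients cannot get tickets")
    weak = [e for e in offered if e in WEAK_ENCTYPES]
    if weak:
        findings.append(f"{name}: legacy enctypes still offered: {', '.join(weak)}")
    lvl = parse_levels(levels).get("domain")
    if lvl is not None and lvl < AES_MIN_LEVEL:
        findings.append(f"{name}: domain function level {lvl} predates AES support ({AES_MIN_LEVEL})")
    return findings


# Constructed sample input, trimmed from the outputs quoted in the thread.
BACKUP_BEFORE = " Service:    PID\n------\ncldap_server   1869104\nldap_server(worker 0)  1869188\nsamba  1869083\n"
BACKUP_AFTER = BACKUP_BEFORE + "kdc_server   1869106\nkdc_server(worker 0)  1869116\n"
ENCTYPES = "aes256-cts-hmac-sha1-96-sk,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96,arcfour-hmac-md5"
LEVELS = "Forest function level: (Windows) 2003\nDomain function level: (Windows) 2003\nLowest function level of a DC: (Windows) 2008 R2\n"

if __name__ == "__main__":
    for finding in check_dc("backup", BACKUP_BEFORE, ENCTYPES, LEVELS):
        print(finding)
```

Run it against the real outputs of each DC in turn; a DC that passes every check can still be unreachable on the network, so the script complements rather than replaces the system diagnostic.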

Hi maxTim,

thanks for the output.
I guess the root cause is the low function level with 2003.
So you can raise the domain and function level, but I recommend doing this first in a test environment (clone).

Here there is a known issue regarding the windows clients:

So I was able to bring the Domain and Forest function up to level 2008 R2. That was pretty simple, to be honest. I was thinking it might be necessary to bring both up to 2016. But, because the Lowest function of a DC is 2008 R2, I am unable to raise the level higher than that. Is there a way of upgrading the lowest level of the DC?

Edit: Reading this article, perhaps DC version 2008 R2 should be sufficient. I’ll try restarting a bunch of things to hopefully propagate the change.

This has yielded no results on the issue.

That’s very unfortunate and I’m sorry that it didn’t work out. You also renewed the Kerberos keys with the script, right?
I’ll see where we can go from here.
BTW 2008 R2 is currently still the domain level supported by samba.

I think I fixed it. I un-joined and re-joined the remote computer to the domain. This comes after having raised the function level. So it might have been both in conjunction.