I've been dealing with a really annoying problem for a few weeks now, and I'm convinced it's related to Kerberos. Some users (and their workstations) are having random authentication issues with the domain. When they try to log in, they get hit with "invalid username or password" messages. This even happens with my own credentials. Interestingly, if I disconnect a workstation from the network, I can log in just fine. What's weird is that these workstations only accept my old passwords from about a week or two ago.
I've checked the logs and have found messages like 'Kerberos pre-authentication failed' along with other clues indicating trouble with key generation. I've got both 2019 and 2025 domain controllers (DCs), and since promoting the 2025 to Primary Domain Controller (PDC), I haven't seen any improvement. Oddly enough, if I force problematic workstations to use the 2025 DC, they no longer have issues. Can anyone shed some light on what might be going on here with this potential version mismatch or Kerberos issue?
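One way to turn the "Kerberos pre-authentication failed" symptom into something comparable across the two DC versions is to pull event 4771 from every DC for the last day and tally it by DC and Kerberos status code. This is an added diagnostic example, not code from the thread; it assumes the RSAT ActiveDirectory module on the machine you run it from, rights to read the Security log on each DC remotely (the "Remote Event Log Management" firewall rule), and that auditing of Kerberos authentication service events is enabled. The one-day window is an arbitrary choice.

```powershell
# Added example (not from the original post). Collects Kerberos pre-auth failures (event 4771)
# from every DC and groups them by DC and status code, so you can see whether 0x18 clusters on
# one OS version. Assumes RSAT / ActiveDirectory module and remote Security-log read access.

$since = (Get-Date).AddDays(-1)          # assumption: one day of events is enough to see a pattern
$dcs   = Get-ADDomainController -Filter * | Select-Object HostName, OperatingSystem

# Kerberos error codes as they appear in the Status field of event 4771 (RFC 4120 values)
$krbStatus = @{
    '0xe'  = 'KDC_ERR_ETYPE_NOSUPP   (no common encryption type)'
    '0x12' = 'KDC_ERR_CLIENT_REVOKED (account disabled, expired or locked)'
    '0x17' = 'KDC_ERR_KEY_EXPIRED    (password expired)'
    '0x18' = 'KDC_ERR_PREAUTH_FAILED (wrong password, or DC holds a stale key)'
    '0x19' = 'KDC_ERR_PREAUTH_REQUIRED'
    '0x25' = 'KRB_AP_ERR_SKEW        (clock skew too large)'
}

$results = foreach ($dc in $dcs) {
    $filter = @{ LogName = 'Security'; Id = 4771; StartTime = $since }
    $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Event XML carries the fields as <Data Name="...">value</Data>; flatten into a hashtable
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $status = ($data['Status']).ToLower()
        [pscustomobject]@{
            Time    = $e.TimeCreated
            DC      = $dc.HostName
            OS      = $dc.OperatingSystem
            User    = $data['TargetUserName']
            Client  = ($data['IpAddress'] -replace '^::ffff:', '')   # strip IPv4-mapped prefix
            Status  = $status
            Meaning = $krbStatus[$status]
            PreAuth = $data['PreAuthType']                            # 2 = encrypted timestamp
        }
    }
}

# Which DC / OS version is rejecting pre-auth, and with which code?
$results | Group-Object OS, DC, Status | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Meaning'; e = { $_.Group[0].Meaning } } |
    Format-Table -AutoSize

# Most recent wrong-password / stale-key failures with the client that sent them
$results | Where-Object Status -eq '0x18' |
    Sort-Object Time -Descending | Select-Object -First 20 Time, DC, User, Client |
    Format-Table -AutoSize
```

Reading the output: a user who gets 0x18 only from one OS version while authenticating cleanly against the other is the pattern to look for, because a genuinely wrong password would fail at every KDC. The Client column also tells you which workstations are hitting which DC, which is useful when you want to confirm the "force them to the 2025 DC" workaround is actually in effect.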
6 Answers
Just remove the 2025 DCs. They’ve got numerous issues and no fixes right now. Stick to the 2022 DCs until updates arrive. Remember, we still have a good six years before security updates end on the older versions!
There’s a possibility this is linked to the KRBTGT account password resets. There was a story shared that might relate to your situation, which led to significant AD problems.
Interesting read! I haven’t changed that service account password since I set things up in 2014-2015.
I think this could be due to changes in security defaults with the new servers. They’ve made enforcement for LDAP/LDAPS more stringent in 2025. This could be related to the issues you're seeing.
That makes sense. I wonder what specific changes are causing these issues. Maybe it has something to do with encryption methods? 2019 supports AES and RC4, but I haven’t seen anything indicating that 2025 is upping the ante in that department.
I've faced this kind of problem before. The only solution that worked for me was to get rid of the 2025 DCs altogether. Having a mix of 2019 and 2022 DCs really sorted things out for us. It's frustrating when the usual Microsoft fixes don't seem to help. Good luck!
Yikes! I'm planning on upgrading my DCs from 2016 to 2025 soon. Sounds like I need to rethink that.
Wow, that’s a bold move! What’s concerning is that directing users to use only the 2025 DC fixes their login issues. I can only use that as a temporary workaround, which isn’t ideal.
Try checking if this problem is linked to password changes. It might be a known bug with the 2025 DCs. If you're running a mix of old and new DCs, consider downgrading the 2025 or resetting passwords on the older ones instead. I’ve seen threads on this issue, so it could definitely help you out!
This does seem to be impacting users who change their passwords! Thanks for pointing that out. I’m hesitant to fully switch to 2025 or downgrade it since it’s my main DC.
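Since the thread has now raised three checkable hypotheses (the KRBTGT password age from earlier in the thread, encryption types, and password changes not behaving the same on every DC), here is one added PowerShell example, not part of the thread, that queries each DC directly for a user's password state and replication metadata. It assumes the RSAT ActiveDirectory module, read access to the domain from the machine you run it on, and that 'jdoe' is a placeholder account name; the encryption-type bit names are the documented msDS-SupportedEncryptionTypes flags.

```powershell
# Added example (not from the original thread). For one account, ask every DC separately what it
# believes about the password: when it was set, the replication version/origin of unicodePwd, the
# supported encryption types and the bad-password counter. Assumes RSAT / ActiveDirectory module.

function ConvertFrom-EncTypeMask {
    # Decode the msDS-SupportedEncryptionTypes bitmask into names
    param([int]$Mask)
    if (-not $Mask) { return '(not set: DC defaults apply)' }
    $names = @{ 1 = 'DES-CRC'; 2 = 'DES-MD5'; 4 = 'RC4'; 8 = 'AES128'; 16 = 'AES256'; 32 = 'AES256-SK' }
    ($names.Keys | Sort-Object | Where-Object { $Mask -band $_ } | ForEach-Object { $names[$_] }) -join ','
}

function Compare-PasswordState {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $dn  = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    $dcs = Get-ADDomainController -Filter * | Sort-Object OperatingSystem, HostName

    foreach ($dc in $dcs) {
        # -Server pins the query to this DC so we see its own replica, not whichever DC is nearest
        $u = Get-ADUser -Identity $dn -Server $dc.HostName `
             -Properties pwdLastSet, 'msDS-SupportedEncryptionTypes', badPwdCount, lastBadPasswordAttempt

        # Replication metadata for the password attribute itself: version number and originating DC
        $meta = Get-ADReplicationAttributeMetadata -Object $dn -Server $dc.HostName -Properties unicodePwd

        [pscustomobject]@{
            DC            = $dc.HostName
            OS            = $dc.OperatingSystem
            PwdLastSet    = [DateTime]::FromFileTime($u.pwdLastSet)
            PwdVersion    = $meta.Version
            PwdOriginDC   = $meta.LastOriginatingChangeDirectoryServerIdentity
            PwdOriginTime = $meta.LastOriginatingChangeTime
            EncTypes      = ConvertFrom-EncTypeMask $u.'msDS-SupportedEncryptionTypes'
            BadPwdCount   = $u.badPwdCount
            LastBadPwd    = $u.lastBadPasswordAttempt
        }
    }
}

# Placeholder account; run it for an affected user and again for krbtgt
Compare-PasswordState -SamAccountName 'jdoe'   | Format-Table -AutoSize
Compare-PasswordState -SamAccountName 'krbtgt' | Format-Table -AutoSize
```

What to compare: PwdVersion and PwdOriginTime should be identical on every DC once replication has converged. A DC that still shows the previous version for an account that changed its password explains why it accepts the old password and rejects the new one, and the OS column shows whether that lines up with the 2019/2025 split. The krbtgt row gives the PwdLastSet date the earlier comment asked about, and EncTypes shows whether an account is restricted to RC4 or AES on any DC.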
Yeah, that’s the trend I’ve been hearing. Better to wait until the kinks with 2025 are worked out before fully committing to the upgrade.
We actually tried resetting it, but it didn’t solve our issues. The only thing that worked for us was ditching the 2025 DCs.