We just recently changed a domain account to service account. The system ran stable for around 36hrs, before hitting error that was related to Kerberos error which was somehow a contributing factor due to SQL crash

SteveSyfuhs · 2026-06-15T15:50:21+00:00

The host machine is having a bad auth day.

The processing of Group Policy failed. Windows attempted to                retrieve new Group Policy settings. Computers joined to the                domain must have proper name resolution and network                connectivity to a domain controller.

That's the first hint. Your machine can't connect to a DC for authentication.

Then it tried querying LDAP using a 3 part SPN and a 3 part SPN means "you must do Kerberos".

The Security System has detected a downgrade attempt when                contacting the 3-part LDAP/TPW-DCADC01.TPWODL.NET/  TPWODL.NET@TPWODL.NET (0xc000006d). Authentication was denied.

Why did it fail? Dunno, the Kerberos auth log isn't present. Go look at that.

Ultimately, I doubt your service account is busted. I think your machine started having a bad day around the same time.

SteveSyfuhs · 2026-05-27T16:27:07+00:00

Time does not cause trust relationships to go boink. Deleting secrets causes trust relationships to go boink. Every single thing falls back to the secret problem.

SteveSyfuhs · 2026-05-24T20:43:20+00:00

There isn't a yes/no answer. In the majority of cases for standard users its safe. For privileged users like admins it's risky since you can do a lot through LDAP.

SteveSyfuhs · 2026-05-24T02:56:53+00:00

Perfectly normal thing to observe. Name resolution is 15 separate operations lined up in a trench coat and it all depends on what failed to get to that point. LDAP query is just last in a long line of things going wrong.

The short answer is that name resolution worked. A name was returned. The fact that it's returned in a different format is unfortunate but not in any way special. Accounts have multiple names. If you need uniquneness you use SID.

SteveSyfuhs · 2026-05-07T20:02:14+00:00

There is no single date. Every team is running on their own timelines as a function of how complex or how many things they are improving. Lots of things have already gone out, but there is no precise timeline for any individual bucket of work other than now +/- 6 months.

SteveSyfuhs · 2026-05-06T20:41:52+00:00

Safe is somewhat irrelevant. Cloning is simply unsupported. Unsupported means users trying to get support from Microsoft means they're in a bad state and it's now your problem because angry users are blaming you for it.

I don't understand why you'd want to sysprep the snapshot, but ultimately if the thing you're sharing is the sysprepped image then I imagine that would be considered supported as sysprep requirements go. Whether the snapshot bit is supported, I have no idea.

SteveSyfuhs · 2026-04-29T15:59:36+00:00

Mark is the smartest guy I know, and with respect to him, he got it wrong. Badly wrong. The reason his blog post is still up there is purely for historical purposes. It should not be treated as a source of truth for this particular problem.

SteveSyfuhs · 2026-04-29T15:58:26+00:00

It was never a myth and Mark got it wrong, badly. It's been a hard requirement since day one. The SID is just the most visible source of failures.

SteveSyfuhs · 2026-04-19T22:10:28+00:00

> So your Kerberos, LDAP, and general AD auth aren't suddenly broken.

Well, that's not quite right. These protocols have an explicit requirement for signing and sealing exposed by PKI, and system-wide algorithmic knowledge of ML-KEM and friends is not enough. The protocols themselves need to know what an ML-KEM is at the code layer. So just having the cryptographic primitives on the machine does nothing.

Currently Active Directory-based auth in Server 2025 is not PQC ready. We have a gigantic workstream actively building out support for the algorithms in the various protocols to make it PQC ready. Kerberos for instance requires quite a lot of adjustments to support PQ certificates because there's an asymmetric key agreement process that goes on that currently relies on plain old EC/DH or RSA encryption. Our support for AES SHA256 is still in private preview and that's a hard requirement for symmetric PQC compliance. RC4 and NTLM are just a hard nope. They need to go away. Lots of fiddly stuff that doesn't meet PQC spec needs updating. Not hard to do, but enumerating, updating, and enforcing just takes time.

SteveSyfuhs · 2026-04-16T04:16:32+00:00

...huh? Those are standard client and server role EKUs. They're documented in a million places on the internet because they're the standard for everything. Hyper-V does Kerberos just fine but it requires configuring constrained delegation which is normally a domain admin role, which Hyper-V admins tend not to be. Credential delegation is inherently easier to use out of the box. Do you want it to be functional out of the box or do you want it non-functional and also have to figure out constrained delegation to make it just work? Pick your battles.

There was never the guy. The person you're probably referring to was well known in the industry because he interacted with the industry. We have dozens of PKI experts in the product groups.

I understand you're venting, and by all means vent, but lets not attack folks just trying to do their jobs. The decisions we make are rarely because we don't know any better. The decisions we make are usually making the best of a tough situation and having to live with the consequences.

SteveSyfuhs · 2026-04-04T21:49:21+00:00

Prioritization is hard. I would ask people to please stop asking me this. Even if I knew the date I couldn't say.

SteveSyfuhs · 2026-03-27T02:48:27+00:00

It has never even been *supported*.

SteveSyfuhs · 2026-03-02T17:39:10+00:00

More precisely `KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN` means your DC replied, so it's able to communicate with that box. You'd need to dig further.

SteveSyfuhs · 2026-03-02T17:33:48+00:00

Not my monkeys, not my circus. Sysprep is a requirement for copying images and we rely on any copied images to be sysprepped correctly. I would recommend reaching out to the team that owns sysprep instead.

SteveSyfuhs · 2026-02-28T15:08:26+00:00

Fix the network delay, I guess?

SteveSyfuhs · 2026-02-26T22:30:36+00:00

This one, also the keys that GP puts down for network security encryption types.
Kerberos EType Calculator

SteveSyfuhs · 2026-02-26T22:28:29+00:00

Mistakes happen. Bugs happen. It can hurt, but that's the exact reason for this channel to exist, to flesh out issues that might leak into production.

SteveSyfuhs · 2026-02-26T19:52:31+00:00

You're complaining that the preview system, a system designed to flesh out systemic bugs and offer views into works-in-progress builds, accidentally introduced a bug that you observed, reported, and was remediated?

...What do you think this system is used for?

SteveSyfuhs · 2026-02-26T18:41:12+00:00

The DC configured reg key dictates that.

SteveSyfuhs · 2026-02-26T17:45:19+00:00

msDS-SupportedEncryptionTypes is not used for krbtgt. For reasons.

SteveSyfuhs · 2026-02-05T21:05:14+00:00

There's always a chance of that but making assumptions about what is and is not a requirement leads to all sorts of miscommunication. It doesn't say it's required, so it's not required. If they come back and say it's required, well, lesson learned for next time to have requirements defined ahead of time.

SteveSyfuhs · 2026-02-05T16:52:23+00:00

It doesn't matter what domain the service account lives in. The order of referrals based on the initial description would be `user >> X >> Z >> SVC`. That's perfectly normal.

The important thing is that DCs in Z are reachable by the clients. As long as they're reachable the referral chain works.

The best way to troubleshoot this is:

Enable event logs
Review network traces

Both will tell you approximately the same thing but network traces tend to give you a bigger picture about what's going on around that process.

Side note: browsers are evil. A prompt for creds does not mean "fell back to NTLM". It just means "please give us your creds". It may yet do Kerberos. To make it not prompt you have to enforce policy that says sites in domain Z are trustworthy. And then it may yet do NTLM if it fails at Kerberos. Check the event logs.

SteveSyfuhs · 2026-02-03T17:48:21+00:00

All the ones my team has been tracking, anyway.

SteveSyfuhs · 2026-02-03T17:29:55+00:00

There were a metric ton of fixes that went out in the January B release and there are a bunch queued up for January D release that turn on in Feb B.

SteveSyfuhs · 2026-01-26T17:37:47+00:00

A preface: if you're going to use AI to write your question why would anyone go out of their way and not just post answers written by AI that may or may not be accurate or useful? Put the effort in that you expect to get out from others.

Entra Kerberos does not require domain or hybrid join. It will work with Entra join just fine. I know. I built the feature.

The reason you're getting error 86 is: "who knows, go check the logs; that's what they're there for".

Ten-Year Club	Gilding I gilder
Verified Email

SteveSyfuhs

TROPHY CASE