Kerberos Authentication not working for a single user on Server 2012


We have a service account that has an unusual authentication problem. The account runs fine on our Server 2008 R2 server, but the same account does not appear able to use Kerberos authentication with the domain controller. When logged in, a balloon tip says:

"Windows needs your current credentials. Please lock this computer, then unlock it using your most recent password or smart card."

Logging out or rebooting doesn't help.

We noticed that the Kerberos logon does not complete when trying to use the service account to connect to a SQL Server on a different box. During the SQL Server connection process we were able to take a network capture, and we noticed that Kerberos fails requiring preauth (which we understand is normal), but we never see a successful Kerberos authentication to the domain controller in the network trace or the security logs. If we turn off pre-authentication, we can see the issue is related to encryption, due to a KRB5KDC_ERR_ETYPE_NOSUPP error.

So we believe we have an encryption issue, except that if anyone else logs on to the server, none of these problems exist. We have made another account a member of the same groups the service account is part of (way more rights than required), and have put that account in the same OU as the service account. That account works fine for everything. The service account doesn't seem to authenticate properly. In Kerbtray we see no indication of issued Kerberos certificates.

This service account has rights in Active Directory, Exchange, and SQL databases. We don't want it recreated if we don't have to, but we cannot figure out why it doesn't work right. Anything pointing me to what I should have looked at would be appreciated.

We got this resolved, but we don't understand why it happened. It appears we needed to enable RC4_HMAC_MD5 in the "Network security: Configure encryption types allowed for Kerberos" policy. Once we did that, the service account stopped trying to use DES, and authentication succeeded.

Any thoughts on how to limit a single account to RC4_HMAC_MD5 encryption when logging on to a Server 2012 member server, when this is supported on Server 2008 R2 member servers?
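One way to inspect, and then restrict, the encryption types of a single account rather than loosening the server-wide policy, as an added example that is not part of the original post. It assumes the RSAT ActiveDirectory module and a placeholder account name `svc-example`; the encryption-type bit values are those of the `msDS-SupportedEncryptionTypes` attribute.

```powershell
# Added example (not from the original post): decode and set the Kerberos
# encryption types of one service account.  Assumes the ActiveDirectory
# (RSAT) module; 'svc-example' is a placeholder account name.
Import-Module ActiveDirectory

$account = 'svc-example'   # placeholder, replace with the real service account

# Bit values of the msDS-SupportedEncryptionTypes attribute
$etypes = [ordered]@{
    DES_CBC_CRC             = 0x1
    DES_CBC_MD5             = 0x2
    RC4_HMAC_MD5            = 0x4
    AES128_CTS_HMAC_SHA1_96 = 0x8
    AES256_CTS_HMAC_SHA1_96 = 0x10
}

function Get-KerberosEtypes {
    param([string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName `
            -Properties 'msDS-SupportedEncryptionTypes', UseDESKeyOnly
    # A missing attribute reads as 0: the KDC then falls back to its defaults
    $mask  = [int]($u.'msDS-SupportedEncryptionTypes')
    $names = $etypes.GetEnumerator() |
             Where-Object { $mask -band $_.Value } |
             ForEach-Object { $_.Key }
    [pscustomobject]@{
        Account       = $u.SamAccountName
        EtypeMask     = $mask
        EtypeNames    = if ($names) { $names -join ',' } else { '(not set: KDC default applies)' }
        UseDESKeyOnly = $u.UseDESKeyOnly   # the "Use Kerberos DES encryption" account flag
    }
}

# Show what the account currently advertises
Get-KerberosEtypes -SamAccountName $account

# Limit this one account to RC4-HMAC: clear the DES-only flag and advertise
# only the RC4 bit.  No password reset is needed for RC4, whose key is the
# account's existing NT hash.
Set-ADAccountControl -Identity $account -UseDESKeyOnly $false
Set-ADUser -Identity $account -Replace @{ 'msDS-SupportedEncryptionTypes' = $etypes.RC4_HMAC_MD5 }

# Confirm the change
Get-KerberosEtypes -SamAccountName $account
```

Setting the attribute to the AES bits (0x18) instead, followed by a password reset so AES keys are generated, lets the account work with the Server 2012 default policy without re-enabling RC4 or DES anywhere.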


