The Source AD account and password were migrated to the Target domain.
The customer logged into the Target domain with those credentials successfully, but when accessing network resources, the customer received the following prompt and no Kerberos ticket was issued:
"Windows needs your current credentials"
"Please lock this computer, then unlock it using your most recent password or smart card."
To confirm there were no Kerberos tickets issued, run klist in Command Prompt.
Change the Kerberos encryption policy on the Target Default Domain Controllers Group Policy to match the Source Default Domain Controllers Group Policy settings.
Additionally, the issue may be caused by RC4 encryption being disabled and/or by a GPO, which prevents NTLM fallback when Kerberos negotiation fails.
The issue may be more prevalent where the source domain was 2008R2-level.
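One way to see exactly where the Source and Target settings differ, as an added example that is not part of the original article or Quest's own tooling. It assumes the setting in question is "Network security: Configure encryption types allowed for Kerberos", read from the SupportedEncryptionTypes registry value on a domain controller in each domain; the function names and the sample masks are constructed for illustration.

```powershell
# Added example: decode and compare the Kerberos encryption-type policy of two domains.
# Bit values are those of the SupportedEncryptionTypes DWORD written by the
# "Network security: Configure encryption types allowed for Kerberos" policy.
$EncTypes = [ordered]@{
    DES_CBC_CRC      = 0x1
    DES_CBC_MD5      = 0x2
    RC4_HMAC_MD5     = 0x4
    AES128_HMAC_SHA1 = 0x8
    AES256_HMAC_SHA1 = 0x10
    FutureTypes      = 0x7FFFFFE0
}

function Get-KerberosEncMask {
    # Run locally on a domain controller in each domain. Returns $null when the
    # policy is not configured and the operating system defaults apply.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
    (Get-ItemProperty -Path $key -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue).SupportedEncryptionTypes
}

function ConvertFrom-KerberosEncMask {
    # Turns the bitmask into the list of encryption type names it enables.
    param([Parameter(Mandatory)][int]$Mask)
    $EncTypes.GetEnumerator() | Where-Object { $Mask -band $_.Value } | ForEach-Object { $_.Key }
}

function Compare-KerberosEncPolicy {
    # Reports which encryption types are enabled on only one side.
    param([Parameter(Mandatory)][int]$SourceMask, [Parameter(Mandatory)][int]$TargetMask)
    $src = @(ConvertFrom-KerberosEncMask $SourceMask)
    $tgt = @(ConvertFrom-KerberosEncMask $TargetMask)
    [pscustomobject]@{
        Source       = $src -join ', '
        Target       = $tgt -join ', '
        OnlyInSource = @($src | Where-Object { $_ -notin $tgt }) -join ', '
        OnlyInTarget = @($tgt | Where-Object { $_ -notin $src }) -join ', '
        Match        = ($SourceMask -eq $TargetMask)
    }
}

# Constructed sample values: Source allows RC4 + AES (0x1C), Target allows AES only (0x18).
# In practice, pass the value returned by Get-KerberosEncMask on each side.
Compare-KerberosEncPolicy -SourceMask 0x1C -TargetMask 0x18 | Format-List
```

With the sample values, OnlyInSource lists RC4_HMAC_MD5 and Match is False, which is the kind of mismatch the policy change above is meant to remove.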