You U2U? Me too!

Windows Vista and 7 have a “Remote Assistance” feature where users can attempt to share control of another user’s desktop in order to assist them – there is a full description over on TechNet, and it can be invoked from the command line using msra.exe.

In most environments this works just fine; however, we recently had an instance where offers from Windows 7 clients in a domain could not be made, and the following error was thrown after a 20-30 second delay:

"Your offer to help could not be sent
Check the following:
- Do you have the correct permissions on the remote computer?
- Is the remote computer turned on, and is it connected to the network?
- Is there a network problem?
For assistance, contact your network administrator."

In the same environment, Windows Vista clients were not having this error, so this was a head-scratcher…


Through a network trace from the clients we saw that the Vista client was happily using NTLM authentication between the 2 clients, but the Windows 7 client was trying to acquire a “User 2 User” (U2U) Kerberos ticket from the KDC for the user object. The result was KDC_ERR_S_PRINCIPAL_UNKNOWN, and we saw that an event 3 was being logged from source Microsoft-Windows-Security-Kerberos with error code 0x1b.

Error code 0x1b is KDC_ERR_MUST_USE_USER2USER.

So the KDC was complaining that the request type was not understood… the DCs in this environment were all running Windows Server 2003, and “U2U” tickets were new for KDCs on Windows Server 2008.

As the Kerberos request was failing, the client offering assistance failed to get a ticket to use and so bombed out the connection attempt to the other client.


The reason that the U2U ticket was requested was a little more complicated :)

When we query the abilities of a KDC we look at the version number of the KRBTGT account – if it’s over a threshold then we assume the KDC to be running on a Windows Server 2008 RODC (and hence U2U should be possible).

However, if an authoritative restore has been made of a Windows Server 2003 DC then the version number will have been bumped up, but U2U is not possible.
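The two checks a domain admin would want when hitting this are the KRBTGT key version number on the DC side and the Kerberos event 3 entries on the offering client. The script below is an added example written for this post, not code from the original article or from Microsoft; it assumes the RSAT ActiveDirectory module is available (which needs a DC running ADWS or the Active Directory Management Gateway Service) and that it is run as a domain user with read access. The post does not state the exact kvno threshold the Windows 7 client uses, so $SuspectThreshold is an illustrative placeholder, not the real value.

```powershell
# Added diagnostic for the KRBTGT kvno / U2U mismatch described in the post.
# Assumes the RSAT ActiveDirectory module; $SuspectThreshold is a placeholder.
Import-Module ActiveDirectory

function Get-KrbtgtKvnoReport {
    param(
        [string]$Domain = (Get-ADDomain).DNSRoot,
        [int]$SuspectThreshold = 100000   # placeholder; the real client threshold is not in the post
    )
    # msDS-KeyVersionNumber is the Kerberos key version number (kvno) of the account.
    $krbtgt = Get-ADUser -Identity krbtgt -Server $Domain -Properties msDS-KeyVersionNumber
    $kvno   = [int]$krbtgt.'msDS-KeyVersionNumber'

    # Operating system of every DC in the domain: a high kvno while DCs are
    # still Windows Server 2003 is the combination the post describes.
    $dcs = Get-ADDomainController -Filter * -Server $Domain |
           Select-Object HostName, OperatingSystem
    $dcs2003 = @($dcs | Where-Object { $_.OperatingSystem -like '*2003*' })

    [pscustomobject]@{
        Domain            = $Domain
        KrbtgtKvno        = $kvno
        DomainControllers = $dcs
        Suspect           = ($kvno -ge $SuspectThreshold) -and ($dcs2003.Count -gt 0)
    }
}

function Get-KerberosU2UErrors {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # the Windows 7 client offering assistance
        [int]$Days = 7
    )
    # Event ID 3 from Microsoft-Windows-Security-Kerberos in the System log,
    # with error code 0x1b (KDC_ERR_MUST_USE_USER2USER) in the message.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Security-Kerberos'
        Id           = 3
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '0x1b' } |
    Select-Object TimeCreated, MachineName, Message
}

Get-KrbtgtKvnoReport  | Format-List
Get-KerberosU2UErrors | Format-Table -AutoSize
```

Run Get-KrbtgtKvnoReport from any domain-joined admin workstation and Get-KerberosU2UErrors against the Windows 7 client that is failing to send the offer; a report with Suspect set to True alongside fresh 0x1b events on the client matches the symptom set in this post.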

After much investigation it turned out there was a trivial fix to apply to the Windows Server 2003 DCs that resolves the issue and prevents the KRBTGT version number from getting bumped up again, KB939820:

Events 1925, 1006, 1645, 1055, 40961 on a Windows Server 2008-based domain controller or error message: "No authority could be contacted for authentication" when you use Remote Desktop Connection


Once all the Windows Server 2003 DCs in the environment had this patch applied, the Windows 7 clients were able to offer Remote Assistance without a problem.