After Microsoft rolled out Kerberos updates in November 2022, logins by SmartCard-only users may produce the following error entries in the domain controllers' logs:
While processing an AS request for target service krbtgt, the account … did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). The requested etypes were: …. The accounts available etypes were 23 18 17. Changing or resetting the password of … will generate a proper key.
This is a known issue and there are several ways to mitigate it, the most obvious being to change the user's password. Since SystoLOCK users are passwordless, special care needs to be taken for these accounts. As of SystoLOCK version 2.12 these steps are no longer required, but up to version 2.10 SP1 the script below can reset the affected users' passwords without losing any functionality.
Be sure to try the script on a few users first before rolling it out to everyone.
#Requires -Modules ActiveDirectory,Systola.SystoLOCK.Management
# GeneratePassword lives in System.Web, which is not loaded by default in Windows PowerShell
Add-Type -AssemblyName System.Web

# Pin every AD cmdlet to one domain controller so the reset and the follow-up writes hit the same DC
$DC = Get-ADDomainController | Select-Object -ExpandProperty HostName
$PSDefaultParameterValues = @{ '*-AD*:Server' = $DC }

# Uncomment this line and comment out the next one to apply to the whole AD
# Get-SystoLockAssignment | % { Get-ADUser $_.userdn -Properties SmartcardLogonRequired } | ? SmartcardLogonRequired -eq $True | % `
Get-SystoLockAssignment | Select-Object -First 1 | % { Get-ADUser $_.userdn -Properties SmartcardLogonRequired } | ? SmartcardLogonRequired -eq $True | % `
{
    # 40-character random password with at least 10 non-alphanumeric characters; the user never needs it
    $NewPassword = ConvertTo-SecureString -String ([System.Web.Security.Membership]::GeneratePassword(40,10)) -AsPlainText -Force
    Write-Host "Changing password for $($_.Name)... " -NoNewline
    # Temporarily clear the smartcard-only flag, reset the password (this regenerates the Kerberos keys), then restore the flag
    Set-ADUser $_ -SmartcardLogonRequired $False
    Set-ADAccountPassword $_ -NewPassword $NewPassword -Reset
    Set-ADUser $_ -SmartcardLogonRequired $True
    Write-Host "OK"
}
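To scope the problem before running the reset, and to confirm afterwards that no affected accounts remain, the following added example (not part of the original article and not SystoLOCK's own tooling) reads the KDC events carrying the message quoted above from every domain controller and cross-references the named accounts with their smartcard-only flag and password age. It assumes the ActiveDirectory module, remote event log access to the DCs, and a seven-day look-back window; the event is Event ID 14 from the Microsoft-Windows-Kerberos-Key-Distribution-Center provider in the System log.

```powershell
#Requires -Modules ActiveDirectory
# Added example: find accounts that triggered the "did not have a suitable key" KDC event
# (System log, provider Microsoft-Windows-Kerberos-Key-Distribution-Center, Event ID 14)
# on every DC, and flag which of them still need a password reset.
$Since = (Get-Date).AddDays(-7)   # look-back window (assumption, adjust as needed)
$DCs   = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$Affected = foreach ($dc in $DCs) {
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 14
        StartTime    = $Since
    }
    Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the account name out of the event text (wording as quoted in the article)
            if ($_.Message -match 'the account (?<acct>\S+) did not have a suitable key') {
                [pscustomobject]@{ DC = $dc; Time = $_.TimeCreated; Account = $Matches.acct }
            }
        }
}

# One row per account: event count, last occurrence, smartcard-only flag and PasswordLastSet.
# A password set after the last event means the account has already been fixed.
$Affected | Group-Object Account | ForEach-Object {
    $last = $_.Group | Sort-Object Time -Descending | Select-Object -First 1
    $user = Get-ADUser -Identity $_.Name -Properties SmartcardLogonRequired, PasswordLastSet `
                       -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Account                = $_.Name
        Events                 = $_.Count
        LastEvent              = $last.Time
        SmartcardLogonRequired = if ($user) { $user.SmartcardLogonRequired } else { $null }
        PasswordLastSet        = if ($user) { $user.PasswordLastSet } else { $null }
        StillNeedsReset        = if ($user) { $user.PasswordLastSet -lt $last.Time } else { $null }
    }
} | Sort-Object StillNeedsReset -Descending | Format-Table -AutoSize
```

Run it once before the reset to get the list of accounts to pass through the script above, and once afterwards: any row still showing StillNeedsReset = True either was not covered by the reset or has produced a new event since.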