Event ID 25 — Services for User to Self Configuration

Applies To: Windows Server 2008

Services for User to Self (S4USelf) provides the ability for a service to request a Kerberos ticket on behalf of a user account.

Event Details

Product: Windows Operating System
ID: 25
Source: Microsoft-Windows-Kerberos-Key-Distribution-Center
Version: 6.0
Message: The account %1 from domain %2 is attempting to use S4USelf for the target client %3, but is not allowed to perform group expansion on this client's user object. It may be necessary to adjust the ACL on the TokenGroupsGlobalAndUniversal attribute on the target client's user object to allow S4USelf to function correctly. This can also be accomplished by adding %1 to the Windows Authorization Access Group.


Add the user account to the Windows Authorization Access Group

To resolve this issue, you must add the user account to the Windows Authorization Access Group. The user account can be found in the event log message.

To perform this procedure, you must be a member of the Domain Admins group, or you must have been delegated the appropriate authority.

To add the user account to the Windows Authorization Access Group by using Active Directory Users and Computers:

  1. Log on to a computer that has Active Directory Users and Computers installed. It is installed by default on a domain controller.
  2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
  3. In the console tree, click Builtin, right-click Windows Authorization Access Group, and then click Properties.
  4. Click Members, and then click Add.
  5. In the Enter the object names to select dialog box, type the name of the user you want to add to the group, and then click OK.
  6. Close Active Directory Users and Computers.


To verify that the Kerberos client is is correctly configured, you should ensure that a Kerberos ticket was received from the Key Distribution Center (KDC) and cached on the local computer. You can view cached Kerberos tickets on the local computer by using the Klist command-line tool.

Note: Klist.exe is not included with Windows Vista, Windows Server 2003, Windows XP, or Windows 2000. You must download and install the Windows Server Resource Kit before you can use Klist.exe.

To view cached Kerberos tickets by using Klist:

  1. Log on to a Kerberos client computer within your domain.
  2. Click Start, point to All Programs, click Accessories, and then click Command Prompt.
  3. Type klist tickets, and then press ENTER.
  4. Verify that a cached Kerberos ticket is available.
    • Ensure that the Client field displays the client on which you are running Klist.
    • Ensure that the Server field displays the domain in which you are connecting.
  5. Close the command prompt.

Services for User to Self Configuration

Core Security