Scott Townsend
Help!!!
I'm having Kerberos Issues!!!
Many of my users are getting denied access to servers.
In their System Log they have Errors similar to the following:
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date: 04/16/2004
Time: 12:28:51 AM
User: N/A
Computer: COMPUTER-XP
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/server.domain.com. This indicates that the password used to encrypt
the kerberos service ticket is different than that on the target server.
Commonly, this is due to identically named machine accounts in the target
realm (<domain>.COM), and the client realm. Please contact your system
administrator.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
On the servers I see the Corresponding Errors in the Security Log:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 04/16/2004
Time: 10:03:28 AM
User: NT AUTHORITY\SYSTEM
Computer: SERVER
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 10.1.0.17
Source Port: 0
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
When I run netdiag I get the following on the server machines:
NetBT name test. . . . . . . . . . : Passed
[WARNING] You don't have a single interface with the <00> 'WorkStation
Service', <03> 'Messenger Service', <20> 'WINS' names defined.
Kerberos test. . . . . . . . . . . : Failed
[FATAL] Kerberos does not have a ticket for :
And depending on the server the name is in the following formats:
<host/server-name.domain.COM.>
<server-name$>
I've been working with one server trying to get its Kerberos ticket back in
line and I've done the following to it with no success:
Renamed it (twice) and added it back to the domain
ran the netdom remove and netdom join
Went to ADUG and did a Reset Account
I've turned on Kerberos logging in the registry:
I now get the following when I boot the server:
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 594
Date: 4/16/2004
Time: 1:01:06 PM
User: N/A
Computer: SERVER
Description:
A Kerberos Error Message was received:
on logon session InitializeSecurityContext
Client Time:
Server Time:
Error Code: 20:1:6.0000 4/16/2004 (null) 0x34
Extended Error: KRB_ERR_RESPONSE_TOO_BIG
Client Realm:
Client Name:
Server Realm: <domain>.COM
Server Name: LDAP/DC-server.<domain>.COM
Target Name: LDAP/DC-Server.<domain>.COM@<domain>.COM
Error Text:
File:
Line:
Error Data is in record data.
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 594
Date: 4/16/2004
Time: 1:01:38 PM
User: N/A
Computer: SERVER-SUPPORT
Description:
A Kerberos Error Message was received:
on logon session InitializeSecurityContext
Client Time:
Server Time:
Error Code: 20:1:38.0000 4/16/2004 (null) 0x34
Extended Error: KRB_ERR_RESPONSE_TOO_BIG
Client Realm:
Client Name:
Server Realm: HAYDON-MILL.COM
Server Name: LDAP/DC-server.<domain>.COM
Target Name: LDAP/DC-Server.<domain>.COM@<domain>.COM
Error Text:
File:
Line:
Error Data is in record data.
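An added example, not part of Scott's post and not a Microsoft tool: a Python script that triages the two Kerberos errors shown above against an SPN inventory. KRB_AP_ERR_MODIFIED (Event ID 4) means the service ticket the client presented was encrypted under a key the target host does not hold. The KDC encrypts the ticket with the key of whichever account it finds registered for the requested SPN, so when two accounts register the same SPN (for example a stale computer account left behind by a rename or rejoin) the ticket is issued for one account and presented to the host running the other, which records a Kerberos logon failure with no user name, like the 529 above. The script extracts the SPN from the event text, loads a constructed ldifde-style export of servicePrincipalName values (a real export would come from `ldifde -f spn.ldf -r "(servicePrincipalName=*)" -l sAMAccountName,dNSHostName,servicePrincipalName`), reports any SPN held by more than one account, and classifies the Event ID 594 KRB_ERR_RESPONSE_TOO_BIG (error 0x34) as the benign retry-over-TCP it is rather than a cause. Every host name, account, DN and event body in it is constructed for illustration.

```python
"""Triage Kerberos Event ID 4 (KRB_AP_ERR_MODIFIED) and Event ID 594
(KRB_ERR_RESPONSE_TOO_BIG) against an SPN inventory.  Added example, not the
original post's code: every event body, account, host and DN is constructed."""
import re
from collections import defaultdict

# Constructed event bodies, shaped like the Windows Kerberos client events.
EVENTS = [
    "The kerberos client received a KRB_AP_ERR_MODIFIED error from the server "
    "host/server.domain.com. This indicates that the password used to encrypt "
    "the kerberos service ticket is different than that on the target server.",
    "The kerberos client received a KRB_AP_ERR_MODIFIED error from the server "
    "cifs/fileserv.domain.com.",
    "A Kerberos Error Message was received: on logon session "
    "InitializeSecurityContext Error Code: 0x34 Extended Error: "
    "KRB_ERR_RESPONSE_TOO_BIG Server Name: LDAP/dc1.domain.com",
]

# Constructed inventory, shaped like an ldifde export of every object that
# carries an SPN.  SERVER-OLD is a stale account (e.g. left over from a
# rename) that still claims SERVER's host SPN.
INVENTORY = """\
dn: CN=SERVER,CN=Computers,DC=domain,DC=com
sAMAccountName: SERVER$
dNSHostName: server.domain.com
servicePrincipalName: HOST/server.domain.com
servicePrincipalName: HOST/SERVER

dn: CN=SERVER-OLD,CN=Computers,DC=domain,DC=com
sAMAccountName: SERVER-OLD$
dNSHostName: server-old.domain.com
servicePrincipalName: host/SERVER.domain.com
servicePrincipalName: HOST/SERVER-OLD

dn: CN=FILESERV,CN=Computers,DC=domain,DC=com
sAMAccountName: FILESERV$
dNSHostName: fileserv.domain.com
servicePrincipalName: HOST/fileserv.domain.com
servicePrincipalName: cifs/fileserv.domain.com
"""

AP_ERR_RE = re.compile(r"KRB_AP_ERR_MODIFIED error from the server\s+(\S+?)\.?(?:\s|$)")
TOO_BIG_RE = re.compile(r"KRB_ERR_RESPONSE_TOO_BIG.*?Server Name:\s*(\S+)", re.S)

def classify_event(body):
    """Return (kind, principal) for a Kerberos client event body.
    SPNs are lower-cased: AD compares them case-insensitively for uniqueness."""
    m = AP_ERR_RE.search(body)
    if m:
        return "ap_err_modified", m.group(1).lower()
    m = TOO_BIG_RE.search(body)
    if m:
        return "response_too_big", m.group(1).lower()
    return None, None

def parse_ldif(text):
    """Map each SPN (lower-cased) to the sAMAccountNames that register it."""
    owners = defaultdict(list)
    for record in re.split(r"\n\s*\n", text.strip()):
        attrs = defaultdict(list)
        for line in record.splitlines():
            key, _, value = line.partition(":")
            attrs[key.strip()].append(value.strip())
        account = attrs["sAMAccountName"][0] if attrs["sAMAccountName"] else "?"
        for spn in attrs["servicePrincipalName"]:
            owners[spn.lower()].append(account)
    return owners

def duplicate_spns(owners):
    """Every SPN held by more than one account: the condition Event ID 4 names."""
    return {spn: accts for spn, accts in owners.items() if len(accts) > 1}

def triage(events, inventory_text):
    """Return {principal: verdict}, one entry per event."""
    owners = parse_ldif(inventory_text)
    verdicts = {}
    for body in events:
        kind, principal = classify_event(body)
        if kind == "response_too_big":
            # 0x34 (52): the KDC's UDP reply was too large and the client
            # retries over TCP.  Benign, unrelated to a key mismatch.
            verdicts[principal] = "INFO: KDC reply exceeded UDP size; client retries over TCP"
        elif kind == "ap_err_modified":
            holders = owners.get(principal, [])
            if len(holders) > 1:
                # Ticket was encrypted under one account's key and presented
                # to the host holding the other's.  Remove the stale SPN.
                verdicts[principal] = "DUPLICATE SPN: " + ", ".join(holders)
            elif holders:
                # One owner, so look elsewhere: DNS sending clients to a
                # different host, or a machine password out of sync with AD.
                verdicts[principal] = "SINGLE OWNER %s: check DNS for %s and the machine password" % (
                    holders[0], principal.split("/", 1)[1])
            else:
                verdicts[principal] = "SPN ABSENT FROM INVENTORY: export is stale or incomplete"
    return verdicts

if __name__ == "__main__":
    for spn, accts in duplicate_spns(parse_ldif(INVENTORY)).items():
        print("duplicate %-26s %s" % (spn, ", ".join(accts)))
    for principal, verdict in triage(EVENTS, INVENTORY).items():
        print("%-36s %s" % (principal, verdict))
```

Against the constructed inventory the script flags `host/server.domain.com` as held by both SERVER$ and SERVER-OLD$, which is the situation the Event ID 4 text describes; with a real export, the next step is to delete the SPN (or the stale account) from the account that should not own it. The SPN check is the same one `setspn -X` performs on newer Windows versions; the single-owner branch exists because a name that resolves in DNS to a different machine than the account's dNSHostName produces the identical client error.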