[FATAL] Kerberos does not have a ticket for <any of my servers>

Scott Townsend

Help!!!

I'm having Kerberos Issues!!!

Many of my users are getting denied access to servers.

In their System Log they have Errors similar to the following:
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date: 04/16/2004
Time: 12:28:51 AM
User: N/A
Computer: COMPUTER-XP
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/server.domain.com. This indicates that the password used to encrypt
the kerberos service ticket is different than that on the target server.
Commonly, this is due to identically named machine accounts in the target
realm (<domain>.COM), and the client realm. Please contact your system
administrator.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


On the servers I see the Corresponding Errors in the Security Log:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 04/16/2004
Time: 10:03:28 AM
User: NT AUTHORITY\SYSTEM
Computer: SERVER
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 10.1.0.17
Source Port: 0


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

When I run netdiag I get the following on the server machines:

NetBT name test. . . . . . . . . . : Passed
[WARNING] You don't have a single interface with the <00> 'WorkStation
Service', <03> 'Messenger Service', <20> 'WINS' names defined.

Kerberos test. . . . . . . . . . . : Failed
[FATAL] Kerberos does not have a ticket for :
And depending on the server the name is in the following formats:
<host/server-name.domain.COM.>
<server-name$>


I've been working with one server trying to get its kerberos ticket back in
line and I've done the following to it with no Success:
Renamed it (twice) and added it back to the domain
ran the netdom remove and netdom join
Went to ADUG and did a Reset Account

I've turned on Kerberos Logging in the registry:

I now get the following when I boot the server:
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 594
Date: 4/16/2004
Time: 1:01:06 PM
User: N/A
Computer: SERVER
Description:
A Kerberos Error Message was received:
on logon session InitializeSecurityContext
Client Time:
Server Time:
Error Code: 20:1:6.0000 4/16/2004 (null) 0x34
Extended Error: KRB_ERR_RESPONSE_TOO_BIG
Client Realm:
Client Name:
Server Realm: <domain>.COM
Server Name: LDAP/DC-server.<domain>.COM
Target Name: LDAP/DC-Server.<domain>.COM@<domain>.COM
Error Text:
File:
Line:
Error Data is in record data.


Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 594
Date: 4/16/2004
Time: 1:01:38 PM
User: N/A
Computer: SERVER-SUPPORT
Description:
A Kerberos Error Message was received:
on logon session InitializeSecurityContext
Client Time:
Server Time:
Error Code: 20:1:38.0000 4/16/2004 (null) 0x34
Extended Error: KRB_ERR_RESPONSE_TOO_BIG
Client Realm:
Client Name:
Server Realm: HAYDON-MILL.COM
Server Name: LDAP/DC-server.<domain>.COM
Target Name: LDAP/DC-Server.<domain>.COM@<domain>.COM
Error Text:
File:
Line:
Error Data is in record data.
 

David Pharr [MSFT]

Sounds like you may have lost your secure channel connection to the DC.
Was this working fine with users logging on successfully and then the
problem began? If so, what changes were made to the domain just prior to
this problem occurring? Did someone change permissions on the DCs, modify
group policy, stop W32Time, anything like that? Can users logon to their
local machine but not the domain? Can you logon as an admin?

How many domain controllers are in this domain? Any errors in dcdiag or
netdiag on the DC? We need a bit more information about your domain
configuration and what happened on your network to be able to give you good
direction.

To reset secure channel connections, try the following article:
216393 Resetting Computer Accounts in Windows 2000 and Windows XP
http://support.microsoft.com/?id=216393

David Pharr, (e-mail address removed)

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: "Scott Townsend" <[email protected]>
| Subject: [FATAL] Kerberos does not have a ticket for <any of my servers>
| Date: Fri, 16 Apr 2004 13:32:45 -0700
| Lines: 136
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2800.1409
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
| Message-ID: <#[email protected]>
| Newsgroups: microsoft.public.win2000.active_directory
| NNTP-Posting-Host: 204-145-245-200.enm.com 204.145.245.200
| Path: cpmsftngxa10.phx.gbl!TK2MSFTNGXA05.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP09.phx.gbl
| Xref: cpmsftngxa10.phx.gbl microsoft.public.win2000.active_directory:76815
| X-Tomcat-NG: microsoft.public.win2000.active_directory
 

Scott Townsend

Thank you for your reply...

There have been no changes to the DCs (3 in all) at the time this started
happening. The first instance that caused us to notice the issue was that
some users could not print. It turned out that their communications with the
print server (just a member server) were not working. Looking at the Event
Viewer is where we saw the Kerberos event 4s.

Users can log into the domain just fine, and it's not all users that have the
issue. To help correct the problem we have been removing all DNS and WINS
entries for the user, their machine and any associated IP address, then had
them run the latest updates.

Then after further checking I ran netdiag.exe and came across the
Kerberos test failing...

DCDIAG on the DCs comes back clean.
NETDIAG on the DCs came back clean too.

My Exchange server (member server) is failing the Kerberos test too...
I've run 'netdom reset' on it and it's in the same shape.
NETDOM verify comes back okay...

So what else do you need to know about the domain and network?

There are 3 DCs. 2 of which are GCs. We have an Exchange 2000 and 2003
server.
We have 4 offices. Each with a local Member server used for Printing, &
DHCP.
There are anywhere from 30-4 workstations per office.

The three remote office member servers failed the Kerberos tests with
Netdiag.
A few Local Servers failed the test (Exchange 2K, 2K+3, SMS, File)
A few local Servers passed the tests (Web & SQL, Terminal Server:)

The way I got a few servers to pass the test was to remove them from the
domain (added them to a workgroup) then deleted all the info in AD about
them, then added them back to the domain.

Removing them from the domain and then adding them back does not seem to do
it. Seems like you really need to delete the account from ADUG for it to
take.

I'm scared to do that with the Exchange servers... The remote servers in
case I can't get a hold of them from remote...

Any Assistance would be appreciated..

Thanks...


 

David Pharr [MSFT]

That KRB_ERR_RESPONSE_TOO_BIG message seems to indicate that the UDP packet
was too large for Kerberos to read. Try forcing Kerberos to use TCP per
the following kb article:

244474 How to Force Kerberos to Use TCP Instead of UDP
http://support.microsoft.com/?id=244474

Run SET L on the clients to find out which machine is their authenticating
domain controller. Then set the registry entry on the authenticating DC
and a couple of clients experiencing the problem to see if that corrects
the issue. If it does, you will need to set it on all the machines in the
environment.

Let me know whether or not that works.

David Pharr, (e-mail address removed)

This posting is provided "AS IS" with no warranties, and confers no rights.
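Added example, not part of the thread and not Microsoft's code, covering both Scott's event records earlier in the thread and the TCP workaround in this reply: a Python triage script that parses pasted Kerberos event-log text and netdiag output, decodes the raw 0x34 in event 594 to RFC 4120 error 52 (KRB_ERR_RESPONSE_TOO_BIG), names the SPN in event 4, and pairs each symptom with the check and mitigation discussed here, including the MaxPacketSize=1 registry value from KB 244474. The hostnames and realm in the sample records are constructed placeholders.

```python
"""Triage Windows Kerberos event-log text of the kind quoted in this thread.
Added example, not from the thread or from Microsoft; the sample records are
constructed (CLIENT-XP, PRINTSRV, dc1 and example.test are placeholders)."""
import re
from collections import namedtuple

# Kerberos error codes (RFC 4120 error-code table) behind the two messages in the thread.
KRB_ERROR_NAMES = {41: "KRB_AP_ERR_MODIFIED", 52: "KRB_ERR_RESPONSE_TOO_BIG"}

# Likely cause and the check/mitigation the thread discusses, per error name.
TRIAGE = {
    "KRB_AP_ERR_MODIFIED": (
        "service ticket encrypted with a key the target server does not hold: stale "
        "machine-account password (broken secure channel) or a duplicate SPN/computer "
        "account, so the KDC keyed the ticket for another principal",
        "verify/reset the secure channel (netdom verify, KB 216393) and look for a "
        "duplicate SPN or computer account before deleting and rejoining the host"),
    "KRB_ERR_RESPONSE_TOO_BIG": (
        "KDC reply (large PAC from many group memberships) did not fit a UDP datagram, "
        "so the client never received a usable ticket",
        "force Kerberos over TCP on clients and DCs: DWORD MaxPacketSize=1 under "
        "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos\\Parameters "
        "(...\\Lsa\\Kerberos on Windows 2000) per KB 244474, then reboot"),
}
FIELD_RE = re.compile(r"^([A-Z][A-Za-z /]*):\s*(.*)$")
SPN_RE = re.compile(r"error from the server\s+(\S+?)\.?\s+This")
NETDIAG_RE = re.compile(r"\[FATAL\] Kerberos does not have a ticket for\s*:?\s*(.*)")

# target = SPN or server name the event names; cause/action come from TRIAGE.
Finding = namedtuple("Finding", "computer event_id error target cause action")

def parse_event(text):
    """Split one exported record into a dict of its 'Key: value' lines and the description."""
    header, _, description = text.strip().partition("Description:")
    fields = {}
    for line in header.splitlines() + description.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields.setdefault(m.group(1), m.group(2).strip())
    return fields, description.strip()

def kerberos_error_name(fields, description):
    """Name the Kerberos error a record reports, from its text or from its hex error code."""
    m = re.search(r"\bKRB_[A-Z_]+", description)
    if m:
        return m.group(0)
    # Event 594 may carry only the raw code, e.g. "... (null) 0x34" -> 52 (RESPONSE_TOO_BIG).
    hexcode = re.search(r"0x([0-9A-Fa-f]+)\s*$", fields.get("Error Code", ""))
    return KRB_ERROR_NAMES.get(int(hexcode.group(1), 16)) if hexcode else None

def triage(record):
    """Turn one record into a Finding with cause and next step (None if not Kerberos-related)."""
    fields, description = parse_event(record)
    name = kerberos_error_name(fields, description)
    if name not in TRIAGE:
        return None
    spn = SPN_RE.search(description)
    target = spn.group(1) if spn else fields.get("Server Name", "")
    return Finding(fields["Computer"], int(fields["Event ID"]), name, target, *TRIAGE[name])

def triage_log(text):
    """Triage every record in a pasted/exported log; each record starts with 'Event Type:'."""
    return [f for f in map(triage, re.split(r"\n+(?=Event Type:)", text.strip())) if f]

def netdiag_missing_tickets(text):
    """Principals netdiag's Kerberos test found no ticket for (host/... SPN or NAME$ forms)."""
    return [m.group(1).strip(" .<>") for m in NETDIAG_RE.finditer(text)]

# Constructed sample records modelled on the thread's event 4 and event 594 output.
SAMPLE_LOG = """\
Event Type: Error
Event ID: 4
Computer: CLIENT-XP
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/printsrv.example.test. This indicates that the password used to encrypt
the kerberos service ticket is different than that on the target server.

Event Type: Error
Event ID: 594
Computer: PRINTSRV
Description:
Error Code: 20:1:6.0000 4/16/2004 (null) 0x34
Extended Error:
Server Name: LDAP/dc1.example.test
"""
SAMPLE_NETDIAG = """\
Kerberos test. . . . . . . . . . . : Failed
[FATAL] Kerberos does not have a ticket for host/printsrv.example.test.
[FATAL] Kerberos does not have a ticket for PRINTSRV$.
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.computer} event {f.event_id}: {f.error} [{f.target}]\n  cause: {f.cause}\n  next: {f.action}")
    print("netdiag: no ticket for", netdiag_missing_tickets(SAMPLE_NETDIAG))
```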
--------------------
| From: "Scott Townsend" <[email protected]>
| References: <#[email protected]> <[email protected]>
| Subject: Re: [FATAL] Kerberos does not have a ticket for <any of my servers>
| Date: Tue, 20 Apr 2004 08:49:02 -0700
| Lines: 240
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2800.1409
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
| Message-ID: <[email protected]>
| Newsgroups: microsoft.public.win2000.active_directory
| NNTP-Posting-Host: 204-145-245-200.enm.com 204.145.245.200
| Path: cpmsftngxa10.phx.gbl!TK2MSFTNGXA05.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP12.phx.gbl
| Xref: cpmsftngxa10.phx.gbl microsoft.public.win2000.active_directory:77138
| X-Tomcat-NG: microsoft.public.win2000.active_directory
 

Scott Townsend

Thanks again for your help.

I've already changed everyone over to TCP. I've added the GP admin template
and then set the value to 1. So with a reboot, they should be using TCP.

Most of the Local servers I've been able to get the Kerberos to pass by
dropping them from the Domain and re-adding them.

I'm rebooting the Exchange 2003 server now to get it updated, as well as the
DC, so they will be using TCP for Kerberos.

The SET L returned the DC I'm rebooting. I've already rebooted the other
DCs.

I'll keep you informed.
Thanks,


"David Pharr [MSFT]" said:
That KRB_ERR_RESPONSE_TOO_BIG message seems to indicate that the UDP packet
was too large for Kerberos to read. Try forcing Kerberos to use TCP per
the following kb article:

244474 How to Force Kerberos to Use TCP Instead of UDP
http://support.microsoft.com/?id=244474

Run SET L on the clients to find out which machine is their authenticating
domain controller. Then set the registry entry on the authenticating DC
and a couple of clients experiencing the problem to see if that corrects
the issue. If it does, you will need to set it on all the machines in the
environment.

Let me know whether or not that works.

David Pharr, (e-mail address removed)

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: "Scott Townsend" <[email protected]>
| References: <#[email protected]>
<[email protected]>
| Subject: Re: [FATAL] Kerberos does not have a ticket for <any of my
servers>
| Date: Tue, 20 Apr 2004 08:49:02 -0700
| Lines: 240
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2800.1409
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
| Message-ID: <[email protected]>
| Newsgroups: microsoft.public.win2000.active_directory
| NNTP-Posting-Host: 204-145-245-200.enm.com 204.145.245.200
| Path:
cpmsftngxa10.phx.gbl!TK2MSFTNGXA05.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP12
phx.gbl
| Xref: cpmsftngxa10.phx.gbl microsoft.public.win2000.active_directory:77138
| X-Tomcat-NG: microsoft.public.win2000.active_directory
|
| Thank you for your reply...
|
| There have been no changes to the DCs (3 in all) at the time this started
| happening. The First instance that caused us to notice hte issue was that
| some users could not Print. It turned out that their communications with
the
| print server (just a member Server) was not working, Looking at the Event
| Viewer is where we saw the KERBEROS event 4s.
|
| Users can log into the domain just fine, and its not all users that have
the
| issue. To help Correct the problem we have been removing all DNS, and WINS
| entries for the user, their machine and any associated IP address, then
had
| them run the latest updates.
|
| Then after further checking I ran the netdiag.exe and fame across the
| KERBEROS test failing...
|
| DCDIAG on the DCs comes back clean.
| NETDIAG on the DCs came back clean too.
|
| My Exchange server (Member Server) is failing the Kerberos Test too...
| I've run the 'netdom reset' on it and its in the same shape.
| NETDOM Verify comes back okay...
|
| So what else do you need to know about the domain and network?
|
| There are 3 DCs. 2 of which are GCs. We have an Exchange 2000 and 2003
| server.
| We have 4 offices. Each with a local Member server used for Printing, &
| DHCP.
| there are anywhere from 30-4 workstations per office.
|
| the Three Remote Office Member Servers failed the Kerberos Tests with
| Netdiag.
| A few Local Servers failed the test (Exchange 2K, 2K+3, SMS, File)
| A few local Servers passed the tests (Web & SQL, Terminal Server:)
|
| The way I got a few servers to pass the test was to remove them from the
| domain (added them to a workgroup) then deleted all the info in AD about
| them, then added them back to the domain.
|
| Removing them from the domain and then adding them back does not seem to
do
| it. Seems like you really need to delete the account from ADUG. for it to
| take.
|
| I'm scared to do that with the Exchange servers... The Remote server in
| case I cant get a hold of them from remote...
|
| Any Assistance would be appreciated..
|
| Thanks...
|
|
| | > Sounds like you may have lost your secure channel connection to the DC.
| > Was this working fine with users logging on successfully and then the
| > problem began? If so, what changes were made to the domain just prior
to
| > this problem occurring? Did someone change permissions on the DCs,
modify
| > group policy, stop W32Time, anything like that? Can users logon to
their
| > local machine but not the domain? Can you logon as an admin?
| >
| > How many domain controllers are in this domain? Any errors in dcdiag or
| > netdiag on the DC? We need a bit more information about your domain
| > configuration and what happened on your network to be able to give you
| good
| > direction.
| >
| > To reset secure channel connections, try the following arrticle:
| > 216393 Resetting Computer Accounts in Windows 2000 and Windows XP
| > http://support.microsoft.com/?id=216393
| >
| > David Pharr, (e-mail address removed)
| >
| > This posting is provided "AS IS" with no warranties, and confers no
| rights.
| > --------------------
| > | From: "Scott Townsend" <[email protected]>
| > | Subject: [FATAL] Kerberos does not have a ticket for <any of my
servers>
| > | Date: Fri, 16 Apr 2004 13:32:45 -0700
| > | Lines: 136
| > | X-Priority: 3
| > | X-MSMail-Priority: Normal
| > | X-Newsreader: Microsoft Outlook Express 6.00.2800.1409
| > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
| > | Message-ID: <#[email protected]>
| > | Newsgroups: microsoft.public.win2000.active_directory
| > | NNTP-Posting-Host: 204-145-245-200.enm.com 204.145.245.200
| > | Path:
| >
|
cpmsftngxa10.phx.gbl!TK2MSFTNGXA05.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP09
| > phx.gbl
| > | Xref: cpmsftngxa10.phx.gbl
| microsoft.public.win2000.active_directory:76815
| > | X-Tomcat-NG: microsoft.public.win2000.active_directory
| > |
| > | Help!!!
| > |
| > | I'm having Kerberos Issues!!!
| > |
| > | May of my users are getting denied access to servers.
| > |
| > | In their System Log they have Errors similar to the following:
| > | Event Type: Error
| > | Event Source: Kerberos
| > | Event Category: None
| > | Event ID: 4
| > | Date: 04/16/2004
| > | Time: 12:28:51 AM
| > | User: N/A
| > | Computer: COMPUTER-XP
| > | Description:
| > | The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
| > | host/server.domain.com. This indicates that the password used to encrypt
| > | the kerberos service ticket is different than that on the target server.
| > | Commonly, this is due to identically named machine accounts in the target
| > | realm (<domain>.COM), and the client realm. Please contact your system
| > | administrator.
| > |
| > | For more information, see Help and Support Center at
| > | http://go.microsoft.com/fwlink/events.asp.
| > |
| > |
| > | On the servers I see the Corresponding Errors in the Security Log:
| > |
| > | Event Type: Failure Audit
| > | Event Source: Security
| > | Event Category: Logon/Logoff
| > | Event ID: 529
| > | Date: 04/16/2004
| > | Time: 10:03:28 AM
| > | User: NT AUTHORITY\SYSTEM
| > | Computer: SERVER
| > | Description:
| > | Logon Failure:
| > | Reason: Unknown user name or bad password
| > | User Name:
| > | Domain:
| > | Logon Type: 3
| > | Logon Process: Kerberos
| > | Authentication Package: Kerberos
| > | Workstation Name: -
| > | Caller User Name: -
| > | Caller Domain: -
| > | Caller Logon ID: -
| > | Caller Process ID: -
| > | Transited Services: -
| > | Source Network Address: 10.1.0.17
| > | Source Port: 0
| > |
| > |
| > | For more information, see Help and Support Center at
| > | http://go.microsoft.com/fwlink/events.asp.
| > |
| > | When I run netdiag I get the following on the server machines:
| > |
| > | NetBT name test. . . . . . . . . . : Passed
| > | [WARNING] You don't have a single interface with the <00> 'WorkStation
| > | Service', <03> 'Messenger Service', <20> 'WINS' names defined.
| > |
| > | Kerberos test. . . . . . . . . . . : Failed
| > | [FATAL] Kerberos does not have a ticket for :
| > | And depending on the server the name is in the following
| > | formats:
| > | <host/server-name.domain.COM.>
| > | <server-name$>
| > |
| > |
| > | I've been working with one server trying to get its kerberos ticket back in
| > | line and I've done the following to it with no Success:
| > | Renamed it (twice) and added it back to the domain
| > | ran the netdom remove and netdom join
| > | Went to ADUG and did a Reset Account
| > |
| > | I've turned on Kerberos Logging in the registry:
| > |
| > | I now get the following when I boot the server:
| > | Event Type: Error
| > | Event Source: Kerberos
| > | Event Category: None
| > | Event ID: 594
| > | Date: 4/16/2004
| > | Time: 1:01:06 PM
| > | User: N/A
| > | Computer: SERVER
| > | Description:
| > | A Kerberos Error Message was received:
| > | on logon session InitializeSecurityContext
| > | Client Time:
| > | Server Time:
| > | Error Code: 20:1:6.0000 4/16/2004 (null) 0x34
| > | Extended Error: KRB_ERR_RESPONSE_TOO_BIG
| > | Client Realm:
| > | Client Name:
| > | Server Realm: <domain>.COM
| > | Server Name: LDAP/DC-server.<domain>.COM
| > | Target Name: LDAP/DC-Server.<domain>.COM@<domain>.COM
| > | Error Text:
| > | File:
| > | Line:
| > | Error Data is in record data.
| > |
| > |
| > | Event Type: Error
| > | Event Source: Kerberos
| > | Event Category: None
| > | Event ID: 594
| > | Date: 4/16/2004
| > | Time: 1:01:38 PM
| > | User: N/A
| > | Computer: SERVER-SUPPORT
| > | Description:
| > | A Kerberos Error Message was received:
| > | on logon session InitializeSecurityContext
| > | Client Time:
| > | Server Time:
| > | Error Code: 20:1:38.0000 4/16/2004 (null) 0x34
| > | Extended Error: KRB_ERR_RESPONSE_TOO_BIG
| > | Client Realm:
| > | Client Name:
| > | Server Realm: HAYDON-MILL.COM
| > | Server Name: LDAP/DC-server.<domain>.COM
| > | Target Name: LDAP/DC-Server.<domain>.COM@<domain>.COM
| > | Error Text:
| > | File:
| > | Line:
| > | Error Data is in record data.
| > |
| > |
| > |
| > |
| > |
| > |
| >
|
|
|
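An added triage script for the Event ID 4 / KRB_AP_ERR_MODIFIED failures and the secure-channel suggestion quoted above. It is not from the thread or from Microsoft: it is written in PowerShell for a current domain-joined Windows host (the Windows 2000/XP machines in the thread would run nltest and setspn from the Support Tools instead), and the host name server.domain.com is a placeholder taken from the event text, not a real target.

```powershell
# Added example (not from the thread): triage one server that clients fail against with
# KRB_AP_ERR_MODIFIED. Steps 1 and 2 run from any domain-joined machine as a domain user;
# step 3 is meant to run elevated on the failing server itself.
param(
    [string]$TargetHost = 'server.domain.com'   # hypothetical FQDN, replace with the real server
)

$shortName = ($TargetHost -split '\.')[0]

# 1. Name resolution. The client requests a ticket for host/<name it resolved>; if DNS or
#    WINS returns the address of a *different* machine (stale record, reimaged box, a second
#    host with the same name), the ticket is encrypted with the wrong machine's key and the
#    box that actually answers cannot decrypt it. Compare this with the address you expect.
$addresses = [System.Net.Dns]::GetHostAddresses($TargetHost) | ForEach-Object { $_.IPAddressToString }
"$TargetHost resolves to: $($addresses -join ', ')"

# 2. Duplicate SPNs. Exactly one account in the forest should hold host/<fqdn> and
#    host/<shortname>; a second account with the same SPN is the "identically named machine
#    accounts" case named in the event text. The search goes through the global catalog so it
#    covers every domain in the forest, not just the client's realm.
$rootDse = [ADSI]'LDAP://RootDSE'
$gc      = [ADSI]"GC://$($rootDse.rootDomainNamingContext)"
foreach ($spn in @("host/$TargetHost", "host/$shortName")) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($gc, "(servicePrincipalName=$spn)")
    $searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
    $holders  = @($searcher.FindAll() | ForEach-Object { $_.Properties['distinguishedname'][0] })
    switch ($holders.Count) {
        0       { "$spn : NOT REGISTERED - the computer account has lost its SPNs (rejoin, or setspn -A)" }
        1       { "$spn : $($holders[0])" }
        default { "$spn : DUPLICATE on $($holders.Count) accounts -> $($holders -join '; ')" }
    }
}

# 3. Secure channel, run on the failing server. nltest checks the machine account password
#    against a DC; Test-ComputerSecureChannel -Repair (PowerShell 2.0 and later) resets the
#    machine account password in place, which is what KB 216393 describes, without a
#    workgroup/rejoin cycle and without deleting the account from AD.
nltest /sc_verify:$env:USERDNSDOMAIN
if (-not (Test-ComputerSecureChannel)) {
    Test-ComputerSecureChannel -Repair -Credential (Get-Credential -Message 'Domain admin for the reset')
}
```

If step 2 reports a duplicate, fix that first: resetting or rejoining the "good" server does nothing while a second account still advertises the same SPN, because the KDC keeps issuing tickets under whichever account it finds, which matches the thread's experience that only deleting the account from AD made the rejoin take.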
 
Scott Townsend

Looks like setting the transport to TCP helped... I rebooted the DC and the
Exch2003 Server and the E2003 Server is not complaining anymore. I've also
rebooted a few of the remote offices and they are happy again!!!

Hip Hip Hurray!

Now would this be causing my Exch2000 and Exch2003 Servers to not be
communicating to each other? After the reboot of both, they still don't see
each other. )-; I have several messages in the Queue waiting to be
delivered.

The Exch2000 server only has a few accounts on it. Those users' mail stays in
the outbox. The mail that is sent to them from the outside is delivered to
the Exch2003 Server and then sits in the Queue for the 2000 server.

This started happening at the same time I was getting the Kerberos errors.

Thanks,
Scott<-



"David Pharr [MSFT]" said:
That KRB_ERR_RESPONSE_TOO_BIG message seems to indicate that the UDP packet
was too large for Kerberos to read. Try forcing Kerberos to use TCP per
the following kb article:

244474 How to Force Kerberos to Use TCP Instead of UDP
http://support.microsoft.com/?id=244474

Run SET L on the clients to find out which machine is their authenticating
domain controller. Then set the registry entry on the authenticating DC
and a couple of clients experiencing the problem to see if that corrects
the issue. If it does, you will need to set it on all the machines in the
environment.

Let me know whether or not that works.

David Pharr, (e-mail address removed)

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: "Scott Townsend" <[email protected]>
| References: <#[email protected]>
<[email protected]>
| Subject: Re: [FATAL] Kerberos does not have a ticket for <any of my
servers>
| Date: Tue, 20 Apr 2004 08:49:02 -0700
| Lines: 240
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2800.1409
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
| Message-ID: <[email protected]>
| Newsgroups: microsoft.public.win2000.active_directory
| NNTP-Posting-Host: 204-145-245-200.enm.com 204.145.245.200
| Path: cpmsftngxa10.phx.gbl!TK2MSFTNGXA05.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP12.phx.gbl
| Xref: cpmsftngxa10.phx.gbl microsoft.public.win2000.active_directory:77138
| X-Tomcat-NG: microsoft.public.win2000.active_directory
|
| Thank you for your reply...
|
| There have been no changes to the DCs (3 in all) at the time this started
| happening. The First instance that caused us to notice the issue was that
| some users could not Print. It turned out that their communications with the
| print server (just a member Server) was not working; looking at the Event
| Viewer is where we saw the KERBEROS event 4s.
|
| Users can log into the domain just fine, and it's not all users that have the
| issue. To help Correct the problem we have been removing all DNS, and WINS
| entries for the user, their machine and any associated IP address, then had
| them run the latest updates.
|
| Then after further checking I ran the netdiag.exe and came across the
| KERBEROS test failing...
|
| DCDIAG on the DCs comes back clean.
| NETDIAG on the DCs came back clean too.
|
| My Exchange server (Member Server) is failing the Kerberos Test too...
| I've run the 'netdom reset' on it and its in the same shape.
| NETDOM Verify comes back okay...
|
| So what else do you need to know about the domain and network?
|
| There are 3 DCs. 2 of which are GCs. We have an Exchange 2000 and 2003
| server.
| We have 4 offices. Each with a local Member server used for Printing, &
| DHCP.
| there are anywhere from 30-4 workstations per office.
|
| the Three Remote Office Member Servers failed the Kerberos Tests with
| Netdiag.
| A few Local Servers failed the test (Exchange 2K, 2K+3, SMS, File)
| A few local Servers passed the tests (Web & SQL, Terminal Server:)
|
| The way I got a few servers to pass the test was to remove them from the
| domain (added them to a workgroup) then deleted all the info in AD about
| them, then added them back to the domain.
|
| Removing them from the domain and then adding them back does not seem to do
| it. Seems like you really need to delete the account from ADUG for it to
| take.
|
| I'm scared to do that with the Exchange servers... The Remote server in
| case I cant get a hold of them from remote...
|
| Any Assistance would be appreciated..
|
| Thanks...
|
|
| | > Sounds like you may have lost your secure channel connection to the DC.
|
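The registry change David points to (KB 244474, forcing the Kerberos client onto TCP), as an added PowerShell example rather than anything posted in the thread. It assumes an elevated Windows PowerShell session (Get-EventLog is the 5.1-era cmdlet) and the classic "Kerberos" event source name shown in the thread's logs; the reg.exe line in the comments is the equivalent for the Windows 2000/XP/2003 hosts the thread is about. Run it on the clients that log the error and on the DC they authenticate against, then reboot as the thread did.

```powershell
# Added example (not from the thread): make the Kerberos client send every AS/TGS request
# over TCP so the KDC's reply is never limited to what fits in one UDP datagram.

# Which DC authenticated this session (PowerShell equivalent of "set l" at a cmd prompt).
"Authenticating DC: $env:LOGONSERVER"

$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

# MaxPacketSize is the largest request the client is willing to send over UDP; 1 byte means
# "never UDP". On 2000/XP/2003 without PowerShell the same change is:
#   reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters /v MaxPacketSize /t REG_DWORD /d 1 /f
New-ItemProperty -Path $key -Name MaxPacketSize -PropertyType DWord -Value 1 -Force | Out-Null

# Read it back so a typo in the value name does not go unnoticed.
$current = (Get-ItemProperty -Path $key -Name MaxPacketSize).MaxPacketSize
if ($current -ne 1) { throw "MaxPacketSize is $current, expected 1" }

# Record the most recent Kerberos client errors before rebooting, so you can confirm the
# RESPONSE_TOO_BIG / AP_ERR_MODIFIED entries stop afterwards. The source name is the classic
# one from the thread; newer Windows logs these under Microsoft-Windows-Security-Kerberos.
Get-EventLog -LogName System -Source Kerberos -EntryType Error -Newest 20 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'KRB_ERR_RESPONSE_TOO_BIG|KRB_AP_ERR_MODIFIED' } |
    Select-Object TimeGenerated, EventID, @{ n = 'Error'; e = { [regex]::Match($_.Message, 'KRB_\w+').Value } }
```

Two things worth knowing before rolling this out. First, it is a client-side setting: the KDC only reports KRB_ERR_RESPONSE_TOO_BIG because the client asked over UDP, so every host that logs the error needs it, which is why David says to set it everywhere once it proves out. Second, the reply that is "too big" is usually a ticket whose PAC carries a long list of group SIDs, so if the error appears suddenly across an estate, it is worth checking what group memberships or SID history grew at the same time. Windows Vista and later Kerberos clients already prefer TCP, so the change only matters for the Windows 2000/XP/2003 systems in the thread.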
 
