KDC_ERR_S_PRINCIPAL_UNKNOWN

g

Hello,
If someone could help me out it would be great.

Layout:

1 windows 2000 ad domain.
1 iis app server with sql7 sitting on it, domain account "services" is
used to run the service.
domain name domain.ca
iis app server host/netbios name is appserver
iis+app server on a windows 2003 machine (unused will be moving apps over)
sql2000 on windows 2000 (unused)
8 nt4 domains that trust the windows 2000 domain.
apps on the iis server use the username of the user to allocate data, when
the user logs into iis. (set to integrated)
sql data is pulled by the app and not by the user, permissions are set for
the app, on the databases.


getting a ton of errors only on appserver event id 594, since the middle
of last month.

Kerberos Error Message was received:
on logon session InitializeSecurityContext
Client Time:
Server Time:
Error Code: 18:0:26.0000 1/2/2004 (null) 0x7
Extended Error: KDC_ERR_S_PRINCIPAL_UNKNOWN
Client Realm:
Client Name:
Server Realm: DOMAIN.CA
Server Name: krbtgt/DOMAIN.CA
Target Name: MSSQLSvc/appserver.domain.ca:[email protected]
Error Text:
File:
Line:
Error Data is in record data.

Is the mssqlsvc a user name? On appserver or the domain? Or a "service"
name like SRV records?
Target Name: MSSQLSvc/appserver.domain.ca:[email protected] How could I find
out what is requesting that name?

I have the docs for SPN and sql2000 but I have sql7 on this machine?

thanks for any help.
 
Diana Smith [MSFT]

Hello,

This error maps to the following:

#define KDC_ERR_S_PRINCIPAL_UNKNOWN ((KERBERR) 0x7 ) //Server not found in Kerberos database

0x7 (KRB_ERR_S_PRINCIPAL_UNKNOWN) "Server not found in Kerberos database"
-------------------------------------------------------------------------

The KDC could not translate the server principal name from the KDC request
into an account in the Active Directory. Generally, verify whether the
server account exists and has propagated to the domain controller that
generated the error. Checking Active Directory replication may provide an
indication of why the error occurred.

Also if the server is not at least Windows 2000, there will not be any
service principal names registered because that server is not capable of
authenticating with Kerberos. In this case, this error can be ignored
because the client will then switch to NTLM for authentication.

Thank You.

Diana

This posting is provided "AS IS" with no warranties, and confers no rights.
 
g

Hello,
Thank you for your input.

Two things,
no dc generated this error, this error is on the appserver (windows
2000) event logs.

what server is it talking about? appserver.domain.ca? or the
mssqlsvc/appserver.domain.ca?

Sorry, but I just don't get it. Is the server Kerberos is not finding
appserver.domain.ca, which is in AD and was working just fine for months,
or the nonexistent local user mssqlsvc of
appserver.domain.ca? Is that what mssqlsvc/appserver.domain.ca means?


On a side note, where can I find out more about the output of the actual
event error. Like what each field actually means.
 
Diana Smith [MSFT]

Hello,

It looks like it is referencing the service principal name for the MSSQLSvc
on the appserver.
 
Richard McCall [MSFT]

You have recently changed the account that the SQL service starts up as.
When you do this, SQL registers the SPN on the user account. The SQL server you
configured with a second account was <computername> in the event log. You
can use ADSIedit to remove the SPN from the first account. If you are unsure
which account, you can use this ldifde command and search the output for the SPN
string.

ldifde -f ldif.txt -t 3268 -d "dc=domain,dc=com" -l serviceprincipalname -r "(serviceprincipalname=MSSQL*)" -p subtree
 
