Kerberos Error Message

PC

Hi,

I have a Windows 2000 domain controller. This server doesn't perform any
Operations master roles. I have turned on Kerberos logging as I have been
having some time synchronisation problems with some clients on the network.

I'm receiving a Kerberos error every few hours (there doesn't seem to be any
pattern as to when these errors occur). I have looked at eventID (EventID
talks about domain trusts but this is a single domain with no trusts) and
searched on Google but I can't find anything about this specific error (note
the error code: 0x20). The error is as follows:

Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 594
Date: 10/09/2004
Time: 02:26:05
User: N/A
Computer: DCServer1
Description:
A Kerberos Error Message was received:
on logon session InitializeSecurityContext
Client Time:
Server Time:
Error Code: 1:26:5.0000 9/10/2004 (null) 0x20
Extended Error: KRB_AP_ERR_TKT_EXPIRED
Client Realm:
Client Name:
Server Realm: MyDomainName
Server Name: krbtgt/MyDomainName
Target Name: krbtgt/MyDomainName@MyDomainName
Error Text:
File:
Line:
Error Data is in record data.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


Does anybody know why I'm receiving this error or where I can find more
information about it?

Thanks


Paul
 
Steven L Umbach

First check that basic DNS configuration is correct, as DNS misconfiguration is the
root of most domain problems. Domain controllers must point to themselves and/or the
PDC FSMO domain controller. See the link below on AD DNS FAQ.

http://support.microsoft.com/default.aspx?scid=kb;en-us;291382

You can also use the support tools netdiag and dcdiag to check for domain controller
health. They both will run a battery of tests to check for proper configuration
including Kerberos and you can use the /v switch with netdiag as in " netdiag
/test:kerberos /v ". --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;321708 -- netdiag and how to
install support tools.
 
opti_mystic_69

Paulm,

The error you are receiving (0x20) indicates that the
Ticket Granting Ticket has been revoked. This is usually
related to a date / time problem, as TGTs are time
sensitive. I noticed that in the text of the error you
posted that your server date indicates as 10/9/2004 and
your client date indicates as 9/9/2004. Also, there
appears to be a difference of an hour between the two
clocks. Perhaps you should verify that the date and time
on both server and clients are synchronized...? I believe
that this is the root of the issue.

Hope this helps. Please post back with any more questions.

Opti_mystic_69
 
PC

Thanks for the replies.

I think you are correct with regards to the time issue but I'm not sure how
to resolve this. Opti_Mystic_69 mentioned what appears to be a
discrepancy between the client and server times in my original post. It
would appear from my post that there is a discrepancy but when I check the
servers there are no apparent discrepancies. All servers report the correct
time and date.

To backtrack, I have an ongoing problem where some clients receive an
error when logging on that there is a time discrepancy. This occurs although
I know for certain there is no time difference between client and server. In
order to enable authentication I have to restart the KDC on one of my DCs
(this is one of 2 DCs but it doesn't host any FSMO roles). Immediately I
restart the KDC on this DC the user can log on.

This happens on only a few machines but nothing seems to work to fix it. I
have tried removing and rejoining the clients. Netdiag tests on Kerberos
and DNS seem fine.

Is there some way I could find out why I'm getting time discrepancy errors
and time-related Kerberos errors when there doesn't seem to be any
difference in time on the network?

Again thanks for your help

Paul
 
Tim Springston [MS]

Is the Windows Time Service (a.k.a W32Time) started and set to automatic on
the domain controller which you reboot to alleviate the problem?

--
Tim Springston
Microsoft Corporation
This posting is provided "AS IS" with no warranties, and confers no rights.
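
One way to test the "no time difference" assumption raised in the thread is to measure the clock offset each domain controller's time service actually reports over SNTP, rather than reading the clocks by eye. This is an added example, not code from any poster; the host names given on the command line, the 300-second threshold (the Windows default Kerberos clock-skew tolerance, which the thread does not state) and the constructed `sample_reply` packet are assumptions.

```python
import socket, struct, sys, time

NTP_DELTA = 2208988800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01
MAX_SKEW = 300           # assumption: Windows default Kerberos tolerance, 5 minutes
FMT = "!BBbb11I"         # 48-byte SNTP header: flags, stratum, poll, precision, 11 words

def to_unix(sec, frac):
    return sec - NTP_DELTA + frac / 2**32

def parse_reply(pkt, t1, t4):
    """Return (offset, delay) in seconds; t1/t4 are local send/receive times."""
    if len(pkt) < 48:
        raise ValueError("short SNTP packet")
    f = struct.unpack(FMT, pkt[:48])
    if f[0] & 0x7 != 4 or f[1] == 0:      # must be mode 4 (server), stratum != 0
        raise ValueError("not a usable server reply")
    t2 = to_unix(f[11], f[12])            # server receive timestamp
    t3 = to_unix(f[13], f[14])            # server transmit timestamp
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)

def query(host, timeout=3.0):
    """Send one SNTP client request (VN=3, mode 3) to host:123."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(b"\x1b" + 47 * b"\0", (host, 123))
        pkt, _ = s.recvfrom(512)
        t4 = time.time()
    return parse_reply(pkt, t1, t4)

def exceeds_skew(offset):
    return abs(offset) > MAX_SKEW

def sample_reply(t2, t3):
    """Constructed server reply for offline testing (not captured traffic)."""
    ts = lambda t: (int(t) + NTP_DELTA, int((t % 1) * 2**32))
    return struct.pack(FMT, 0x1C, 2, 6, -20, *([0] * 7), *ts(t2), *ts(t3))

if __name__ == "__main__":
    for host in sys.argv[1:]:             # e.g. the names of both DCs
        try:
            off, delay = query(host)
            flag = "EXCEEDS TOLERANCE" if exceeds_skew(off) else "ok"
            print(f"{host}: offset {off:+.3f}s delay {delay:.3f}s {flag}")
        except (OSError, ValueError) as e:
            print(f"{host}: no usable reply ({e})")
```

Running it from an affected client against each domain controller in turn shows whether one of them is serving a different time than the other; a positive offset means the server clock is ahead of the machine running the script.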
 
