Kerberos Error Question

P

PC

Hi,

I've turned on Kerberos logging to help diagnose a problem I've been having
but the error I'm receiving has me a bit puzzled. The error is as follows:

Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 594
Date: 15/09/2004
Time: 11:57:41
User: N/A
Computer: ServerName
Description:
A Kerberos Error Message was received:
on logon session InitializeSecurityContext
Client Time:
Server Time:
Error Code: 10:57:41.0000 9/15/2004 (null) 0x20
Extended Error: KRB_AP_ERR_TKT_EXPIRED
Client Realm:
Client Name:
Server Realm: DomainName
Server Name: krbtgt/DomainName
Target Name: krbtgt/DomainName@DomainName
Error Text:
File:
Line:
Error Data is in record data.

As you can see there is a discrepancy above where event viewer on the server
shows the Time of the error as 11:57:41 but the Kerberos error code shows
the time as 10:57:41.

There is no time discrepancy on this server (i.e. net time command displays
the correct time).

"Adjust for Daylight Saving time" is selected on this server so the time
displayed is one hour ahead of the actual time (GMT in my case) Could this
be the reason for the apparent discrepancy above?

Thanks
 
S

Steven L Umbach

I would check that all computers are using the same settings - time, timezone, and
daylight settings option. There is definitely a time problem. Kerberos only allows a
five minute time difference per domain policy. --- Steve
 
P

PC

Hi Steve, Thanks for the reply.

I have check all systems in the domain again and I'm absolutely positive
there is no difference in Time and timezone/daylight settings. some thing
else is causing this problem.

Is there anything else you can think of to help me diagnose this problem?

Thanks

Paul
 
S

Steven L Umbach

Hmm. That is bizarre. The only thing I can think of is to see if the computer clock
is correct which may require a boot into cmos settings. I don't know if it would make
a difference or not if it is off time. Running netdiag support tool on a domain
computer should tell if their is an ongoing problem with kerberos. It would be good
to run the whole tool and you can get further info on a failed tests with the "
netdiag /test:kerberos /debug " command. Though written for Windows 2003 Server, the
last link is a recent Microsoft doc on troubleshooting kerberos errors. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;321708b --- netdiag and how
to install it
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx
-- troubleshooting kerberos errors.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

kerberos errors 1
Kerberos Error Message 6
kerberos 4
Kerberos' role in a 'std. setup' without bells & whistles 8
Kerberos Error 594 1
Kerberos Error 1
What is this telling me? 1
Event ID 594 1

Top