Kerberos Errors on Domain Controllers


Steve F

I have been getting constant Kerberos errors in the Event
Logs on the Domain Controllers. We are a WIN2k, mixed
mode Domain & just decommissioned our last NT BDC and are
getting ready to switch to Native mode.

I was originally getting the following error in the
Security Log:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 537
Date: 12/10/2003
Time: 12:32:50 PM
User: NT AUTHORITY\SYSTEM
Computer: DOMAINCONTROLLER4
Description:
Logon Failure:
Reason: An unexpected error occurred
during logon
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:


I then enabled Kerberos error logging via the Registry on
1 DC & then got this error in the SYSTEM LOG:

Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 594
Date: 12/10/2003
Time: 11:28:38 AM
User: N/A
Computer: DOMAINCONTROLLER4

Description:
A Kerberos Error Message was received:
on logon session InitializeSecurityContext
Client Time:
Server Time:
Error Code: 16:28:38.0000 12/10/2003 (null) 0x7
Extended Error: KDC_ERR_S_PRINCIPAL_UNKNOWN
Client Realm:
Client Name:
Server Realm: MYDOMAIN.COM
Server Name: krbtgt/MYDOMAIN.COM
Target Name: HOST/[email protected]
Error Text:
File:
Line:

I know that the error refers to a server not being in the
Kerberos database, but what server? I know that the
Target mentioned here (HOST/[email protected]) is
a legitimate server in my domain. I have received 2 of
these detailed messages (only had Kerberos logging on
for a short time); both errors are the same with different
Target Names. The Audit failures in the Security Logs
happen every few seconds constantly.

Can I view the Kerberos DB? Can I update it somehow?

Thanks,

Steve
Tim Springston [MSFT]

Hi Steve-

The Kerberos database in an Active Directory domain is AD. The first
thought is to check the user account mentioned for the service principal
name mentioned to see if it is there.

In other words, check APPSERVER4's servicePrincipalName attribute (using
ADSIEdit.msc or LDP.EXE) and see if HOST/[email protected] is there.
It would be best to do this on the DC which logged the error.

Please repost with what you find.
Tapster

Hi Tim,

I am getting a similar error on my PDC Emulator/Infrastructure
Master/RID Master/GC, except that the SPN being sought is
"HOST/[email protected]". This seems odd. It is certainly not
one of the SPNs the DC has in adsiedit. Why would a server be trying
to look up its loopback address? One thing to note: We are using
AD-integrated DNS, but the service is not installed on this particular
server. As a DNS client, it points to a couple of other DC/DNS
servers. I noticed today that all the DNS servers have this server
listed on the Name Servers tab on the domain properties. Could this
be related to this problem?

Thanks,

David Tappan