Kerberos - the saga continues



Laurence

The saga continues....

After checking in triplicate everything again..... that is checking
everything I think I need to double hop from IIS to SQL

and then finding out you can enable Kerberos event logging....

I seem to have a couple of possible issues.

1. This Kerberos error appears on my IIS box

KDC_ERR_S_PRINCIPAL_UNKNOWN

This would seem to imply the SPN is incorrect for the SQL server, which
using ADSI for my account domain\svc_sql contains

MSSQLSvc\ComputerName.domain.co.uk:1433

and for the computer account contains

MSSQLSvc\ComputerName.domain.co.uk:1433

Are these wrong? Duplicated? How do you check the Kerberos database?

2. This error appears on my SQL box

KDC_ERR_BADOPTION

Why can it not accommodate the request option?

Any thoughts gratefully appreciated.


Kerberos V5 Authentication Protocol Error Messages Generated by Windows
Server 2003


Kerberos Error Number  Kerberos Error Code           Description
0x3                    KDC_ERR_BAD_PVNO              Requested protocol version number not supported.
0x6                    KDC_ERR_C_PRINCIPAL_UNKNOWN   Client not found in Kerberos database.
0x7                    KDC_ERR_S_PRINCIPAL_UNKNOWN   Server not found in Kerberos database.
0x8                    KDC_ERR_PRINCIPAL_NOT_UNIQUE  Multiple principal entries in database.
0xA                    KDC_ERR_CANNOT_POSTDATE       Ticket not eligible for postdating.
0xB                    KDC_ERR_NEVER_VALID           Requested start time is later than end time.
0xC                    KDC_ERR_POLICY                KDC policy rejects request.
0xD                    KDC_ERR_BADOPTION             KDC cannot accommodate requested option.
0xE                    KDC_ERR_ETYPE_NOSUPP          KDC has no support for encryption type.
0xF                    KDC_ERR_SUMTYPE_NOSUPP        KDC has no support for checksum type.
0x10                   KDC_ERR_PADATA_TYPE_NOSUPP    KDC has no support for pre-authentication data type.
0x12                   KDC_ERR_CLIENT_REVOKED        Client's credentials have been revoked.
0x17                   KDC_ERR_KEY_EXPIRED           Password has expired - change password to reset.
0x18                   KDC_ERR_PREAUTH_FAILED        Pre-authentication information was invalid.
0x19                   KDC_ERR_PREAUTH_REQUIRED      Additional pre-authentication required.
0x1B                   KDC_ERR_MUST_USE_USER2USER    Server principal valid for user-to-user only.
0x1C                   KDC_ERR_PATH_NOT_ACCEPTED     KDC Policy rejects transited path.
0x1D                   KDC_ERR_SVC_UNAVAILABLE       A service is not available.
0x1F                   KRB_AP_ERR_BAD_INTEGRITY      Integrity check on decrypted field failed.
0x20                   KRB_AP_ERR_TKT_EXPIRED        Ticket expired.
0x21                   KRB_AP_ERR_TKT_NYV            Ticket not yet valid.
0x22                   KRB_AP_ERR_REPEAT             Request is a replay.
0x23                   KRB_AP_ERR_NOT_US             The ticket isn't for us.
0x24                   KRB_AP_ERR_BADMATCH           Ticket and authenticator do not match.
0x25                   KRB_AP_ERR_SKEW               Clock skew too great.
0x28                   KRB_AP_ERR_MSG_TYPE           Invalid message type.
0x29                   KRB_AP_ERR_MODIFIED           Message stream modified.
0x34                   KRB_ERR_RESPONSE_TOO_BIG      Response too big for UDP, retry with TCP.
0x3C                   KRB_ERR_GENERIC               Generic error (description in e-text).
0x44                   KDC_ERR_WRONG_REALM           User-to-user TGT issued different KDC.
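
An added example, not part of the original post: a small audit for the SPN question in item 1, relying on two facts about Active Directory, that an SPN has the form serviceclass/host:port and that it must be registered on only one account. The sample text is constructed in the layout printed by `setspn -L`, using the account and SPN strings quoted in the post; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the layout printed by `setspn -L <account>`;
# the SPN strings are the ones quoted in the post, the DNs are assumed.
SAMPLE = """\
Registered ServicePrincipalNames for CN=svc_sql,CN=Users,DC=domain,DC=co,DC=uk:
\tMSSQLSvc\\ComputerName.domain.co.uk:1433
Registered ServicePrincipalNames for CN=ComputerName,CN=Computers,DC=domain,DC=co,DC=uk:
\tMSSQLSvc\\ComputerName.domain.co.uk:1433
\tHOST/ComputerName.domain.co.uk
\tHOST/COMPUTERNAME
"""

HEADER = re.compile(r"^Registered ServicePrincipalNames for (.+):\s*$")
# serviceclass/host[:port-or-instance][/servicename]
SPN = re.compile(r"^[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(:[A-Za-z0-9_$.-]+)?(/[^/\s]+)?$")

def parse_setspn(text):
    """Return {account_dn: [spn, ...]} from concatenated `setspn -L` output."""
    accounts, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            accounts[current] = []
        elif line.strip() and current is not None:
            accounts[current].append(line.strip())
    return accounts

def audit_spns(accounts):
    """Return (malformed, duplicates): bad syntax, and SPNs held by >1 account."""
    malformed, owners = [], defaultdict(set)
    for dn, spns in accounts.items():
        for spn in spns:
            if not SPN.match(spn):
                malformed.append((dn, spn))
            # Compare case-insensitively and treat '\' as '/', so a
            # mistyped separator is still recognised as the same name.
            owners[spn.replace("\\", "/").lower()].add(dn)
    duplicates = {s: sorted(d) for s, d in owners.items() if len(d) > 1}
    return malformed, duplicates

if __name__ == "__main__":
    bad, dup = audit_spns(parse_setspn(SAMPLE))
    for dn, spn in bad:
        print(f"malformed SPN on {dn}: {spn}")
    for spn, dns in dup.items():
        print(f"duplicate SPN {spn} registered on: {'; '.join(dns)}")
```
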