RE: Authentication Issue

From: Ralish (Ralish_at_discussions.microsoft.com)
Date: 04/05/05


Date: Tue, 5 Apr 2005 04:49:04 -0700

Furthermore, this event log message may be of use:

SOURCE: Kerberos
CATEGORY: None
Event ID: 4
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/lfn-svr-1.lfn.net. The target name used was
ldap/lfn-svr-1.LFN.net/LFN.net@LFN.net. This indicates that the password used
to encrypt the kerberos service ticket is different than that on the target
server. Commonly, this is due to identically named machine accounts in the
target realm (LFN.NET), and the client realm. Please contact your system
administrator.

Where LFN-SVR-1 = the server name and LFN.net = the domain...

"Ralish" wrote:

> I am maintaining a Windows Server 2003 system (recently
> upgraded to Service Pack 1).
>
> Recently, we have started to experience some severe
> authentication issues that are crippling the server's
> services. In short, all network services that rely on or
> communicate with Active Directory (e.g. DNS, DHCP,
> Certificate Services, etc.) are unable to establish
> communication. I get error messages in the Event Log
> concerning this.
>
> However, from what I can tell, the root of the problem
> lies with this message from LsaSrv:
>
> Source: LSASRV
> Category: SPNEGO (Negotiator)
> Event ID: 40960
> The Security System detected an authentication error for
> the server cifs/LFN-SVR-1. The failure code from
> authentication protocol Kerberos was "The attempted logon
> is invalid. This is either due to a bad username or
> authentication information.
> (0xc000006d)".
>
> Where LFN-SVR-1 is the name of this server.
>
> I get similar error messages with the same error code
> except where cifs is ldap or DNS usually. How would I go
> about resolving this error?


