Kerberos authentication problems

vince.iacoboni_at_db.com
Date: 12/22/04


Date: 22 Dec 2004 13:07:05 -0800

I'm trying to get Windows authentication working for MS SQL Server
using a domain account. The symptom I'm getting is 'Login failed for
user (null). Not associated with a trusted connection.' errors when
attempting to connect using Windows authentication.

- The service account (dbg\svca_abcmsp) has "Trust this user for
delegation to any service (Kerberos only)" enabled.
- "Account is sensitive and cannot be delegated" is cleared.
- The account is in the Local Administrators group on the two SQL
machines.
- The two computer accounts have "Trust this computer for delegation to
any service (Kerberos only)" enabled.
- ADSI Edit shows the service account has the following
servicePrincipalNames defined:
MSSQLSvc/nycpbasp2417.us.db.com:1433
MSSQLSvc/nycpbasp2418.us.db.com:1433

- I turned on Kerberos logging and got the following results:

Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

------------------------------------------------------------------------------
Listing the events in 'system' log of host 'NYCPBASP2418'
------------------------------------------------------------------------------
Type: Error
Event: 3
Date Time: 12/22/2004 3:10:18 PM
Source: Kerberos
ComputerName: NYCPBASP2418
Category: None
User: N/A
Description: A Kerberos Error Message was received: on logon
session dbg\svca_abcmsp Client Time: Server Time: 20:9:20.0000
12/22/2004 Z Error Code: 0x34 KRB_ERR_RESPONSE_TOO_BIG Extended
Error: Client Realm: Client Name: Server Realm: dbg Server Name:
krbtgt/dbg Target Name: krbtgt/dbg@dbg Error Text: File: e Line:
6b5 Error Data is in record data.

Type: Error
Event: 3
Date Time: 12/22/2004 3:10:18 PM
Source: Kerberos
ComputerName: NYCPBASP2418
Category: None
User: N/A
Description: A Kerberos Error Message was received: on logon
session Client Time: Server Time: 20:9:20.0000 12/22/2004 Z Error
Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN Extended Error: Client Realm:
Client Name: Server Realm: DBG.ADS.DB.COM Server Name:
host/nycpbasp2418.us.db.com Target Name:
host/nycpbasp2418.us.db.com@DBG.ADS.DB.COM Error Text: File: 9
Line: ab8 Error Data is in record data.

Type: Error
Event: 3
Date Time: 12/22/2004 3:10:22 PM
Source: Kerberos
ComputerName: NYCPBASP2418
Category: None
User: N/A
Description: A Kerberos Error Message was received: on logon
session svca_abcmsp@db.com Client Time: Server Time: 20:9:24.0000
12/22/2004 Z Error Code: 0x34 KRB_ERR_RESPONSE_TOO_BIG Extended
Error: Client Realm: Client Name: Server Realm: DBG.ADS.DB.COM
Server Name: krbtgt/DBG.ADS.DB.COM Target Name:
krbtgt/DBG.ADS.DB.COM@DBG.ADS.DB.COM Error Text: File: e Line: 6b5
Error Data is in record data.

Type: Error
Event: 3
Date Time: 12/22/2004 3:10:35 PM
Source: Kerberos
ComputerName: NYCPBASP2418
Category: None
User: N/A
Description: A Kerberos Error Message was received: on logon
session Client Time: Server Time: 20:9:37.0000 12/22/2004 Z Error
Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN Extended Error: Client Realm:
Client Name: Server Realm: DBG.ADS.DB.COM Server Name:
host/nycpbasp2418.us.db.com Target Name:
host/nycpbasp2418.us.db.com@DBG.ADS.DB.COM Error Text: File: 9
Line: ab8 Error Data is in record data.

Type: Error
Event: 3
Date Time: 12/22/2004 3:12:29 PM
Source: Kerberos
ComputerName: NYCPBASP2418
Category: None
User: N/A
Description: A Kerberos Error Message was received: on logon
session Client Time: Server Time: 20:11:47.0000 12/22/2004 Z Error
Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN Extended Error: Client Realm:
Client Name: Server Realm: DBG.ADS.DB.COM Server Name:
cifs/balppasd1009 Target Name: cifs/balppasd1009@DBG.ADS.DB.COM Error
Text: File: 9 Line: ab8 Error Data is in record data.

Type: Error
Event: 3
Date Time: 12/22/2004 3:12:29 PM
Source: Kerberos
ComputerName: NYCPBASP2418
Category: None
User: N/A
Description: A Kerberos Error Message was received: on logon
session NYCPBASP2418\Devadmin Client Time: Server Time:
20:11:47.0000 12/22/2004 Z Error Code: 0x18 KDC_ERR_PREAUTH_FAILED
Extended Error: Client Realm: Client Name: Server Realm: dbg
Server Name: krbtgt/dbg Target Name: krbtgt/dbg@dbg Error Text:
File: e Line: 6b5 Error Data is in record data.

Type: Error
Event: 3
Date Time: 12/22/2004 3:12:29 PM
Source: Kerberos
ComputerName: NYCPBASP2418
Category: None
User: N/A
Description: A Kerberos Error Message was received: on logon
session Client Time: Server Time: 20:11:47.0000 12/22/2004 Z Error
Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN Extended Error: Client Realm:
Client Name: Server Realm: DBG.ADS.DB.COM Server Name:
cifs/nycpbasd2411 Target Name: cifs/nycpbasd2411@DBG.ADS.DB.COM Error
Text: File: 9 Line: ab8 Error Data is in record data.

- I'm not so worried about the cifs/ SPNs; that's probably because the
account logged in to the service is a local admin account only, not a
domain account. I'm concerned with the 0x7 errors mentioning the host/
SPN.

- After seeing the log errors, I had a domain admin run

SETSPN -R nycpbasp2418

When I look at that computer account in ADSI Edit, I see the following
servicePrincipalNames:
HOST/nycpbasp2418$
HOST/nycpbasp2418$.DBG

I expected to see a FQDN there, so I wonder if this is part of the
problem. Or, should I have requested that the domain admin run SETSPN
-R svca_abcmsp instead?

I'd appreciate any help someone can render on this.
Vince
Sr. DBA, Deutsche Bank
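An added example (not part of Vince's post) that parses the Kerberos event dump format quoted above, lists the service names the KDC answered with 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN, and compares them case-insensitively against the SPNs the post says are registered. The sample records are constructed from the posted events; the registered list is the one the post shows in ADSI Edit.

```python
import re

# Constructed sample in the layout of the posted 'system' log dump
# (one event per blank-line-separated record; wrapped descriptions are joined).
SAMPLE_LOG = r"""Event: 3
Date Time: 12/22/2004 3:10:18 PM
Description: A Kerberos Error Message was received: on logon session dbg\svca_abcmsp Client Time: Server Time: 20:9:20.0000 12/22/2004 Z Error Code: 0x34 KRB_ERR_RESPONSE_TOO_BIG Extended Error: Client Realm: Client Name: Server Realm: dbg Server Name: krbtgt/dbg Target Name: krbtgt/dbg@dbg Error Text: File: e Line: 6b5 Error Data is in record data.

Event: 3
Date Time: 12/22/2004 3:10:18 PM
Description: A Kerberos Error Message was received: on logon
session Client Time: Server Time: 20:9:20.0000 12/22/2004 Z Error
Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN Extended Error: Client Realm:
Client Name: Server Realm: DBG.ADS.DB.COM Server Name:
host/nycpbasp2418.us.db.com Target Name:
host/nycpbasp2418.us.db.com@DBG.ADS.DB.COM Error Text: File: 9
Line: ab8 Error Data is in record data.

Event: 3
Date Time: 12/22/2004 3:12:29 PM
Description: A Kerberos Error Message was received: on logon session Client Time: Server Time: 20:11:47.0000 12/22/2004 Z Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN Extended Error: Client Realm: Client Name: Server Realm: DBG.ADS.DB.COM Server Name: cifs/balppasd1009 Target Name: cifs/balppasd1009@DBG.ADS.DB.COM Error Text: File: 9 Line: ab8 Error Data is in record data.
"""

# SPNs the post says are registered (service account plus computer account).
REGISTERED_SPNS = ["MSSQLSvc/nycpbasp2417.us.db.com:1433", "MSSQLSvc/nycpbasp2418.us.db.com:1433",
                   "HOST/nycpbasp2418$", "HOST/nycpbasp2418$.DBG"]

def parse_events(dump):
    """Return one dict per event: numeric error code, its name, requested principal."""
    events = []
    for record in re.split(r"\n\s*\n", dump.strip()):
        # Re-join the wrapped description so field labels are contiguous.
        text = " ".join(line.strip() for line in record.splitlines())
        code = re.search(r"Error Code: (0x[0-9a-fA-F]+) (\S+)", text)
        spn = re.search(r"Server Name: (\S+) Target Name:", text)
        if "Event: 3" in text and code and spn:
            events.append({"code": int(code.group(1), 16),
                           "name": code.group(2), "spn": spn.group(1)})
    return events

def rejected_spns(events):
    """Principals the KDC answered with KDC_ERR_S_PRINCIPAL_UNKNOWN (0x7)."""
    return sorted({e["spn"] for e in events if e["code"] == 0x7})

def unregistered(rejected, registered):
    """Rejected principals with no case-insensitive match in the registered list."""
    have = {s.lower() for s in registered}
    return [s for s in rejected if s.lower() not in have]
```

The comparison is a literal name match only; whether a HOST SPN in short form satisfies a request for the FQDN form is the question the post raises, not something this check decides.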
