Re: Kerberos entries in the system log

From: Cliff (cliff.bennett@johnguest.co.uk)
Date: 10/28/02


From: "Cliff" <cliff.bennett@johnguest.co.uk>
Date: Mon, 28 Oct 2002 03:37:24 -0800


Hi,
I looked in DNS and found that the SOA and Name
Server entries refer to our old domain name. I wasn't
surprised by this as we are still in mixed mode as we
have NT4 BDCs. Am I right in thinking that it's OK, or
should those entries be using the new domain name
we started using when we introduced Win2k?

With regard to running Kerbtray, under "names" I got
the following entries...

Client Name: host@DOMAIN2.COM
Server Name: Krbtgt/DOMAIN2.COM@DOMAIN2.COM
Target Name: Krbtgt/DOMAIN1@DOMAIN2

Where DOMAIN2 is our current domain name and
DOMAIN1 is our old domain name. It seems as
though our Win9x and NT4 clients still use the old
domain name when logging on, but the Win2k clients use the
new domain name. I presumed this was because of
the mixed mode and for backward compatibility.

Any thoughts??

>-----Original Message-----
>I can only think of a couple of things. One, is it possible that the
>DNS name for your clients and the DNS name for your domain are
>different? I know Kerberos can get upset if the DNS domain of the
>clients is not the same as the KDC and not contained in the search path.
>
>You could also run the ResKit utility KerbTray and see if you are
>actually receiving tickets. It's possible that something is preventing
>your clients from using Kerberos. Your machines would all fall back to
>NTLMv2. See if you can see any tickets in the client's ticket cache.
>
>Dan
>
>Cliff wrote:
>> Hi Dan,
>> I'm afraid removing and adding one of the hosts didn't
>> work.
>> Any other ideas?
>>
>> Cheers,
>> Cliff.
>>
>>>-----Original Message-----
>>>Hi,
>>>I've had a quick look at the log from yesterday (over
>>>3000 entries!!) and just from the first hundred or so
>>>entries there are over 30 different hosts. I'll pick one
>>>which seems to come up frequently and re-add it to
>>>the domain as suggested. I'll let you know how it goes.
>>>I don't know if this is relevant but it is the only DC that
>>>is reporting this error. It's in a mixed mode domain,
>>>acting as the PDC.
>>>
>>>Cheers.
>>>
>>>>-----Original Message-----
>>>>How many hosts are we talking about? Is it practical to remove and
>>>>re-add them to the domain? It's possible the Kerberos key for the host
>>>>has been corrupted.
>>>>
>>>>Dan
>>>>
>>>>Cliff wrote:
>>>>
>>>>>Hi Dan,
>>>>>We have two subnets and the IP addresses in the logs
>>>>>are coming from both of them. The O/S's of the hosts
>>>>>concerned are NT4 and Win2k. Some of the hosts
>>>>>have internet access, others don't, there seems to be
>>>>>no pattern to which hosts are generating the errors.
>>>>>We have a Firewall between us and the internet. We
>>>>>tried opening port 88/udp (outgoing and incoming), but
>>>>>continued to get the errors.
>>>>>
>>>>>Any ideas?
>>>>>
>>>>>Cheers,
>>>>>Cliff.
>>>>>
>>>>>>-----Original Message-----
>>>>>>Looks to me like you have a host requesting a ticket granting ticket
>>>>>>from your KDC that is not a member of the domain. Is that IP on your
>>>>>>network? Is port 88 open to the internet?
>>>>>>
>>>>>>Dan
>>>>>>
>>>>>>Cliff wrote:
>>>>>>
>>>>>>>Hi,
>>>>>>>I hope someone can help. I keep getting entries in the
>>>>>>>system log of a Win2k DC, 3 or 4 every couple of
>>>>>>>minutes.
>>>>>>>
>>>>>>>"The function initializesecuritycontext recieved a
>>>>>>>Kerberos Error Message:
>>>>>>> on logon session
>>>>>>>Client Time:
>>>>>>>Server Time: 9:27:51:000 10/18/2002 (null)
>>>>>>>Error code: 0x7
>>>>>>>KDC_ERR_S_PRINCIPAL_UNKNOWN
>>>>>>>client realm:
>>>>>>>Client Name:
>>>>>>>Server Realm: Mydomain.com
>>>>>>>Server Name: krbtgt/Mydomain.com
>>>>>>>Target Name: Host/55.102.2.33@Mydomain.com
>>>>>>>Error Text
>>>>>>>File:
>>>>>>>Line:
>>>>>>>Error Data is in record data."
>>>>>>>
>>>>>>>Obviously the log fills up VERY quickly and I'd really
>>>>>>>like to get to the bottom of it! I've tried trawling the net
>>>>>>>for an answer to no avail.
>>>>>>>
>>>>>>>Thanks in advance.
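
A triage helper for the event flood described in the first post of the thread, added here as an example and not written by anyone in the thread: it parses event descriptions in the quoted layout, tolerates values that a mail client wrapped onto the next line, and counts events per target host, marking targets whose host part is an IP address (as in the quoted `Host/55.102.2.33` entry). The function names and the sample host `pc17.example` are hypothetical.

```python
import ipaddress
import re
from collections import Counter

FIELD = re.compile(
    r"^(Client Time|Server Time|Error code|Client Realm|Client Name|Server Realm|"
    r"Server Name|Target Name|Error Text|File|Line):\s*(.*)$", re.I)

def parse_event(text):
    """Parse one event description; a value wrapped onto the next line is rejoined."""
    fields, last = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = FIELD.match(line)
        if m:
            last = m.group(1).title()          # normalise "Error code" -> "Error Code"
            fields[last] = m.group(2).strip()
        elif last and line:                    # continuation of the previous field
            fields[last] = (fields[last] + " " + line).strip()
    return fields

def target_host(target):
    # 'Host/55.102.2.33@Mydomain.com' -> '55.102.2.33'
    return target.partition("@")[0].partition("/")[2].lower()

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def summarize(events):
    """Count events per (error code, target host, host-is-IP-literal), busiest first."""
    counts = Counter()
    for text in events:
        fields = parse_event(text)
        host = target_host(fields.get("Target Name", ""))
        code = (fields.get("Error Code") or "?").split()[0]
        counts[(code, host, is_ip_literal(host))] += 1
    return counts.most_common()

# Constructed sample events in the layout quoted in the thread; sep="\n" wraps values.
_BODY = ("The function InitializeSecurityContext received a Kerberos Error Message:\n"
         " on logon session\nClient Time:\nServer Time: 9:27:51:000 10/18/2002 (null)\n"
         "Error code: 0x7{sep}KDC_ERR_S_PRINCIPAL_UNKNOWN\nClient Realm:\nClient Name:\n"
         "Server Realm: Mydomain.com\nServer Name: krbtgt/Mydomain.com\n"
         "Target Name:{sep}{target}\nError Text:\nFile:\nLine:\n")
SAMPLE_EVENTS = [_BODY.format(sep=s, target=t) for s, t in [
    (" ", "Host/55.102.2.33@Mydomain.com"), ("\n", "Host/55.102.2.33@Mydomain.com"),
    (" ", "Host/pc17.example@Mydomain.com")]]
```

`summarize(SAMPLE_EVENTS)` returns the busiest targets first, so the hosts worth checking in a log of several thousand entries come out at the top.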


