Re: Kerberos and Service Ticket Failure nightmares

From: mike (hartnettmd@hotmail.com)
Date: 01/22/03


From: "mike" <hartnettmd@hotmail.com>
Date: Wed, 22 Jan 2003 13:40:57 -0800


Service is krbtg/domainname.com
User Name is the Client Computer Name.

This shows me which client is experiencing the problem,
which is all of them. Kerberos is requesting a renewal from
the Ticket Grant Service and fails. What this indicates to
me as this happens on startups, password changes & just
about all the time. I know that computer passwords are
handled automatically; these are my Domain Kerberos
Settings for both Domain Controller & Domain policy.
Maximum lifetime for Service Ticket 600 minutes.
Maximum lifetime for user Ticket 10 hours
Maximum lifetime for user ticket renewal 10 days
Maximum tolerance for clock synch 60 minutes

Thanks Ondra,
Mike

>-----Original Message-----
>Event ID: 677 (0x02a5)
> Type: Failure Audit
>Description: Service Ticket Request Failed:
>Description: Authentication Ticket Request Failed
> User Name: %1 Supplied Realm Name: %2
> Service Name: %3 Ticket Options: %4
> Failure Code: %5 Client Address: %6
>
>What is shown in "ServiceName" and "UserName"?
>
>Ondra.
>
>
>"Karl Levinson [x y] mvp" <levinson_k@excite.com> wrote in message
>news:OQrVbWbwCHA.2668@TK2MSFTNGP12...
>> I can't think of anything except to check the time on the workstation and
>> server, and possibly also the time zones on both.
>>
>>
>> "Mike" <hartnettmmd@hotmail.com> wrote in message
>> news:03c201c2c19a$7901ca40$d4f82ecf@TK2MSFTNGXA11...
>> > Hi All,
>> > I have W2K Servers SP3 that generate hundreds of Event 677
>> > Failure Code 0x20. The net effect is that users can't
>> > change their passwords without having the computer account
>> > reset. To try and get around this problem I have scheduled
>> > a batch that resets computer accounts hourly using Netdom.
>> > From what I gather a password change requests the Service
>> > Ticket Update prior to granting access to Security
>> > Accounts Manager, in turn allowing a user's account to be
>> > changed. If that part fails then access to SAM fails, and
>> > user can't change their password.
>> > The computer account reset works most of the time but not
>> > always. I know this is a Kerberos issue, but the solution
>> > escapes me.
>> >
>> > Would appreciate any suggestions, this is driving me nuts.
>> > Thanks,
>> > Mike
>>
>>
>
>
>.
>
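
A triage sketch for the situation in this thread, added here as an example and not part of any poster's message: it parses Event 677 records in the field layout quoted above and groups the affected accounts by failure code, so it is visible whether one code hits every client. It assumes the events were exported as text with blank lines between records; the sample records, realm and addresses are constructed, and the error names are the RFC 4120 ones.

```python
import re
from collections import defaultdict

# Kerberos error names from RFC 4120 (subset relevant to ticket failures).
KRB_ERRORS = {
    0x07: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    0x18: "KDC_ERR_PREAUTH_FAILED",
    0x20: "KRB_AP_ERR_TKT_EXPIRED",
    0x25: "KRB_AP_ERR_SKEW",
}
# Field labels as they appear in the Event 677 description template.
FIELDS = {
    "user": r"User Name:\s*(\S+)",
    "service": r"Service Name:\s*(\S+)",
    "code": r"Failure Code:\s*(0x[0-9A-Fa-f]+)",
    "client": r"Client Address:\s*(\S+)",
}

def parse_677(text):
    """Yield one dict per record; records are separated by blank lines."""
    for block in re.split(r"\n\s*\n", text.strip()):
        found = {k: re.search(p, block) for k, p in FIELDS.items()}
        if all(found.values()):               # skip truncated records
            rec = {k: m.group(1) for k, m in found.items()}
            rec["code"] = int(rec["code"], 16)
            yield rec

def summarize(text):
    """Map failure code -> (error name, sorted distinct accounts affected)."""
    accounts = defaultdict(set)
    for rec in parse_677(text):
        accounts[rec["code"]].add(rec["user"])
    return {code: (KRB_ERRORS.get(code, "unknown"), sorted(users))
            for code, users in accounts.items()}

# Constructed sample records (not taken from the thread).
SAMPLE = """\
User Name: WKS01$  Supplied Realm Name: EXAMPLE.COM
Service Name: krbtgt/EXAMPLE.COM  Ticket Options: 0x2
Failure Code: 0x20  Client Address: 192.0.2.11

User Name: WKS02$  Supplied Realm Name: EXAMPLE.COM
Service Name: krbtgt/EXAMPLE.COM  Ticket Options: 0x2
Failure Code: 0x20  Client Address: 192.0.2.12

User Name: WKS01$  Supplied Realm Name: EXAMPLE.COM
Service Name: krbtgt/EXAMPLE.COM  Ticket Options: 0x2
Failure Code: 0x25  Client Address: 192.0.2.11
"""
```

A code that lists nearly every machine account points at something shared, such as time on the domain controller, rather than at individual workstations.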


