Win2k kerberos problems

From: Dmitry Kulshitsky (dimkin_remove_@mbox.com.au)
Date: 04/11/03 

From: "Dmitry Kulshitsky" <dimkin_remove_@mbox.com.au>
Date: Thu, 10 Apr 2003 22:49:51 -0700

Please read this:
http://www.eventid.net/display.asp?
eventid=4&source=Kerberos

>-----Original Message-----
>Every couple of minutes we are seeing the following
messages in the
>event log of a MEMBER server (not a DC) on our domain:
>Event Type: Error
>Event Source: Kerberos
>Event Category: None
>Event ID: 4
>Date: 11/04/2003
>Time: 3:22:21 PM
>User: N/A
>Computer: CHIMERA
>Description:
>The function InitializeSecurityContext received a
Kerberos Error
>Message:
> on logon session
> Client Time:
> Server Time: 5:22:21.0000 4/11/2003 (null)
> Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
> Client Realm:
> Client Name:
> Server Realm: CGGS.ACT.EDU.AU
> Server Name: krbtgt/CGGS.ACT.EDU.AU
> Target Name: HOST/172.16.0.30@CGGS.ACT.EDU.AU
> Error Text:
> File:
> Line:
> Error Data is in record data.
>
>We see thousands of these messages a day and they refer
to three IP
>numbers:
>172.16.0.30 - our ISA firewall which is in its own AD
domain
>192.168.31.22 - the secondary IP of our Exchange server
>192.168.32.32 - a utility win2k workstation.
>
>Now each of these ips has the correct reverse lookup that
resolves to
>a hostname when you run nslookup. But kerberos still logs
the error
>using the IP number.
>
>Also,
>why is a win2k member server (it's our intranet IIS box)
logging these
>errors rather than a dc?
>Is one of the problems due to the fact that the exchange
server has
>two IPs so we can run two seperate web sites on it. The
primary IP
>will resolve as the same name as the machine object in AD
but the
>secondary resolves to a different name, that exists in
the dns but NOT
>in AD.
>
>Any suggestions as to how we can fix this as these
thousands of errors
>mean we dont tend to notice other errors.
>Al Blake, Australia
>.
>