Re: Win2k kerberos problems
From: Al Blake (al@blakes.net)
Date: 04/12/03
- Next message: Joe Richards [MVP]: "Re: Force Strong Passwords for a single Group"
- Previous message: Curtis Anderson: "Re: ** WARNING ** DANGEROUS E-Mail"
- In reply to: Dmitry Kulshitsky: "Win2k kerberos problems"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Al Blake" <al@blakes.net> Date: Sat, 12 Apr 2003 12:08:55 +1000
I've been there and read that one already but I am still confused :(
As the member server is an IIS box we have enabled 'trust for delegation' on
the server account in AD.
Now does this mean that the 'member server' thinks of itself as the ADC?
The explanation in the link you gave states:
Generally, verifying whether the server account exists and has propagated to
the DC that generated the error.
All three machines throwing errors on the IIS box are in the domain on both
of our ADCs. Also, why is Kerberos referring to the machines by IP, rather
than using the hostname (which is valid in the DNS, we checked)?
Al.
"Dmitry Kulshitsky" <dimkin_remove_@mbox.com.au> wrote in message
news:032301c2ffee$2b53d990$a601280a@phx.gbl...
> Please read this:
> http://www.eventid.net/display.asp?eventid=4&source=Kerberos
>
> >-----Original Message-----
> >Every couple of minutes we are seeing the following messages in the
> >event log of a MEMBER server (not a DC) on our domain:
> >Event Type: Error
> >Event Source: Kerberos
> >Event Category: None
> >Event ID: 4
> >Date: 11/04/2003
> >Time: 3:22:21 PM
> >User: N/A
> >Computer: CHIMERA
> >Description:
> >The function InitializeSecurityContext received a Kerberos Error
> >Message:
> > on logon session
> > Client Time:
> > Server Time: 5:22:21.0000 4/11/2003 (null)
> > Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
> > Client Realm:
> > Client Name:
> > Server Realm: CGGS.ACT.EDU.AU
> > Server Name: krbtgt/CGGS.ACT.EDU.AU
> > Target Name: HOST/172.16.0.30@CGGS.ACT.EDU.AU
> > Error Text:
> > File:
> > Line:
> > Error Data is in record data.
> >
> >We see thousands of these messages a day and they refer to three IP
> >numbers:
> >172.16.0.30 - our ISA firewall which is in its own AD domain
> >192.168.31.22 - the secondary IP of our Exchange server
> >192.168.32.32 - a utility win2k workstation.
> >
> >Now each of these ips has the correct reverse lookup that resolves to
> >a hostname when you run nslookup. But kerberos still logs the error
> >using the IP number.
> >
> >Also,
> >why is a win2k member server (it's our intranet IIS box) logging these
> >errors rather than a dc?
> >Is one of the problems due to the fact that the exchange server has
> >two IPs so we can run two separate web sites on it? The primary IP
> >will resolve as the same name as the machine object in AD but the
> >secondary resolves to a different name, that exists in the dns but NOT
> >in AD.
> >
> >Any suggestions as to how we can fix this as these thousands of errors
> >mean we don't tend to notice other errors.
> >Al Blake, Australia
> >.
> >
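
One way to triage the flood described in the original message, as an added example that is not part of the thread: it groups Kerberos Event ID 4 records by target SPN and marks those whose host part is an IP literal rather than a hostname. The sample text, the `web01.example.test` record and all function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the quoted event's layout; the hostname record is invented.
SAMPLE = """\
> >Event ID: 4
> > Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
> > Target Name: HOST/172.16.0.30@CGGS.ACT.EDU.AU
Event ID: 4
 Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
 Target Name: HOST/172.16.0.30@CGGS.ACT.EDU.AU
Event ID: 4
 Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
 Target Name: HOST/192.168.31.22@CGGS.ACT.EDU.AU
Event ID: 4
 Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
 Target Name: HOST/web01.example.test@EXAMPLE.TEST
"""

FIELD = re.compile(r"^[>\s]*(Event ID|Error Code|Target Name):\s*(.*?)\s*$")
SPN = re.compile(r"^([^/@]+)/([^/@:]+)")  # service class / host

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def parse_events(text):
    """Group field lines into records; each 'Event ID:' line starts a new one."""
    events = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if m and m.group(1) == "Event ID":
            events.append({"Event ID": m.group(2)})
        elif m and events:
            events[-1][m.group(1)] = m.group(2)
    return events

def summarize(text):
    """Count Event ID 4 records per (error name, service/host, host is an IP)."""
    counts = Counter()
    for ev in parse_events(text):
        m = SPN.match(ev.get("Target Name", ""))
        if ev.get("Event ID") != "4" or not m:
            continue
        code = (ev.get("Error Code") or "unknown").split()[-1]
        counts[(code, m.group(0), is_ip_literal(m.group(2)))] += 1
    return counts
```

`summarize(text).most_common()` lists the noisiest targets first, so the repeated IP-literal targets can be separated from any other Kerberos errors in the same export.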