Re: Kerberos authentication fails

From: raul (raultruco_at_flashmail.com)
Date: 06/10/04


Date: 9 Jun 2004 23:52:43 -0700

Hello, we had Kerberos logging activated yesterday while we tested the
system. We received basically 2 kinds of event log messages. I
copy/paste them (I have translated them ... they might not match the original
English labels):

Notes:
   DC Server Name: GPRSServer01 (DC, Sql Server, A.Directory, ...)
   Domain DNS name: distromel.gprs
   Client Server Name: GPRSServer03 (when service is running)
   

* System Event logs in GPRSServer03
****************************************************************
An error message was received from Kerberos: in logon
 Client time:
 Server time: 10:33:9.0000 6/9/2004 Z
 Error code: 0xd KDC_ERR_BADOPTION
 Extended error: 0xc00000bb KLIN(0)
 Client Domain:
 Client Name:
 Server domain: DISTROMEL.GPRS
 Server name: host/gprsserver03.distromel.gprs
 Destiny name: host/gprsserver03.distromel.gprs@DISTROMEL.GPRS
 Error text:
 File: 9
 Line: ab8

* System Event logs in GPRSServer01
****************************************************************

(15 messages in a morning of the following type. I think this is
caused by other services, not ours)
An error message was received from Kerberos: in logon

 Client time:
 Server time: 10:47:48.0000 6/9/2004 Z
 Error code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
 Extended error:
 Client Domain:
 Client Name:
 Server domain: DISTROMEL.GPRS
 Server name: cifs/distromel.gprs
 Destiny name: cifs/distromel.gprs@DISTROMEL.GPRS
 Error text:
 File: 9
 Line: ab8

(5-6 messages in a morning of the following type)
An error message was received from Kerberos: in logon

 Client time:
 Server time: 10:37:48.0000 6/9/2004 Z
 Error code: 0xd KDC_ERR_BADOPTION
 Extended error: 0xc00000bb KLIN(0)
 Client Domain:
 Client Name:
 Server domain: DISTROMEL.GPRS
 Server name: host/gprsserver01.distromel.gprs
 Destiny name: host/gprsserver01.distromel.gprs@DISTROMEL.GPRS
 Error text:
 File: 9
 Line: ab8

I hope it will be enough,

Thanks and best regards,
Raul Truco

"Steven Umbach" <n9rou@n0spam-comcast.net> wrote in message news:<8qJxc.72773$Ly.64525@attbi_s01>...
> I don't know what the problem is but if you have not done such you may want to
> enable kerberos logging to give you more detail of what is going on in the
> kerberos process - not that I could interpret the results --- Steve
>
> http://support.microsoft.com/?id=262177
>
> "raul" <raultruco@flashmail.com> wrote in message
> news:67a710d7.0406090539.6bd9a4a8@posting.google.com...
> > Hello,
> >
> > We have a problem authenticating a user between 2 machines in the same
> > domain with Kerberos. I'll try to explain our scenario.
> >
> > We have a Windows 2003 Server (Enterprise Edition) acting as Domain
> > Controller with Sql Server 2000 Sp3 running on it. Sql Server process
> > runs with a custom user domain account (SqlCustomUser) (no
> > Localsystem account). In the same domain we have another Windows 2003
> > Server with a custom Windows Service (developed with .Net) which runs
> > with another domain user account (ServiceCustomUser). We have
> > configured the Sql Server to grant access to this service user and the
> > service connects to Sql Server using Windows Authentication.
> >
> > When our service tries to connect to a d.b., Kerberos authentication
> > fails after 1-2 minutes, and finally the connection is established using
> > NTLM. This is our conclusion after reading several articles and forums
> > on the web. We have tried several workarounds (Delegation, creation of
> > 'Service Principal Names' with SetSpn.exe, ...) but we haven't got it
> > yet.
> >
> > Any idea will be well appreciated
> >
> > Raúl Truco,
> >
> > More info: There isn't any firewall, the network is a standard
> > ethernet, and if we use Sql Authentication all works ok.
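
Added example (not part of the original thread): a small Python triage script that parses Kerberos error events pasted in the layout shown above, using the poster's translated labels, and counts them per error code and requested service principal. The sample text is constructed from values quoted in the post, and the error descriptions come from RFC 4120, not from the thread.

```python
import re
from collections import Counter

# RFC 4120 meanings of the two KDC error codes seen in the post.
KDC_ERRORS = {
    0x07: "KDC_ERR_S_PRINCIPAL_UNKNOWN: server not found in Kerberos database",
    0x0D: "KDC_ERR_BADOPTION: KDC cannot accommodate requested option",
}

# Constructed sample: abridged events in the post's layout and translated labels.
SAMPLE = """\
An error message was received from Kerberos: in logon
 Server time: 10:47:48.0000 6/9/2004 Z
 Error code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
 Extended error:
 Server name: cifs/distromel.gprs
An error message was received from Kerberos: in logon
 Error code: 0xd KDC_ERR_BADOPTION
 Extended error: 0xc00000bb KLIN(0)
 Server name: host/gprsserver01.distromel.gprs
An error message was received from Kerberos: in logon
 Error code: 0xd KDC_ERR_BADOPTION
 Server name: host/gprsserver03.distromel.gprs
"""

HEADER = "An error message was received from Kerberos"
FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")

def parse_events(text):
    """Split pasted event text into one {label: value} dict per event."""
    events = []
    for line in text.splitlines():
        if line.startswith(HEADER):
            events.append({})
        elif events and (m := FIELD.match(line)):
            events[-1][m.group(1)] = m.group(2).strip()
    return events

def summarize(events):
    """Count events per (numeric error code, requested service principal)."""
    tally = Counter()
    for ev in events:
        code = int((ev.get("Error code") or "0x0").split()[0], 16)
        tally[(code, ev.get("Server name") or "?")] += 1
    return tally

if __name__ == "__main__":
    for (code, spn), n in summarize(parse_events(SAMPLE)).most_common():
        print(f"{n}x {spn}: {KDC_ERRORS.get(code, hex(code))}")
```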