Re: Kerberos authentication fails

From: raul (raultruco_at_flashmail.com)
Date: 06/10/04


Date: 9 Jun 2004 23:52:43 -0700

Hello, we had Kerberos logging activated yesterday while we tested the
system. We received basically 2 kinds of event log messages. I
copy/paste them (I have translated them ... they may not match the original
English labels):

Notes:
   DC Server Name: GPRSServer01 (DC, Sql Server, A.Directory, ...)
   Domain DNS name: distromel.gprs
   Client Server Name: GPRSServer03 (when service is running)
   

* System Event logs in GPRSServer03
****************************************************************
An error message was received from Kerberos: in logon
 Client time:
 Server time: 10:33:9.0000 6/9/2004 Z
 Error code: 0xd KDC_ERR_BADOPTION
 Extended error: 0xc00000bb KLIN(0)
 Client Domain:
 Client Name:
 Server domain: DISTROMEL.GPRS
 Server name: host/gprsserver03.distromel.gprs
 Destiny name: host/gprsserver03.distromel.gprs@DISTROMEL.GPRS
 Error text:
 File: 9
 Line: ab8

* System Event logs in GPRSServer01
****************************************************************

(15 messages in a morning of the following type. I think this is
caused by other services, not ours)
An error message was received from Kerberos: in logon

 Client time:
 Server time: 10:47:48.0000 6/9/2004 Z
 Error code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
 Extended error:
 Client Domain:
 Client Name:
 Server domain: DISTROMEL.GPRS
 Server name: cifs/distromel.gprs
 Destiny name: cifs/distromel.gprs@DISTROMEL.GPRS
 Error text:
 File: 9
 Line: ab8

(5-6 messages in a morning of the following type)
An error message was received from Kerberos: in logon

 Client time:
 Server time: 10:37:48.0000 6/9/2004 Z
 Error code: 0xd KDC_ERR_BADOPTION
 Extended error: 0xc00000bb KLIN(0)
 Client Domain:
 Client Name:
 Server domain: DISTROMEL.GPRS
 Server name: host/gprsserver01.distromel.gprs
 Destiny name: host/gprsserver01.distromel.gprs@DISTROMEL.GPRS
 Error text:
 File: 9
 Line: ab8

I hope it will be enough,

Thanks and best regards,
Raul Truco

"Steven Umbach" <n9rou@n0spam-comcast.net> wrote in message news:<8qJxc.72773$Ly.64525@attbi_s01>...
> I don't know what the problem is but if you have not done such you may want to
> enable kerberos logging to give you more detail of what is going on in the
> kerberos process - not that I could interpret the results --- Steve
>
> http://support.microsoft.com/?id=262177
>
> "raul" <raultruco@flashmail.com> wrote in message
> news:67a710d7.0406090539.6bd9a4a8@posting.google.com...
> > Hello,
> >
> > We have a problem authenticating a user between 2 machines in the same
> > domain with Kerberos. I'll try to explain our scenario.
> >
> > We have a Windows 2003 Server (Enterprise Edition) acting as Domain
> > Controller with Sql Server 2000 Sp3 running on it. Sql Server process
> > runs with a custom user domain account (SqlCustomUser) (no
> > Localsystem account). In the same domain we have another Windows 2003
> > Server with a custom Windows Service (developed with .Net) which runs
> > with another domain user account (ServiceCustomUser). We have
> > configured the Sql Server to grant access to this service user and the
> > service connects to Sql Server using Windows Authentication.
> >
> > When our service tries to connect to a d.b., Kerberos authentication
> > fails after 1-2 minutes, and finally the connection is established using
> > NTLM. This is our conclusion after reading several articles and forums
> > on the web. We have tried several workarounds (Delegation, creation of
> > 'Service Principal Names' with SetSpn.exe, ...) but we haven't got it
> > yet.
> >
> > Any idea will be well appreciated
> >
> > Raúl Truco,
> >
> > More info: There isn't any firewall, the network is a standard
> > ethernet, and if we use Sql Authentication all works ok.
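
An added example (not part of the original post or of any Microsoft tool): a small Python parser for Kerberos event text in the shape pasted above, which tallies events per error and requested SPN and lists the SPNs the KDC reported as unknown. The field labels are the poster's translations, the sample is abridged from the three entries in the post, and the function names are assumptions.

```python
import re
from collections import Counter

# Sample input: the three entries from the post, abridged, with the poster's translated labels.
SAMPLE = """\
An error message was received from Kerberos: in logon
 Server time: 10:33:9.0000 6/9/2004 Z
 Error code: 0xd KDC_ERR_BADOPTION
 Extended error: 0xc00000bb KLIN(0)
 Server name: host/gprsserver03.distromel.gprs

An error message was received from Kerberos: in logon

 Client time:
 Server time: 10:47:48.0000 6/9/2004 Z
 Error code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
 Extended error:
 Server name: cifs/distromel.gprs

An error message was received from Kerberos: in logon
 Server time: 10:37:48.0000 6/9/2004 Z
 Error code: 0xd KDC_ERR_BADOPTION
 Server name: host/gprsserver01.distromel.gprs
"""

HEADER = "An error message was received from Kerberos"
FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")  # split on the first colon only

def parse_events(text):
    """Split pasted event text into one dict per event, keyed by lower-cased label."""
    events, current = [], None
    for line in text.splitlines():
        if line.startswith(HEADER):
            current = {}
            events.append(current)
        elif current is not None and (m := FIELD.match(line)):
            current[m.group(1).strip().lower()] = m.group(2).strip()
    return events

def summarize(events):
    """Count events per (error name, requested SPN)."""
    return Counter((ev.get("error code", "").split(" ", 1)[-1],
                    ev.get("server name", "")) for ev in events)

def unknown_spns(events):
    """SPNs the KDC could not find in its database (error 0x7)."""
    return sorted({ev["server name"] for ev in events
                   if "KDC_ERR_S_PRINCIPAL_UNKNOWN" in ev.get("error code", "")
                   and ev.get("server name")})

if __name__ == "__main__":
    evs = parse_events(SAMPLE)
    print(summarize(evs), unknown_spns(evs))
```

The names returned by `unknown_spns` are the ones to compare against what `setspn -L <account>` lists for the accounts involved.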


