Re: Kerberos authentication fails

From: Steven L Umbach (n9rou_at_nscomcast.net)
Date: 06/10/04 

Date: Thu, 10 Jun 2004 15:18:20 GMT

I wish I could be more help, but don't know offhand what the problem could
be. I did find another link that may help that also includes a white paper
on troubleshootong kerberos errors. It may also be worthwhile searching
http://google.com web and groups for those error messages and
http://eventid.net is a great place to find info about particular events
found in the logs in Event Viewer. --- Steve

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/
security/tkerberr.mspx

"raul" <raultruco@flashmail.com> wrote in message
news:67a710d7.0406092252.200f8fe3@posting.google.com...
> Hello, we had have kerberos log activated yesterday while we test the
> system. We received basically 2 kind of event log messages. I
> copy/paste (I have traslated they ... it could not match the original
> english labels):
>
> Notes:
> DC Server Name: GPRSServer01 (DC, Sql Server, A.Directory, ...)
> Domain DNS name: distromel.gprs
> Client Server Name: GPRSServer03 (when service is running)
>
>
> * System Event logs in GPRSServer03
> ****************************************************************
> An error message was received from Kerberos: in logon
> Client time:
> Server time: 10:33:9.0000 6/9/2004 Z
> Error code: 0xd KDC_ERR_BADOPTION
> Extended error: 0xc00000bb KLIN(0)
> Client Domain:
> Client Name:
> Server domain: DISTROMEL.GPRS
> Server name: host/gprsserver03.distromel.gprs
> Destiny name: host/gprsserver03.distromel.gprs@DISTROMEL.GPRS
> Error text:
> File: 9
> Line: ab8
>
> * System Event logs in GPRSServer01
> ****************************************************************
>
> (15 messeages in a morning of the following type. I think this is
> caused by other services, not ours)
> An error message was received from Kerberos: in logon
>
> Client time:
> Server time: 10:47:48.0000 6/9/2004 Z
> Error code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
> Extended error:
> Client Domain:
> Client Name:
> Server domain: DISTROMEL.GPRS
> Server name: cifs/distromel.gprs
> Destiny name: cifs/distromel.gprs@DISTROMEL.GPRS
> Error text:
> File: 9
> Line: ab8
>
> (5-6 messeages in a morning of the following type)
> An error message was received from Kerberos: in logon
>
> Client time:
> Server time: 10:37:48.0000 6/9/2004 Z
> Error code: 0xd KDC_ERR_BADOPTION
> Extended error: 0xc00000bb KLIN(0)
> Client Domain:
> Client Name:
> Server domain: DISTROMEL.GPRS
> Server name: host/gprsserver01.distromel.gprs
> Destiny name: host/gprsserver01.distromel.gprs@DISTROMEL.GPRS
> Error text:
> File: 9
> Line: ab8
>
> I hope it will be enough,
>
> Thanks and best regards,
> Raul Truco
>
>
> "Steven Umbach" <n9rou@n0spam-comcast.net> wrote in message
news:<8qJxc.72773$Ly.64525@attbi_s01>...
> > I don't know what the problem is but if you have not done such you may
want to
> > enable kerberos logging to give you more detail of what is going on in
the
> > kerberos process - not that I could interpret the results --- Steve
> >
> > http://support.microsoft.com/?id=262177
> >
> > "raul" <raultruco@flashmail.com> wrote in message
> > news:67a710d7.0406090539.6bd9a4a8@posting.google.com...
> > > Hello,
> > >
> > > We have a problem autenticating a user between 2 machines in the same
> > > domain with Kerberos. I'll try to explain our scenario.
> > >
> > > We have a Windows 2003 Server (Enterprise Edition) acting as Domain
> > > Controller with Sql Server 2000 Sp3 running on it. Sql Server process
> > > runs with a custom uesr domain account (SqlCustomUser) (no
> > > Localsystem account). In the same domain we have another Windows 2003
> > > Server with a custom Windows Service (developed with .Net) which runs
> > > with another domain user account (ServiceCustomUser). We have
> > > configure the Sql Server to grant access to this service user and the
> > > service connects to Sql Server using Windows Autentication.
> > >
> > > When our service try to connect to a d.b., Kerberos authentication
> > > fails after 1-2 minutes, and finally the conection is stablished using
> > > NTLM. This is our conclusion after reading several articles and forums
> > > of the web. We have tried several workarounds (Delegation, creation of
> > > 'Service Principal Names' with SetSpn.exe, ...) but we haven't get it
> > > yet.
> > >
> > > Any idea will be well appreciated
> > >
> > > Raśl Truco,
> > >
> > > More info: There isn't any firewall, the network is a standar
> > > ethernet, and if we use Sql Autentication all works ok.

Relevant Pages

  • Re: Kerberos authentication fails
    ... on troubleshootong kerberos errors. ... > An error message was received from Kerberos: ... > Client Domain: ... > Line: ab8 ...
    (microsoft.public.sqlserver)
  • RE: Security Event Log Repeating... Access errors
    ... Tony thanks for the quick reply. ... A Kerberos Error Message was received: ... Client Realm: ... >> Workstation Name: EDECANUSBASE ...
    (microsoft.public.windows.server.sbs)
  • Re: Server not found in Kerberos Database
    ... Server not found in Kerberos Database ... When I am trying to do a kinit on the client, ... I have a KDC on Win2003 and a client which is a Linux is trying = ...
    (comp.protocols.kerberos)
  • Re: Kerberos authentication fails
    ... we had have kerberos log activated yesterday while we test the ... Client Server Name: ... * System Event logs in GPRSServer03 ... Server domain: DISTROMEL.GPRS ...
    (microsoft.public.win2000.security)
  • Re: Kerberos authentication fails
    ... we had have kerberos log activated yesterday while we test the ... Client Server Name: ... * System Event logs in GPRSServer03 ... Server domain: DISTROMEL.GPRS ...
    (microsoft.public.sqlserver)