Re: Kerberos authentication fails

From: Steven L Umbach (n9rou_at_nscomcast.net)
Date: 06/10/04 

Date: Thu, 10 Jun 2004 15:18:20 GMT

I wish I could be more help, but don't know offhand what the problem could
be. I did find another link that may help that also includes a white paper
on troubleshootong kerberos errors. It may also be worthwhile searching
http://google.com web and groups for those error messages and
http://eventid.net is a great place to find info about particular events
found in the logs in Event Viewer. --- Steve

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/
security/tkerberr.mspx

"raul" <raultruco@flashmail.com> wrote in message
news:67a710d7.0406092252.200f8fe3@posting.google.com...
> Hello, we had have kerberos log activated yesterday while we test the
> system. We received basically 2 kind of event log messages. I
> copy/paste (I have traslated they ... it could not match the original
> english labels):
>
> Notes:
> DC Server Name: GPRSServer01 (DC, Sql Server, A.Directory, ...)
> Domain DNS name: distromel.gprs
> Client Server Name: GPRSServer03 (when service is running)
>
>
> * System Event logs in GPRSServer03
> ****************************************************************
> An error message was received from Kerberos: in logon
> Client time:
> Server time: 10:33:9.0000 6/9/2004 Z
> Error code: 0xd KDC_ERR_BADOPTION
> Extended error: 0xc00000bb KLIN(0)
> Client Domain:
> Client Name:
> Server domain: DISTROMEL.GPRS
> Server name: host/gprsserver03.distromel.gprs
> Destiny name: host/gprsserver03.distromel.gprs@DISTROMEL.GPRS
> Error text:
> File: 9
> Line: ab8
>
> * System Event logs in GPRSServer01
> ****************************************************************
>
> (15 messeages in a morning of the following type. I think this is
> caused by other services, not ours)
> An error message was received from Kerberos: in logon
>
> Client time:
> Server time: 10:47:48.0000 6/9/2004 Z
> Error code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
> Extended error:
> Client Domain:
> Client Name:
> Server domain: DISTROMEL.GPRS
> Server name: cifs/distromel.gprs
> Destiny name: cifs/distromel.gprs@DISTROMEL.GPRS
> Error text:
> File: 9
> Line: ab8
>
> (5-6 messeages in a morning of the following type)
> An error message was received from Kerberos: in logon
>
> Client time:
> Server time: 10:37:48.0000 6/9/2004 Z
> Error code: 0xd KDC_ERR_BADOPTION
> Extended error: 0xc00000bb KLIN(0)
> Client Domain:
> Client Name:
> Server domain: DISTROMEL.GPRS
> Server name: host/gprsserver01.distromel.gprs
> Destiny name: host/gprsserver01.distromel.gprs@DISTROMEL.GPRS
> Error text:
> File: 9
> Line: ab8
>
> I hope it will be enough,
>
> Thanks and best regards,
> Raul Truco
>
>
> "Steven Umbach" <n9rou@n0spam-comcast.net> wrote in message
news:<8qJxc.72773$Ly.64525@attbi_s01>...
> > I don't know what the problem is but if you have not done such you may
want to
> > enable kerberos logging to give you more detail of what is going on in
the
> > kerberos process - not that I could interpret the results --- Steve
> >
> > http://support.microsoft.com/?id=262177
> >
> > "raul" <raultruco@flashmail.com> wrote in message
> > news:67a710d7.0406090539.6bd9a4a8@posting.google.com...
> > > Hello,
> > >
> > > We have a problem autenticating a user between 2 machines in the same
> > > domain with Kerberos. I'll try to explain our scenario.
> > >
> > > We have a Windows 2003 Server (Enterprise Edition) acting as Domain
> > > Controller with Sql Server 2000 Sp3 running on it. Sql Server process
> > > runs with a custom uesr domain account (SqlCustomUser) (no
> > > Localsystem account). In the same domain we have another Windows 2003
> > > Server with a custom Windows Service (developed with .Net) which runs
> > > with another domain user account (ServiceCustomUser). We have
> > > configure the Sql Server to grant access to this service user and the
> > > service connects to Sql Server using Windows Autentication.
> > >
> > > When our service try to connect to a d.b., Kerberos authentication
> > > fails after 1-2 minutes, and finally the conection is stablished using
> > > NTLM. This is our conclusion after reading several articles and forums
> > > of the web. We have tried several workarounds (Delegation, creation of
> > > 'Service Principal Names' with SetSpn.exe, ...) but we haven't get it
> > > yet.
> > >
> > > Any idea will be well appreciated
> > >
> > > Raśl Truco,
> > >
> > > More info: There isn't any firewall, the network is a standar
> > > ethernet, and if we use Sql Autentication all works ok.

Relevant Pages

  • Re: Kerberos authentication fails
    ... on troubleshootong kerberos errors. ... > An error message was received from Kerberos: ... > Client Domain: ... > Line: ab8 ...
    (microsoft.public.sqlserver)
  • RE: Security Event Log Repeating... Access errors
    ... Tony thanks for the quick reply. ... A Kerberos Error Message was received: ... Client Realm: ... >> Workstation Name: EDECANUSBASE ...
    (microsoft.public.windows.server.sbs)
  • Re: Server not found in Kerberos Database
    ... Server not found in Kerberos Database ... When I am trying to do a kinit on the client, ... I have a KDC on Win2003 and a client which is a Linux is trying = ...
    (comp.protocols.kerberos)
  • Problems unwrapping SPNEGO token for Single Signon (SSO) in WebLogic Server 8.1.
    ... but cannot get WebLogic to unwrap the SPNEGO token so it authenticates using Kerberos. ... We've tried adding the AllowTGTSessionKey registry key on client and server, but that didn't change it either. ... Enable Integrated Windows Authentication ...
    (comp.protocols.kerberos)
  • Re: Kerberos authentication fails
    ... we had have kerberos log activated yesterday while we test the ... Client Server Name: ... * System Event logs in GPRSServer03 ... Server domain: DISTROMEL.GPRS ...
    (microsoft.public.win2000.security)