Re: Kerberos Error Message
From: Tim Springston [MS] (tspring_at_online.microsoft.com)
Date: 09/13/04
- Next message: Keith Langmead: "SUS patch installs & required reboots"
- Previous message: Brian Rosario: "Domain Controller Administration"
- In reply to: PC: "Re: Kerberos Error Message"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 13 Sep 2004 10:36:14 -0500
Is the Windows Time Service (a.k.a W32Time) started and set to automatic on
the domain controller which you reboot to alleviate the problem?
-- Tim Springston Microsoft Corporation This posting is provided "AS IS" with no warranties, and confers no rights. "PC" <paulm DOT c at iol DOT ie> wrote in message news:eD41dIYmEHA.3452@TK2MSFTNGP15.phx.gbl... > Thanks for the replies. > > I think you are correct with regards to the time issue but I'm not sure > how > to resolve this. Opti_Mystic_69 mention about what appears to be a > discrepency between the clinet and server times in my original post. It > would appear from my post that there is a discrepency but when I check the > servers there is no apparent discrepancies. All servers report the correct > time and date. > > To back track, I have an on going problem where some clients receive an > error when logging on that there is a time discrepancy. This occurs > although > I know for certain there is no time difference between client and server. > I > order to enable authentication I have to restart the KDC on one of my DC > (This is one of 2 DC's but it doesn't host any fsmo roles.) Immediatly I > restart the KDC on this DC the user can logon. > > This happens on only a few machines but nothing seems to work to fix it. I > have tried removing and rejoining the clients. Net diag tests on kerberos > and DNS seem fine. > > Is there someway I could find out why I'm getting time discrepancy errors > and Time related Kerberos errors when there doesn't seem to be any > difference in time on the network? > > Again thanks for your help > > Paul > > > > "Tim Springston [MS]" <tspring@online.microsoft.com> wrote in message > news:OaCvPMTmEHA.416@TK2MSFTNGP10.phx.gbl... >> Opti_Mystic_69 is correct, sounds like a time difference. >> >> A good resource for troubleshooting Kerberos errors is the relatively new >> whitepaper below: >> >> Troubleshooting Kerberos Errors >> > http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx >> >> -- >> Tim Springston >> Microsoft Corporation >> This posting is provided "AS IS" with no warranties, and confers no > rights. >> >> >> "opti_mystic_69" <anonymous@discussions.microsoft.com> wrote in message >> news:030901c4979c$a808d520$a501280a@phx.gbl... >> > Paulm, >> > >> > The error you are receiving (0x20) indicated that the >> > Ticket Granting Ticket has been revoked. This is usually >> > related to a date / time problem, as TGT's are time >> > sensitive. I noticed that in the text of the error you >> > posted that your server date indicates as 10/9/2004 and >> > your client date indicates as 9/9/2004. Also, there >> > appears to be a difference of an hour between the two >> > clocks. Perhaps you should verify that the date and time >> > on both server and clients are synchronized...? I believe >> > that this is the root of the issue. >> > >> > Hope this helps. Please post back with any more questions. >> > >> > Opti_mystic_69 >> > >> > >> >>-----Original Message----- >> >>Hi, >> >> >> >>Hi Have a windows 2000 domain controllor. This server >> > doesn't perform and >> >>Operations master roles. I have turned on Kerberos >> > logging as I have been >> >>having some time sycronisation problem with some clients >> > on the network. >> >> >> >>I'm receiveing a kerberos error every few hours (The >> > doesn't seem to be any >> >>pattern as to when these errors occur). I have looked at >> > eventID (EventID >> >>talks about domain trusts but this is a single domain >> > with no trusts) and >> >>searched on google but I can't find anything about this >> > specific error (Note >> >>in the error code: 0x20). The error is as follows: >> >> >> >>Event Type: Error >> >>Event Source: Kerberos >> >>Event Category: None >> >>Event ID: 594 >> >>Date: 10/09/2004 >> >>Time: 02:26:05 >> >>User: N/A >> >>Computer: DCServer1 >> >>Description: >> >>A Kerberos Error Message was received: >> >> on logon session InitializeSecurityContext >> >> Client Time: >> >> Server Time: >> >> Error Code: 1:26:5.0000 9/10/2004 (null) 0x20 >> >> Extended Error: KRB_AP_ERR_TKT_EXPIRED >> >> Client Realm: >> >> Client Name: >> >> Server Realm: MyDomainName >> >> Server Name: krbtgt/MyDomainName >> >> Target Name: krbtgt/MyDomainName@MyDomainName >> >> Error Text: >> >> File: >> >> Line: >> >> Error Data is in record data. >> >> >> >>For more information, see Help and Support Center at >> >>http://go.microsoft.com/fwlink/events.asp. >> >> >> >> >> >>Does anybody know why I'm receiving this error or where I >> > can find more >> >>information about it. >> >> >> >>Thanks >> >> >> >> >> >>Paul >> >> >> >> >> >>. >> >> >> >> > >
- Next message: Keith Langmead: "SUS patch installs & required reboots"
- Previous message: Brian Rosario: "Domain Controller Administration"
- In reply to: PC: "Re: Kerberos Error Message"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
