Kerberos' role in a 'std. setup' without bells & whistles
From: Kim Noer (kn_at_nospam.dk)
Date: Thu, 30 Jun 2005 19:29:48 +0200
I haven't quite figured out just yet, what my DC uses Kerberos for, so can
anyone here clue me in, what it is used for? I've figured out it's about
issueing tickets in some security context, and that my DC current acts as a
Kerberos Key Distribution Center- and it somehow relates to LDAP/AD. But a
look in my event log shows that it runs in a rather fault way -
Event ID 594 :
A Kerberos Error Message was received:
on logon session InitializeSecurityContext
Error Code: 4:30:5.0000 6/30/2005 (null) 0x20
Extended Error: KRB_AP_ERR_TKT_EXPIRED
Server Realm: domain.tld
Server Name: krbtgt/domain.tld
Target Name: firstname.lastname@example.org
Error Data is in record data.
And since I apparently don't know what the server is using Kerberos for it
makes it difficult to nick this error. Futhermore, a search on this error,
indicates to me that it's quite an extensive task to fix it - eek!
A "klist tickets" shows some tickets that have expired, but not reviewed -
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT
End Time: 6/17/2005 7:16:25
Renew Time: 6/23/2005 21:16:25
- presumeably, this failure to renew the ticket, is what generets the error
in the event log?
 I primarily need some quick advice that enables to either investigate
further (read up on Kerberos etc.) if you think I need Kerberos, or some
advice on how to disable Kerberos, if you think I don't need Kerberos.
-- I doubt, therefore I might be.