Re: Kerberos' role in a 'std. setup' without bells & whistles

From: Steven L Umbach (
Date: 06/30/05

  • Next message: Steven L Umbach: "Re: Admin / Domain Admin rights problem"
    Date: Thu, 30 Jun 2005 15:05:57 -0500

    Kerberos is the default authentication method used in a Windows 2000/2003
    domain, and Windows 2000/2003/XP Pro computers can use it and will use it by
    default. This is not something that can or should be disabled. Computers and
    users authenticate with the KDC and use the tickets to access domain
    resources. If Kerberos fails, the users/computers should be able to fall back
    to LM/NTLM/NTLMv2, though things like IPsec policy, if used, may fail
    without Kerberos authentication.

    Active Directory and Kerberos depend heavily on DNS, and if DNS is not
    configured correctly [as in ISP DNS servers being listed as a preferred DNS
    server in the TCP/IP properties of a domain computer] all kinds of problems can
    happen in the domain. Simple network connectivity problems can also cause
    similar problems. What I would suggest is that you first make sure your DNS
    is working correctly and use the support tools netdiag, dcdiag, and gpotool
    on your domain controllers and netdiag on domain computers to check for
    domain/AD/DNS/network connectivity health. The link below has a lot of good
    information about Active Directory DNS, and the support tools are located in
    the support/tools folder of the installation disk of the appropriate
    operating system.

    The link below is good information on troubleshooting Kerberos if problems
    persist after you have verified that your domain is otherwise a well-oiled
    machine. I also pasted the info on that error. Kerberos is time sensitive,
    and all domain computers need to be in sync time-wise [default skew
    tolerance is five minutes]. They should be automatically, but this is still
    something to check on the problem computer. When checking a computer's time,
    always check day/date/year/time zone/AM or PM in addition to the time. By
    default the maximum lifetime for a user ticket is ten hours. --- Steve

    0x20 - KRB_AP_ERR_TKT_EXPIRED: Ticket expired

    Associated internal Windows error codes

    Corresponding debug output messages
      - DebugLog("Trying to renew a ticket past its renew time\n")
      - DebugLog("Trying to renew an expired ticket\n")

    Possible Cause and Resolution
      - The smaller the value for the Maximum lifetime for user ticket
        Kerberos policy setting, the more likely it is that this error will occur.
        Because ticket renewal is automatic, you should not have to do anything if
        you get this message.

    To change the Maximum lifetime for user ticket setting:
      1. Click Start, click All Programs, click Administrative Tools, and
         then click Domain Security Policy.
      2. Click Account Policies, and then click Kerberos Policy.
      3. Increase the value for Maximum lifetime for user ticket.
      4. Run gpupdate /force on any client computer on which you want this
         policy change to take effect immediately.

    "Kim Noer" <> wrote in message
    > Hi there...
    > I haven't quite figured out just yet what my DC uses Kerberos for, so can
    > anyone here clue me in on what it is used for[1]? I've figured out it's
    > about issuing tickets in some security context, and that my DC currently
    > acts as a Kerberos Key Distribution Center, and it somehow relates to
    > LDAP/AD. But a look in my event log shows that it runs in a rather faulty
    > way -
    > Event ID 594 :
    > A Kerberos Error Message was received:
    > on logon session InitializeSecurityContext
    > Client Time: 4:30:5.0000 6/30/2005
    > Server Time: (null)
    > Error Code: 0x20
    > Extended Error: KRB_AP_ERR_TKT_EXPIRED
    > Client Realm:
    > Client Name:
    > Server Realm: domain.tld
    > Server Name: krbtgt/domain.tld
    > Target Name: krbtgt/domain.tld@domain.tld
    > Error Text:
    > File:
    > Line:
    > Error Data is in record data.
    > And since I apparently don't know what the server is using Kerberos for, it
    > makes it difficult to nick this error. Furthermore, a search on this error
    > indicates to me that it's quite an extensive task to fix it - eek!
    > A "klist tickets" shows some tickets that have expired, but not been renewed -
    > Server: myDC@domain.tld
    > KerbTicket Encryption Type: RSADSI RC4-HMAC(NT
    > End Time: 6/17/2005 7:16:25
    > Renew Time: 6/23/2005 21:16:25
    > - presumably, this failure to renew the ticket is what generates the
    > error in the event log?
    > [1] I primarily need some quick advice that enables me to either investigate
    > further (read up on Kerberos etc.) if you think I need Kerberos, or some
    > advice on how to disable Kerberos, if you think I don't need Kerberos.
    > --
    > I doubt, therefore I might be.
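
The checks Steve walks through above (client DNS servers, DC location through the DNS SRV records, clock skew against the DC, and the expired entries that "klist tickets" shows) can be scripted on the problem computer. The script below is an added example, not code from the original thread or from Microsoft; it assumes a domain-joined Windows host with PowerShell 5.1 or later, that $env:USERDNSDOMAIN holds the AD domain name (it does for a domain logon), and that nltest, w32tm and klist are on the path as they are on any domain member. The 300-second threshold is the default Kerberos skew tolerance Steve mentions.

```powershell
# Added example (not from the original post): Kerberos triage on a domain member.
# Order follows the advice above: DNS first, then DC locator, then time, then tickets.
param([int]$MaxSkewSeconds = 300)   # Kerberos default skew tolerance: 5 minutes

function Test-KerbDnsServers {
    # Every DNS server the client lists must host (or forward to) the AD zone.
    # An ISP resolver here is the classic cause of "random" AD/Kerberos failures,
    # because it cannot answer the _msdcs SRV lookups the DC locator depends on.
    $servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        ForEach-Object { $_.ServerAddresses } | Sort-Object -Unique
    foreach ($s in $servers) {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$env:USERDNSDOMAIN" `
                               -Type SRV -Server $s -ErrorAction SilentlyContinue
        [pscustomobject]@{
            DnsServer     = $s
            ResolvesAdSrv = [bool]($srv | Where-Object { $_.Type -eq 'SRV' })
        }
    }
}

function Get-KerbDc {
    # nltest uses the same DC locator as Kerberos/Netlogon; parse its "DC: \\name" line.
    $out = nltest /dsgetdc:$env:USERDNSDOMAIN 2>&1 | Out-String
    if ($out -match 'DC:\s*\\\\(\S+)') { return $Matches[1] }
    throw "DC locator failed; fix DNS before looking at Kerberos:`n$out"
}

function Get-KerbClockSkew([string]$Dc) {
    # w32tm /stripchart prints one "hh:mm:ss, +00.0123456s" line per sample.
    $out = w32tm /stripchart /computer:$Dc /samples:1 /dataonly 2>&1 | Out-String
    if ($out -match ',\s*([+-]?\d+\.\d+)s') { return [double]$Matches[1] }
    throw "Could not measure skew against ${Dc}:`n$out"
}

function Get-KerbTicketStatus {
    # klist prints one block per cached ticket; keep Server / End Time / Renew Time
    # and flag tickets whose End Time is already in the past (as in the post above).
    $now     = Get-Date
    $culture = [cultureinfo]::CurrentCulture   # klist prints dates in the user's locale
    $tickets = New-Object System.Collections.Generic.List[object]
    $cur     = $null
    foreach ($line in (klist tickets 2>&1)) {
        if ($line -match '^\s*Server:\s*(\S.*?)\s*$') {
            $cur = [pscustomobject]@{ Server = $Matches[1]; EndTime = $null
                                      RenewTime = $null; Expired = $false }
            $tickets.Add($cur)
        } elseif ($cur -and $line -match '^\s*End Time:\s*(.+?)\s*(\(local\))?\s*$') {
            $cur.EndTime = [datetime]::Parse($Matches[1], $culture)
            $cur.Expired = $cur.EndTime -lt $now
        } elseif ($cur -and $line -match '^\s*Renew Time:\s*(.+?)\s*(\(local\))?\s*$') {
            $cur.RenewTime = [datetime]::Parse($Matches[1], $culture)
        }
    }
    return $tickets
}

'== DNS servers configured on this client =='
Test-KerbDnsServers | Format-Table -AutoSize

$dc = Get-KerbDc
"Located DC: $dc"

$skew = Get-KerbClockSkew -Dc $dc
if ([math]::Abs($skew) -gt $MaxSkewSeconds) {
    Write-Warning ("Clock skew {0:N1}s exceeds the {1}s Kerberos tolerance; " +
                   "check date, year, time zone and AM/PM, not just the time" -f $skew, $MaxSkewSeconds)
} else {
    "Clock skew vs ${dc}: {0:N3}s (within tolerance)" -f $skew
}

'== Cached Kerberos tickets =='
Get-KerbTicketStatus | Format-Table Server, EndTime, RenewTime, Expired -AutoSize
```

A DNS server row with ResolvesAdSrv = False is the misconfiguration Steve describes and should be fixed before anything else. Expired entries in the cache are not by themselves an error: the client requests a fresh ticket the next time it needs that service, so the KRB_AP_ERR_TKT_EXPIRED events only matter if they coincide with actual access failures. To clear the cache and force fresh tickets on a test machine, run klist purge and then access a domain resource again.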
