Re: Kerberos' role in a 'std. setup' without bells & whistles
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: Thu, 30 Jun 2005 15:05:57 -0500
Kerberos is the default authentication method used in a Windows 2000/2003
domain and Windows 2000/2003/XP Pro computers can use it and will use it by
default. This is not something that can or should be disabled. Computers and
users authenticate with the KDC and use the tickets to access domain
resources. If kerberos fails the users/computers should be able to fall back
to lm/ntlm/ntlmv2 though things like ipsec policy, if used, may fail
without kerberos authentication.
Active Directory and kerberos depend heavily on DNS and if DNS is not
configured correctly [as in ISP dns servers being listed as a preferred dns
server in tcp/ip properties of a domain computer] all kinds of problems can
happen in the domain. Simple network connectivity problems can also cause
similar problems. What I would suggest is that you first make sure your DNS
is working correctly and use the support tools netdiag, dcdiag, and gpotool
on your domain controllers and netdiag on domain computers to check for
domain/AD/dns/network connectivity health. The link below has a lot of good
information about Active Directory dns and the support tools are located in
the support/tools folder of the installation disk of the appropriate
The link below is good information on troubleshooting kerberos if problems
persist after you have verified that your domain is otherwise a well oiled
machine. I also pasted the info on that error. Kerberos is time sensitive
and all domain computers need to be in sync time-wise [default skew
tolerance is five minutes] and should be automatically but this is still
something to check on the problem computer. When checking a computer's time
always check day/date/year/time zone/AM or PM in addition to the time. By
default the maximum lifetime for a user ticket is ten hours. --- Steve
0x20 - KRB_AP_ERR_TKT_EXPIRED: Ticket expired
Associated internal Windows error codes
Corresponding debug output messages
. DebugLog("Trying to renew a ticket past its renew time\n")
. DebugLog("Trying to renew an expired ticket\n")
Possible Cause and Resolution
. The smaller the value for the Maximum lifetime for user ticket
Kerberos policy setting, the more likely it is that this error will occur.
Because ticket renewal is automatic, you should not have to do anything if
you get this message.
To change the Maximum lifetime for user ticket setting:
Click Start, click All Programs, click Administrative Tools, and
then click Domain Security Policy.
Click Accounts Policies, and then click Kerberos Policy.
Increase the value for Maximum lifetime for user ticket.
Run gpupdate /force on any client computer on which you want this
policy change to take effect immediately.
"Kim Noer" <firstname.lastname@example.org> wrote in message
> Hi there...
> I haven't quite figured out just yet what my DC uses Kerberos for, so can
> anyone here clue me in, what it is used for? I've figured out it's
> about issuing tickets in some security context, and that my DC currently
> acts as a Kerberos Key Distribution Center - and it somehow relates to
> LDAP/AD. But a look in my event log shows that it runs in a rather faulty
> way -
> Event ID 594 :
> A Kerberos Error Message was received:
> on logon session InitializeSecurityContext
> Client Time:
> Server Time:
> Error Code: 4:30:5.0000 6/30/2005 (null) 0x20
> Extended Error: KRB_AP_ERR_TKT_EXPIRED
> Client Realm:
> Client Name:
> Server Realm: domain.tld
> Server Name: krbtgt/domain.tld
> Target Name: email@example.com
> Error Text:
> Error Data is in record data.
> And since I apparently don't know what the server is using Kerberos for, it
> makes it difficult to nick this error. Furthermore, a search on this error
> indicates to me that it's quite an extensive task to fix it - eek!
> A "klist tickets" shows some tickets that have expired, but not reviewed -
> Server: myDC@domain.tld
> KerbTicket Encryption Type: RSADSI RC4-HMAC(NT
> End Time: 6/17/2005 7:16:25
> Renew Time: 6/23/2005 21:16:25
> - presumably, this failure to renew the ticket is what generates the
> error in the event log?
> I primarily need some quick advice that enables me to either investigate
> further (read up on Kerberos etc.) if you think I need Kerberos, or some
> advice on how to disable Kerberos, if you think I don't need Kerberos.
> I doubt, therefore I might be.
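The following is an added example, not code from either poster or from Microsoft. It reads "klist tickets" style output of the shape Kim quoted and classifies each ticket as valid, expired but still within its renew window (renewal is automatic, as the pasted KRB_AP_ERR_TKT_EXPIRED notes say), or expired past its renew time (the "Trying to renew a ticket past its renew time" case), and it checks two timestamps against the five-minute default skew tolerance Steve mentions. The klist text, the extra server names and the reference clock are constructed for the example; the parser assumes the "Key: value" layout shown in the thread.

```python
# Added example, not code from the thread: interpret klist-style ticket times
# and apply the clock-skew rule from Steve's reply. The sample klist text and
# the reference clock below are constructed, modelled on the lines Kim quoted.
from datetime import datetime, timedelta

# Default Kerberos policy skew tolerance cited in the thread: five minutes.
MAX_CLOCK_SKEW = timedelta(minutes=5)
# Layout of the End Time / Renew Time values in the quoted klist output.
KLIST_TIME_FORMAT = "%m/%d/%Y %H:%M:%S"

# Constructed sample in the shape of "klist tickets" output quoted above.
# The first block repeats Kim's numbers; the other two servers are made up.
KLIST_SAMPLE = """\
Server: myDC@domain.tld
   KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
   End Time: 6/17/2005 7:16:25
   Renew Time: 6/23/2005 21:16:25
Server: cifs/fileserver.domain.tld@domain.tld
   KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
   End Time: 6/30/2005 2:00:00
   Renew Time: 7/6/2005 16:00:00
Server: krbtgt/domain.tld@domain.tld
   KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
   End Time: 6/30/2005 14:16:25
   Renew Time: 7/7/2005 4:16:25
"""

# Constructed reference clock: the timestamp in Kim's Event ID 594 entry.
REFERENCE_NOW = datetime(2005, 6, 30, 4, 30, 5)


def parse_time(text):
    """Parse a klist-format timestamp such as '6/17/2005 7:16:25'."""
    return datetime.strptime(text.strip(), KLIST_TIME_FORMAT)


def parse_klist(text):
    """Split klist output into one dict per 'Server:' block."""
    tickets = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Server:"):
            current = {"Server": line.split(":", 1)[1].strip()}
            tickets.append(current)
        elif current is not None and ":" in line:
            key, value = line.split(":", 1)
            current[key.strip()] = value.strip()
    return tickets


def ticket_status(ticket, now):
    """Classify a ticket relative to 'now' using its End Time and Renew Time."""
    end = parse_time(ticket["End Time"])
    renew = parse_time(ticket["Renew Time"])
    if now <= end:
        return "valid"
    if now <= renew:
        return "expired_renewable"        # client can still renew automatically
    return "expired_past_renew_time"      # renewal fails; a new ticket is needed


def audit_tickets(klist_text, now):
    """Return (server, status) pairs for every ticket in the klist text."""
    return [(t["Server"], ticket_status(t, now)) for t in parse_klist(klist_text)]


def audit_sample():
    """Run the audit over the constructed sample at the constructed reference time."""
    return audit_tickets(KLIST_SAMPLE, REFERENCE_NOW)


def clock_skew_ok(client_time, server_time):
    """Return (within_tolerance, skew_seconds) for two klist-format timestamps."""
    skew = abs(parse_time(client_time) - parse_time(server_time))
    return skew <= MAX_CLOCK_SKEW, int(skew.total_seconds())


if __name__ == "__main__":
    for server, status in audit_sample():
        print(f"{server}: {status}")
    print(clock_skew_ok("6/30/2005 4:30:05", "6/30/2005 4:37:00"))
```

Run it against real `klist tickets` output by feeding that text to `audit_tickets` with the current time; a ticket reported as expired_past_renew_time is the situation the pasted error notes describe, while a skew check that fails points at the day/date/year/time zone items Steve lists before anything else.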