Re: Kerberos' role in a 'std. setup' without bells & whistles
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: Thu, 30 Jun 2005 20:46:07 -0700
As Steve suggests, before trying to fix Kerberos itself, check whether
you need to fix its key dependencies of DNS and timesync (which can
be off due to DNS).
Kerb in a tiny nutshell is that at authentication a TGT, ticket granting
ticket, is received. This TGT is the passport for getting service tickets
for accessing services (resources). The TGT is obtained in a fancy
dance of three parties, and afterwards acts like a token of the holder's
identity, such that when presented to the KDC it is key to getting
tickets and hence access to services.
The steps in the "fancy dance" underlying this must be completed
within a set time from when they start, so it is critical that all parties
to the dance believe it is the same time. The PDC emulator of each
domain is responsible for this time sync service for its domain, and
the PDC emulator of the forest root domain is responsible for telling
all the other PDC emulators what time it really is.
So, if for example your domain does not have a PDC FSMO at the
moment, eventual chaos follows. Or, if the DNS records are not
up-to-date and correctly pointing to the PDC FSMO, machines do
not find it in order to get in sync (which, if they are out of sync,
means they will likely stay out of sync since they will not be allowed
to use the other lookup methods with LDAP inquiry to AD to find
their PDC FSMO). Again, chaos follows.
So, start by ruling out issues with the dependencies of Kerberos.
Run netdiag and dcdiag on each of your domain controllers as a
first step to see if these utilities like things.
--
Roger Abell
Microsoft MVP (Windows Security)

"Kim Noer" <firstname.lastname@example.org> wrote in message news:eOfBSlZfFHA.1444@TK2MSFTNGP10.phx.gbl...
> Hi there...
>
> I haven't quite figured out just yet what my DC uses Kerberos for, so can
> anyone here clue me in what it is used for? I've figured out it's about
> issuing tickets in some security context, and that my DC currently acts as a
> Kerberos Key Distribution Center, and it somehow relates to LDAP/AD. But a
> look in my event log shows that it runs in a rather faulty way:
>
> Event ID 594:
>
> A Kerberos Error Message was received:
> on logon session InitializeSecurityContext
> Client Time: 4:30:5.0000 6/30/2005
> Server Time: (null)
> Error Code: 0x20
> Extended Error: KRB_AP_ERR_TKT_EXPIRED
> Client Realm:
> Client Name:
> Server Realm: domain.tld
> Server Name: krbtgt/domain.tld
> Target Name: email@example.com
> Error Text:
> File:
> Line:
> Error Data is in record data.
>
> And since I apparently don't know what the server is using Kerberos for, it
> makes it difficult to nick this error. Furthermore, a search on this error
> indicates to me that it's quite an extensive task to fix it - eek!
>
> A "klist tickets" shows some tickets that have expired, but not renewed:
>
> Server: myDC@domain.tld
> KerbTicket Encryption Type: RSADSI RC4-HMAC(NT
> End Time: 6/17/2005 7:16:25
> Renew Time: 6/23/2005 21:16:25
>
> - presumably, this failure to renew the ticket is what generates the error
> in the event log?
>
> I primarily need some quick advice that enables me to either investigate
> further (read up on Kerberos etc.) if you think I need Kerberos, or some
> advice on how to disable Kerberos, if you think I don't need Kerberos.
>
> --
> I doubt, therefore I might be.
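As an added example (not code from either poster), the following Python script turns the two artifacts quoted in the thread, the "klist tickets" output and the time fields of an Event ID 594 record, into the two questions Roger's reply raises: is each ticket merely expired but still renewable, or does the client need a fresh ticket from the KDC (which is where DNS and the PDC emulator come in), and is the client/server clock skew beyond what Kerberos tolerates. It assumes the field layouts exactly as they appear in the quoted post; the sample text below is constructed, with the krbtgt ticket and the server time invented so that every branch is exercised, and the 5-minute limit is the Windows default for the "Maximum tolerance for computer clock synchronization" policy.

```python
import re
from datetime import datetime, timedelta

# Windows default for the Kerberos policy "Maximum tolerance for computer
# clock synchronization"; a larger client/KDC skew gets requests rejected.
MAX_CLOCK_SKEW = timedelta(minutes=5)

KLIST_TIME = "%m/%d/%Y %H:%M:%S"      # klist style: "6/17/2005 7:16:25"
EVENT_TIME = "%H:%M:%S.%f %m/%d/%Y"   # Event 594 style: "4:30:5.0000 6/30/2005"

# Constructed sample in the shape of the "klist tickets" output quoted in the
# thread. The first ticket is the one from the post; the krbtgt ticket is
# invented so that both status classes show up.
KLIST_SAMPLE = """\
Server: myDC@domain.tld
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT
End Time: 6/17/2005 7:16:25
Renew Time: 6/23/2005 21:16:25

Server: krbtgt/domain.tld@domain.tld
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT
End Time: 6/30/2005 14:30:05
Renew Time: 7/7/2005 4:30:05
"""

# Constructed sample of the time/error fields of an Event ID 594 record. The
# client time is the one from the post; the server time is invented (the post
# shows "(null)") so that the skew check has something to compare.
EVENT_SAMPLE = """\
Client Time: 4:30:5.0000 6/30/2005
Server Time: 4:37:0.0000 6/30/2005
Error Code: 0x20
Extended Error: KRB_AP_ERR_TKT_EXPIRED
"""


def parse_klist(text):
    """Return one dict per ticket block: server name, End Time, Renew Time."""
    tickets = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            if ":" in line:
                key, value = line.split(":", 1)   # split on the first colon only
                fields[key.strip()] = value.strip()
        tickets.append({
            "server": fields["Server"],
            "end": datetime.strptime(fields["End Time"], KLIST_TIME),
            "renew": datetime.strptime(fields["Renew Time"], KLIST_TIME),
        })
    return tickets


def ticket_status(ticket, now):
    """Classify a ticket against the client's current clock."""
    if now < ticket["end"]:
        return "valid"
    if now < ticket["renew"]:
        return "expired-renewable"        # renewable without a new AS exchange
    return "expired-not-renewable"        # a fresh ticket must come from the KDC


def parse_event_times(text):
    """Return (client_time, server_time) from Event 594 text; a missing or
    "(null)" field comes back as None."""
    result = []
    for key in ("Client Time", "Server Time"):
        match = re.search(rf"^{key}:\s*(.*)$", text, re.M)
        value = match.group(1).strip() if match else ""
        result.append(None if value in ("", "(null)")
                      else datetime.strptime(value, EVENT_TIME))
    return tuple(result)


def clock_skew(client_time, server_time):
    """Absolute difference between the two clocks, or None if one is unknown."""
    if client_time is None or server_time is None:
        return None
    return abs(client_time - server_time)


def triage(klist_text, event_text, now=None):
    """Combine both checks: per-ticket status plus the clock-skew verdict.
    'now' defaults to the event's client time so the run is reproducible."""
    client_time, server_time = parse_event_times(event_text)
    now = now or client_time or datetime.now()
    skew = clock_skew(client_time, server_time)
    return {
        "tickets": {t["server"]: ticket_status(t, now) for t in parse_klist(klist_text)},
        "skew_seconds": None if skew is None else skew.total_seconds(),
        "skew_exceeds_tolerance": skew is not None and skew > MAX_CLOCK_SKEW,
    }


if __name__ == "__main__":
    for key, value in triage(KLIST_SAMPLE, EVENT_SAMPLE).items():
        print(f"{key}: {value}")
```

Run against the constructed samples it reports the myDC ticket as expired and past its renew window, the krbtgt ticket as valid, and a skew of 415 seconds, which exceeds the 5-minute tolerance. An "expired-not-renewable" ticket is the case Roger describes: the client has to go back to the KDC for a new ticket, so DNS must resolve the KDC and the clocks must agree before Kerberos itself is worth debugging; when the event's Server Time is "(null)", as in the quoted record, the script reports no skew figure rather than guessing one.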