Re: Kerberos' role in a 'std. setup' without bells & whistles
From: Kim Noer (kn_at_nospam.dk)
Date: 07/03/05
- Next message: Adam White: "Logon/Logoff Failure Audit - Event 537 in Windows Server 2003"
- Previous message: Steven L Umbach: "Re: VPN Working but 0 traffic at log?!?"
- In reply to: Roger Abell: "Re: Kerberos' role in a 'std. setup' without bells & whistles"
- Next in thread: Kim Noer: "Re: Kerberos' role in a 'std. setup' without bells & whistles"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 3 Jul 2005 18:17:00 +0200
"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:%23bAmTokfFHA.3316@TK2MSFTNGP14.phx.gbl
> Anyway, let us know how things turn out for you.
After some sniffing around I came up with nothing. All the computers I checked
had the right time, within a minute of the 'DC time'.
Checking the event log shows two Kerberos event ID 594 errors. Both entries are
very poor on details (read: none) -
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 594
Date: 03-07-2005
Time: 13:14:51
User: N/A
Computer: ThePDC
Description:
A Kerberos Error Message was received:
on logon session InitializeSecurityContext
Client Time:
Server Time:
Error Code: 11:14:51.0000 7/3/2005 (null) 0x20
Extended Error: KRB_AP_ERR_TKT_EXPIRED
Client Realm:
Client Name:
Server Realm: domain.tld
Server Name: krbtgt/domain.tld
Target Name: krbtgt/domain.tld@domain.tld
Error Text:
File:
Line:
Error Data is in record data.
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 594
Date: 03-07-2005
Time: 13:15:14
User: N/A
Computer: ThePDC
Description:
A Kerberos Error Message was received:
on logon session InitializeSecurityContext
Client Time:
Server Time:
Error Code: 11:15:14.0000 7/3/2005 (null) 0x20
Extended Error: KRB_AP_ERR_TKT_EXPIRED
Client Realm:
Client Name:
Server Realm: domain.tld
Server Name: krbtgt/domain.tld
Target Name: krbtgt/domain.tld@domain.tld
Error Text:
File:
Line:
Error Data is in record data.
From what I can read, it's the actual PDC that has problems with expiring
tickets..?
The corresponding security entries are -
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 677
Date: 03-07-2005
Time: 13:14:51
User: NT AUTHORITY\SYSTEM
Computer: ThePDC
Description:
Service Ticket Request Failed:
User Name:
User Domain:
Service Name: krbtgt/domain.tld
Ticket Options: 0x2
Failure Code: 0x20
Client Address: 127.0.0.1
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 677
Date: 03-07-2005
Time: 13:15:14
User: NT AUTHORITY\SYSTEM
Computer: ThePDC
Description:
Service Ticket Request Failed:
User Name: ThePDC$
User Domain: domain.tld
Service Name: krbtgt/domain.tld
Ticket Options: 0x2
Failure Code: 0x20
Client Address: 127.0.0.1
Now I can do what Steven suggested, that is changing the lifetime for the
tickets, but isn't that just a symptom treatment more than an actual fix? I
mean, shouldn't this expiring thingy just work "out of the box"?
--
I doubt, therefore I might be.
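An added example, not part of the original post: Python that parses event 677 text in the layout shown above and decodes its hex fields into names. It assumes the Ticket Options value is the RFC 4120 KDCOptions bit field; the function names and the trimmed sample are constructed for illustration.

```python
import re
# Kerberos error codes from RFC 4120; 0x20 is the one in the post.
KRB_ERRORS = {0x07: "KDC_ERR_S_PRINCIPAL_UNKNOWN", 0x18: "KDC_ERR_PREAUTH_FAILED",
              0x20: "KRB_AP_ERR_TKT_EXPIRED", 0x25: "KRB_AP_ERR_SKEW"}
# KDCOptions flags; RFC 4120 counts bit 0 as the most significant of 32 bits.
KDC_OPTIONS = {0x40000000: "forwardable", 0x00800000: "renewable",
               0x00000010: "renewable-ok", 0x00000002: "renew", 0x00000001: "validate"}
FIELD = re.compile(r"^\s*([A-Za-z ]+?):[ \t]*(.*)$")

def parse_records(text):
    """Split a text export into one dict per event; 'Event Type' starts a record."""
    records = []
    for m in filter(None, map(FIELD.match, text.splitlines())):
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Event Type":
            records.append({})
        if records:
            records[-1][key] = value
    return records

def triage(records):
    """Decode the hex fields of each event 677 into names a reader can act on."""
    findings = []
    for r in records:
        if r.get("Event ID") != "677":
            continue
        code, opts = int(r["Failure Code"], 16), int(r["Ticket Options"], 16)
        findings.append({
            "time": r.get("Time", ""),
            "user": r.get("User Name") or "(empty)",
            "service": r["Service Name"],
            "error": KRB_ERRORS.get(code, hex(code)),
            "options": [name for bit, name in KDC_OPTIONS.items() if opts & bit],
            "from_dc_itself": r["Client Address"].startswith("127."),
        })
    return findings

# Constructed sample: the post's two event 677 records, trimmed to the fields used.
_TEMPLATE = """Event Type: Failure Audit
Event ID: 677
Time: {time}
User Name: {user}
Service Name: krbtgt/domain.tld
Ticket Options: 0x2
Failure Code: 0x20
Client Address: 127.0.0.1
"""
SAMPLE = (_TEMPLATE.format(time="13:14:51", user="")
          + _TEMPLATE.format(time="13:15:14", user="ThePDC$"))
```

Run over the two records, `triage(parse_records(SAMPLE))` decodes both as a `renew` request for `krbtgt/domain.tld` that was rejected with KRB_AP_ERR_TKT_EXPIRED and came from 127.0.0.1.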