Kerberos Issue

From: Ralish (Ralish_at_discussions.microsoft.com)
Date: 04/06/05


Date: Wed, 6 Apr 2005 03:09:04 -0700

I have been tearing my hair out over an issue with this Windows Server 2003
machine for days now. Thankfully, I have made some progress in diagnosing the
problem, but I am unsure how to proceed.

In short, the Active Directory service starts up, but is unable to load the
global catalog - citing access denied.

Furthermore, as a result, all services that depend on Active Directory, such
as DNS, DHCP, Certificate Services, etc... are unable to establish
communication and fail as well.

I have tracked the issue down to an authentication issue with Kerberos.

The system appears to be unable to authenticate as itself, with the Security
Log flooded with Events from 'Security' with Event ID '675':

Pre-authentication failed:
         User Name: LFN-SVR-1$
         User ID: LFN\LFN-SVR-1$
         Service Name: krbtgt/LFN.NET
         Pre-Authentication Type: 0x2
         Failure Code: 0x18
         Client Address: 127.0.0.1

LFN-SVR-1 is the name of the machine and LFN is the short domain name.

I have also downloaded the MS Resource Tools Kit - and used klist.exe.

klist tickets - Informs me that there are 0 cached tickets...
klist tgt - 'Error calling function LsaCallAuthenticationPackage: 0
The operation completed successfully.
Substatus: 0x8009030e

Any and all help would be greatly appreciated in solving this problem.

Yours hopefully,

Ralish
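The event text quoted above can be decoded mechanically, which makes the pattern in this post (the DC's own machine account failing pre-authentication against krbtgt from loopback) easy to spot among the ordinary bad-password noise. What follows is an added example written for this thread, not code from the original post or from Microsoft's tools: the error-code and pre-auth-type names are from RFC 4120, the hostname LFN-SVR-1 and the first sample event are taken from the post, the other two sample events are constructed, and the "self-auth failure" test is this example's own heuristic.

```python
"""Decode Windows Security event 675 (Kerberos pre-authentication failed)
into structured fields and flag the symptom from the post: the domain
controller's own machine account unable to obtain a TGT from itself.
Added example; sample events below are constructed except the first,
which mirrors the one quoted in the post."""
import re
from collections import Counter

# Kerberos error codes per RFC 4120 section 7.5.9 (subset seen in AS-REQ failures).
KRB_ERRORS = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN (client principal not found)",
    0x07: "KDC_ERR_S_PRINCIPAL_UNKNOWN (service principal not found)",
    0x12: "KDC_ERR_CLIENT_REVOKED (account disabled, expired or locked out)",
    0x17: "KDC_ERR_KEY_EXPIRED (password expired)",
    0x18: "KDC_ERR_PREAUTH_FAILED (pre-auth data rejected: wrong key/password)",
    0x19: "KDC_ERR_PREAUTH_REQUIRED (client must retry with pre-auth data)",
    0x25: "KRB_AP_ERR_SKEW (clock skew too great)",
}

# Pre-authentication types per RFC 4120 section 7.5.2.
PA_TYPES = {2: "PA-ENC-TIMESTAMP", 11: "PA-ETYPE-INFO", 19: "PA-ETYPE-INFO2"}

# "Key: value" lines as the Event Viewer renders them (leading whitespace tolerated).
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z \-]*?):[ \t]*(.*?)[ \t]*$", re.MULTILINE)

# Constructed sample events. The first is the one from the post; the second is a
# routine bad password from a workstation; the third is a clock-skew failure.
SAMPLE_EVENTS = [
    r"""Pre-authentication failed:
         User Name: LFN-SVR-1$
         User ID: LFN\LFN-SVR-1$
         Service Name: krbtgt/LFN.NET
         Pre-Authentication Type: 0x2
         Failure Code: 0x18
         Client Address: 127.0.0.1""",
    r"""Pre-authentication failed:
         User Name: jdoe
         User ID: LFN\jdoe
         Service Name: krbtgt/LFN.NET
         Pre-Authentication Type: 0x2
         Failure Code: 0x18
         Client Address: 10.0.0.5""",
    r"""Pre-authentication failed:
         User Name: WS-42$
         User ID: LFN\WS-42$
         Service Name: krbtgt/LFN.NET
         Pre-Authentication Type: 0x2
         Failure Code: 0x25
         Client Address: 10.0.0.42""",
]


def _to_int(value):
    """Accept '0x18' (Event Viewer rendering) or plain decimal."""
    value = value.strip()
    return int(value, 16) if value.lower().startswith("0x") else int(value, 10)


def parse_event_675(text):
    """Return the fields of one event 675 body as a dict with decoded integers."""
    fields = {k.strip().lower(): v for k, v in FIELD_RE.findall(text)}
    return {
        "user_name": fields.get("user name", ""),
        "user_id": fields.get("user id", ""),
        "service_name": fields.get("service name", ""),
        "pa_type": _to_int(fields["pre-authentication type"]),
        "failure_code": _to_int(fields["failure code"]),
        "client_address": fields.get("client address", ""),
    }


def describe(event):
    """Human-readable one-liner with the RFC 4120 names substituted in."""
    code, pa = event["failure_code"], event["pa_type"]
    return (f"{event['user_id']} -> {event['service_name']} from {event['client_address']}: "
            f"{KRB_ERRORS.get(code, f'unknown error 0x{code:x}')} "
            f"via {PA_TYPES.get(pa, f'pa-type {pa}')}")


def is_machine_self_auth_failure(event, hostname):
    """Heuristic for the post's symptom: the failing principal is this host's
    own machine account ($-suffixed) and the request came over loopback."""
    account = event["user_name"].rstrip("$").upper()
    return (event["user_name"].endswith("$")
            and account == hostname.upper()
            and event["client_address"] in ("127.0.0.1", "::1"))


def summarize(event_texts, hostname):
    """Count failures by decoded error and collect the self-auth failures."""
    events = [parse_event_675(t) for t in event_texts]
    by_code = Counter(KRB_ERRORS.get(e["failure_code"], hex(e["failure_code"]))
                      for e in events)
    self_failures = [e for e in events if is_machine_self_auth_failure(e, hostname)]
    return {"total": len(events), "by_failure": by_code, "self_failures": self_failures}


if __name__ == "__main__":
    report = summarize(SAMPLE_EVENTS, "LFN-SVR-1")
    for name, count in report["by_failure"].items():
        print(f"{count:3d}  {name}")
    for e in report["self_failures"]:
        print("DC cannot authenticate as itself:", describe(e))
```

A failure code of 0x18 with PA-ENC-TIMESTAMP means the KDC could not decrypt the timestamp with the key it holds for that principal; for an ordinary user that is a bad password, but for a domain controller's own machine account it points at a mismatch between the computer account's stored key and the secret the local machine is using, which is worth separating from the bulk of 675 events before chasing DNS or service dependencies.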
