Re: Kerberos Issue

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 04/07/05


Date: Wed, 6 Apr 2005 19:31:13 -0500

I think I replied to you yesterday. Did you try netdiag and dcdiag? They can
provide helpful information. I would run netdiag first. It may not be that
Kerberos is causing the problem but instead is a symptom of the problem as a
result of other problems. In particular I would make sure that DNS is
configured correctly, and netdiag will show if there are DNS problems or not
along with problems with secure channel/computer account. Netdiag with the
/debug switch will give a lot of information. Domain controllers normally
point to the PDC FSMO for the domain and then themselves as their preferred
DNS server. The link below is on Kerberos troubleshooting. --- Steve

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx

"Ralish" <Ralish@discussions.microsoft.com> wrote in message
news:07E1B94A-C934-41E7-804C-7D16900A01A8@microsoft.com...
> I have been tearing my hair out over an issue with this Windows Server 2003
> machine for days now. Thankfully, I have made some progress in diagnosing
> the problem, but I am unsure how to proceed.
>
> In short, the Active Directory service starts up, but is unable to load the
> global catalog - citing access denied.
>
> Furthermore, as a result, all services that depend on Active Directory, such
> as DNS, DHCP, Certificate Services, etc... are unable to establish
> communication and fail as well.
>
> I have tracked the issue down to an authentication issue with Kerberos.
>
> The system appears to be unable to authenticate as itself, with the Security
> Log flooded with Events from 'Security' with Event ID '675':
>
> Pre-authentication failed:
> User Name: LFN-SVR-1$
> User ID: LFN\LFN-SVR-1$
> Service Name: krbtgt/LFN.NET
> Pre-Authentication Type: 0x2
> Failure Code: 0x18
> Client Address: 127.0.0.1
>
> LFN-SVR-1 is the name of the machine and LFN is the short domain name.
>
> I have also downloaded the MS Resource Tools Kit - and used klist.exe.
>
> klist tickets - Informs me that there are 0 cached tickets...
> klist tgt - 'Error calling function LsaCallAuthenticationPackage: 0
> The operation completed successfully.
> Substatus: 0x8009030e
>
> Any and all help would be greatly appreciated in solving this problem.
>
> Yours hopefully,
>
> Ralish
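
Added example, not part of either post above: a small Python parser for the Event ID 675 text quoted in the question, which decodes the failure code and pre-authentication type using the RFC 4120 numbering and flags the pattern described (a computer account failing pre-authentication from the loopback address). The function names, the lookup tables (a partial list) and the wording of the findings are assumptions made for this illustration; the sample event is constructed from the quoted text.

```python
# Constructed sample: the Event ID 675 description quoted in the post.
SAMPLE_EVENT = """\
Pre-authentication failed:
User Name: LFN-SVR-1$
User ID: LFN\\LFN-SVR-1$
Service Name: krbtgt/LFN.NET
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 127.0.0.1
"""

# Kerberos error codes from RFC 4120 (partial list, hex as shown in the log).
KRB_ERRORS = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    0x12: "KDC_ERR_CLIENT_REVOKED",
    0x17: "KDC_ERR_KEY_EXPIRED",
    0x18: "KDC_ERR_PREAUTH_FAILED",
    0x25: "KRB_AP_ERR_SKEW",
}
# Pre-authentication data types from RFC 4120 (partial list).
PA_TYPES = {0x2: "PA-ENC-TIMESTAMP"}

def parse_event(text):
    """Parse 'Field: value' lines of an event description into a dict."""
    fields = {}
    for line in text.splitlines():
        line = line.lstrip("> ").strip()      # tolerate quoted-reply prefixes
        key, sep, value = line.partition(":")  # split at the first colon only
        if sep and value.strip():              # skips the title line
            fields[key.strip()] = value.strip()
    return fields

def triage(fields):
    """Return (error name, pre-auth type name, findings) for one 675 event."""
    code = int(fields["Failure Code"], 16)
    pa = int(fields["Pre-Authentication Type"], 16)
    findings = []
    if code == 0x18:
        findings.append("pre-auth data rejected: client key likely differs from the KDC's copy")
        if fields["User Name"].endswith("$"):
            findings.append("computer account: check its password and secure channel")
        if fields["Client Address"] in ("127.0.0.1", "::1"):
            findings.append("request originated on the KDC host itself")
    return KRB_ERRORS.get(code, hex(code)), PA_TYPES.get(pa, hex(pa)), findings

if __name__ == "__main__":
    name, pa_name, notes = triage(parse_event(SAMPLE_EVENT))
    print(name, pa_name, *notes, sep="\n")
```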


