Re: Kerberos machine authentication - apparent authentication failures

From: Steven L Umbach (
Date: 05/30/05

Date: Mon, 30 May 2005 13:49:50 -0500

When you joined your computer to the domain your wireless network card was
initialized and working properly. However when you reboot your computer the
network card does not initialize fast enough in order to have the computer
authenticate to the domain. The computer does not necessarily need to
authenticate to the domain resources in order for a user to access domain
resources particularly if cached logons are enabled. With cached logons you
are logged with cached domain credentials to the local computer. When you
try to access domain shares while logged on with cached credentials you are
denied access until you can authenticate to a domain controller as a user.
By the time you attempt such your network card is probably initialized and
thus you can access the domain controller, be authenticated, and then access
a domain share. Another downside of not having the computer account
authenticated to the domain is that the computer configuration Group Policy
will not be applied/refreshed at startup.

You should have logging of account logon events enabled in Domain Controller
Security Policy which it is by default in Windows 2003 and also enable
auditing of logon events on your domain computers which may also provide
helpful information including if cached logons are being used. The set
command when run on a domain computer will also show the authenticating
computer/domain controller.

While kerberos is the default authentication protocol of choice, fallback
can be done to lm/ntlm/ntlmv2 in a Windows 2000/2003 domain. Kerberos
failure is not usually as problematic as is problems with the computer
account as shown by errors/failed test with trust/secure channel as shown
with netdiag. Kerberos authentication for the "computer" is however required
for domain negotiation ipsec policy using ESP/AH if using default
authentication for the ipsec policy. Also keep in mind that the netdiag
/debug switch may also give more detailed info on why a test failed.

I bet that if you hard wire one of your domain computers to the network that
you will not see the problem with kerberos anymore. Also since you are
interested in troubleshooting you will find packet sniffing very helpful for
a problem such as yours or many other problems. In your case monitoring
packet activity on the domain controller while a domain computer is booting
up will tell a lot, particularly if you have a capture of a successful
domain computer account logon to compare to. Windows 2003 Server has the
built in netmon though I personally much prefer Ethereal which is free. Also
dns configuration for the domain MUST be correct or all sorts of problems
will ensue. The first link below is a good quick read on dns for an Active
Directory domain and the second is on troubleshooting kerberos errors which
can be displayed in the security logs of domain controllers. --- Steve

"JCB_MCSE_wannabe" <> wrote in
> NOTE: This post was incorrectly posted under "Access Security"
> previously.
> I misinterpreted the topic as resource access, not MS Access database
> product...oh well!....
> I am new to networking. I recently built a small AD-integrated DNS domain
> network for labbing purposes using my TechNet Plus Server 2003 Ent. OS.
> The
> single server is also running DNS and DHCP. All of my clients (yeah, all
> of them - I did say SMALL!) are running XPsp2. Hosts connect to the
> network
> using wireless cards through a linksys NAT-enabled router/switch. The
> server
> is hard wired to one of the switch ports on the linksys. I am using
> 128-bit
> WEP encryption
> and further control access using a MAC table of allowed hosts on the
> wireless. Three machines are workstations and three are laptop/portables.
> I successfully joined the client machines to the domain. They receive
> DHCP-assigned IP addresses. However, when I run the Netdiag commmand, I
> receive PASSING results for all tested parameters, EXCEPT the Kerberos
> test
> which gives a: " [FATAL] Kerberos does not have a ticket for
> host/mymachinename.mydomainname" result.
> The strange thing is that immediately after I joined the machines to the
> domain and ran Netdiag, a PASSING Kerberos result is obtained. HOWEVER,
> once
> the machines are restarted, the Kerberos test yields a consistent FAILED
> status. With Server2003/XP, I thought Kerberos v.5 was the default
> authentication protocol. If my machine is not being authenticated, how
> come
> I can still access domain resources? Should my audit logs show a "logon"
> event instead of an "account logon" event if my machine is not
> authenticated?
> Does anyone have an explanation? I would prefer guidance on how to
> efficiently troubleshoot this problem and not just a "here, do this"
> solution. The REAL problem is I don't yet have the troubleshooting skills
> to effectively address the apparent Kerberos authentication failures.
> Any help would be appreciated.