Re: Kerberos Error Getting Ticket From Domain: krb5kdc_err_s_principal_unknown



But then how do you explain that the same member server asks for a ticket
using the domain controller's name (krbtgt/my-dc1) and succeeds? Requests
using the domain fail. Requests by the same member server for the domain
controller succeed. And I'm probably wording this incorrectly. I guess
what the member server is asking for is a ticket that grants it a right to
converse and ask services from the domain controller?

In any case, if the machine is not recognized as a member of the domain,
then how is it that domain logins are working, and how is it that the member
server is able to use file shares on the domain controller?

--
Will


"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:emwhPA3lGHA.3732@xxxxxxxxxxxxxxxxxxxxxxx
From what you have said it sounds like you are misinterpreting what is
happening. It is not that the DC is not recognizing the domain, but that
it is not recognizing the machine as a member of the domain, and hence
it is not granting a TGT to it. This might be because the join has problems
or perhaps the times are too far out of sync.

"Will" <westes-usc@xxxxxxxxxxxxxx> wrote in message
news:w4WdnfD8c87mBAbZnZ2dnUVZ_sWdnZ2d@xxxxxxxxxxxxxxx
Member server A is contacting domain controller my-dc1 in domain
hq.corp.com. What I am seeing in the sniffer trace is that the member
server asks the my-dc1 domain controller in its role as a Kerberos ticket
granter for a ticket to the domain (i.e., krbtgt/hq.corp.com). The domain
controller is returning krb5kdc_err_s_principal_unknown. That can't be
good? What is the expected result when a member server asks for a ticket
for the entire domain?

The following line in the trace shows the member server asking for the
Kerberos ticket for the domain controller krbtgt/my-dc1 and this it does
obtain.

What would cause the domain controller to not recognize its own domain in
the Kerberos ticket request?

--
Will
