Re: Kerberos Error Getting Ticket From Domain: krb5kdc_err_s_principal_unknown



I used all of the checks in DNSLINT on both domain controllers, and those
did not turn up any errors. Those did not name an "SPN" however.

I ran NetDiag /v and that turned up nothing.

Dcdiag /v didn't turn up errors either.

I looked at Setspn, but that seems fairly trivial and didn't really do much
diagnostics. When I ran the argument to verify the SPN it gave strange
messages that it didn't recognize the domain, so maybe there is a problem
there. The error messages were poor so I can't really tell if I got the
syntax wrong, or if there is a DNS record problem.

Can you describe what an SPN record for the domain should look like, and how
do I locate it in the DNS tree, or in ADSIEDIT, or whatever else I would
look in to check it manually?

--
Will


"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:ureE1wenGHA.1444@xxxxxxxxxxxxxxxxxxxxxxx
netlogon or dnslint are the tools for checking whether DCs' DNS
records are correct - there is much more to it than just seeing if
the DCs' names can be resolved to IPs.
setspn can be used to see the existing SPNs, and dcdiag is the base
tool for checking the health of DC availability.

"Will" <westes-usc@xxxxxxxxxxxxxx> wrote in message
news:KKGdnRk7DJmRXznZnZ2dnUVZ_s2dnZ2d@xxxxxxxxxxxxxxx
"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:uOfm96emGHA.3880@xxxxxxxxxxxxxxxxxxxxxxx
In any case, if the machine is not recognized as a member of the
domain, then how is it that domain logins are working, and how is it
that the member server is able to use file shares on the domain
controller?

I was previously responding with best guess given the provided info.
Is the domain name DNS resolvable (should point to the DCs), and
is there an SPN registered for the domain-name? If those are
not satisfied then an attempt to use that service name to get a TGT
would not be able to work.

How do I check for an SPN for the domain name?

NSLOOKUP on the domain name does produce the IPs of the domain
controllers.

--
Will
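
On the question of where to look for an SPN manually, as an added example that is not part of the original thread: SPNs are stored in the `servicePrincipalName` attribute of user and computer account objects in Active Directory (the same attribute ADSIEdit shows), not as DNS records. The script below searches the current domain for accounts holding a given SPN; the SPN value and the function name `ConvertTo-LdapFilterValue` are constructed for illustration.

```powershell
# Added example: find which account(s) in the current domain hold a given SPN.
# The default SPN is a constructed placeholder, not a value from the thread.
param(
    [string]$Spn = 'HOST/server01.example.com'
)

function ConvertTo-LdapFilterValue {
    param([string]$Value)
    # Escape the characters that are reserved inside an LDAP filter value
    # (RFC 4515). The backslash must be handled first.
    $Value -replace '\\', '\5c' `
           -replace '\*', '\2a' `
           -replace '\(', '\28' `
           -replace '\)', '\29' `
           -replace "`0", '\00'
}

# Search the default naming context of the domain this machine is joined to.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter   = '(servicePrincipalName={0})' -f (ConvertTo-LdapFilterValue $Spn)
$searcher.PageSize = 500
$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'sAMAccountName'))

$hits = @($searcher.FindAll())

switch ($hits.Count) {
    0 {
        # No account carries this SPN in the searched domain: this is the
        # condition a KDC reports as KDC_ERR_S_PRINCIPAL_UNKNOWN.
        Write-Output "No account in this domain holds SPN '$Spn'."
    }
    1 {
        Write-Output "SPN '$Spn' is registered exactly once:"
    }
    default {
        # An SPN must map to a single account; duplicates break ticket issuance.
        Write-Output "SPN '$Spn' is registered on $($hits.Count) accounts (duplicate):"
    }
}

foreach ($r in $hits) {
    # Property names in the result collection are lower-cased.
    '{0}  ({1})' -f $r.Properties['samaccountname'][0],
                    $r.Properties['distinguishedname'][0]
}
```

The search covers only the domain the machine is joined to; an SPN registered in another domain of the forest will not appear.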

