RE: [FATAL] Kerberos does not have a ticket for <any of my servers>

From: David Pharr [MSFT] (dpharr_at_microsoft.com)
Date: 04/19/04


Date: Mon, 19 Apr 2004 21:21:57 GMT

Sounds like you may have lost your secure channel connection to the DC.
Was this working fine with users logging on successfully and then the
problem began? If so, what changes were made to the domain just prior to
this problem occurring? Did someone change permissions on the DCs, modify
group policy, stop W32Time, anything like that? Can users log on to their
local machine but not the domain? Can you log on as an admin?

How many domain controllers are in this domain? Any errors in dcdiag or
netdiag on the DC? We need a bit more information about your domain
configuration and what happened on your network to be able to give you good
direction.

To reset secure channel connections, try the following article:
216393 Resetting Computer Accounts in Windows 2000 and Windows XP
http://support.microsoft.com/?id=216393

David Pharr, dpharr@online.microsoft.com

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: "Scott Townsend" <scott-i@.-N0-SPAMplease.enm.com>
| Subject: [FATAL] Kerberos does not have a ticket for <any of my servers>
| Date: Fri, 16 Apr 2004 13:32:45 -0700
| Lines: 136
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2800.1409
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
| Message-ID: <#DdW6H$IEHA.624@TK2MSFTNGP09.phx.gbl>
| Newsgroups: microsoft.public.win2000.active_directory
| NNTP-Posting-Host: 204-145-245-200.enm.com 204.145.245.200
| Path: cpmsftngxa10.phx.gbl!TK2MSFTNGXA05.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP09.phx.gbl
| Xref: cpmsftngxa10.phx.gbl microsoft.public.win2000.active_directory:76815
| X-Tomcat-NG: microsoft.public.win2000.active_directory
|
| Help!!!
|
| I'm having Kerberos Issues!!!
|
| Many of my users are getting denied access to servers.
|
| In their System Log they have Errors similar to the following:
| Event Type: Error
| Event Source: Kerberos
| Event Category: None
| Event ID: 4
| Date: 04/16/2004
| Time: 12:28:51 AM
| User: N/A
| Computer: COMPUTER-XP
| Description:
| The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
| host/server.domain.com. This indicates that the password used to encrypt
| the kerberos service ticket is different than that on the target server.
| Commonly, this is due to identically named machine accounts in the target
| realm (<domain>.COM), and the client realm. Please contact your system
| administrator.
|
| For more information, see Help and Support Center at
| http://go.microsoft.com/fwlink/events.asp.
|
|
| On the servers I see the Corresponding Errors in the Security Log:
|
| Event Type: Failure Audit
| Event Source: Security
| Event Category: Logon/Logoff
| Event ID: 529
| Date: 04/16/2004
| Time: 10:03:28 AM
| User: NT AUTHORITY\SYSTEM
| Computer: SERVER
| Description:
| Logon Failure:
| Reason: Unknown user name or bad password
| User Name:
| Domain:
| Logon Type: 3
| Logon Process: Kerberos
| Authentication Package: Kerberos
| Workstation Name: -
| Caller User Name: -
| Caller Domain: -
| Caller Logon ID: -
| Caller Process ID: -
| Transited Services: -
| Source Network Address: 10.1.0.17
| Source Port: 0
|
|
| For more information, see Help and Support Center at
| http://go.microsoft.com/fwlink/events.asp.
|
| When I run netdiag I get the following on the server machines:
|
| NetBT name test. . . . . . . . . . : Passed
| [WARNING] You don't have a single interface with the <00> 'WorkStation
| Service', <03> 'Messenger Service', <20> 'WINS' names defined.
|
| Kerberos test. . . . . . . . . . . : Failed
| [FATAL] Kerberos does not have a ticket for :
| And depending on the server the name is in the following formats:
| <host/server-name.domain.COM.>
| <server-name$>
|
|
| I've been working with one server trying to get its kerberos ticket back in
| line and I've done the following to it with no Success:
| Renamed it (twice) and added it back to the domain
| ran the netdom remove and netdom join
| Went to ADUC and did a Reset Account
|
| I've turned on Kerberos Logging in the registry:
|
| I now get the following when I boot the server:
| Event Type: Error
| Event Source: Kerberos
| Event Category: None
| Event ID: 594
| Date: 4/16/2004
| Time: 1:01:06 PM
| User: N/A
| Computer: SERVER
| Description:
| A Kerberos Error Message was received:
| on logon session InitializeSecurityContext
| Client Time:
| Server Time:
| Error Code: 20:1:6.0000 4/16/2004 (null) 0x34
| Extended Error: KRB_ERR_RESPONSE_TOO_BIG
| Client Realm:
| Client Name:
| Server Realm: <domain>.COM
| Server Name: LDAP/DC-server.<domain>.COM
| Target Name: LDAP/DC-Server.<domain>.COM@<domain>.COM
| Error Text:
| File:
| Line:
| Error Data is in record data.
|
|
| Event Type: Error
| Event Source: Kerberos
| Event Category: None
| Event ID: 594
| Date: 4/16/2004
| Time: 1:01:38 PM
| User: N/A
| Computer: SERVER-SUPPORT
| Description:
| A Kerberos Error Message was received:
| on logon session InitializeSecurityContext
| Client Time:
| Server Time:
| Error Code: 20:1:38.0000 4/16/2004 (null) 0x34
| Extended Error: KRB_ERR_RESPONSE_TOO_BIG
| Client Realm:
| Client Name:
| Server Realm: HAYDON-MILL.COM
| Server Name: LDAP/DC-server.<domain>.COM
| Target Name: LDAP/DC-Server.<domain>.COM@<domain>.COM
| Error Text:
| File:
| Line:
| Error Data is in record data.
|
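An added example (not code from either poster or from Microsoft) that models the two root causes David's reply and the Event ID 4 text point at: a service ticket sealed under the key of a second, identically named account that registers the same SPN, and a server whose local machine password no longer matches the account in AD. An HMAC stands in for ticket encryption so it runs offline; the account names, keys, SPN table, client principal and event text are constructed from the quoted event, not real data, and "first registered owner wins" is an assumption standing in for the KDC's arbitrary pick among duplicate SPN owners.

```python
"""Why a client logs KRB_AP_ERR_MODIFIED, and the check that finds the cause.

The KDC seals a service ticket under the long-term key of the account that
owns the requested SPN; the target server can only open tickets sealed under
the key it currently holds.  That link breaks when (1) a second account also
registers the SPN, so the KDC may use the wrong account's key, or (2) the
account's key in AD changed but the server still holds its old machine
password (broken secure channel).  Everything below is constructed data.
"""
import hashlib
import hmac
import re


def key_from_password(password: bytes) -> bytes:
    # Stand-in for Kerberos string-to-key; NOT the real derivation.
    return hashlib.sha256(password).digest()


# Constructed: the key AD (and so the KDC) currently holds for each account.
KDC_KEYS = {
    "SERVER-OLD$": key_from_password(b"server-old pw"),  # stale earlier join
    "SERVER$": key_from_password(b"server pw v2"),       # the live server
    "DC1$": key_from_password(b"dc1 pw"),
}

# Constructed SPN registrations, keyed by normalized SPN.  A healthy SPN has
# exactly one owner; host/server.domain.com deliberately has two.
SPN_TABLE = {
    "host/server.domain.com": ["SERVER-OLD$", "SERVER$"],
    "ldap/dc1.domain.com": ["DC1$"],
}

# Constructed from the Event ID 4 description quoted in the thread.
EVENT_TEXT = (
    "The kerberos client received a KRB_AP_ERR_MODIFIED error from the server "
    "host/server.domain.com. This indicates that the password used to encrypt "
    "the kerberos service ticket is different than that on the target server. "
    "Commonly, this is due to identically named machine accounts in the target "
    "realm (DOMAIN.COM), and the client realm."
)
EVENT_RE = re.compile(
    r"KRB_AP_ERR_MODIFIED error from the server\s+(?P<spn>\S+)"
    r".*?target\s+realm\s+\((?P<realm>[^)]+)\)", re.S)


def normalize_spn(spn: str) -> str:
    # Event text and netdiag may append a trailing dot; SPN matching is
    # case-insensitive, so fold to lower case for lookup.
    return spn.rstrip(".").lower()


def parse_event4(description: str):
    """Return (spn, realm) from a System-log Kerberos Event ID 4 body."""
    m = EVENT_RE.search(description)
    if m is None:
        raise ValueError("not a KRB_AP_ERR_MODIFIED event")
    return normalize_spn(m.group("spn")), m.group("realm")


def spn_owners(spn: str, spn_table=SPN_TABLE):
    """Every account registering the SPN; more than one is the bug."""
    return list(spn_table.get(normalize_spn(spn), []))


def kdc_issue_ticket(spn: str, kdc_keys=KDC_KEYS, spn_table=SPN_TABLE,
                     client="user@DOMAIN.COM") -> bytes:
    """KDC side of TGS-REQ: seal the ticket under the SPN owner's key.
    With duplicate owners the real KDC's choice is arbitrary; here the
    first registered account wins (assumption for the model)."""
    owners = spn_owners(spn, spn_table)
    if not owners:
        raise LookupError("KDC_ERR_S_PRINCIPAL_UNKNOWN")
    owner = owners[0]
    body = f"{client}|{normalize_spn(spn)}|{owner}".encode()
    tag = hmac.new(kdc_keys[owner], body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag  # hex tag, so '|' is a safe separator


def service_accept(ticket: bytes, service_key: bytes) -> str:
    """Service side of AP-REQ: check the ticket with the key the server holds."""
    body, tag = ticket.rsplit(b"|", 1)
    expected = hmac.new(service_key, body, hashlib.sha256).hexdigest().encode()
    return "OK" if hmac.compare_digest(tag, expected) else "KRB_AP_ERR_MODIFIED"


def diagnose(spn: str, service_key: bytes, kdc_keys=KDC_KEYS,
             spn_table=SPN_TABLE) -> str:
    """Reproduce the client's failure, then name the likely cause."""
    ticket = kdc_issue_ticket(spn, kdc_keys, spn_table)
    if service_accept(ticket, service_key) == "OK":
        return "OK"
    owners = spn_owners(spn, spn_table)
    if len(owners) > 1:
        return "duplicate SPN: " + ", ".join(owners)
    return "stale machine key: reset the computer account / secure channel"


if __name__ == "__main__":
    spn, realm = parse_event4(EVENT_TEXT)
    print(spn, realm)
    # Live server holds SERVER$'s key; KDC sealed for SERVER-OLD$ (duplicate SPN).
    print(diagnose(spn, KDC_KEYS["SERVER$"]))
    # A DC whose local machine password no longer matches AD (case 2).
    print(diagnose("LDAP/dc1.domain.com.", key_from_password(b"dc1 OLD pw")))
    print(diagnose("LDAP/dc1.domain.com", KDC_KEYS["DC1$"]))
```

The two branches of `diagnose` are the two checks worth running before renaming or rejoining a machine: list every account that registers the SPN from the event (on later Windows, `setspn -Q <spn>`, or `setspn -X` for all duplicates in the forest), and only if there is exactly one owner treat it as a machine-password mismatch and reset the computer account as the KB article describes. Rejoining a server while a stale, identically named account still holds the SPN leaves the KDC free to keep picking the wrong key.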