Re: [FATAL] Kerberos does not have a ticket for <any of my servers>
From: Scott Townsend (scott-i_at_.-N0-SPAMplease.enm.com)
Date: 04/20/04
- Next message: Scott Townsend: "Re: Kerberos tickets are taking me down.. Help Many servers Fail Kerberos netdiag test..."
- Previous message: Jerold Schulman: "Re: Re: List users in group"
- In reply to: David Pharr [MSFT]: "Re: [FATAL] Kerberos does not have a ticket for <any of my servers>"
- Next in thread: Scott Townsend: "Re: [FATAL] Kerberos does not have a ticket for <any of my servers>"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 20 Apr 2004 12:09:39 -0700
Thanks again for your help.
I've already changed everyone over to TCP. I've added the GP Admin template
and then set the value to 1. So with a reboot, they should be using TCP.
Most of the local servers I've been able to get the Kerberos to pass by
dropping them from the domain and re-adding them.
I'm rebooting the Exchange 2003 server now to get it updated as well as the
DC, so they will be using TCP for Kerberos.
The SET L returned the DC I'm rebooting. I've already rebooted the other
DCs.
I'll keep you informed.
Thanks,
"David Pharr [MSFT]" <dpharr@microsoft.com> wrote in message
news:B9Dxs2vJEHA.3564@cpmsftngxa10.phx.gbl...
> That KRB_ERR_RESPONSE_TOO_BIG message seems to indicate that the UDP packet
> was too large for Kerberos to read. Try forcing Kerberos to use TCP per
> the following kb article:
>
> 244474 How to Force Kerberos to Use TCP Instead of UDP
> http://support.microsoft.com/?id=244474
>
> Run SET L on the clients to find out which machine is their authenticating
> domain controller. Then set the registry entry on the authenticating DC
> and a couple of clients experiencing the problem to see if that corrects
> the issue. If it does, you will need to set it on all the machines in the
> environment.
>
> Let me know whether or not that works.
>
> David Pharr, dpharr@online.microsoft.com
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
> --------------------
> | From: "Scott Townsend" <scott-i@.-N0-SPAMplease.enm.com>
> | References: <#DdW6H$IEHA.624@TK2MSFTNGP09.phx.gbl>
> <ZkDThRlJEHA.3088@cpmsftngxa10.phx.gbl>
> | Subject: Re: [FATAL] Kerberos does not have a ticket for <any of my servers>
> | Date: Tue, 20 Apr 2004 08:49:02 -0700
> | Lines: 240
> | X-Priority: 3
> | X-MSMail-Priority: Normal
> | X-Newsreader: Microsoft Outlook Express 6.00.2800.1409
> | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
> | Message-ID: <eLMIC8uJEHA.2776@TK2MSFTNGP12.phx.gbl>
> | Newsgroups: microsoft.public.win2000.active_directory
> | NNTP-Posting-Host: 204-145-245-200.enm.com 204.145.245.200
> | Path: cpmsftngxa10.phx.gbl!TK2MSFTNGXA05.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP12.phx.gbl
> | Xref: cpmsftngxa10.phx.gbl microsoft.public.win2000.active_directory:77138
> | X-Tomcat-NG: microsoft.public.win2000.active_directory
> |
> | Thank you for your reply...
> |
> | There have been no changes to the DCs (3 in all) at the time this started
> | happening. The first instance that caused us to notice the issue was that
> | some users could not print. It turned out that their communications with the
> | print server (just a member server) was not working. Looking at the Event
> | Viewer is where we saw the KERBEROS event 4s.
> |
> | Users can log into the domain just fine, and it's not all users that have the
> | issue. To help correct the problem we have been removing all DNS and WINS
> | entries for the user, their machine and any associated IP address, then had
> | them run the latest updates.
> |
> | Then after further checking I ran netdiag.exe and came across the
> | KERBEROS test failing...
> |
> | DCDIAG on the DCs comes back clean.
> | NETDIAG on the DCs came back clean too.
> |
> | My Exchange server (Member Server) is failing the Kerberos Test too...
> | I've run the 'netdom reset' on it and it's in the same shape.
> | NETDOM Verify comes back okay...
> |
> | So what else do you need to know about the domain and network?
> |
> | There are 3 DCs, 2 of which are GCs. We have an Exchange 2000 and 2003
> | server.
> | We have 4 offices, each with a local member server used for printing &
> | DHCP.
> | There are anywhere from 30-4 workstations per office.
> |
> | The three remote office member servers failed the Kerberos tests with
> | Netdiag.
> | A few local servers failed the test (Exchange 2K, 2K+3, SMS, File)
> | A few local servers passed the tests (Web & SQL, Terminal Server:)
> |
> | The way I got a few servers to pass the test was to remove them from the
> | domain (added them to a workgroup) then deleted all the info in AD about
> | them, then added them back to the domain.
> |
> | Removing them from the domain and then adding them back does not seem to do
> | it. Seems like you really need to delete the account from ADUG for it to
> | take.
> |
> | I'm scared to do that with the Exchange servers... The remote servers in
> | case I can't get a hold of them from remote...
> |
> | Any Assistance would be appreciated..
> |
> | Thanks...
> |
> |
> | "David Pharr [MSFT]" <dpharr@microsoft.com> wrote in message
> | news:ZkDThRlJEHA.3088@cpmsftngxa10.phx.gbl...
> | > Sounds like you may have lost your secure channel connection to the DC.
> | > Was this working fine with users logging on successfully and then the
> | > problem began? If so, what changes were made to the domain just prior to
> | > this problem occurring? Did someone change permissions on the DCs, modify
> | > group policy, stop W32Time, anything like that? Can users logon to their
> | > local machine but not the domain? Can you logon as an admin?
> | >
> | > How many domain controllers are in this domain? Any errors in dcdiag or
> | > netdiag on the DC? We need a bit more information about your domain
> | > configuration and what happened on your network to be able to give you good
> | > direction.
> | >
> | > To reset secure channel connections, try the following article:
> | > 216393 Resetting Computer Accounts in Windows 2000 and Windows XP
> | > http://support.microsoft.com/?id=216393
> | >
> | > David Pharr, dpharr@online.microsoft.com
> | >
> | > This posting is provided "AS IS" with no warranties, and confers no rights.
> | > --------------------
> | > | From: "Scott Townsend" <scott-i@.-N0-SPAMplease.enm.com>
> | > | Subject: [FATAL] Kerberos does not have a ticket for <any of my servers>
> | > | Date: Fri, 16 Apr 2004 13:32:45 -0700
> | > | Lines: 136
> | > | X-Priority: 3
> | > | X-MSMail-Priority: Normal
> | > | X-Newsreader: Microsoft Outlook Express 6.00.2800.1409
> | > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
> | > | Message-ID: <#DdW6H$IEHA.624@TK2MSFTNGP09.phx.gbl>
> | > | Newsgroups: microsoft.public.win2000.active_directory
> | > | NNTP-Posting-Host: 204-145-245-200.enm.com 204.145.245.200
> | > | Path: cpmsftngxa10.phx.gbl!TK2MSFTNGXA05.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP09.phx.gbl
> | > | Xref: cpmsftngxa10.phx.gbl microsoft.public.win2000.active_directory:76815
> | > | X-Tomcat-NG: microsoft.public.win2000.active_directory
> | > |
> | > | Help!!!
> | > |
> | > | I'm having Kerberos Issues!!!
> | > |
> | > | Many of my users are getting denied access to servers.
> | > |
> | > | In their System Log they have Errors similar to the following:
> | > | Event Type: Error
> | > | Event Source: Kerberos
> | > | Event Category: None
> | > | Event ID: 4
> | > | Date: 04/16/2004
> | > | Time: 12:28:51 AM
> | > | User: N/A
> | > | Computer: COMPUTER-XP
> | > | Description:
> | > | The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
> | > | host/server.domain.com. This indicates that the password used to encrypt
> | > | the kerberos service ticket is different than that on the target server.
> | > | Commonly, this is due to identically named machine accounts in the target
> | > | realm (<domain>.COM), and the client realm. Please contact your system
> | > | administrator.
> | > |
> | > | For more information, see Help and Support Center at
> | > | http://go.microsoft.com/fwlink/events.asp.
> | > |
> | > |
> | > | On the servers I see the Corresponding Errors in the Security Log:
> | > |
> | > | Event Type: Failure Audit
> | > | Event Source: Security
> | > | Event Category: Logon/Logoff
> | > | Event ID: 529
> | > | Date: 04/16/2004
> | > | Time: 10:03:28 AM
> | > | User: NT AUTHORITY\SYSTEM
> | > | Computer: SERVER
> | > | Description:
> | > | Logon Failure:
> | > | Reason: Unknown user name or bad password
> | > | User Name:
> | > | Domain:
> | > | Logon Type: 3
> | > | Logon Process: Kerberos
> | > | Authentication Package: Kerberos
> | > | Workstation Name: -
> | > | Caller User Name: -
> | > | Caller Domain: -
> | > | Caller Logon ID: -
> | > | Caller Process ID: -
> | > | Transited Services: -
> | > | Source Network Address: 10.1.0.17
> | > | Source Port: 0
> | > |
> | > |
> | > | For more information, see Help and Support Center at
> | > | http://go.microsoft.com/fwlink/events.asp.
> | > |
> | > | When I run netdiag I get the following on the server machines:
> | > |
> | > | NetBT name test. . . . . . . . . . : Passed
> | > | [WARNING] You don't have a single interface with the <00> 'WorkStation
> | > | Service', <03> 'Messenger Service', <20> 'WINS' names defined.
> | > |
> | > | Kerberos test. . . . . . . . . . . : Failed
> | > | [FATAL] Kerberos does not have a ticket for :
> | > | And depending on the server the name is in the following
> | > | formats:
> | > | <host/server-name.domain.COM.>
> | > | <server-name$>
> | > |
> | > |
> | > | I've been working with one server trying to get its kerberos ticket back in
> | > | line and I've done the following to it with no success:
> | > | Renamed it (twice) and added it back to the domain
> | > | Ran netdom remove and netdom join
> | > | Went to ADUG and did a Reset Account
> | > |
> | > | I've turned on Kerberos Logging in the registry:
> | > |
> | > | I now get the following when I boot the server:
> | > | Event Type: Error
> | > | Event Source: Kerberos
> | > | Event Category: None
> | > | Event ID: 594
> | > | Date: 4/16/2004
> | > | Time: 1:01:06 PM
> | > | User: N/A
> | > | Computer: SERVER
> | > | Description:
> | > | A Kerberos Error Message was received:
> | > | on logon session InitializeSecurityContext
> | > | Client Time:
> | > | Server Time:
> | > | Error Code: 20:1:6.0000 4/16/2004 (null) 0x34
> | > | Extended Error: KRB_ERR_RESPONSE_TOO_BIG
> | > | Client Realm:
> | > | Client Name:
> | > | Server Realm: <domain>.COM
> | > | Server Name: LDAP/DC-server.<domain>.COM
> | > | Target Name: LDAP/DC-Server.<domain>.COM@<domain>.COM
> | > | Error Text:
> | > | File:
> | > | Line:
> | > | Error Data is in record data.
> | > |
> | > |
> | > | Event Type: Error
> | > | Event Source: Kerberos
> | > | Event Category: None
> | > | Event ID: 594
> | > | Date: 4/16/2004
> | > | Time: 1:01:38 PM
> | > | User: N/A
> | > | Computer: SERVER-SUPPORT
> | > | Description:
> | > | A Kerberos Error Message was received:
> | > | on logon session InitializeSecurityContext
> | > | Client Time:
> | > | Server Time:
> | > | Error Code: 20:1:38.0000 4/16/2004 (null) 0x34
> | > | Extended Error: KRB_ERR_RESPONSE_TOO_BIG
> | > | Client Realm:
> | > | Client Name:
> | > | Server Realm: HAYDON-MILL.COM
> | > | Server Name: LDAP/DC-server.<domain>.COM
> | > | Target Name: LDAP/DC-Server.<domain>.COM@<domain>.COM
> | > | Error Text:
> | > | File:
> | > | Line:
> | > | Error Data is in record data.
> | > |
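Added example (mine, not code from anyone in the thread): a small Python triage that parses pasted Kerberos event records like the Event 4 and Event 594 entries above and maps KRB_AP_ERR_MODIFIED and KRB_ERR_RESPONSE_TOO_BIG to the remediation the two KB articles describe. The sample events, host names and realm are constructed; MaxPacketSize is the registry value KB 244474 uses to force TCP.

```python
import re

# Constructed sample, modelled on the Event 4 and Event 594 records quoted in
# the thread; host names, realm and computer names are placeholders.
SAMPLE_EVENTS = """\
Event Source: Kerberos
Event ID: 4
Computer: COMPUTER-XP
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/fileserver.example.com. This indicates that the password used to encrypt
the kerberos service ticket is different than that on the target server.

Event Source: Kerberos
Event ID: 594
Computer: SERVER
Extended Error: KRB_ERR_RESPONSE_TOO_BIG
Target Name: LDAP/dc1.example.com@EXAMPLE.COM
"""

# Meaning and remediation of the two Kerberos errors that appear in the thread.
GUIDANCE = {
    "KRB_AP_ERR_MODIFIED": "ticket key does not match the target's account key: "
        "check for duplicate SPNs or a stale computer account (KB 216393)",
    "KRB_ERR_RESPONSE_TOO_BIG": "KDC reply exceeded the UDP datagram limit: "
        "force Kerberos over TCP (KB 244474, MaxPacketSize=1)",
}

def parse_events(text):
    """Split a pasted event-log dump into records keyed by their header fields."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        ev = dict(re.findall(r"^([A-Za-z ]+):[ \t]*(.+)$", block, re.M))
        m = re.search(r"\b(KRB_[A-Z_]+)\b", block)     # error name, any field
        ev["error"] = m.group(1) if m else None
        # Event 4 names the service in its description; Event 594 in Target Name.
        m = re.search(r"from the server\s+(\S+)", block)
        ev["target"] = m.group(1).rstrip(".") if m else ev.get("Target Name")
        events.append(ev)
    return events

def triage(text):
    """(event id, computer, target, error, guidance) for each Kerberos event."""
    return [(e.get("Event ID"), e.get("Computer"), e["target"], e["error"],
             GUIDANCE.get(e["error"], "no specific guidance"))
            for e in parse_events(text) if e.get("Event Source") == "Kerberos"]
```

Paste the records from a client's System log and a DC's Kerberos log into `SAMPLE_EVENTS` (or read them from a file) and the target column shows which service principal each failure names.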