Need Help Understanding Kerberos SPN Problem
- From: "Will" <DELETE_westes@xxxxxxxxxxxxxxxxxx>
- Date: Sat, 15 Jul 2006 12:03:39 -0700
I either don't understand how to use SETSPN, or I have some serious problem
with Kerberos in our domain. For a domain hq.corp.com and a domain
controller my-dc1, the following SETSPN commands executed at the console of
the domain controller are returning errors indicating the account doesn't
exist:
SETSPN -L hq.corp.com
SETSPN -L my-dc1
I've read the Microsoft documents on troubleshooting Kerberos, and I don't
understand SPNs any better after reading those than I did before. They
talk about SPNs in some very vague way and they don't give examples to tie
SPNs together concretely with objects you see in the actual AD management
applications.
I see the special reserved user account krbtgt, and I gather this is an SPN?
I'm getting krb5kdc_err_s_principal_unknown errors on some member servers
when they request a Kerberos host/hq.corp.com ticket.
I don't understand if member servers should be getting the host/<domain>
ticket.
I don't understand why they need it or how they use it.
I don't understand what the implications are if they don't get this ticket.
I don't understand how this relates to SPNs.
I don't understand how to investigate the cause of this.
I don't understand how to fix it.
Mostly, I don't understand. :)
Any help in understanding if we have a problem here is appreciated.
--
Will
.
- Follow-Ups:
- Re: Need Help Understanding Kerberos SPN Problem
- From: Joe Richards [MVP]
- Re: Need Help Understanding Kerberos SPN Problem
- From: Al Mulnick
- Re: Need Help Understanding Kerberos SPN Problem
- Prev by Date: Re: SYSVOL replication stops after DCPROMO
- Next by Date: Re: SYSVOL replication stops after DCPROMO
- Previous by thread: Re: domain controller with file server consequences
- Next by thread: Re: Need Help Understanding Kerberos SPN Problem
- Index(es):
Relevant Pages
|
