Re: Need Help Understanding Kerberos SPN Problem
- From: "Al Mulnick" <amulnick_No_SPAM@xxxxxxxxxxx>
- Date: Sat, 15 Jul 2006 16:36:14 -0400
First things first. I see this is not the first time you've posted this.
See:
http://groups.google.com/group/comp.protocols.kerberos/browse_thread/thread/b43445ec98f2eba1/7fc0cf8c08c03540?lnk=st&q=krb5kdc_err_s_principal_unknown+site%3Amicrosoft.com&rnum=2&hl=en#7fc0cf8c08c03540
And so I figure you're probably spending a while troubleshooting this. If I
understand this correctly, your troubleshooting started when you had some
machines that couldn't get GPO applied properly. Some suggestions were made
to try removing those machines from the domain and re-adding them in the
hopes that their computer account somehow got messed up. What were the
results of that?
Paul's advice is sound: "For standard Microsoft applications you should not
have to create any SPNs manually, using Setspn. Once in a while you may find
that the DC indicates that an SPN exists for a member machine, but you really
can't use Kerberos to authenticate to the machine. This is usually fixed by
removing the machine from the domain, rebooting, and rejoining the machine to
the domain."
In addition, this is almost always a problem with either the machine account
or name resolution vs. SPNs unless you've done something really odd. To
check, the best way is to use DCDIAG on the domain controller and check the
output.
As for SPNs, if you have not already read this, take a moment and look it
over.
http://www.pluralsight.com/wiki/default.aspx/Keith.GuideBook/WhatIsAServicePrincipalNameSPN.html
Al
"Will" <DELETE_westes@xxxxxxxxxxxxxxxxxx> wrote in message
news:46SdnXOsoO6opiTZnZ2dnUVZ_qWdnZ2d@xxxxxxxxxxxxxxx
I either don't understand how to use SETSPN, or I have some serious problem
with Kerberos in our domain. For a domain hq.corp.com and a domain
controller my-dc1, the following SETSPN commands executed at the console of
the domain controller are returning errors indicating the account doesn't
exist:

SETSPN -L hq.corp.com
SETSPN -L my-dc1
I've read the Microsoft documents on troubleshooting Kerberos, and I don't
understand SPNs any better after reading those than I did before. They
talk about SPNs in some very vague way and they don't give examples to tie
SPNs together concretely with objects you see in the actual AD management
applications.
I see the special reserved user account krbtgt, and I gather this is an SPN?

I'm getting krb5kdc_err_s_principal_unknown errors on some member servers
when they request a Kerberos host/hq.corp.com ticket.

I don't understand if member servers should be getting the host/<domain>
ticket.
I don't understand why they need it or how they use it.
I don't understand what the implications are if they don't get this ticket.
I don't understand how this relates to SPNs.
I don't understand how to investigate the cause of this.
I don't understand how to fix it.
Mostly, I don't understand. :)

Any help in understanding if we have a problem here is appreciated.
--
Will
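The thread turns on two things: setspn -L expects an account name (a computer account such as my-dc1, written my-dc1$ in sAMAccountName form) rather than a DNS domain name, and the KDC returns KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN when no account in the domain holds the requested SPN (tickets also fail when the same SPN sits on two accounts). The following PowerShell is an added example written for this page, not code from the thread or from Microsoft: it reads the servicePrincipalName attribute of one account the way setspn -L does, and checks the whole domain for SPNs registered on more than one account. The names hq.corp.com and my-dc1 come from the post; MEMBER01, stale-member01 and the sample SPN lists are constructed, and the script assumes Windows PowerShell 3 or later on a domain-joined machine (only the last two commented lines touch a live directory).

```powershell
# Added example, not part of the original thread. Assumes PowerShell 3+ and,
# for the live queries, a domain-joined machine. [adsisearcher] is the
# built-in accelerator for System.DirectoryServices.DirectorySearcher.

function Get-AccountSpn {
    # Equivalent of "setspn -L <account>": returns the SPNs on one account.
    # $SamAccountName is 'my-dc1$' for a computer, or the logon name of a
    # user/service account. A DNS domain name is not an account and will
    # not be found here either.
    param([Parameter(Mandatory=$true)][string]$SamAccountName)
    $searcher = [adsisearcher]"(sAMAccountName=$SamAccountName)"
    $null = $searcher.PropertiesToLoad.Add('servicePrincipalName')
    $null = $searcher.PropertiesToLoad.Add('distinguishedName')
    $result = $searcher.FindOne()
    if (-not $result) { throw "No account named '$SamAccountName' in the current domain" }
    [pscustomobject]@{
        DistinguishedName    = [string]$result.Properties['distinguishedname'][0]
        # Piping through ForEach-Object turns a missing attribute into an empty array.
        ServicePrincipalName = @($result.Properties['serviceprincipalname'] | ForEach-Object { [string]$_ })
    }
}

function Get-AllSpnAccounts {
    # Every account in the domain that has at least one SPN registered.
    $searcher = [adsisearcher]'(servicePrincipalName=*)'
    $searcher.PageSize = 1000          # paged search; domains with >1000 objects need this
    $null = $searcher.PropertiesToLoad.Add('servicePrincipalName')
    $null = $searcher.PropertiesToLoad.Add('distinguishedName')
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            DistinguishedName    = [string]$r.Properties['distinguishedname'][0]
            ServicePrincipalName = @($r.Properties['serviceprincipalname'] | ForEach-Object { [string]$_ })
        }
    }
}

function Find-DuplicateSpn {
    # Takes objects with DistinguishedName and ServicePrincipalName properties
    # and returns each SPN held by more than one account. SPNs are compared
    # case-insensitively because the KDC matches them that way.
    param([Parameter(Mandatory=$true)][object[]]$Accounts)
    $index = @{}
    foreach ($acct in $Accounts) {
        foreach ($spn in $acct.ServicePrincipalName) {
            $key = $spn.ToLowerInvariant()
            if (-not $index.ContainsKey($key)) {
                $index[$key] = New-Object System.Collections.ArrayList
            }
            $null = $index[$key].Add($acct.DistinguishedName)
        }
    }
    foreach ($key in ($index.Keys | Sort-Object)) {
        if ($index[$key].Count -gt 1) {
            [pscustomobject]@{ SPN = $key; Accounts = @($index[$key]) }
        }
    }
}

# --- Constructed sample data (not read from any directory) so the duplicate
# --- check can be exercised offline. Only my-dc1 / hq.corp.com come from the post.
$sample = @(
    [pscustomobject]@{
        DistinguishedName    = 'CN=MY-DC1,OU=Domain Controllers,DC=hq,DC=corp,DC=com'
        ServicePrincipalName = @('HOST/my-dc1', 'HOST/my-dc1.hq.corp.com', 'ldap/my-dc1.hq.corp.com')
    },
    [pscustomobject]@{
        DistinguishedName    = 'CN=MEMBER01,CN=Computers,DC=hq,DC=corp,DC=com'
        ServicePrincipalName = @('HOST/member01', 'HOST/member01.hq.corp.com')
    },
    [pscustomobject]@{
        # Hypothetical leftover service account that still carries the member's host SPN.
        DistinguishedName    = 'CN=stale-member01,CN=Users,DC=hq,DC=corp,DC=com'
        ServicePrincipalName = @('host/member01.hq.corp.com')
    }
)
Find-DuplicateSpn -Accounts $sample | Format-List

# Against the live domain, run as an ordinary domain user on a domain member:
#   (Get-AccountSpn -SamAccountName 'my-dc1$').ServicePrincipalName
#   Find-DuplicateSpn -Accounts (Get-AllSpnAccounts) | Format-List
```

In the constructed sample, host/member01.hq.corp.com is registered on both MEMBER01 and stale-member01, so Find-DuplicateSpn reports that one SPN with both distinguished names; a clean domain returns nothing. Reading the attribute directly shows the same list setspn -L prints, which makes it easy to compare what the directory holds against the SPN named in a KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN error before deciding whether rejoining the machine (the fix quoted above) is the right step.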