Re: Ldap Binding + Kerbros error
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 21 Feb 2007 11:57:04 -0600
I was suggesting performing an LDAP query using the exact filter as specified
in my mail. You should query against the global catalog, not just a
specific domain, as SPNs are forest wide. You can use whatever LDAP query
tool you like for this. ADFind from www.joeware.net is a very popular and
capable command line LDAP query tool. I tend to use ldp.exe for most of my
searches. The exact syntax will vary depending on which tool you decide to
use.
A servicePrincipalName (SPN) is the Kerberos name of a service on the
network. It is kind of like the userPrincipalName of a user that is used to
identify a user via Kerberos. Remember that Kerberos is a mutual
authentication protocol, so the client authenticates with the server and the
server authenticates with the client. Both have to work for Kerb auth to
function. SPNs are associated with accounts in AD which can be user or
computer accounts. An SPN gets associated with a service based on the
account that is used to execute the Windows process that "is" the service.
The built in NETWORK SERVICE and SYSTEM accounts on a local machine will use
the machine account's credentials on the network, so the SPNs for services
run under those accounts are associated with the machine account.
In order to authenticate with the server, the client attempts to get a
service ticket for the service it is trying to access. It does this by
forming a servicePrincipalName based on the type of service being accessed,
the network port and the name of the service. In your case, the client is
trying to do LDAP for a server called dc3.mydomain.local, so the SPN it
forms is "ldap/dc3.mydomain.local". It asks the KDC for a service ticket to
access that service. Note that this is one reason why Kerberos doesn't work
when you use IP addresses to access a service. The SPNs are always
associated with NetBIOS and DNS names.
The KDC then figures out which account in the forest has that
servicePrincipalName (or a "catch all" that matches it) and creates the
service ticket encrypted specifically for that service account. The client
then sends that ticket to the service for authentication. However, if the
KDC creates a service ticket for an account different from the account that
is actually running the remote service, the remote service will not be able
to decrypt it and you'll see that error. This usually happens if there is
more than one account with the same SPN and the KDC chooses the wrong one,
but can happen for other reasons.
That's what that error was telling you. Unfortunately, if you don't know
how Kerberos works (most people don't), it sounds like a bunch of gibberish.
This is the eternal problem with error messages. :)
So, basically we are trying to figure out if more than one account in the
forest has that SPN as our starting point for troubleshooting.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
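An added example (not from Joe's mail or from any tool he names) of the two checks he describes, in Python: is the SPN held by more than one account, and is it held by an account other than that DC's computer account. The records below are constructed to look like what a GC search (LDAP port 3268) with his filter would return, reduced to the attributes the check needs; the svc-ldapproxy account is a planted duplicate holder.

```python
from collections import defaultdict

# Constructed sample of GC search results (hypothetical accounts). The user
# account svc-ldapproxy deliberately carries the same ldap/ SPN as DC3.
SAMPLE_GC_RESULTS = [
    {"sAMAccountName": "DC3$", "objectClass": "computer",
     "servicePrincipalName": ["ldap/dc3.mydomain.local",
                              "ldap/dc3.mydomain.local/mydomain.local",
                              "HOST/dc3.mydomain.local", "HOST/DC3"]},
    {"sAMAccountName": "DC2$", "objectClass": "computer",
     "servicePrincipalName": ["ldap/dc2.mydomain.local",
                              "HOST/dc2.mydomain.local"]},
    {"sAMAccountName": "svc-ldapproxy", "objectClass": "user",
     "servicePrincipalName": ["ldap/dc3.mydomain.local"]},
]


def build_spn(service_class, host, port=None, service_name=None):
    """Form an SPN the way a client does: class/host[:port][/name]."""
    spn = f"{service_class}/{host}"
    if port is not None:
        spn += f":{port}"
    if service_name:
        spn += f"/{service_name}"
    return spn


def index_spns(results):
    """Map each SPN (lower-cased; AD matches SPNs case-insensitively) to the
    sAMAccountNames holding it."""
    holders = defaultdict(list)
    for entry in results:
        for spn in entry["servicePrincipalName"]:
            holders[spn.lower()].append(entry["sAMAccountName"])
    return holders


def check_spn(results, spn, expected_account):
    """Return findings for one SPN: missing, duplicated, or on the wrong account."""
    holders = index_spns(results).get(spn.lower(), [])
    findings = []
    if not holders:
        findings.append(f"{spn}: not registered on any account")
    if len(holders) > 1:
        findings.append(f"{spn}: duplicate SPN on {sorted(holders)}")
    for holder in holders:
        if holder.lower() != expected_account.lower():
            findings.append(f"{spn}: held by {holder}, expected {expected_account}")
    return findings
```

In a real run the records come from an LDAP search of the GC for the filter Joe gives, requesting sAMAccountName and servicePrincipalName; an empty findings list means the SPN is unique and on the expected DC.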
--
"khaled azzaz" <khaledazzaz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:FBDCA843-1F46-470E-BF61-709138967067@xxxxxxxxxxxxxxxx
Thanks Joe
And Thanks for the encouraging news 2 "bad" in one message lol :)
The question is I am not sure how to search for that object. Do you mean
search for the object DC3, which is a domain controller and a GC at the same
time too?
Forgive me, what is SPN? I was reading about that and did not get exactly
what they are saying.
Thanks man
"Joe Kaplan" wrote:
Search the GC for any objects matching
(servicePrincipalName=ldap/dc3.mydomain.local). If there are two or more,
that is bad. Also, if that SPN is associated with an account that isn't
that particular DC, that is also bad.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"khaled azzaz" <khaledazzaz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:674B5E5D-D753-4636-8362-CF883F942895@xxxxxxxxxxxxxxxx
Hi, I have 3 DC 2003 in one domain, they are all GC, DNS servers. I have an
exchange server as a member server. Everything working fine except for some
errors in the event viewers that I was not minding because they are the
usual warnings, errors. I can ping any one of them, resolve FQDN. I introduced
a new member server to install additional exchange server. On that member
server I got an event id of 8026 Ldap Binding error to one of the dc. Also I
got a kerberos error too, event id 4 KRB_AP_ERR_MODIFIED error:
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date: 2/16/2007
Time: 11:32:01 AM
User: N/A
Computer: EXCHANGE-1
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/dc2.mydomain.local. The target name used was ldap/dc3.mydomain.local.
This indicates that the password used to encrypt the kerberos service ticket
is different than that on the target server. Commonly, this is due to
identically named machine accounts in the target realm (MYDOMAIN.LOCAL), and
the client realm. Please contact your system administrator.
Here some additional information :
Event Type: Error
Event Source: MSExchangeAL
Event Category: Service Control
Event ID: 8260
Date: 2/16/2007
Time: 1:58:46 PM
User: N/A
Computer: EXCHANGE-1
Description:
Could not open LDAP session to directory 'dc3.mydomain.local' using local
service credentials. Cannot access Address List configuration information.
Make sure the server 'dc3.mydomain.local' is running.
Please, Any help