Re: Event ID 3 Kerberos KDC_ERR_S_PRINCIPAL_UNKNOWN



Hi Paul,
Thanks for the reply.
I have enabled logging and this is where the messages are coming from.
I am seeing these messages (0xd and 0x7) on the only 2 DCs. Not too sure why
there is the cifs/127.0.0.1 setup as the Server Name and Target Name. Where
would these be set?

Running Kerbtray, I see that when I am logged in I have connections to:
cifs/SAN1 (not 127.0.0.1)
host/DC1
krbtgt/domain.loc

When I look at the Encryption types, the Ticket Encryption Type and Key
Encryption Type are the same for cifs and host but the Key Encryption Type is
different (etype 0) for the krbtgt.

Cheers
Giles


"Paul Bergson [MVP-DS]" wrote:

From what it appears, a client is making a request for a ticket for a
service that Kerberos doesn't know about.

You can enable tracing on Kerberos to see if you can determine what is going
on:
http://support.microsoft.com/?id=262177

You can also look at tickets currently used on your client with a Windows
Resource Kit executable named KerbTray.exe.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Giles Ogram" <Giles Ogram@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:07BD04DA-F971-4F32-B773-248F05A807E1@xxxxxxxxxxxxxxxx
Hello,
I am getting a load of these errors along with KDC_ERR_BADOPTION messages as
well.
We get users having very slow logons.

05/03/2007 12:33:36 Kerberos Error None 3 N/A DCAADC001 "A Kerberos Error
Message was received:
on logon session
Client Time:
Server Time: 12:33:36.0000 3/5/2007 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm: domain.com
Server Name: host/dc1.domain.com
Target Name: host/dc1.domain.com@xxxxxxxxxx
Error Text:
File: 9
Line: ae0
Error Data is in record data."

05/03/2007 12:29:00 Kerberos Error None 3 N/A DCAADC001 "A Kerberos Error
Message was received:
on logon session
Client Time:
Server Time: 12:29:0.0000 3/5/2007 Z
Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
Extended Error:
Client Realm:
Client Name:
Server Realm: domain.com
Server Name: cifs/127.0.0.1
Target Name: cifs/127.0.0.1@xxxxxxxxxx
Error Text:
File: 9
Line: ae0
Error Data is in record data."

Regards
Giles Ogram
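
Added example, not part of either poster's messages: a small Python parser for exported Event ID 3 text like the records quoted above. It counts errors per server name and flags SPNs whose host part is an IP literal, such as the cifs/127.0.0.1 entry. The function names, the trimmed sample records, and the choice to treat an IP-literal host as worth a closer look are assumptions of this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample, modelled on the two Event ID 3 records quoted in the thread.
SAMPLE = """\
A Kerberos Error Message was received:
Server Time: 12:33:36.0000 3/5/2007 Z
Error Code: 0xd KDC_ERR_BADOPTION
Server Name: host/dc1.domain.com

A Kerberos Error Message was received:
Server Time: 12:29:0.0000 3/5/2007 Z
Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
Server Name: cifs/127.0.0.1
"""

# "Field Name: value" lines; the value may itself contain colons (timestamps).
FIELD = re.compile(r"^\s*([A-Za-z ]+?):[ \t]*(.*)$")

def parse_events(text):
    """Split on the record banner and return one {field: value} dict per record."""
    events = []
    for chunk in re.split(r"A Kerberos Error\s+Message was received:", text)[1:]:
        fields = {}
        for line in chunk.splitlines():
            m = FIELD.match(line)
            if m:
                fields[m.group(1).strip()] = m.group(2).strip().rstrip('"')
        events.append(fields)
    return events

def spn_host_is_ip(spn):
    """True when the host part of service/host[:port] is an IPv4 literal."""
    host = spn.partition("/")[2].split(":")[0]  # drop an optional :port
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def summarize(events):
    """Count (error name, server name) pairs; list SPNs with IP-literal hosts."""
    counts = Counter()
    for e in events:
        code = e.get("Error Code", "").split()
        counts[(code[-1] if code else "?", e.get("Server Name", ""))] += 1
    flagged = sorted({spn for _, spn in counts if spn_host_is_ip(spn)})
    return counts, flagged
```

Run over a full export from each DC, the counts show which server names account for most of the errors, and the flagged list isolates requests made against an address rather than a host name.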