RE: Event ID 3 Kerberos
- From: Ruchi Manuja <RuchiManuja@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 5 Jun 2008 01:03:01 -0700
Hello
Possible Causes and Resolutions:
• Impending expiration of a TGT.
Resolution
Confirm the cause by verifying the expiration time on the TGT. To do this,
use the Kerberos List parameter tgt. If you confirm that this is the cause,
you need do nothing more, because the TGT will be automatically renewed or a
new one will be requested if needed. For example, Windows XP and Windows
Server 2003 will recover from this automatically.
• The SPN to which the client is attempting to delegate credentials is not
in its Allowed-to-delegate-to list.
Resolution
1. Use Network Monitor to determine the SPN to which the client is attempting
to delegate credentials. You will need this information in a later step.
2. Click Start, click Run, and then open Active Directory Users and Computers
by typing the following:
dsa.msc
3. Right-click the user or service account that has problems authenticating,
and then click Properties.
4. Click the Delegation tab.
5. The Allowed-to-delegate-to list is the list of servers shown under the
heading, Services to which this account can present delegated credentials.
6. Add the SPN the client is attempting to delegate to (information from the
captured data you obtained in Step 1) to the Allowed-to-delegate-to list for
that client. This will tell the KDC that this client is indeed allowed to
authenticate to this service. The KDC will then grant the client the
appropriate ticket.
For information about setting up service accounts for delegation, see “HOW
TO: Configure Computer Accounts and User Accounts So That They Are Trusted
for Delegation in Windows Server 2003 Enterprise Edition” in the Microsoft
Knowledge Base at http://go.microsoft.com/fwlink/?LinkId=23067.
• The server does not support constrained delegation or protocol transition.
(Windows 2000 does not support constrained delegation or protocol transition.)
Reference:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx#EIB
I hope the above helps.
Thanks
"TomJerzey" wrote:
I get this error on one of my dc's. I get an error every 5 to 10 minutes in
the system log. Can not seem to find any additional information. Thanks for
your help.
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 3
Date: 6/2/2008
Time: 5:17:26 AM
User: N/A
Computer: Domain Controller
Description:
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 9:17:26.0000 6/2/2008 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm: Domain Name
Server Name: host/domain controller.domain name
Target Name: host/domaincontroller.comain name@domain name
Error Text:
File: 9
Line: ae0
Error Data is in record data.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 30 15 a1 03 02 01 03 a2 0.??....c
0008: 0e 04 0c bb 00 00 c0 00 ...??..??.
0010: 00 00 00 03 00 00 00 .......
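Added example (not part of either poster's message): a small Python decoder for the "Data:" bytes of the quoted event, showing how the record relates to the "Extended Error" line. It assumes the record is a DER SEQUENCE of a [1] INTEGER type and a [2] OCTET STRING holding three little-endian 32-bit words; the function names and the field names klin and flags are choices made for this example.

```python
import struct

# Constructed from the three "Data:" rows of the event quoted above.
RECORD_HEX = "30 15 a1 03 02 01 03 a2  0e 04 0c bb 00 00 c0 00  00 00 00 03 00 00 00"
NTSTATUS_NAMES = {0xC00000BB: "STATUS_NOT_SUPPORTED"}  # only the value seen on this page


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("element runs past end of record")
    return tag, buf[pos:pos + length], pos + length


def decode_error_data(raw):
    """Decode SEQUENCE { [1] INTEGER type, [2] OCTET STRING value }."""
    tag, seq, _ = read_tlv(raw, 0)
    if tag != 0x30:
        raise ValueError("record is not a SEQUENCE")
    fields, pos = {}, 0
    while pos < len(seq):
        ctx, inner, pos = read_tlv(seq, pos)   # [n] explicit wrapper
        fields[ctx] = read_tlv(inner, 0)[1]    # wrapped INTEGER / OCTET STRING
    value = fields.get(0xA2, b"")
    if 0xA1 not in fields or len(value) != 12:
        raise ValueError("unexpected record layout")
    # Assumption: the value is three little-endian 32-bit words.
    status, klin, flags = struct.unpack("<III", value)
    return {
        "type": int.from_bytes(fields[0xA1], "big"),
        "status": status,
        "status_name": NTSTATUS_NAMES.get(status, "unknown"),
        "klin": klin,    # second word; the event text prints it as KLIN(0)
        "flags": flags,  # third word; the name is an assumption
    }


def decode_hex(text=RECORD_HEX):
    return decode_error_data(bytes.fromhex("".join(text.split())))
```

For the bytes above, decode_hex() returns type 3, status 0xC00000BB (the NTSTATUS value STATUS_NOT_SUPPORTED) and a second word of 0, which matches the event's "Extended Error: 0xc00000bb KLIN(0)" line.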