Re: Kerberos Query
JohnH wrote:
Hi everyone,

I've managed to cause myself a bit of a problem with Kerberos that I'm not 100% sure how to diagnose... I've got two web servers, we'll say server1 (Win2k web server) and server2 (Win2k3 web server - intended to replace the server1 hardware, which is now EOL).

The plan was to migrate server1 to server2, but keep the same IP address due to an unknown number of badly-coded applications referencing the server by IP. So we built server2 on another IP address and copied all the websites and data over. The final plan was to remove server1 from the domain and shut it down, then change the address of server2 to the desired IP address (and create an alias for server1 in DNS to direct all traffic to server2).

Due to a mistake by myself I ended up having the two web servers on the network at the same time with the same address - which was stupid I know. The result of this was that all web traffic is fine to the new server, but if I try to connect to a fileshare using \\server1\share, it now shows an error about a duplicate name on the network. If you do this from server1 itself, it actually shows a Windows authentication prompt, but no credentials work and you end up with an access denied error.

Initially I was getting a KRB_AP_ERR_MODIFIED error logged in the event log. Since then I've removed server2 from the domain, made sure all computer accounts, DNS entries and WINS entries are removed for both server1 and server2, then re-added server2 to the domain, but I still get the same error dialog windows, and no event log errors.

I'm now a bit lost as to where to troubleshoot next - any help would be much appreciated. Thanks.

Just thinking with you here...

If I understand the situation correctly I believe you are thinking in the right direction.

It's as if the share is being accessed with the 'old name', causing the Kerberos KDC to encrypt the service ticket with the 'old password'. That would also explain the error. (I would have expected something in the event viewer though.)

As for how to move further on this quest... Have you considered enabling Kerberos event logging? http://support.microsoft.com/default.aspx?scid=kb;EN-US;262177

Next step would be Wireshark, I'm afraid...

--

/ ) Regards,
/ /_________
_|__|__) Paul Weterings
/ (O_) http://www.servercare.nl
__/ (O_)
____(O_)
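The mechanism Paul describes (the KDC sealing a service ticket for the old name with a key the replacement host no longer holds) can be modelled in a few lines. The following is an added example, not code from either poster and not real Kerberos cryptography: the "sealing" is a SHA-256 keystream plus an HMAC tag, the `KDC` and `FileServer` classes, the account names `SERVER1$`/`SERVER2$` and the SPN `cifs/server1` are all constructed for illustration. It shows a client reaching server2 through the server1 name while the KDC still maps that name to the stale server1 account, which yields KRB_AP_ERR_MODIFIED, and then the same request succeeding once the stale account is gone and the name is registered to server2's account.

```python
import hashlib
import hmac
import os

# Constructed toy model of the Kerberos service-ticket flow behind KRB_AP_ERR_MODIFIED.
# Not real Kerberos crypto: "sealing" is a SHA-256 keystream XOR plus an HMAC tag,
# enough to show that a ticket sealed under one account's key cannot be opened with another.

KRB_AP_ERR_MODIFIED = "KRB_AP_ERR_MODIFIED"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under a long-term account key (toy stand-in for a ticket enc-part)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag with the service's own key; a mismatch is what the real protocol reports as KRB_AP_ERR_MODIFIED."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError(KRB_AP_ERR_MODIFIED)
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """Assumed, simplified KDC: computer-account keys plus the SPN -> account mapping."""

    def __init__(self):
        self.account_keys = {}  # account name -> long-term key
        self.spn_owner = {}     # SPN -> account name

    def join(self, account: str, spns) -> bytes:
        """Domain join: a fresh key for the account, and its SPNs registered to it."""
        self.account_keys[account] = os.urandom(32)
        for spn in spns:
            self.spn_owner[spn] = account
        return self.account_keys[account]

    def service_ticket(self, spn: str, client: str) -> bytes:
        # The ticket is sealed with the key of whichever account the SPN is mapped to.
        owner = self.spn_owner[spn]
        return seal(self.account_keys[owner], f"client={client};spn={spn}".encode())


class FileServer:
    """A host that validates presented tickets with the key it received at join time."""

    def __init__(self, key: bytes):
        self.key = key

    def accept(self, ticket: bytes) -> str:
        try:
            return unseal(self.key, ticket).decode()
        except ValueError as err:
            return str(err)


def scenario():
    kdc = KDC()
    kdc.join("SERVER1$", ["cifs/server1"])          # original host owns cifs/server1
    key2 = kdc.join("SERVER2$", ["cifs/server2"])   # replacement host joins under its own name
    server2 = FileServer(key2)

    # A client opens \\server1\share, which now physically reaches server2. The KDC still
    # maps cifs/server1 to SERVER1$, so the ticket is sealed with a key server2 never had.
    before = server2.accept(kdc.service_ticket("cifs/server1", "johnh"))

    # Clean-up: the stale SERVER1$ account is removed and the server1 name is registered
    # to SERVER2$ (the alias step in the migration plan), so the KDC seals with key2.
    del kdc.account_keys["SERVER1$"]
    kdc.spn_owner["cifs/server1"] = "SERVER2$"
    after = server2.accept(kdc.service_ticket("cifs/server1", "johnh"))
    return before, after


if __name__ == "__main__":
    print(scenario())
```

The practical check this points at is whether any object in the directory other than server2's computer account still carries an SPN or host name for server1 after the clean-up; a leftover mapping reproduces the `before` branch on every connection, which is consistent with the prompt-then-access-denied behaviour described above even when nothing new is logged.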