Re: Kerberos Query
- From: JohnH <JohnH@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 9 Oct 2008 02:10:01 -0700
Thanks for the Kerberos logging tip, Paul - I've now got some event log errors
to work with.
When I try to access \\server1\share from another machine, I now get the
following event (id 3) on server2:
=====================================
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 8:58:19.0000 10/9/2008 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm: DOMAIN.COM
Server Name: host/server2.domain.com
Target Name: host/server2.domain.com@xxxxxxxxxx
Error Text:
File: 9
Line: ae0
Error Data is in record data.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
=====================================
So next I tried logging onto server2 and going to \\server1\share (just out
of curiosity), and I get the following two events (both id 3 - in this order):
=====================================
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 9:1:45.0000 10/9/2008 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm: DOMAIN.COM
Server Name: host/server2.domain.com
Target Name: host/server2.domain.com@xxxxxxxxxx
Error Text:
File: 9
Line: ae0
Error Data is in record data.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
=====================================
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 9:2:59.0000 10/9/2008 Z
Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
Extended Error:
Client Realm:
Client Name:
Server Realm: DOMAIN.COM
Server Name: cifs/server1.domain.com
Target Name: cifs/server1.domain.com@xxxxxxxxxx
Error Text:
File: 9
Line: ae0
Error Data is in record data.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
=====================================
I also tried this on another machine (i.e. creating a new alias "dnsalias"
for "computer" and connecting to \\computername\share using \\dnsalias\share),
and I get the same error - so it's not restricted to just these machines.
Reading
http://www.microsoft.com/technet/solutionaccelerators/cits/interopmigration/unix/usecdirw/17wsdsu.mspx, I've found the following under "Common DNS Issues":
"Kerberos relies on the presence of both forward and reverse lookup entries
in DNS. Check that the host name of each computer can be resolved to its IP
address and that its IP address can be resolved to its host name."
So would you think that means that either:
a) it was never going to work, because the reverse DNS entry would always
point to server2; or
b) I've got a DNS or domain issue; or
c) something altogether different :-)
Either way, it certainly seems that I don't understand Kerberos properly and
am going to do some more reading! But any further advice would be most
welcome.
--
-JohnH
"Paul Weterings" wrote:
Just thinking with you here....
If I understand the situation correctly I believe you are thinking in
the right direction.
It's as if the share is being accessed with the 'old name', causing the
Kerberos KDC to encrypt the service ticket with the 'old password'. That
would also explain the error. (I would have expected something in the
event viewer, though.)
As to how to move further on this quest... Have you considered enabling
Kerberos event logging?
http://support.microsoft.com/default.aspx?scid=kb;EN-US;262177
Next step would be wireshark I'm afraid...
--
/ ) Regards,
/ /_________
_|__|__) Paul Weterings
/ (O_) http://www.servercare.nl
__/ (O_)
____(O_)
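The TechNet note JohnH quotes ("Kerberos relies on the presence of both forward and reverse lookup entries in DNS") can be turned into a mechanical check. The Python below is an added example, not code from this thread, from Microsoft, or from the TechNet page: it parses the Kerberos event id 3 text exactly as it appears above (error code, service class and host part of the SPN in "Server Name"), then runs a forward-then-reverse lookup on each host and reports whether the PTR record comes back to the same name. So that it runs offline, the lookups default to a constructed zone (CONSTRUCTED_A / CONSTRUCTED_PTR, addresses from the 192.0.2.0/24 documentation range) in which "dnsalias" resolves to server2's address, modelling the alias scenario in the post; the live_forward / live_reverse helpers show the same check against real DNS via the standard socket module.

```python
"""Parse Kerberos 'event id 3' error text and check forward/reverse DNS
consistency for each SPN host.  Added example; the DNS data is constructed."""
import re
import socket
from typing import Callable, Dict, List, Optional

# Sample input: the two events from the second test in the post, trimmed to
# the lines this parser reads.  Separator and field layout are kept verbatim.
SAMPLE_EVENTS = """\
A Kerberos Error Message was received:
on logon session
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Server Realm: DOMAIN.COM
Server Name: host/server2.domain.com
Target Name: host/server2.domain.com@xxxxxxxxxx
=====================================
A Kerberos Error Message was received:
on logon session
Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
Extended Error:
Server Realm: DOMAIN.COM
Server Name: cifs/server1.domain.com
Target Name: cifs/server1.domain.com@xxxxxxxxxx
"""

FIELD_RE = re.compile(
    r"^(Error Code|Extended Error|Server Realm|Server Name|Target Name):\s*(.*)$")


def parse_events(text: str) -> List[Dict[str, object]]:
    """Split on the '=====' separator lines and extract the named fields."""
    events: List[Dict[str, object]] = []
    for chunk in re.split(r"^=+\s*$", text, flags=re.M):
        fields: Dict[str, object] = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line.strip())
            if m:
                fields[m.group(1)] = m.group(2).strip()
        if "Error Code" not in fields:
            continue
        # "0xd KDC_ERR_BADOPTION" -> numeric code and symbolic name
        code, _, name = str(fields["Error Code"]).partition(" ")
        fields["code"] = int(code, 16)
        fields["name"] = name
        # "host/server2.domain.com" -> service class and host part of the SPN
        svc, _, host = str(fields.get("Server Name", "")).partition("/")
        fields["service"] = svc
        fields["host"] = host
        events.append(fields)
    return events


Forward = Callable[[str], Optional[str]]   # name -> IP or None
Reverse = Callable[[str], Optional[str]]   # IP -> name or None


def check_dns_consistency(name: str, forward: Forward, reverse: Reverse) -> Dict[str, object]:
    """Forward-resolve name, reverse-resolve the result, and compare the two
    names case-insensitively (trailing dots ignored)."""
    ip = forward(name)
    ptr = reverse(ip) if ip else None
    consistent = ptr is not None and ptr.lower().rstrip(".") == name.lower().rstrip(".")
    return {"name": name, "ip": ip, "ptr": ptr, "consistent": consistent}


# Constructed zone (not the poster's real DNS).  dnsalias points at server2's
# address, so its PTR answers "server2.domain.com", not "dnsalias.domain.com".
CONSTRUCTED_A = {
    "server1.domain.com": "192.0.2.11",
    "server2.domain.com": "192.0.2.12",
    "dnsalias.domain.com": "192.0.2.12",
}
CONSTRUCTED_PTR = {
    "192.0.2.11": "server1.domain.com",
    "192.0.2.12": "server2.domain.com",
}


def fake_forward(name: str) -> Optional[str]:
    return CONSTRUCTED_A.get(name.lower())


def fake_reverse(ip: str) -> Optional[str]:
    return CONSTRUCTED_PTR.get(ip)


def live_forward(name: str) -> Optional[str]:
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def live_reverse(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def report(text: str, forward: Forward = fake_forward,
           reverse: Reverse = fake_reverse) -> List[Dict[str, object]]:
    """One row per parsed event: error name, SPN, and the DNS check for its host."""
    rows = []
    for ev in parse_events(text):
        dns = check_dns_consistency(str(ev["host"]), forward, reverse)
        rows.append({"error": ev["name"], "spn": ev["Server Name"], **dns})
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE_EVENTS):
        print(row)
    # The alias itself fails the check: forward gives 192.0.2.12, PTR gives server2.
    print(check_dns_consistency("dnsalias.domain.com", fake_forward, fake_reverse))
```

To run it against real infrastructure, pass `live_forward` and `live_reverse` to `report()`; a row with `consistent: False` is a host whose forward and reverse records disagree, which is the condition the TechNet text says to rule out.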