Regular intermittent Kerberos failures



Hi,

This is a last desperate call for help. About once a week, for between
2 and 10 minutes, users are unable to log in to our main web
application (ASP based). They get the following message:

'Failed to generate SSPI context'

Looking at the System Log on the web server displays the following
messages for the web site and SQL SPNs:

'The Security System detected an authentication error for the server
HTTP/<website name>. The failure code from authentication protocol
Kerberos was "The time at the Primary Domain Controller is different
than the time at the Backup Domain Controller or member server by too
large an amount.
(0xc0000133)".'

'The Security System detected an authentication error for the server
MSSQLSvc/S05010010.corp.dnsdom.net:1433. The failure code from
authentication protocol Kerberos was "The time at the Primary Domain
Controller is different than the time at the Backup Domain Controller
or member server by too large an amount.
(0xc0000133)".'

I have used net time to check the times on the Domain Controller, web
server and db server. Can't see any problems. Our system guys have
been through the 'Failed to generate SSPI context' knowledge base
articles.

I haven't seen anything referring to this as a regularly repeating
intermittent problem. We are getting worried cos there is always the
chance it won't come back up!

I also notice that the Kerberos group policy "Maximum Tolerance for
Computer Clock Synchronization" is not defined. Does this need to be
defined or will it automatically use the default of 5 minutes?

Any help very gratefully received.

Cheers,

James
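
An added example, not part of the original post: a Python script that pulls the clock-skew events (0xc0000133) out of exported System-log records and clusters them into outage windows, so the "once a week, 2 to 10 minutes" pattern can be measured and lined up against scheduled jobs or time-sync changes. The timestamps, the HTTP SPN name, the second status code and the 15-minute clustering gap are constructed assumptions; the message wording and the SQL SPN follow the post.

```python
import re
from datetime import datetime, timedelta

SKEW = "0xc0000133"  # status code quoted in the post's event text
EVENT_RE = re.compile(
    r"authentication error for the server (\S+)\. .*?\((0x[0-9a-fA-F]{8})\)", re.S)

def sample_msg(spn, code=SKEW):
    """Rebuild the System-log wording from the post (description shortened)."""
    return ("The Security System detected an authentication error for the "
            f"server {spn}. The failure code from authentication protocol "
            f'Kerberos was "... by too large an amount. ({code})".')

WEB = "HTTP/www.example.test"  # constructed; the post elides the site name
SQL = "MSSQLSvc/S05010010.corp.dnsdom.net:1433"  # SPN as given in the post
SAMPLE = [  # constructed records (timestamps invented): two outages a week apart
    ("2005-03-07T09:14:05", sample_msg(WEB)),
    ("2005-03-07T09:14:07", sample_msg(SQL)),
    ("2005-03-07T09:21:05", sample_msg(SQL)),
    ("2005-03-10T11:00:00", sample_msg(WEB, "0xc000006d")),  # other code, ignored
    ("2005-03-14T09:13:50", sample_msg(WEB)),
    ("2005-03-14T09:16:50", sample_msg(SQL)),
]

def skew_events(records):
    """Return sorted (time, spn) pairs for events carrying the skew status."""
    hits = []
    for stamp, text in records:
        m = EVENT_RE.search(text)
        if m and m.group(2).lower() == SKEW:
            hits.append((datetime.fromisoformat(stamp), m.group(1)))
    return sorted(hits)

def outage_windows(events, gap=timedelta(minutes=15)):
    """Cluster events no more than `gap` apart into (start, end, spns)."""
    windows = []
    for when, spn in events:
        if windows and when - windows[-1][1] <= gap:
            start, _, spns = windows[-1]
            windows[-1] = (start, when, spns | {spn})
        else:
            windows.append((when, when, {spn}))
    return windows

def summarize(records):
    wins = outage_windows(skew_events(records))
    durations = [end - start for start, end, _ in wins]
    intervals = [b[0] - a[0] for a, b in zip(wins, wins[1:])]
    return wins, durations, intervals
```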
