Re: Kerberos errors in event log, authentication, IPSec transport mode on port 445 issues

From: Kristin Thomas [MSFT] (kthomas_at_online.microsoft.com)
Date: 03/17/04


Date: Wed, 17 Mar 2004 14:52:40 GMT

Edward,

That error looks like it can't find a valid Security Cert, try following
this article to see if it helps:

323342 HOW TO: Install a Certificate for Use with IP Security in Windows Server
http://support.microsoft.com/?id=323342

Also have you used IPSec Monitor to try to troubleshoot this?

324269 HOW TO: Use IPSec Monitor in Windows Server 2003
http://support.microsoft.com/?id=324269

Best Regards,

Kristin Thomas, MCSE, MCP
Microsoft Enterprise Network Support

Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
| From: "Edward W. Ray \(502974\)" <homeboy@greekgod.net>
| References: <Obev50ECEHA.684@tk2msftngp13.phx.gbl>
| <TRZahNFCEHA.1672@cpmsftngxa06.phx.gbl>
| <#oE48quCEHA.3064@tk2msftngp13.phx.gbl>
| <coNHA32CEHA.564@cpmsftngxa06.phx.gbl>
| Subject: Re: Kerberos errors in event log, authentication, IPSec transport mode on port 445 issues
| Date: Tue, 16 Mar 2004 20:09:39 -0800

|
| Kristin:
|
| I made the change you suggested, the Kerberos errors subsided a little. I
| was able to make the change to all but one of the XP clients, so it may be
| coming from that one, I am not sure and will be unable to make the change to
| that machine because the user is performing detailed simulations.
|
| IPSec is still a mystery. The link is established between the Windows 2003
| File server and the Windows 2003 DC, then fails. I get the following error
| message (deletion by peer seems to be the issue, why it is deleted I do not
| know):
|
| Event Type: Failure Audit
| Event Source: Security
| Event Category: Logon/Logoff
| Event ID: 547
| Date: 3/16/2004
| Time: 7:58:00 PM
| User: NT AUTHORITY\NETWORK SERVICE
| Computer: BLACKDOG
| Description:
| IKE security association negotiation failed.
| Mode:
| Key Exchange Mode (Main Mode)
|
| Filter:
| Source IP Address 192.168.1.99
| Source IP Address Mask 255.255.255.255
| Destination IP Address 192.168.1.102
| Destination IP Address Mask 255.255.255.255
| Protocol 0
| Source Port 0
| Destination Port 0
| IKE Local Addr 192.168.1.99
| IKE Peer Addr 192.168.1.102
| IKE Source Port 500
| IKE Destination Port 500
| Peer Private Addr
|
| Peer Identity:
| Kerberos based Identity: bigdogmedina$@MMICMANHOMENET.LOCAL
| Peer IP Address: 192.168.1.102
|
| Failure Point:
| Me
|
| Failure Reason:
| IKE SA deleted by peer before establishment completed
|
| Extra Status:
| Processed first (SA) payload
| Initiator. Delta Time 49
| 0x0 0x0
|
|
| For more information, see Help and Support Center at
| http://go.microsoft.com/fwlink/events.asp.
|
|
|
|
|
| "Kristin Thomas [MSFT]" <kthomas@online.microsoft.com> wrote in message
| news:coNHA32CEHA.564@cpmsftngxa06.phx.gbl...
| > Edward,
| >
| > It sounds like you are having Kerberos over UDP issues, the packet is too
| > big for UDP so it ends up fragmented and failing. Try forcing Kerberos over
| > TCP by following this article:
| >
| > 244474 How to Force Kerberos to Use TCP Instead of UDP
| > http://support.microsoft.com/?id=244474
| >
| > Best Regards,
| >
| > Kristin Thomas, MCSE, MCP
| > Microsoft Enterprise Network Support
| >
| > Get Secure! - www.microsoft.com/security
| >
| > =====================================================
| > When responding to posts, please "Reply to Group" via
| > your newsreader so that others may learn and benefit
| > from your issue.
| > =====================================================
| > This posting is provided "AS IS" with no warranties, and confers no rights.
| >
| > --------------------
| > | From: "Edward W. Ray \(502974\)" <homeboy@greekgod.net>
| > | References: <Obev50ECEHA.684@tk2msftngp13.phx.gbl>
| > <TRZahNFCEHA.1672@cpmsftngxa06.phx.gbl>
| > | Subject: Re: Kerberos errors in event log, authentication, IPSec transport mode on port 445 issues
| > | Date: Mon, 15 Mar 2004 16:07:56 -0800
| >
| > |
| > | No netdiag errors until I enable IPSec transport mode on port 445 between
| > | file server and DC. Then secure channel fails. No netdiag errors when
| > | IPSec "Permit" is used. Kerberos errors persist:
| > |
| > | Event Type: Error
| > | Event Source: Kerberos
| > | Event Category: None
| > | Event ID: 3
| > | Date: 3/15/2004
| > | Time: 3:55:12 PM
| > | User: N/A
| > | Computer: BLACKDOG
| > | Description:
| > | A Kerberos Error Message was received:
| > | on logon session
| > | Client Time:
| > | Server Time: 23:55:11.0000 3/15/2004 Z
| > | Error Code: 0x34 KRB_ERR_RESPONSE_TOO_BIG
| > | Extended Error:
| > | Client Realm:
| > | Client Name:
| > | Server Realm: MMICMANHOMENET.LOCAL
| > | Server Name: ldap/bigdogmedina.mmicmanhomenet.local/mmicmanhomenet.local
| > | Target Name: ldap/bigdogmedina.mmicmanhomenet.local/mmicmanhomenet.local@MMICMANHOMENET.LOCAL
| > | Error Text:
| > | File: 9
| > | Line: ac0
| > | Error Data is in record data.
| > |
| > | For more information, see Help and Support Center at
| > | http://go.microsoft.com/fwlink/events.asp.
| > |
| > |
| > | Event Type: Error
| > | Event Source: Kerberos
| > | Event Category: None
| > | Event ID: 3
| > | Date: 3/15/2004
| > | Time: 3:46:05 PM
| > | User: N/A
| > | Computer: BLACKDOG
| > | Description:
| > | A Kerberos Error Message was received:
| > | on logon session
| > | Client Time:
| > | Server Time: 23:46:4.0000 3/15/2004 Z
| > | Error Code: 0xd KDC_ERR_BADOPTION
| > | Extended Error: 0xc00000bb KLIN(0)
| > | Client Realm:
| > | Client Name:
| > | Server Realm: MMICMANHOMENET.LOCAL
| > | Server Name: host/blackdog.mmicmanhomenet.local
| > | Target Name: host/blackdog.mmicmanhomenet.local@MMICMANHOMENET.LOCAL
| > | Error Text:
| > | File: 9
| > | Line: ac0
| > | Error Data is in record data.
| > |
| > | For more information, see Help and Support Center at
| > | http://go.microsoft.com/fwlink/events.asp.
| > | Data:
| > | 0000: 03a11530 a2030102 bb0c040e 00c00000
| > | 0010: 03000000 000000
| > |
| > |
| > |
| > |
| > |
| >
|
|
|
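
The thread quotes two event types worth triaging together: Kerberos Event ID 3 (a KRB-ERROR was received, here 0x34 KRB_ERR_RESPONSE_TOO_BIG and 0xd KDC_ERR_BADOPTION) and Security Event ID 547 (IKE main-mode negotiation failed, "IKE SA deleted by peer before establishment completed"). The script below is an added example and is not from the original thread or from Microsoft; it parses event-description text of the shape posted above into fields and prints a triage verdict. The sample events are constructed from the posted ones (abridged), the KB numbers are the ones Kristin cites, and the NTSTATUS name for 0xC00000BB (STATUS_NOT_SUPPORTED) is from the public NTSTATUS list; everything else is the example's own logic.

```python
import re

# "Key: value" line; a key with nothing after the colon collects the lines below it.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ()]*?):\s*(.*)$")
CODE_RE = re.compile(r"0x([0-9A-Fa-f]+)\s*([A-Z_]+)?")

# Kerberos error codes (RFC 4120 section 7.5.9), subset seen in this thread.
KRB_ERROR_NAMES = {0x0D: "KDC_ERR_BADOPTION", 0x34: "KRB_ERR_RESPONSE_TOO_BIG"}
# NTSTATUS values that appear in the 'Extended Error' field, subset.
NTSTATUS_NAMES = {0xC00000BB: "STATUS_NOT_SUPPORTED"}


def parse_event(text):
    """Turn an Event Viewer description dump into {field: value}."""
    fields, last_key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1).strip(), m.group(2).strip()
            fields[key] = value
            last_key = key if not value else None  # empty value: lines below belong to it
        elif last_key is not None:
            fields[last_key] = (fields[last_key] + " " + line).strip()
    return fields


def triage_kerberos(fields):
    m = CODE_RE.search(fields.get("Error Code", ""))
    code = int(m.group(1), 16) if m else None
    ext = CODE_RE.search(fields.get("Extended Error", ""))
    ntstatus = int(ext.group(1), 16) if ext else None
    if code == 0x34:
        advice = ("KDC reply did not fit in a UDP datagram; force Kerberos over TCP "
                  "(KB 244474) and check for dropped IP fragments on the path to the KDC")
    elif code == 0x0D:
        ext_name = NTSTATUS_NAMES.get(ntstatus, hex(ntstatus) if ntstatus is not None else "n/a")
        advice = (f"KDC rejected a requested ticket option for "
                  f"{fields.get('Server Name', '?')}; extended error {ext_name}")
    else:
        advice = "no rule for this code; see RFC 4120 section 7.5.9"
    return {"event": "kerberos", "code": code, "name": KRB_ERROR_NAMES.get(code, "UNKNOWN"),
            "ntstatus": ntstatus, "advice": advice}


def triage_ike(fields):
    reason = fields.get("Failure Reason", "")
    peer = fields.get("Peer IP Address", "?")
    # The identity line shows which IKE authentication method was negotiated.
    auth = "kerberos" if "Kerberos based Identity" in fields else "other"
    if "deleted by peer" in reason.lower():
        advice = (f"peer {peer} dropped the main-mode SA before it completed, so this side "
                  f"only saw the delete; read the peer's own Security log (its event 547) for "
                  f"the failure point there and compare the IPsec policy and authentication "
                  f"method on both hosts")
    else:
        advice = "failure is local to this host: " + reason
    if auth == "kerberos":
        advice += ("; identity is Kerberos-based, so this policy is not using certificates "
                   "(a certificate policy needs a valid IPsec certificate on both peers, KB 323342)")
    return {"event": "ike", "mode": fields.get("Mode", ""),
            "failure_point": fields.get("Failure Point", ""), "reason": reason,
            "peer": peer, "auth": auth, "advice": advice}


def triage(text):
    fields = parse_event(text)
    if fields.get("Event Source") == "Kerberos":
        return triage_kerberos(fields)
    if fields.get("Event ID") == "547":
        return triage_ike(fields)
    return {"event": "unknown", "advice": "not a Kerberos or IKE event"}


# Constructed samples, shaped like the events posted in this thread (abridged).
SAMPLE_KRB_TOO_BIG = """\
Event Source: Kerberos
Event ID: 3
Description:
A Kerberos Error Message was received:
Error Code: 0x34 KRB_ERR_RESPONSE_TOO_BIG
Extended Error:
Server Realm: MMICMANHOMENET.LOCAL
Server Name: ldap/bigdogmedina.mmicmanhomenet.local/mmicmanhomenet.local
"""
SAMPLE_KRB_BADOPTION = """\
Event Source: Kerberos
Event ID: 3
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Server Name: host/blackdog.mmicmanhomenet.local
"""
SAMPLE_IKE_547 = """\
Event Source: Security
Event ID: 547
Description:
IKE security association negotiation failed.
Mode:
Key Exchange Mode (Main Mode)
Peer Identity:
Kerberos based Identity: bigdogmedina$@MMICMANHOMENET.LOCAL
Peer IP Address: 192.168.1.102
Failure Point:
Me
Failure Reason:
IKE SA deleted by peer before establishment completed
"""

if __name__ == "__main__":
    for sample in (SAMPLE_KRB_TOO_BIG, SAMPLE_KRB_BADOPTION, SAMPLE_IKE_547):
        print(triage(sample))
```

Paste the description text of a real event into triage() to get the same verdict for it. The 0x34 case is the one KB 244474 addresses (as that article documents, by setting the Kerberos MaxPacketSize registry value so the client uses TCP); the 547 case deliberately sends you to the other host's log, because "Failure Point: Me" combined with "deleted by peer" only tells you that the remote side gave up first.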


