RE: Kerberos and authentication issues



Dear Customer,

Thank you for posting to the SBS Newsgroup.

I understand that you have several remote servers that connect to the SBS
2K3 Server with DOD VPN, and your issue is that these remote servers cannot
communicate with the SBS 2K3 Server. If I have misunderstood your concern,
please let me know.

My reply is a bit long, so please take your time to read through my entire
reply, then apply the steps:

Before we start, we need to confirm the following information with you:

a. I am not sure exactly what the "remote servers" are; I assume they are
all Windows Server 2003. Am I right?
b. It seems that you got Event ID 4 on the SBS 2K3 Server and the remote
servers. Am I right?

Explanation:
========================
The Kerberos error 4, "KRB_AP_ERR_MODIFIED", was added in XP and
Windows 2003 in response to issues around Kerberos failures seen in the
field. In short, this error indicates that the ticket was encrypted with a
password which is different from the password currently on the target
server.

Explanation of the Error
========================
This event will occur if you present a service ticket to a principal
(target computer) which cannot decrypt it. Normally the service ticket is
encrypted using the shared secret of the machine account's password as a
basis for the encryption used to encrypt the service ticket. The password
is known only to the KDC (Domain controllers) and the target machine. The
client presents the encrypted session ticket it received from the KDC to the
target server. If the server can decrypt the ticket, the server then knows
that it was encrypted by a trusted source (the DC) and the presenter (the
client) is also trusted. If the target server has a different password
than the DCs, the session ticket cannot be decrypted and the failure occurs.

Cases that can cause this error:
========================

1. DHCP allocated recently released addresses to clients requesting an
address. In this circumstance the client will obtain the recently released
IP address and update its host record on the DNS server. If a server queries
a DNS server for the client's address and is returned the IP address that
was just assigned to another client, this generates the error because the
new client is not able to decrypt its part of the Kerberos ticket.
Generally, this will occur if the DHCP scope is running out. If that is the
case, you need to increase the DHCP scope.

2. WINS / DNS mis-configuration. The name of the target server is
mistakenly resolved to a different machine.

3. Service mis-configuration such as incorrect SPN registration.

4. Corrupted Secure Channel between DCs.
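The four causes above can be told apart from the Event ID 4 text itself: the event names both the machine account that actually answered (the "server") and the SPN the client asked the KDC for (the "target name"). If those are different hosts, the name resolved to the wrong box (causes 1 and 2); if they are the same host, the box that holds the name cannot decrypt the ticket, which points at SPN registration, password or secure-channel trouble (causes 3 and 4). The following triage script is an added example, not code from the original post or from Microsoft; it assumes the standard wording of the Event ID 4 message, and the host names, IP addresses, DNS records and DHCP leases in it are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed Event ID 4 bodies, following the standard message wording.
# Host names and domain are made up for this example.
SAMPLE_EVENT_DNS = (
    "The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server "
    "WKSTN-17$. The target name used was cifs/app01.corp.example. This indicates "
    "that the target server failed to decrypt the ticket provided by the client."
)
SAMPLE_EVENT_SPN = (
    "The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server "
    "APP01$. The target name used was HTTP/app01.corp.example. This indicates "
    "that the target server failed to decrypt the ticket provided by the client."
)

# Constructed forward DNS zone (short host -> A record) and DHCP lease table
# (IP -> host currently holding the lease) used for the cross-check.
SAMPLE_DNS = {"app01": "10.0.5.23"}
SAMPLE_LEASES = {"10.0.5.23": "wkstn-17"}

# The two names the event carries: the account that answered and the SPN requested.
EVENT_RE = re.compile(
    r"KRB_AP_ERR_MODIFIED error from the server (?P<responder>\S+?)\.\s+"
    r"The target name used was (?P<spn>\S+?)\.\s"
)


@dataclass
class Krb4Event:
    responder: str    # machine account that actually answered, e.g. "WKSTN-17$"
    target_spn: str   # SPN the client requested a ticket for, e.g. "cifs/app01.corp.example"


def parse_event(text: str) -> Krb4Event:
    """Pull the responding account and the requested SPN out of an Event ID 4 body."""
    m = EVENT_RE.search(text)
    if not m:
        raise ValueError("not a KRB_AP_ERR_MODIFIED (Event ID 4) message")
    return Krb4Event(m.group("responder"), m.group("spn"))


def short_host(name: str) -> str:
    """Normalise 'APP01$', 'app01.corp.example' or 'cifs/app01.corp.example:445' to 'app01'."""
    if "/" in name:                      # drop the service class of an SPN
        name = name.split("/", 1)[1]
    name = name.split(":", 1)[0]         # drop an optional port
    return name.rstrip("$").split(".", 1)[0].lower()


def classify(ev: Krb4Event, dns: dict, leases: dict) -> tuple:
    """Map one event to the likely cause from the post: (category, detail)."""
    wanted = short_host(ev.target_spn)   # host the client meant to reach
    answered = short_host(ev.responder)  # host that really held the ticket
    if wanted != answered:
        # Name resolution sent the client to another machine. If the DNS A record
        # of the wanted host is leased to the machine that answered, the record is
        # stale after DHCP address reuse (cause 1); otherwise a WINS/DNS mix-up (cause 2).
        ip = dns.get(wanted)
        holder = leases.get(ip) if ip else None
        if holder and holder.lower() == answered:
            return ("stale-dns",
                    f"{wanted} A record {ip} is now leased to {holder}: DHCP reuse, "
                    f"widen the scope and let the stale record age out")
        return ("name-resolution",
                f"{ev.target_spn} reached {ev.responder}: check DNS/WINS entries for {wanted}")
    # The right host answered but could not decrypt: the SPN is registered on the
    # wrong account, or the machine password/secure channel is out of step (causes 3 and 4).
    return ("spn-or-password",
            f"{ev.responder} holds the name but cannot decrypt: verify the SPN owner "
            f"(setspn -L) and the secure channel (nltest /sc_verify)")


if __name__ == "__main__":
    for body in (SAMPLE_EVENT_DNS, SAMPLE_EVENT_SPN):
        category, detail = classify(parse_event(body), SAMPLE_DNS, SAMPLE_LEASES)
        print(f"{category:17s} {detail}")
```

Run against real events, the DNS and lease tables would come from the zone and the DHCP server; feeding the script an empty table still yields the coarse split between "wrong host answered" and "right host cannot decrypt", which is the first question to settle before touching SPNs or resetting machine passwords.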