csmout


Kerberos Problems on Win 2003 Member Servers

We have a Windows 2000 AD domain, and have started to upgrade some of the member servers to Windows Server 2003.  We currently have 4 member servers running Win Server 2003 standard.  
 
On one of those, I am preparing to install Exchange Server 2003, and one of the prerequisites is to run netdiag to verify everything is working OK on the network.  When I ran the netdiag tool, it reported a FATAL Kerberos error:
 
[FATAL]  Kerberos does not have a ticket for "host/memberserver.domain"
 
I did some looking around, and found all of the Windows 2003 member servers are experiencing the same problem.  Our Windows 2000 member servers seem fine.  When I look in the security log on the domain controller, there are all kinds of errors being logged as follows:
 
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 677
Date:  10/20/2003
Time:  12:02:04 PM
User:  NT AUTHORITY\SYSTEM
Computer:  "DOMAIN CONTROLLER NAME"
Description:
Service Ticket Request Failed:
  User Name:
  User Domain:
  Service Name:
  Ticket Options: 0x40830000
  Failure Code: 0xE
  Client Address: "MEMBER SERVER IP ADDRESS"

I enabled kerberos logging on a couple of the member servers, and they are recording system events that look as follows:
 
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 3
Date:  10/20/2003
Time:  12:12:55 PM
User:  N/A
Computer: "MEMBER SERVER NAME"
Description:
A Kerberos Error Message was received:
         on logon session
 Client Time:
 Server Time: 16:12:55.0000 10/20/2003 Z
 Error Code: 0xe KDC_ERR_ETYPE_NOTSUPP
 Extended Error:
 Client Realm:
 Client Name:
 Server Realm: DOMAIN NAME
 Server Name: krbtgt/"DOMAIN NAME"
 Target Name: host/MEMBER SERVER.DOMAIN@DOMAIN
 Error Text:
 File: 9
 Line: ab8
 Error Data is in record data.
 
0xE is an error code for "Kerberos encryption type not supported".  I have looked high and low on the net, and found other reports of similar problems, but no solution for the problem.  It appears to be some kind of glitch between Windows 2003 member servers and Windows 2000 domain controllers.  Everything seems to be working OK, but I am hesitant to proceed with the Exchange 2003 setup until this is resolved.
 
Anyone??
 
Chris Smout
Netman66

Here is more on that:

0xE (KDC_ERR_ETYPE_NOTSUPP) "KDC has no support for the encryption type"

The client tried to use an encryption type that the KDC does not support, for any of the following reasons:

The client's account does not have a key of the appropriate encryption type.
The KDC (cross-realm trust) account does not have a key of the appropriate encryption type.
The requested server account does not have a key of the appropriate encryption type.
The type may not be recognized at all, for example, if a new type is introduced. This happens most frequently with MIT compatibility, where an account may not yet have an MIT compatible key. Generally, a password change must occur for the MIT-compatible key to be available.


Try right-clicking the computer account in AD for the suspect server and selecting Reset Account.

If that doesn't work, use NETDOM to reset account.

http://support.microsoft.com/default.aspx?scid=kb;[LN];325850

These may also help:

http://support.microsoft.com/default.aspx?scid=kb;[LN];232179

Now, with respect to Exchange 2003 - doesn't it require Active Directory?  Which likely means that it needs to run on a DC.

Advise.

Hmmm...found something else.

Open the Local Security Settings on the 2003 server (from Administrative Tools).

Expand Local Policies>Security Options.

Find this: Domain member: Digitally encrypt or sign secure channel data (always), and disable it.

If you want to know more about what that setting does, right-click it and select Help.

Hope this helps too!

csmout

ASKER

I opened a ticket with Microsoft on the issue, and the problem turns out to be an issue between 2000 DCs and 2003 member servers.  Here is an excerpt from the Microsoft email:

As I mentioned in my previous email, Windows 2003 introduces support for constrained delegation, which leverages the S4U2Proxy extension to Kerberos. The Kerberos client on a Windows 2003 server will regularly (every 15 minutes by default) check the KDC to see if it supports S4U. Windows 2000 does not support S4U and will instead log a Security Audit event. I discussed the event with the development team and confirmed that it will NOT impact the upgrade to Exchange 2003.

The end result was that they sent me a hotfix to install on the DC to stop the errors from being recorded in the security log every couple of minutes.  

Chris
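The explanation above gives a defender a usable signature: the Windows 2003 S4U probe shows up on a Windows 2000 DC as Event ID 677 with Failure Code 0xE, repeating from the same client roughly every 15 minutes. The script below is an added example (not from this thread or from Microsoft) that parses records in the 677 format quoted earlier and separates clients that match that benign cadence from ones whose 0xE failures do not fit it; the sample export and the 192.0.2.x addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of exported Event ID 677 records, trimmed to the fields used here.
# 192.0.2.10 repeats on the 15-minute S4U probe interval; 192.0.2.20 fails 90 s apart.
SAMPLE_EXPORT = """\
Date:  10/20/2003
Time:  12:02:04 PM
  Failure Code: 0xE
  Client Address: 192.0.2.10

Date:  10/20/2003
Time:  12:17:04 PM
  Failure Code: 0xE
  Client Address: 192.0.2.10

Date:  10/20/2003
Time:  12:05:00 PM
  Failure Code: 0xE
  Client Address: 192.0.2.20

Date:  10/20/2003
Time:  12:06:30 PM
  Failure Code: 0xE
  Client Address: 192.0.2.20
"""
FIELD = re.compile(r"^\s*(Date|Time|Failure Code|Client Address):\s*(.+?)\s*$", re.M)

def parse_events(text):
    # One record per blank-line-separated block -> (timestamp, failure code, client IP)
    events = []
    for block in text.strip().split("\n\n"):
        f = dict(FIELD.findall(block))
        when = datetime.strptime(f["Date"] + " " + f["Time"], "%m/%d/%Y %I:%M:%S %p")
        events.append((when, f["Failure Code"].upper(), f["Client Address"]))
    return sorted(events)

def classify(events, period=timedelta(minutes=15), slack=timedelta(minutes=1)):
    # Per client: all failures 0xE and every gap ~15 min -> known-benign probe; else look closer
    by_client = defaultdict(list)
    for when, code, client in events:
        by_client[client].append((when, code))
    verdict = {}
    for client, rows in by_client.items():
        times = [t for t, _ in rows]
        gaps = [b - a for a, b in zip(times, times[1:])]
        benign = (gaps and all(abs(g - period) <= slack for g in gaps)
                  and all(code == "0XE" for _, code in rows))
        verdict[client] = "benign-s4u-probe" if benign else "investigate"
    return verdict
```

A client that only ever appears once cannot establish a cadence and is reported as "investigate" until more events arrive.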
ASKER CERTIFIED SOLUTION
Computer101

Microsoft will not provide the hotfix without a KB# and claim they don't have a hotfix.  They want me to open an incident.  Does anybody have the KB#?

Thanks,

Mike

ASKER

The number I was given was Q824905, but I can't pull that up on Microsoft's support site.
Thank you for the info...it helped MS find the info....They said there will be a page on the MS website soon regarding this issue.