Kerberos Problems on Win 2003 Member Servers
Posted on 2003-10-22
We have a Windows 2000 AD domain, and have started to upgrade some of the member servers to Windows Server 2003. We currently have 4 member servers running Win Server 2003 standard.
On one of those, I am preparing to install Exchange Server 2003, and one of the prerequisites is to run netdiag to verify everything is working ok on the network. When I ran the netdiag tool, it reported a FATAL Kerberos error:
[FATAL] Kerberos does not have a ticket for "host/memberserver.domain"
I did some looking around, and found all of the Windows 2003 member servers are experiencing the same problem. Our Windows 2000 member servers seem fine. When I look in the security log on the domain controller , there are all kinds of errors being logged as follows:
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 677
Time: 12:02:04 PM
User: NT AUTHORITY\SYSTEM
Computer: "DOMAIN CONTROLLER NAME"
Service Ticket Request Failed:
Ticket Options: 0x40830000
Failure Code: 0xE
Client Address: "MEMBER SERVER IP ADDRESS"
I enabled kerberos logging on a couple of the member servers, and they are recording system events that look as follows:
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 3
Time: 12:12:55 PM
Computer: "MEMBER SERVER NAME"
A Kerberos Error Message was received:
on logon session
Server Time: 16:12:55.0000 10/20/2003 Z
Error Code: 0xe KDC_ERR_ETYPE_NOTSUPP
Server Realm: DOMAIN NAME
Server Name: krbtgt/"DOMAIN NAME"
Target Name: host/MEMBER SERVER.DOMAIN@DOMAIN
Error Data is in record data.
0xE is an error code for "kerberos encryption type not supported". I have looked high and low on the net, and found other reports of similar problems, but no solution for the problem. It appears to be some kind of glitch between Windows 2003 member servers, and Windows 2000 Domain controllers. Everything seems to be working OK, but I am hesitant to proceed with the Exchange 2003 setup until this is resolved.