We help IT Professionals succeed at work.

Check out our new AWS podcast with Certified Expert, Phil Phillips! Listen to "How to Execute a Seamless AWS Migration" on EE or on your favorite podcast platform. Listen Now

x

Kerberos Errors in Windows 2003 Server Domain

Medium Priority
1,668 Views
Last Modified: 2012-08-13
I'm getting a whole bunch of Kerberos errors in the last four days in our Event Viewer (System folder).

We have a single DC running Windows Server 2003 Standard and it is acting as a file server and running Exchange 2003 and AD. We

have about 50 workstations. Our server is running DNS, but our firewall is doing the DHCP.

We also have RealVNC running on all the workstations so that I can remotely log into them from the server. To log into one of the

workstations, I open the IE browser on the server and type http://computername:5800 into the address field and then I log in via a Java

page. A problem has arisen lately with the RealVNC log in process on some computers which I believe is directly related to the

kerberos errors.

For example, if I try to log into one of our workstations named AICH019 (http://aich019:5800) I get redirected to AICH021. If I ping both

computernames via CMD on the server (ping aich019 & ping aich021), I get the same IP address results for both. But, if I go on each

workstation and do ipconfig /all from the command prompt, I get seperate IP addresses. The kerberos error below indicates that the

two workstations in question are potentially "identically named machine accounts in the target realm."
_________________________________________________________
Event Type:      Error
Event Source:      Kerberos
Event Category:      None
Event ID:      4
Date:            4/2/2004
Time:            10:36:40 AM
User:            N/A
Computer:      TMIC
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server AICH021$.  The target name used was

cifs/AICH019.aich.local. This indicates that the password used to encrypt the kerberos service ticket is different than that on the

target server. Commonly, this is due to identically named  machine accounts in the target realm (AICH.LOCAL), and the client realm.  

Please contact your system administrator.
_________________________________________________________

I also have additional kerberos errors coming up with other workstations "in conflict".

Here is another error related to the workstation named AICH019.
_________________________________________________________
Event Type:      Error
Event Source:      NETLOGON
Event Category:      None
Event ID:      5722
Date:            4/2/2004
Time:            1:51:30 AM
User:            N/A
Computer:      TMIC
Description:
The session setup from the computer AICH019 failed to authenticate. The name(s) of the account(s) referenced in the security

database is AICH019$.  The following error occurred:
Access is denied.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 22 00 00 c0               "..À    
_________________________________________________________



I would very much appreciate any insight into what is the cause and solution of this issue.

Thanks,

Clark



Comment
Watch Question

Top Expert 2004
Commented:
Unlock this solution with a free trial preview.
(No credit card required)
Get Preview
Solution Architect
CERTIFIED EXPERT
Most Valuable Expert 2014
Top Expert 2014
Commented:
Unlock this solution with a free trial preview.
(No credit card required)
Get Preview

Author

Commented:
Thanks Deb and Diggisaur!

I checked the host records in the DNS (on the sever) and I found that the computers in question both have the same IP address.

Now, remember what I said before?

"if I try to log into one of our workstations named AICH019 (http://aich019:5800) I get redirected to AICH021."

Well, in the Host record properties for AICH019 under the Security Tab I found a ghost user in there (it had a whole bunch of numbers and letters, but no coherent name). So, I deleted the record and after a little bit, the AICH019 computer obtained a seperate IP address and I could log into the AICH019 computer without being redirected to AICH022.

But, I just found another kerberos error this morning between two different computers. I did the same check as I mention before, and found the ghost user in the "target" computer's host record.

At this point, I think I'll just do as Diggisaur suggested and move the DHCP role over to the server. But, before doing that I just wanted to try your suggestion about checking that the DNS server is configured for dynamic updates and see if that solves the problem. How do I go about doing that(step by step)?

Thanks!

Clark
Top Expert 2004

Commented:
Hi there

Ok - I think that the dhcp option on the server is probably a better course of action, but we can talk you through that too if necessary. However you WILL need to configure dynamic updates regardless of the course of action you take regarding dhcp. Open up dns on the server. Under the server object is the forward look-up zones list. Expand this first, then right-click on the forward lookup zone entitled "yourdomain.com" where this is the same as your ad domain name. Click properties and select the general tab - select yes in  the dynamic updates box, then click ok.

Note you can't select secure updates unless it's ad integrated zone, for now just select yes.

Let us know if you need to change the dhcp server (I expect that you probably will),

Deb :))

Top Expert 2004

Commented:
Hi there

Ok - I think that the dhcp option on the server is probably a better course of action, but we can talk you through that too if necessary. However you WILL need to configure dynamic updates regardless of the course of action you take regarding dhcp. Open up dns on the server. Under the server object is the forward look-up zones list. Expand this first, then right-click on the forward lookup zone entitled "yourdomain.com" where this is the same as your ad domain name. Click properties and select the general tab - select yes in  the dynamic updates box, then click ok.

Note you can't select secure updates unless it's ad integrated zone, for now just select yes.

Let us know if you need to change the dhcp server (I expect that you probably will),

Deb :))

Top Expert 2004

Commented:
lol sorry, browser error in the clicking department ;-))

Author

Commented:
Deb,

I decided this afternoon to just go ahead and activate the DHCP Server on the Domain Controller and disable it on the firewall.

I ended up having to call Dell Server Support for help in figuring out why none of the workstations were getting IP addresses from the DHCP on the server after I set it up. Apparently, I forgot to "authorize" the DHCP Server in the properties box.

Everything seems to be working fine right now. I'll have to wait a few days and see if I get any more Kerberos errors, but the person I spoke with at Dell also believes that moving the role of DHCP to the server will resolve the problem because in 2000 & 2003 the DNS, AD and DHCP are so tightly intergrated.

I checked the properties for our domain in the DNS Forward Look Up Zone and didn't see a check box for dynamic updates. Instead there was an option for Dynamic Updates with a drop down box next to it. The option that was already chosen was "Secure". The other two options were "Nonsecure and secure" or "None." Could the configuration layout be different in 2003?

Clark

Top Expert 2004

Commented:
Hi
Yes sorry I was speaking from windows 2000 server experience, but the principal is the same, just windows 2003 server is slightly different. If the zone is active-directory integrated then it defaults to the use of secure updates apparently which is what it would appear is already set in yours so it should be fine. There's a really good description of it all here:

Dynamic update in Windows 2003 Server
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_DNS_und_DynamicUpdates.asp

Hope this helps, but I think that you may have sorted this out now.

Deb :))
Gareth GudgerSolution Architect
CERTIFIED EXPERT
Most Valuable Expert 2014
Top Expert 2014

Commented:
Glad to hear ya moved over.....

Also have you told DHCP to automatically update DNS with client/host records?

Author

Commented:
Deb & diggisaur,

Thanks for all of your help. Things seem to be working fairly well, although I did notice one Kerberos error from this morning (April 5) in the Event Viewer log. It is the only one to appear since the role of DHCP was set up on the server on April 3rd. Vast improvement as we were getting numerous errors each day all last week.

I have the DNS options set up in the DHCP properties box using the default settings (see below).

SELECTED - Enable DNS Dynamic updates according to the settings below:

SELECTED - Dynamically update DNS A and PTR records only if requested by the DHCP clients

NOT SELECTED - Always dynamically update DNS A and PTR records

SELECTED - Discard A and PTR records when lease is deleted

If you have any other comments, I'd appreciate it. Otherwise I'll just take this last opportunity to thank you both! Thanks!

Clark
Gareth GudgerSolution Architect
CERTIFIED EXPERT
Most Valuable Expert 2014
Top Expert 2014

Commented:
No that looks good.
Top Expert 2004

Commented:
What you have set up should be fine - is the kerberos error any different from your previous ones?

Author

Commented:
Hi Deb!

The error appears to be the same as the previous ones(see further below), but I haven't seen another since April 5th(morning).

We were having all kinds of problems with our firewall all last week (locking up) so after moving the DHCP role over to the server over the weekend, on Monday (April 5) in the afternoon I wiped out the firmware on the firewall and installed the latest fresh new version. The firewall seems to be fine now and maybe these kerberos errors were somehow related to the firewall being on the fritz.

Event Type:      Error
Event Source:      Kerberos
Event Category:      None
Event ID:      4
Date:            4/5/2004
Time:            10:18:53 AM
User:            N/A
Computer:      TMIC
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server AICH023$.  The target name used was cifs/AICH015.aich.local. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (AICH.LOCAL), and the client realm.   Please contact your system administrator.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Top Expert 2004

Commented:
Hi there,

It's the same error as you'd been getting, so I'd leave it for a while and see if you get any more, if not all should be well - keep us posted. You could always check on the host records for AICH015 and ensure that there's no duplication anymore,

Deb :))
Gareth GudgerSolution Architect
CERTIFIED EXPERT
Most Valuable Expert 2014
Top Expert 2014

Commented:
Yes I would agree with Debsy....leave DHCP on the server as it is for a while to see if the errors come back. (Personally I would leave DHCP there permanently). :)

Author

Commented:
Thanks guys(figuratively speaking of course) :-)

No sign of any kerberos errors today.

Now onto other issues... Will it ever end? (it's a rhetorical question, of course)

Clark
Gareth GudgerSolution Architect
CERTIFIED EXPERT
Most Valuable Expert 2014
Top Expert 2014

Commented:
Ah....no points for moi...maybe I didnt help any.

Author

Commented:
Diggisaur,

I wanted to give you points, but I didn't see any options to split them between you and Deb.  :-(

Is there a way?

Clark
Gareth GudgerSolution Architect
CERTIFIED EXPERT
Most Valuable Expert 2014
Top Expert 2014

Commented:
You will need a moderator to unaccept the answer....post in the community to do this. The "Split" option is right above where you would have posted a comment before you accepted an answer.
Top Expert 2004

Commented:
I could always post some for you diggisaur? If not whatever you guys wanna do is fine by me :))

Glad we helped ;-)

Author

Commented:
All done! Thanks Deb and Diggisaur!
Gareth GudgerSolution Architect
CERTIFIED EXPERT
Most Valuable Expert 2014
Top Expert 2014

Commented:
no problem :)
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a free trial preview!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.