Kerberos Errors in Windows 2003 Server Domain (Solved)

Posted on 2004-04-02. Last Modified: 2012-08-13
I'm getting a whole bunch of Kerberos errors in the last four days in our Event Viewer (System folder).

We have a single DC running Windows Server 2003 Standard and it is acting as a file server and running Exchange 2003 and AD. We have about 50 workstations. Our server is running DNS, but our firewall is doing the DHCP.

We also have RealVNC running on all the workstations so that I can remotely log into them from the server. To log into one of the workstations, I open the IE browser on the server and type http://computername:5800 into the address field and then I log in via a Java page. A problem has arisen lately with the RealVNC log in process on some computers which I believe is directly related to the kerberos errors.

For example, if I try to log into one of our workstations named AICH019 (http://aich019:5800) I get redirected to AICH021. If I ping both computernames via CMD on the server (ping aich019 & ping aich021), I get the same IP address results for both. But, if I go on each workstation and do ipconfig /all from the command prompt, I get separate IP addresses. The kerberos error below indicates that the two workstations in question are potentially "identically named machine accounts in the target realm."
_________________________________________________________
Event Type:      Error
Event Source:      Kerberos
Event Category:      None
Event ID:      4
Date:            4/2/2004
Time:            10:36:40 AM
User:            N/A
Computer:      TMIC
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server AICH021$.  The target name used was cifs/AICH019.aich.local. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (AICH.LOCAL), and the client realm.  Please contact your system administrator.
_________________________________________________________

I also have additional kerberos errors coming up with other workstations "in conflict".

Here is another error related to the workstation named AICH019.
_________________________________________________________
Event Type:      Error
Event Source:      NETLOGON
Event Category:      None
Event ID:      5722
Date:            4/2/2004
Time:            1:51:30 AM
User:            N/A
Computer:      TMIC
Description:
The session setup from the computer AICH019 failed to authenticate. The name(s) of the account(s) referenced in the security database is AICH019$.  The following error occurred:
Access is denied.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 22 00 00 c0               "..À    
_________________________________________________________



I would very much appreciate any insight into what is the cause and solution of this issue.

Thanks,

Clark



Question by: killyman

23 Comments
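The mechanism behind the Event ID 4 text quoted in the question, as an added toy model that is not code from this thread, from Microsoft or from RealVNC: the KDC seals a service ticket for cifs/AICH019 under the key of the account that owns that SPN (AICH019$), so when a stale DNS record sends the client to the address that really belongs to AICH021, AICH021$ cannot verify the ticket and reports KRB_AP_ERR_MODIFIED. An HMAC tag stands in for real Kerberos ticket encryption; the addresses, keys and the TMIC$ client account name are constructed.

```python
# Added illustration, not code from the Experts Exchange thread: a toy model of
# why a stale DNS A record produces KRB_AP_ERR_MODIFIED. Real Kerberos encrypts
# the service ticket with the target account's long-term key; here an HMAC tag
# under a per-machine-account secret stands in for that encryption. All hosts,
# addresses and keys below are constructed.
import hmac
import hashlib
import secrets


def make_realm(machine_accounts):
    """Return {account: key} as the KDC would hold it (constructed keys)."""
    return {acct: secrets.token_bytes(32) for acct in machine_accounts}


def spn_host(spn):
    """'cifs/AICH019.aich.local' -> 'AICH019' (the account that owns the SPN)."""
    return spn.split("/", 1)[1].split(".", 1)[0].upper()


def issue_service_ticket(realm_keys, spn, client):
    """KDC side: the ticket for an SPN is protected with the key of HOST$,
    the machine account that owns that SPN."""
    service_key = realm_keys[spn_host(spn) + "$"]
    body = f"{spn}|{client}".encode()
    tag = hmac.new(service_key, body, hashlib.sha256).digest()
    return body, tag


def accept_ticket(own_account, own_key, ticket):
    """Service side (AP-REQ handling): verify the ticket with our own key."""
    body, tag = ticket
    expected = hmac.new(own_key, body, hashlib.sha256).digest()
    if hmac.compare_digest(expected, tag):
        return "OK"
    # This is the situation the thread's Event ID 4 describes: the ticket is for
    # another host's SPN, so it was sealed under a key this server does not have.
    target = body.decode().split("|")[0]
    return f"KRB_AP_ERR_MODIFIED from server {own_account}, target name {target}"


def connect(dns_a_records, hosts_by_ip, realm_keys, spn, client="TMIC$"):
    """Client side: resolve the SPN host in DNS, then present the ticket to
    whatever machine actually answers at that address."""
    ip = dns_a_records[spn_host(spn)]
    answering_account = hosts_by_ip[ip]          # who really sits at that IP
    ticket = issue_service_ticket(realm_keys, spn, client)
    return accept_ticket(answering_account, realm_keys[answering_account], ticket)


# Constructed scenario modelled on the thread: AICH019's A record still points
# at the address DHCP has since handed to AICH021.
REALM = make_realm(["AICH019$", "AICH021$", "TMIC$"])
HOSTS_BY_IP = {"10.0.0.19": "AICH019$", "10.0.0.21": "AICH021$"}
STALE_DNS = {"AICH019": "10.0.0.21", "AICH021": "10.0.0.21"}
FIXED_DNS = {"AICH019": "10.0.0.19", "AICH021": "10.0.0.21"}


def demo():
    """Run the same connection against the stale and the corrected zone."""
    stale = connect(STALE_DNS, HOSTS_BY_IP, REALM, "cifs/AICH019.aich.local")
    fixed = connect(FIXED_DNS, HOSTS_BY_IP, REALM, "cifs/AICH019.aich.local")
    return stale, fixed


if __name__ == "__main__":
    for label, result in zip(("stale DNS", "fixed DNS"), demo()):
        print(f"{label}: {result}")
```

Nothing is wrong with either machine account here; the only defect is the A record, which is why correcting DNS (or letting DHCP keep it current) makes the error disappear without touching Kerberos.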
 
Assisted Solution by Debsyl99 (LVL 20, earned 250 total points):
Hi

I'd check the host records for these clients in dns on the server. Sounds like it's a problem between the dhcp allocating ip addresses and the server registering the correct addresses in dns which is then not updated when a new ip is allocated. Check the records in dns for all the clients correspond to their actual IP addresses from IPconfig, and also check that the dns server is configured for dynamic updates, for a start. Let us know how you go

Deb :))
0
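One way to script the check Deb suggests, as an added example that is not part of this thread: pull the answering server and the SPN out of the Event ID 4 text quoted in the question, then go through a hostname/address listing of the forward zone looking for addresses shared by several hosts and for records that disagree with what each workstation reports from ipconfig. The event text is the one from the question; the zone listing and the ipconfig results are constructed sample input.

```python
# Added example, not code from the thread or from Microsoft: triage for the
# "stale DNS host record" cause of Kerberos Event ID 4 (KRB_AP_ERR_MODIFIED).
import re
from collections import defaultdict

# The event description quoted in the question (collapsed onto one line).
EVENT_4_TEXT = """The kerberos client received a KRB_AP_ERR_MODIFIED error from the server AICH021$.  The target name used was cifs/AICH019.aich.local. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (AICH.LOCAL), and the client realm.  Please contact your system administrator."""

EVENT_RE = re.compile(
    r"KRB_AP_ERR_MODIFIED error from the server (?P<server>\S+?)\.\s+"
    r"The target name used was (?P<spn>\S+?)\.\s"
)


def parse_kerberos_event4(text):
    """Extract who answered (server account) versus whom the ticket was for (SPN)."""
    m = EVENT_RE.search(text)
    if not m:
        return None
    server = m.group("server")                          # e.g. AICH021$
    spn = m.group("spn")                                # e.g. cifs/AICH019.aich.local
    host = spn.split("/", 1)[1].split(".", 1)[0]        # e.g. AICH019
    # A different machine answered than the one the SPN names: classic stale DNS.
    mismatch = server.rstrip("$").upper() != host.upper()
    return {"server": server, "spn": spn, "spn_host": host, "name_mismatch": mismatch}


# Constructed: (hostname, A record address) as listed in the forward lookup zone.
ZONE_A_RECORDS = [
    ("AICH015", "192.168.1.15"),
    ("AICH019", "192.168.1.21"),   # stale: DHCP has since given this address to AICH021
    ("AICH021", "192.168.1.21"),
    ("AICH023", "192.168.1.23"),
    ("TMIC", "192.168.1.2"),
]

# Constructed: what each workstation reports from "ipconfig /all".
IPCONFIG = {"AICH015": "192.168.1.15", "AICH019": "192.168.1.19",
            "AICH021": "192.168.1.21", "AICH023": "192.168.1.23", "TMIC": "192.168.1.2"}


def shared_addresses(a_records):
    """Addresses that more than one hostname resolves to (the ping symptom)."""
    by_ip = defaultdict(list)
    for host, ip in a_records:
        by_ip[ip].append(host)
    return {ip: sorted(hosts) for ip, hosts in by_ip.items() if len(hosts) > 1}


def stale_records(a_records, ipconfig):
    """Hosts whose A record differs from the address the machine itself has:
    {host: (dns_address, actual_address)}."""
    return {host: (ip, ipconfig[host]) for host, ip in a_records
            if host in ipconfig and ipconfig[host] != ip}


def triage(event_text, a_records, ipconfig):
    """Combine the event parse with the zone checks into one findings dict."""
    ev = parse_kerberos_event4(event_text)
    findings = {"event": ev,
                "shared": shared_addresses(a_records),
                "stale": stale_records(a_records, ipconfig)}
    if ev and ev["name_mismatch"]:
        ip = dict(a_records).get(ev["spn_host"])
        findings["likely_cause"] = (f"{ev['spn_host']} resolves to {ip}, which is "
                                    f"answered by {ev['server']}; fix the A record")
    return findings


if __name__ == "__main__":
    for key, value in triage(EVENT_4_TEXT, ZONE_A_RECORDS, IPCONFIG).items():
        print(f"{key}: {value}")
```

The "server" account in the event is the machine that actually answered at the resolved address, and the SPN names the machine the client meant to reach; whenever those two differ, the A record for the SPN host is the first thing to compare against that host's own ipconfig output.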
 
Accepted Solution by Gareth Gudger (LVL 30, earned 250 total points):
Maybe you should switch DHCP over to the server as well and let it do dynamic DNS updating for you.

As Debsy suggested...sounds like old hosts records.

Author Comment by killyman:
Thanks Deb and Diggisaur!

I checked the host records in the DNS (on the server) and I found that the computers in question both have the same IP address.

Now, remember what I said before?

"if I try to log into one of our workstations named AICH019 (http://aich019:5800) I get redirected to AICH021."

Well, in the Host record properties for AICH019 under the Security Tab I found a ghost user in there (it had a whole bunch of numbers and letters, but no coherent name). So, I deleted the record and after a little bit, the AICH019 computer obtained a separate IP address and I could log into the AICH019 computer without being redirected to AICH022.

But, I just found another kerberos error this morning between two different computers. I did the same check as I mention before, and found the ghost user in the "target" computer's host record.

At this point, I think I'll just do as Diggisaur suggested and move the DHCP role over to the server. But, before doing that I just wanted to try your suggestion about checking that the DNS server is configured for dynamic updates and see if that solves the problem. How do I go about doing that (step by step)?

Thanks!

Clark

Expert Comment by Debsyl99 (LVL 20):
Hi there

Ok - I think that the dhcp option on the server is probably a better course of action, but we can talk you through that too if necessary. However you WILL need to configure dynamic updates regardless of the course of action you take regarding dhcp. Open up dns on the server. Under the server object is the forward look-up zones list. Expand this first, then right-click on the forward lookup zone entitled "yourdomain.com" where this is the same as your ad domain name. Click properties and select the general tab - select yes in the dynamic updates box, then click ok.

Note you can't select secure updates unless it's an ad integrated zone, for now just select yes.

Let us know if you need to change the dhcp server (I expect that you probably will),

Deb :))


Expert Comment by Debsyl99 (LVL 20):
lol sorry, browser error in the clicking department ;-))

Author Comment by killyman:
Deb,

I decided this afternoon to just go ahead and activate the DHCP Server on the Domain Controller and disable it on the firewall.

I ended up having to call Dell Server Support for help in figuring out why none of the workstations were getting IP addresses from the DHCP on the server after I set it up. Apparently, I forgot to "authorize" the DHCP Server in the properties box.

Everything seems to be working fine right now. I'll have to wait a few days and see if I get any more Kerberos errors, but the person I spoke with at Dell also believes that moving the role of DHCP to the server will resolve the problem because in 2000 & 2003 the DNS, AD and DHCP are so tightly integrated.

I checked the properties for our domain in the DNS Forward Look Up Zone and didn't see a check box for dynamic updates. Instead there was an option for Dynamic Updates with a drop down box next to it. The option that was already chosen was "Secure". The other two options were "Nonsecure and secure" or "None." Could the configuration layout be different in 2003?

Clark


Expert Comment by Debsyl99 (LVL 20):
Hi
Yes sorry I was speaking from windows 2000 server experience, but the principle is the same, just windows 2003 server is slightly different. If the zone is active-directory integrated then it defaults to the use of secure updates apparently which is what it would appear is already set in yours so it should be fine. There's a really good description of it all here:

Dynamic update in Windows 2003 Server
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_DNS_und_DynamicUpdates.asp

Hope this helps, but I think that you may have sorted this out now.

Deb :))

Expert Comment by Gareth Gudger (LVL 30):
Glad to hear ya moved over.....

Also have you told DHCP to automatically update DNS with client/host records?

Author Comment by killyman:
Deb & diggisaur,

Thanks for all of your help. Things seem to be working fairly well, although I did notice one Kerberos error from this morning (April 5) in the Event Viewer log. It is the only one to appear since the role of DHCP was set up on the server on April 3rd. Vast improvement as we were getting numerous errors each day all last week.

I have the DNS options set up in the DHCP properties box using the default settings (see below).

SELECTED - Enable DNS Dynamic updates according to the settings below:

SELECTED - Dynamically update DNS A and PTR records only if requested by the DHCP clients

NOT SELECTED - Always dynamically update DNS A and PTR records

SELECTED - Discard A and PTR records when lease is deleted

If you have any other comments, I'd appreciate it. Otherwise I'll just take this last opportunity to thank you both! Thanks!

Clark

Expert Comment by Gareth Gudger (LVL 30):
No that looks good.

Expert Comment by Debsyl99 (LVL 20):
What you have set up should be fine - is the kerberos error any different from your previous ones?

Author Comment by killyman:
Hi Deb!

The error appears to be the same as the previous ones (see further below), but I haven't seen another since April 5th (morning).

We were having all kinds of problems with our firewall all last week (locking up) so after moving the DHCP role over to the server over the weekend, on Monday (April 5) in the afternoon I wiped out the firmware on the firewall and installed the latest fresh new version. The firewall seems to be fine now and maybe these kerberos errors were somehow related to the firewall being on the fritz.

Event Type:      Error
Event Source:      Kerberos
Event Category:      None
Event ID:      4
Date:            4/5/2004
Time:            10:18:53 AM
User:            N/A
Computer:      TMIC
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server AICH023$.  The target name used was cifs/AICH015.aich.local. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (AICH.LOCAL), and the client realm.   Please contact your system administrator.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Expert Comment by Debsyl99 (LVL 20):
Hi there,

It's the same error as you'd been getting, so I'd leave it for a while and see if you get any more, if not all should be well - keep us posted. You could always check on the host records for AICH015 and ensure that there's no duplication anymore,

Deb :))

Expert Comment by Gareth Gudger (LVL 30):
Yes I would agree with Debsy....leave DHCP on the server as it is for a while to see if the errors come back. (Personally I would leave DHCP there permanently). :)

Author Comment by killyman:
Thanks guys (figuratively speaking of course) :-)

No sign of any kerberos errors today.

Now onto other issues... Will it ever end? (it's a rhetorical question, of course)

Clark

Expert Comment by Gareth Gudger (LVL 30):
Ah....no points for moi...maybe I didn't help any.

Author Comment by killyman:
Diggisaur,

I wanted to give you points, but I didn't see any options to split them between you and Deb.  :-(

Is there a way?

Clark

Expert Comment by Gareth Gudger (LVL 30):
You will need a moderator to unaccept the answer....post in the community to do this. The "Split" option is right above where you would have posted a comment before you accepted an answer.

Expert Comment by Debsyl99 (LVL 20):
I could always post some for you diggisaur? If not whatever you guys wanna do is fine by me :))

Glad we helped ;-)

Author Comment by killyman:
All done! Thanks Deb and Diggisaur!

Expert Comment by Gareth Gudger (LVL 30):
no problem :)