• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 16378
  • Last Modified:

Getting a lot of Kerberos error messages from the same client every day!!!

Hi, heres the log files from the security-log.

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      537
Date:            26-04-2004
Time:            09:45:22
User:            NT AUTHORITY\SYSTEM
Computer:      STOHNSERVER
Description:
Logon Failure:
       Reason:            An error occurred during logon
       User Name:      
       Domain:            
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:      -
       Status code:      0xC000006D
       Substatus code:      0xC0000133
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID:      -
       Transited Services:      -
       Source Network Address:      192.168.0.21
       Source Port:      0


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

----------------------------------------------------------------------

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      537
Date:            26-04-2004
Time:            09:45:21
User:            NT AUTHORITY\SYSTEM
Computer:      STOHNSERVER
Description:
Logon Failure:
       Reason:            An error occurred during logon
       User Name:      
       Domain:            
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:      -
       Status code:      0xC000006D
       Substatus code:      0xC0000133
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID:      -
       Transited Services:      -
       Source Network Address:      192.168.0.21
       Source Port:      1212


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

------------------------------------------------------------

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      537
Date:            26-04-2004
Time:            09:45:21
User:            NT AUTHORITY\SYSTEM
Computer:      STOHNSERVER
Description:
Logon Failure:
       Reason:            An error occurred during logon
       User Name:      
       Domain:            
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:      -
       Status code:      0xC000006D
       Substatus code:      0xC0000133
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID:      -
       Transited Services:      -
       Source Network Address:      192.168.0.21
       Source Port:      1208


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

--------------------------------------------------------

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      537
Date:            26-04-2004
Time:            09:21:41
User:            NT AUTHORITY\SYSTEM
Computer:      STOHNSERVER
Description:
Logon Failure:
       Reason:            An error occurred during logon
       User Name:      
       Domain:            
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:      -
       Status code:      0xC000006D
       Substatus code:      0xC0000133
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID:      -
       Transited Services:      -
       Source Network Address:      192.168.0.21
       Source Port:      1099


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

-------------------------------------------

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      537
Date:            26-04-2004
Time:            09:21:20
User:            NT AUTHORITY\SYSTEM
Computer:      STOHNSERVER
Description:
Logon Failure:
       Reason:            An error occurred during logon
       User Name:      
       Domain:            
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:      -
       Status code:      0xC000006D
       Substatus code:      0xC0000133
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID:      -
       Transited Services:      -
       Source Network Address:      192.168.0.21
       Source Port:      1093


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

----------------------------

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      537
Date:            26-04-2004
Time:            09:21:19
User:            NT AUTHORITY\SYSTEM
Computer:      STOHNSERVER
Description:
Logon Failure:
       Reason:            An error occurred during logon
       User Name:      
       Domain:            
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:      -
       Status code:      0xC000006D
       Substatus code:      0xC0000133
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID:      -
       Transited Services:      -
       Source Network Address:      192.168.0.21
       Source Port:      1090


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


------------------------------------------

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      537
Date:            26-04-2004
Time:            09:20:46
User:            NT AUTHORITY\SYSTEM
Computer:      STOHNSERVER
Description:
Logon Failure:
       Reason:            An error occurred during logon
       User Name:      
       Domain:            
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:      -
       Status code:      0xC000006D
       Substatus code:      0xC0000133
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID:      -
       Transited Services:      -
       Source Network Address:      192.168.0.21
       Source Port:      0


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


----------------------------------------------------

And there are many more....

Its only from this one computer with the ip 192.168.0.21. What's the problem. Does anybody know ? How can I find out. Is these logfiles helpfull at all ?


Best regards,

Zoodiaq
0
Zoodiaq
Asked:
Zoodiaq
  • 2
  • 2
1 Solution
 
JamesDSCommented:
Zoodiaq
Kerberos has minimum requirements for timesync, make sure the clock on the problem PC is timesync'd to within 4 seconds.

From the problem machine run:

NET TIME /SET /YES
and it will sync straight to a domain controller.

Cheers

JamesDS
0
 
ZoodiaqAuthor Commented:
Yes, that seems to be the problem.

I looked on the client computer which is running windows XP, and there is two events showing up all the time.

Event Type:      Error
Event Source:      W32Time
Event Category:      None
Event ID:      29
Date:            26-04-2004
Time:            14:05:56
User:            N/A
Computer:      Computername
Description:
Tidsprovideren NtpClient er konfigureret til at hente tid fra en eller flere tidskilder, men ingen af kilderne er tilgængelige i øjeblikket.  Der forsøges ikke at oprette forbindelse til en kilde i 239 minutter. NtpClient har ingen kilde til korrekt tid.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

--------------

The description is in danish, but is says that the timeprovider NtpClient is configuret to get the time from one or more timesources, but none of the sources are available at the moment. The system will not try to make a connection too a source for 239 minuttes. The NtpClient doesn't have a source for correct time. (This is just my poor translation)

The other event is the following:

Event Type:      Warning
Event Source:      W32Time
Event Category:      None
Event ID:      14
Date:            26-04-2004
Time:            14:05:56
User:            N/A
Computer:      TOMMY01
Description:
Tidsprovideren NtpClient kunne ikke finde en domænecontroller, der kan bruges som  tidskilde. Der forsøges igen om 240 minutter.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

-----------------

The description says: The timeprovider NtpClient could not fin any domaincontroller, which can be used as a timesource. The system will try again in 240 minuttes.
------------------

The strange thing is, that this is the only client, that has this problem. All clientmachines are running a script when the users log in, which includes the command you wrote JamesDS: NET TIME /SET /YES. I allready had this in the log on script.

Why is only this computer behaving wierd ?

Regards,

Zoodiaq
0
 
JamesDSCommented:
Zoodiaq
Sometimes the timserver gets confused - here's how to fix it:

Fixing timesync is different according to the machine type...

Members of the Active Directory sync with their local DC (local as in local AD site). The DCs then sync with the PDCEmulator, so the PDCE is the root of all time - as it were!

Diagnosis of timesync errors is difficult, but do not be tempted to use NET TIME /SETSNTP: on all machines in the domain (as suggested to many questions like this one, unless it's a PDCE), as it specifically overrides the natural internal operation of the time service within Active Directory.

These commands are written for Windows 2003 and Windows XP. There are some equivalents for windows 2000, use W32tm /? or W32Time /? from the command line to look for alternatives on older OSs.

Use NET TIME /SETSNTP:
to clear any entry and return to the default settings

Use NET TIME /SET /YES
to synch NOW with your authenticating DC and begin the diagnosis:

Start by verifying your domain is synching AD by using REPLMON.EXE in the support tools pack on the Windows installation CD.


If this is OK then run this from the command line:
W32TM /monitor

to ensure that each member server/workstation is actually pointing to a DC.

If this is OK then run this from the command line:
W32TM /resync /rediscover

followed by:
W32TM /resync /nowait

and check the system eventlog for W32TIME errors. This process does a full reset and recheck of the time system as it relates to one member machine on your AD.

Post any errors here

Explantion of why it doesn't alway instantly set the right time:
Timesync works as follows:

If the local clock time of the time client is behind the current time received from the time server, W32Time will change the local clock time immediately.
If the local clock time of the time client is more than three minutes ahead of the time on the time server, W32Time will change the local clock time immediately.
If the local clock time of the time client is less than three minutes ahead of the time on the server, W32Time will quarter or halve the clock frequency for long enough to bring the clocks into sync. If the client is less that 15 seconds ahead, it will halve the frequency; otherwise, it will quarter the frequency. The amount of time the clock spends running at an unusual frequency depends on the size of the offset that is being corrected.

W32Time will periodically check its local time with the current time by connecting to the time source. This process starts as soon as the service turns on during system start-up. W32Time attempts synchronization every 45 minutes until the clocks have successfully synchronized three times. When the clocks are correctly synchronized, W32Time then synchronizes at eight-hour intervals, unless there is a failure to obtain a timestamp, or a validation failure. If there is a failure, the process starts over from the beginning.

Set it by hand as close as you can and then simply leave it to sort itself out.


Cheers

JamesDS
0
 
ZoodiaqAuthor Commented:
Thx JamesDS for the answer. I think I've solved the problem.
0

Featured Post

Nothing ever in the clear!

This technical paper will help you implement VMware’s VM encryption as well as implement Veeam encryption which together will achieve the nothing ever in the clear goal. If a bad guy steals VMs, backups or traffic they get nothing.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now