jwf1776

asked on

Kerberos authentication problem involving outlook2k3 & exchange2k3

Here is my situation:
We have a win2ksp4 DC, a win2ksp4 exchange2k3sp1 server, and win2ksp4 workstations with office2k3.

After I demoted a DC (last month) many users began to complain about outlook being “offline”. The new DC security template was set to only accept NTLMv2 so I went about switching all of the outlook settings to use Kerberos to authenticate.

Things seemed to work fine, though I turned the DC security setting back down to “use LM, NTLM, and NTLMv2 if negotiated” to troubleshoot a RAS\VPN authentication issue (still set this way).

Then I stumbled upon an outlook issue while trying to make an outlook rule/alert.  Outlook said I couldn’t do this while “offline” though the outlook connection icon confirmed that I was online.  No other outlook features seem to be compromised.  I experimented with the outlook authentication settings and found that when outlook was set to use NTLM the rule/alert feature worked, but with Kerberos it wouldn’t.

I noticed the outlook connection status was different depending on the outlook authentication setting.

Using Kerberos:
Server name                    Type        Status
exchangeserver                 directory   disconnected
exchangeserver                 directory   disconnected
exchangeserver.domain.local    mail        established
exchangeserver.domain.local    mail        established
exchangeserver.domain.local    mail        established
--------
With NTLM and Kerberos (or just NTLM):
Server name                    Type        Status
dcserver.domain.local          directory   established
dcserver.domain.local          directory   established
exchangeserver.domain.local    mail        established
exchangeserver.domain.local    mail        established
exchangeserver.domain.local    mail        established
-------

I turned on kerberos logging on the client and observed that when I log on I get a single:
Event ID:          594 KDC_ERR_PREAUTH_FAILED 0x18

Followed by many of the following that appear each time outlook tries to authenticate:
Event ID: KDC_ERR_S_PRINCIPAL_UNKNOWN 0x7
Server Realm: DOMAIN.LOCAL
Server Name: krbtgt/DOMAIN.LOCAL
Target Name: exchangeAB/dcserver.domain.local@DOMAIN.LOCAL

These errors appear in sets of 3 that alternate target names exchangeAB/dcserver.domain.local@DOMAIN.LOCAL, exchangeAB/exchangeserver.domain.local@DOMAIN.LOCAL, and exchangeAB/EXCHANGESERVER@DOMAIN.LOCAL

(I can't find anything on this exchangeAB service!  setspn -L doesn't list it on the dc or the exchange)

Lastly, there is a recurring event on the exchange server that may be related:
Event Source: MSExchangeSA
Event ID: 9188
Microsoft Exchange System Attendant failed to read the membership of group 'cn=Exchange Domain Servers,cn=Users,dc=domain,dc=local'. Error code 'c0072030'.  “Please check whether the local computer is a member of the group. If it is not, stop all the Microsoft Exchange services, add the local computer into the group manually and restart all the services.”

I checked the "Exchange Domain Servers" group and the exchange server is definitely in there.

thanks in advance to anyone that can help me troubleshoot this kerberos curiosity,
Vahik

Run exchange setup /forestprep and setup /domainprep and see if your problem is solved....as far as the last error is concerned....
jwf1776 (ASKER)

Troubleshooting done on the exchange server:

I think that the exchange event 9188 has gone away for now.  I found the exchange Recipient Update Service was pointing to the old DC.  But nothing has changed the Kerberos error I'm getting on the client.

Last night I noticed that the exchange server failed the netdiag "Kerberos test". Kerbtray revealed that it didn't have a ticket for its own computer account. After I rebooted this seemed to go away too.

I also read in a MS knowledgebase article that in some instances exchange needed WINS.  I installed the WINS service on the DC and changed the exchange adapter settings accordingly, but it didn't change anything with the client kerberos error.

Client kerberos problems with outlook remain unchanged.
jwf1776 (ASKER)

I also changed a registry setting on the client to force kerberos to use TCP.  As I understand it, this eliminates the possibility that "UDP fragmentation" may be the culprit.

It didn't help the kerberos errors.

Should I change this registry setting on the exchange server too?

P.S.  Vahik, I will run forestprep and domainprep if the exchange error comes back (didn't want you to think your advice was disregarded)
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx

I am sure you have seen these two articles.....read them and see if you can understand them...
If you have forced your clients to use TCP then the servers should also be forced to use TCP....

Also, no need to run forestprep and domainprep if your problem is solved....
jwf1776 (ASKER)

Yes, I have seen the 2 articles. I used the first one to set the client to TCP already,

the second article probably contains my answer but I haven't been able to find it ;)

...for example, kerbtray lists a lot of tickets, including ones for the DC and exchange computers, but I'm not completely sure what exactly I'm looking for... the troubleshooting actions I've already listed are the fruits of reading the "troubleshooting kerberos" article

I'm thinking of reposting this issue in a different forum if no one here can help.  does anyone have any recommendations of a better EE forum for this kerberos issue?
One more place to look will be in the services section on a domain controller to see if is started at all...also check to see if its dependencies are also started....Kerberos seems to rely on RPC, and since your users got the offline error that meant they could not get an RPC connection to the Exchange server....
Well, I am just talking too much and confusing you more....I am no expert in this Kerberos section so I leave it to the experts (try the Windows 2000 or 2003 section)....take care and good luck...
PS: Kerberos is very sensitive about clock sync....so make sure the clocks on both servers and clients are synced...while in the Kerberos policy section take a closer look to see if you find anything unusual....
jwf1776 (ASKER)

On both the DC and exchange servers the RPC and RPC Locator services are started.

On the DC the Kerberos distribution center service is started.
jwf1776 (ASKER)

vahik, do you have any objection to closing this question?

I would like to move it to a win2000 forum.
Absolutely not...ask the admin to move it for you....
jwf1776 (ASKER)

This question is alive and well, please answer me.
Rich Rumble
0x7     KDC_ERR_S_PRINCIPAL_UNKNOWN     Server not found in Kerberos database.

Problem
If an SPN is not set for a service, then clients will have no way of locating that service. Thus, common results of not setting an SPN are KDC_ERR_C_PRINCIPAL_UNKNOWN or KDC_ERR_S_PRINCIPAL_UNKNOWN errors. These two errors usually indicate that an SPN has not been set correctly. Furthermore, there are many other errors for which the cause might be a missing or incorrectly set SPN. Kerberos authentication is not possible without properly set SPNs.

Resolution
Because multiple services can run simultaneously under the same account, setting an SPN requires four pieces of information that will make the SPN unique:
- The service class. This allows you to differentiate between multiple services running under the same account.
- The account under which the service is running.
- The computer on which the service is running, including any aliases that point to that computer.
- The port on which the service is running.
These four pieces of information uniquely identify any service running on a network and can be used to mutually authenticate to any service.

An SPN itself consists of ServiceClass/Host:Port, where:
- ServiceClass is the service class of the SPN.
- Host is the name of the computer to which the SPN belongs.
- Port is the port on which the service that the SPN is registered to run.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx
maybe that?

-rich
oops- looks like that's been sent already... sorry for the duplicate.
-rich
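Rich's quote says the 0x7 errors mean the KDC has no SPN matching what the client asked for. As an added example (not from this thread, from Microsoft, or from Experts Exchange), the Python below parses Kerberos client log events shaped like the ones quoted in the question, pulls out the distinct Target Names rejected with 0x7, and reports which of them have no matching ServiceClass/Host among the SPNs that setspn -L would list; the log text and the registered-SPN list are constructed stand-ins for the asker's environment.

```python
import re
from collections import OrderedDict

# Constructed client-side Kerberos log modelled on the events quoted in the
# question: one 0x18 pre-auth event, then 0x7 rejections for the exchangeAB targets.
KERB_LOG = """\
Event ID: 594 KDC_ERR_PREAUTH_FAILED 0x18
Target Name: krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
Event ID: KDC_ERR_S_PRINCIPAL_UNKNOWN 0x7
Target Name: exchangeAB/dcserver.domain.local@DOMAIN.LOCAL
Event ID: KDC_ERR_S_PRINCIPAL_UNKNOWN 0x7
Target Name: exchangeAB/exchangeserver.domain.local@DOMAIN.LOCAL
Event ID: KDC_ERR_S_PRINCIPAL_UNKNOWN 0x7
Target Name: exchangeAB/EXCHANGESERVER@DOMAIN.LOCAL
Event ID: KDC_ERR_S_PRINCIPAL_UNKNOWN 0x7
Target Name: exchangeAB/dcserver.domain.local@DOMAIN.LOCAL
"""

# Constructed stand-in for the DC's "setspn -L" output: no exchangeAB entry.
REGISTERED_SPNS = ["HOST/dcserver.domain.local", "HOST/DCSERVER",
                   "ldap/dcserver.domain.local", "ldap/DCSERVER"]

# ServiceClass/Host[:Port][@REALM]; port and realm are optional.
SPN_RE = re.compile(r"^(?P<cls>[^/]+)/(?P<host>[^:@]+)(?::(?P<port>\d+))?(?:@(?P<realm>.+))?$")

def parse_spn(spn):
    """Split an SPN into its service class, host, port and realm."""
    m = SPN_RE.match(spn.strip())
    if not m:
        raise ValueError("not an SPN: %r" % spn)
    return {"class": m["cls"], "host": m["host"], "port": m["port"], "realm": m["realm"]}

def unknown_principals(log_text):
    """Distinct Target Names the KDC rejected with 0x7, in first-seen order."""
    seen, current = OrderedDict(), ""
    for line in log_text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Event ID":
            current = value
        elif key == "Target Name" and current.endswith("0x7"):
            seen.setdefault(value)
    return list(seen)

def missing_spns(log_text, registered):
    """Rejected targets whose class/host is not registered (case-insensitive, realm dropped)."""
    have = {(p["class"].lower(), p["host"].lower()) for p in map(parse_spn, registered)}
    return [p["class"] + "/" + p["host"] for p in map(parse_spn, unknown_principals(log_text))
            if (p["class"].lower(), p["host"].lower()) not in have]
```

Each entry returned by missing_spns is the ServiceClass/Host you would check against setspn -L on the account that should be serving it; the asker's later posts report that registering exchangeAB on the DC cleared the client errors.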
jwf1776 (ASKER)

My apologies for any confusion about this question being closed/refunded. It's fine for the time being.

This question was originally in a different forum and I was going to close it before I realized it could be moved.

my bad!
jwf1776 (ASKER)

Rich, thanks for the comment,

I realize that there isn't an SPN for the "exchangeAB" service.

Got any idea what this service is or what class, account, computer, port it should be running on?
ASKER CERTIFIED SOLUTION
Dave_Dietz

This solution is only available to members.
jwf1776 (ASKER)

Dave, do you know what this exchangeAB service is?  I haven't been able to find any reference material on it.

If there is any risk from this change I will probably have to wait until this evening to try it, as this is the only DC in a production environment.

Can setting a SPN have adverse effects?
I believe exchangeAB is a service SPN that has to do with how Exchange makes LDAP calls to AD to look up users' mailbox information - not 100% sure but it makes sense.

Changing a good SPN can cause problems, but I am not aware of any problems that can arise from setting an additional invalid SPN.  If it isn't any good there won't be anyone who uses it - basically a null operation.

Dave Dietz
jwf1776 (ASKER)

I ran those commands through a terminal session this evening and they both completed ok.

setspn -l now lists an exchangeAB service.

I'll have to wait until tomorrow to see if the client kerberos errors went away.

I've been googling exchange, exchangeAB, and spn for nearly a week and simply cannot find anything on exchangeAB. It seems like AB stands for address book? If so, that would explain why the directory services connections in outlook are listed as disconnected.

I'll update 1st thing tomorrow.

jwf1776 (ASKER)

I don't understand much more about the error than when I began but setting the SPN for the exchangeAB service on the DC made the client kerberos errors go away.

The outlook connection status with Kerberos shows:
Server name                    Type        Status
dcserver.domain.local          directory   established
dcserver.domain.local          directory   established
exchangeserver.domain.local    mail        established
exchangeserver.domain.local    mail        established
exchangeserver.domain.local    mail        established
exchangeserver.domain.local    mail        established

and the out of office assistant and rules/alerts work again.

many thanks,