Solved

Kerberos authentication problem involving outlook2k3 & exchange2k3

Posted on 2005-02-25
21
Medium Priority
4,714 Views
Last Modified: 2008-01-09
Here is my situation:
We have a win2ksp4 DC, a win2ksp4 exchange2k3sp1 server, and win2ksp4 workstations with office2k3.

After I demoted a DC (last month) many users began to complain about outlook being “offline”.  The new DC security template was set to only accept NTLMv2 so I went about switching all of the outlook settings to use Kerberos to authenticate.

Things seemed to work fine, though I turned the DC security setting back down to “use LM, NTLM, and NTLMv2 if negotiated” to troubleshoot a RAS\VPN authentication issue (still set this way).

Then I stumbled upon an outlook issue while trying to make an outlook rule/alert.  Outlook said I couldn’t do this while “offline” though the outlook connection icon confirmed that I was online.  No other outlook features seem to be compromised.  I experimented with the outlook authentication settings and found that when outlook was set to use NTLM the rule/alert feature worked, but with Kerberos it wouldn’t.

I noticed the outlook connection status was different depending on the outlook authentication setting.

using kerb:
server name                    type        status
exchangeserver                 directory   disconnected
exchangeserver                 directory   disconnected
exchangeserver.domain.local    mail        established
exchangeserver.domain.local    mail        established
exchangeserver.domain.local    mail        established
--------
With ntlm and kerb (or just ntlm):
server name                    type        status
dcserver.domain.local          directory   established
dcserver.domain.local          directory   established
exchangeserver.domain.local    mail        established
exchangeserver.domain.local    mail        established
exchangeserver.domain.local    mail        established
-------

I turned on kerberos logging on the client and observed that when I log on I get a single:
Event ID:          594 KDC_ERR_PREAUTH_FAILED 0x18

Followed by many of the following that appear each time outlook tries to authenticate:
Event ID: KDC_ERR_S_PRINCIPAL_UNKNOWN 0x7
Server Realm: DOMAIN.LOCAL
Server Name: krbtgt/DOMAIN.LOCAL
Target Name: exchangeAB/dcserver.domain.local@DOMAIN.LOCAL

These errors appear in sets of 3 that alternate target names exchangeAB/dcserver.domain.local@DOMAIN.LOCAL, exchangeAB/exchangeserver.domain.local@DOMAIN.LOCAL, and exchangeAB/EXCHANGESERVER@DOMAIN.LOCAL

(I can't find anything on this exchangeAB service!  setspn -L doesn't list it on the dc or the exchange)

Lastly, there is a recurring event on the exchange server that may be related:
Event Source: MSExchangeSA
Event ID: 9188
Microsoft Exchange System Attendant failed to read the membership of group 'cn=Exchange Domain Servers,cn=Users,dc=domain,dc=local'. Error code 'c0072030'.  “Please check whether the local computer is a member of the group. If it is not, stop all the Microsoft Exchange services, add the local computer into the group manually and restart all the services.”

I checked the "Exchange Domain Servers" group and the exchange server is definitely in there.

thanks in advance to anyone that can help me troubleshoot this kerberos curiosity,
0
Comment
Question by:jwf1776
21 Comments
 
LVL 26

Expert Comment

by:Vahik
ID: 13408875
run exchange setup  /forestprep and setup /domainprep and see if ur problem is solved....as far as the last error is concerned....
0
 

Author Comment

by:jwf1776
ID: 13410366
Troubleshooting done on the exchange server:

I think that the exchange event 9188 has gone away for now.  I found the exchange Recipient Update Service was pointing to the old DC.  But nothing has changed the Kerberos error I'm getting on the client.

Last night I noticed that the exchange server failed the netdiag "Kerberos test".  Kerbtray revealed that it didn't have a ticket for its own computer account.  After I rebooted this seemed to go away too.

I also read in a MS knowledgebase article that in some instances exchange needed WINS.  I installed the WINS service on the DC and changed the exchange adapter settings accordingly, but it didn't change anything with the client kerberos error.

Client kerberos problems with outlook remain unchanged.
0
 

Author Comment

by:jwf1776
ID: 13410391
I also changed a registry setting on the client to force kerberos to use TCP.  As I understand it, this eliminates the possibility that "UDP fragmentation" may be the culprit.

It didn't help the kerberos errors.

Should I change this registry setting on the exchange server too?

P.S.  Vahik, I will run forestprep and domainprep if the exchange error comes back (didn't want you to think your advice was disregarded)
0
 
LVL 26

Expert Comment

by:Vahik
ID: 13412271
0
 
LVL 26

Expert Comment

by:Vahik
ID: 13412287
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx

i am sure u have seen these two articles.....read it and see if u can understand it...
if u have forced ur clients to use tcp then servers should also be forced to use tcp....

also no need to run forest and domain prep if ur problem is solved....
0
 

Author Comment

by:jwf1776
ID: 13412549
Yes, I have seen the 2 articles. I used the first one to set the client to TCP already.

The second article probably contains my answer but I haven't been able to find it ;)

...for example, kerbtray lists a lot of tickets, including ones for the dc and exchange comps, but I'm not completely sure what exactly I'm looking for... the troubleshooting actions I've already listed are the fruits of reading the "troubleshooting kerberos" article

I'm thinking of reposting this issue in a different forum if no one here can help.  does anyone have any recommendations of a better EE forum for this kerberos issue?
0
 
LVL 26

Expert Comment

by:Vahik
ID: 13413012
one more place to look for will be in the services section on a domain controller to see if
is started at all...also check to see if its dependencies are also started....kerberos seems to
rely on rpc and since ur users got offline error that meant they could not get an rpc connection to exchange server....
well i am just talking too much and confusing u more....i am no expert in this kerberos section
so i leave it to experts(try windows 2000 or 2003 section)....take care and good luck...
PS:kerberos is very sensitive about clock sync....so make sure clocks on both servers and clients are synced...while in kerberos policy section take a closer look to see if u find anything unusual....
0
 

Author Comment

by:jwf1776
ID: 13419271
On both the dc and exchange servers the rpc and rpclocator services are started.

On the dc the kerberos key distribution center service is started.
0
 

Author Comment

by:jwf1776
ID: 13419306
vahik, do you have any objection to closing this question?

I would like to move it to a win2000 forum.
0
 
LVL 26

Expert Comment

by:Vahik
ID: 13420887
absolutely not...ask the admin to move it for u....
0
 

Author Comment

by:jwf1776
ID: 13423164
this question is alive and well, please answer me
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 13423825
0x7     KDC_ERR_S_PRINCIPAL_UNKNOWN     Server not found in Kerberos database.

Problem
If an SPN is not set for a service, then clients will have no way of locating that service. Thus, common results of not setting an SPN are KDC_ERR_C_PRINCIPAL_UNKNOWN or KDC_ERR_S_PRINCIPAL_UNKNOWN errors. These two errors usually indicate that an SPN has not been set correctly. Furthermore, there are many other errors for which the cause might be a missing or incorrectly set SPN. Kerberos authentication is not possible without properly set SPNs.
Resolution
Because multiple services can run simultaneously under the same account, setting an SPN requires four pieces of information that will make the SPN unique:
- The service class. This allows you to differentiate between multiple services running under the same account.
- The account under which the service is running.
- The computer on which the service is running, including any aliases that point to that computer.
- The port on which the service is running.
These four pieces of information uniquely identify any service running on a network and can be used to mutually authenticate to any service.
An SPN itself consists of ServiceClass/Host:Port, where:
- ServiceClass is the service class of the SPN.
- Host is the name of the computer to which the SPN belongs.
- Port is the port on which the service that the SPN is registered to run.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx
maybe that?

-rich
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 13423831
oops- looks like that's been sent already... sorry for the duplicate.
-rich
0
 

Author Comment

by:jwf1776
ID: 13424228
My apologies for any confusion about this question being closed/refunded.  It's fine for the time being.

This question was originally in a different forum and I was going to close it before I realized it could be moved.

my bad!
0
 

Author Comment

by:jwf1776
ID: 13424265
Rich, thanks for comment,

I realize that there isn't an SPN for the "exchangeAB" service.

Got any idea what this service is or what class, account, computer, port it should be running on?
0
 
LVL 34

Accepted Solution

by:
Dave_Dietz earned 2000 total points
ID: 13426949
Try the following at the DC in a command prompt:

setspn -a exchangeAB/dcserver.domain.local dcserver
setspn -a exchangeAB/dcserver dcserver

This will set the exchangeAB service SPNs for the DC.

Let us know if this has any effect.

Dave Dietz
0
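The two comments above give the pieces of this fix: Rich's quoted description of an SPN as ServiceClass/Host:Port, and Dave's setspn commands that register the missing exchangeAB SPN on the DC. The script below is an added example, not code from this thread or from Microsoft. It parses the Target Names out of KDC_ERR_S_PRINCIPAL_UNKNOWN event text, parses `setspn -L` output for the accounts you queried, lists the target SPNs nobody has registered as setspn commands in the thread's form, and flags any SPN registered on more than one account (the "changing a good SPN can cause problems" caveat turned into a check). The event text and setspn output are constructed to mirror the thread. The rule that an SPN goes on the computer account of the host it names is an assumption (it is what the accepted answer did for the DC); the thread only needed the DC entries, so treat the exchange-server commands as candidates to confirm, not a list to run.

```python
"""Cross-check Target Names from KDC_ERR_S_PRINCIPAL_UNKNOWN events against the
SPNs reported by `setspn -L`, list unregistered ones as setspn commands and flag
SPNs held by more than one account.  Added example, not code from the thread.
Sample inputs are constructed.  Assumption: an SPN belongs to the computer
account of the host it names (as the accepted answer did); confirm before use."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed: the three alternating failures from the thread plus one unrelated event.
SAMPLE_KERBEROS_LOG = """\
Event ID: 594 KDC_ERR_PREAUTH_FAILED 0x18
Event ID: KDC_ERR_S_PRINCIPAL_UNKNOWN 0x7
Server Name: krbtgt/DOMAIN.LOCAL
Target Name: exchangeAB/dcserver.domain.local@DOMAIN.LOCAL
Event ID: KDC_ERR_S_PRINCIPAL_UNKNOWN 0x7
Server Name: krbtgt/DOMAIN.LOCAL
Target Name: exchangeAB/exchangeserver.domain.local@DOMAIN.LOCAL
Event ID: KDC_ERR_S_PRINCIPAL_UNKNOWN 0x7
Server Name: krbtgt/DOMAIN.LOCAL
Target Name: exchangeAB/EXCHANGESERVER@DOMAIN.LOCAL
"""

# Constructed: `setspn -L dcserver` and `setspn -L exchangeserver` output concatenated,
# before the fix (no exchangeAB entries) and with one SPN deliberately duplicated.
SAMPLE_SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=DCSERVER,OU=Domain Controllers,DC=domain,DC=local:
    HOST/dcserver.domain.local
    HOST/DCSERVER
    ldap/dcserver.domain.local
Registered ServicePrincipalNames for CN=EXCHANGESERVER,CN=Computers,DC=domain,DC=local:
    HOST/exchangeserver.domain.local
    SMTP/exchangeserver.domain.local
    ldap/dcserver.domain.local
"""


@dataclass(frozen=True)
class Spn:
    service_class: str
    host: str
    port: Optional[int]

    def __str__(self) -> str:
        base = f"{self.service_class}/{self.host}"
        return base if self.port is None else f"{base}:{self.port}"

    @property
    def key(self) -> tuple:
        # AD matches SPNs case-insensitively, so compare on a normalised key.
        return (self.service_class.lower(), self.host.lower(), self.port)


def parse_spn(text: str) -> Spn:
    """Parse ServiceClass/Host[:Port][@REALM]; the realm suffix is dropped."""
    name = text.strip().split("@", 1)[0]
    service_class, sep, rest = name.partition("/")
    if not sep or not service_class or not rest:
        raise ValueError(f"not an SPN: {text!r}")
    host, _, port = rest.partition(":")
    return Spn(service_class, host, int(port) if port else None)


def failed_targets(log_text: str) -> List[Spn]:
    """Distinct Target Names from KDC_ERR_S_PRINCIPAL_UNKNOWN blocks, in first-seen order."""
    seen, out = set(), []
    for block in re.split(r"(?m)^(?=Event ID:)", log_text):
        if "KDC_ERR_S_PRINCIPAL_UNKNOWN" not in block:
            continue
        m = re.search(r"^Target Name:\s*(\S+)", block, re.M)
        if m and parse_spn(m.group(1)).key not in seen:
            out.append(parse_spn(m.group(1)))
            seen.add(out[-1].key)
    return out


def registered_spns(setspn_output: str) -> Dict[str, Set[Spn]]:
    """Map each account DN in `setspn -L` output to the SPNs listed under it."""
    result: Dict[str, Set[Spn]] = {}
    current = None
    for line in setspn_output.splitlines():
        header = re.match(r"Registered ServicePrincipalNames for (.+):$", line)
        if header:
            current = header.group(1)
            result[current] = set()
        elif current and line[:1].isspace() and "/" in line:
            result[current].add(parse_spn(line))
    return result


def missing_spns(targets: List[Spn], registered: Dict[str, Set[Spn]]) -> List[Spn]:
    """Targets that no queried account has registered: the candidates to add."""
    known = {spn.key for spns in registered.values() for spn in spns}
    return [t for t in targets if t.key not in known]


def duplicate_spns(registered: Dict[str, Set[Spn]]) -> Dict[str, List[str]]:
    """SPNs held by more than one account; a duplicate causes failures for that service."""
    owners: Dict[tuple, List[str]] = {}
    for account, spns in registered.items():
        for spn in spns:
            owners.setdefault(spn.key, []).append(account)
    return {str(Spn(*k)): accts for k, accts in owners.items() if len(accts) > 1}


def setspn_commands(missing: List[Spn]) -> List[str]:
    """Commands in the thread's form; the account is the short name of the host in the SPN."""
    return [f"setspn -a {spn} {spn.host.split('.')[0].lower()}" for spn in missing]
```

Run `setspn_commands(missing_spns(failed_targets(SAMPLE_KERBEROS_LOG), registered_spns(SAMPLE_SETSPN_OUTPUT)))` and the first line it returns is exactly the command the accepted answer gave for the DC; `duplicate_spns` on the same sample reports `ldap/dcserver.domain.local` held by both accounts, which is the situation you want to find before adding anything. On a real system, paste the Kerberos event text from the client and the `setspn -L` output of every computer account named in the errors into the two inputs.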
 

Author Comment

by:jwf1776
ID: 13429150
Dave, do you know what this exchangeAB service is?  I haven't been able to find any reference material on it.

If there is any risk from this change I will probably have to wait until this this evening to try it as this is the only DC in a production environment.  

Can setting a SPN have adverse effects?
0
 
LVL 34

Expert Comment

by:Dave_Dietz
ID: 13435224
I believe exchangeAB is a service SPN that has to do with how Exchange makes LDAP calls to AD to look up users' mailbox information - not 100% sure but it makes sense.

Changing a good SPN can cause problems, but I am not aware of any problems that can arise from setting an additional invalid SPN.  If it isn't any good there won't be anyone who uses it - basically a null operation.

Dave Dietz
0
 

Author Comment

by:jwf1776
ID: 13435380
I ran those commands through a terminal session this evening and they both completed ok.

setspn -l now lists an exchangeAB service.

I'll have to wait until tomorrow to see if the client kerberos errors went away.

I've been googling exchange, exchangeAB, and spn for nearly a week and simply cannot find anything on exchangeAB.  It seems like AB stands for address book?  If so, that would explain why the directory services connections in outlook are listed as disconnected.

I'll update 1st thing tomorrow.

0
 

Author Comment

by:jwf1776
ID: 13440112
I don't understand much more about the error than when I began but setting the SPN for the exchangeAB service on the DC made the client kerberos errors go away.

The outlook connection status with kerberos shows:
server name                    type        status
dcserver.domain.local          directory   established
dcserver.domain.local          directory   established
exchangeserver.domain.local    mail        established
exchangeserver.domain.local    mail        established
exchangeserver.domain.local    mail        established
exchangeserver.domain.local    mail        established

and the out of office assistant and rules/alerts work again.

many thanks,

0
