
ldap binding + Kerberos + SPN problem

Asked by Khaled Azzaz (topic: Windows Server 2003)
Hi, I have 3 DC 2003 in one domain; they are all GC and DNS servers. I have an
Exchange server as a member server. Everything is working fine except for some
errors in the event viewers that I was not minding because they are the usual
warnings and errors. I can ping any one of them and resolve FQDNs. I introduced a new
member server to install an additional Exchange server. On that member server I
got an event ID of 8026 LDAP binding error to one of the DCs. Also I got a
Kerberos error too, event ID 4 KRB_AP_ERR_MODIFIED error:

Event Type:      Error
Event Source:      Kerberos
Event Category:      None
Event ID:      4
Date:            2/16/2007
Time:            11:32:01 AM
User:            N/A
Computer:      EXCHANGE-1
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/dc2.mydomain.local.  The target name used was ldap/dc3.mydomain.local.
This indicates that the password used to encrypt the kerberos service ticket
is different than that on the target server. Commonly, this is due to
identically named  machine accounts in the target realm (MYDOMAIN.LOCAL), and
the client realm.   Please contact your system administrator.

Here is some additional information:

Event Type:      Error
Event Source:      MSExchangeAL
Event Category:      Service Control
Event ID:      8260
Date:            2/16/2007
Time:            1:58:46 PM
User:            N/A
Computer:      EXCHANGE-1
Description:
Could not open LDAP session to directory 'dc3.mydomain.local' using local
service credentials. Cannot access Address List configuration information.  
Make sure the server 'dc3.mydomain.local' is running.

I researched the internet and somebody suggested that I do this:

"Search the GC for any objects matching
(servicePrincipalName=ldap/dc3.mydomain.local).  If there are two or more,
that is bad.  Also, if that SPN is associated with an account that isn't
that particular DC, that is also bad."

I got the adfind utility and ran the query against that, and this is what I got:
Using server: dc2.mydomain.local:389
Directory: Windows Server 2003

dn:CN=DC3,OU=Domain Controllers,DC=mydomain,DC=local
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user
>objectClass: computer
>cn: DC3
>userCertificate: 3082 05E5 3082 04CD A003 0201 0202 0A11 0715 2B00 0000 0000 0230 0D06 092A 8648 86F7 0D01 0105 0500 304D 3115 3013 060A 0992 2689 93F2 2C64 0119 1605 6C6F 6361 6C31 1830 1606 0A09 9226 8993 F22C 6401 1916 0861 6972 6D61 7469 6331 1A30 1806 0355 0403 1311 6D61 696C 2E61 6972 6D61 7469 632E 636F 6D30 1E17 0D30 3631 3130 3730 3534 3034 365A 170D 3037 3131 3037 3035 3430 3436 5A30 1D31 1B30 1906 0355 0403 1312 6463 332E 6169 726D 6174 6963 2E6C 6F63 616C 3081 9F30 0D06 092A 8648 86F7 0D01 0101 0500 0381 8D00 3081 8902 8181 00A5 C487 B93F 107B 6402 EA84 742A 81E4 D389 12C7 4785 0BD5 C125 6862 8E0E AD11 6E57 A83B F362 0293 A376 8AEA CBF2 2B9F C49D 4CD3 D2F9 F2D4 7A1D D5FF 94DB B455 2137 7622 9123 065E A181 1C70 45F1 BC3A 32CA A603 661C FE77 39A7 3543 5B74 466D E622 1327 DF78 381F A46F ED44 A6F9 9CAC EF7B 0B77 BF5C 4A1A 6095 8BDB FAF5 FF0E 0F02 0301 0001 A382 0379 3082 0375 300B 0603 551D 0F04 0403 0205 A030 4406 092A 8648 86F7 0D01 090F 0437 3035 300E 0608 2A86 4886
F70D 0302 0202 0080 300E 0608 2A86 4886 F70D 0304 0202 0080 3007 0605 2B0E 0302 0730 0A06 082A 8648 86F7 0D03 0730 1D06 0355 1D0E 0416 0414 51A6 EC7D 913D B3FC 06C9 3476 C6EF E2A2 8727 6426 302F 0609 2B06 0104 0182 3714 0204 221E 2000 4400 6F00 6D00 6100 6900 6E00 4300 6F00 6E00 7400 7200 6F00 6C00 6C00 6500 7230 1F06 0355 1D23 0418 3016 8014 4834 34E5 C693 F877 3903 D789 55DB 615A 8FD9 517D 3082 011B 0603 551D 1F04 8201 1230 8201 0E30 8201 0AA0 8201 06A0 8201 0286 81BD 6C64 6170 3A2F 2F2F 434E 3D6D 6169 6C2E 6169 726D 6174 6963 2E63 6F6D 2C43 4E3D 6578 6368 616E 6765 322C 434E 3D43 4450 2C43 4E3D 5075 626C 6963 2532 304B 6579 2532 3053 6572 7669 6365 732C 434E 3D53 6572 7669 6365 732C 434E 3D43 6F6E 6669 6775 7261 7469 6F6E 2C44 433D 6169 726D 6174 6963 2C44 433D 6C6F 6361 6C3F 6365 7274 6966 6963 6174 6552 6576 6F63 6174 696F 6E4C 6973 743F 6261 7365 3F6F 626A 6563 7443 6C61 7373 3D63 524C 4469 7374 7269 6275 7469 6F6E 506F 696E 7486 4068 7474 703A 2F2F 6578 6368 616E 6765 322E
6169 726D 6174 6963 2E6C 6F63 616C 2F43 6572 7445 6E72 6F6C 6C2F 6D61 696C 2E61 6972 6D61 7469 632E 636F 6D2E 6372 6C30 8201 2F06 082B 0601 0505 0701 0104 8201 2130 8201 1D30 81B3 0608 2B06 0105 0507 3002 8681 A66C 6461 703A 2F2F 2F43 4E3D 6D61 696C 2E61 6972 6D61 7469 632E 636F 6D2C 434E 3D41 4941 2C43 4E3D 5075 626C 6963 2532 304B 6579 2532 3053 6572 7669 6365 732C 434E 3D53 6572 7669 6365 732C 434E 3D43 6F6E 6669 6775 7261 7469 6F6E 2C44 433D 6169 726D 6174 6963 2C44 433D 6C6F 6361 6C3F 6341 4365 7274 6966 6963 6174 653F 6261 7365 3F6F 626A 6563 7443 6C61 7373 3D63 6572 7469 6669 6361 7469 6F6E 4175 7468 6F72 6974 7930 6506 082B 0601 0505 0730 0286 5968 7474 703A 2F2F 6578 6368 616E 6765 322E 6169 726D 6174 6963 2E6C 6F63 616C 2F43 6572 7445 6E72 6F6C 6C2F 6578 6368 616E 6765 322E 6169 726D 6174 6963 2E6C 6F63 616C 5F6D 6169 6C2E 6169 726D 6174 6963 2E63 6F6D 2E63 7274 301D 0603 551D 2504 1630 1406 082B 0601 0505 0703 0206 082B 0601 0505 0703 0130 3E06 0355 1D11 0437 3035 A01F
0609 2B06 0104 0182 3719 01A0 1204 1044 7BDF E0EC 048C 49B7 0310 EA95 9FC7 EF82 1264 6333 2E61 6972 6D61 7469 632E 6C6F 6361 6C30 0D06 092A 8648 86F7 0D01 0105 0500 0382 0101 007D 103E FE95 833A 33C3 319E 9804 4BB7 2212 8F9C C85D 93F6 BD92 341C F811 3F86 9CAA 13C0 0434 CDE6 4B63 21A5 8BFD E733 A506 F157 644D C6BF 289C 74CD A7F1 3176 C373 4B2F AE0F B5AB B220 1E12 F3F9 A316 F7D7 C09C 09F6 0E58 89D4 B29F 486B E6CD 3227 6C06 58BD 2240 7D45 CDF3 C789 3732 99BB B5F1 2AE2 E87C 5F93 96DB F7DC DA8B F359 1081 366A 7178 0334 999A 4A9E 97A4 F889 9C88 3189 568C B5FC FE38 3D33 FA0E 9CBF BEBC 1A58 4391 1BA0 0501 5224 7B36 586C 228E 2A6B 5E61 77F0 D4B1 E856 78F0 F29C 8DEA 0852 49AD C370 531D 7D9D 6F3D 41F1 9A0D 0494 8CDC 6534 701E 5306 B0BF B4D2 CEEA 9CFD 88B7 BAA7 AF83 72D8 C9B3 BF98 63AC 2E8F 2D53 4605 F24C 66D7 53F1 68
distinguishedName: CN=DC3,OU=Domain Controllers,DC=mydomain,DC=local
instanceType: 4
whenCreated: 20060511211811.0Z
whenChanged: 20070221044343.0Z
displayName: DC3$
uSNCreated: 98210
memberOf: CN=RAS and IAS Servers,CN=Users,DC=mydomain,DC=local
uSNChanged: 1053697
name: DC3
objectGUID: {E0DF7B44-04EC-498C-B703-10EA959FC7EF}
userAccountControl: 532480
codePage: 0
countryCode: 0
lastLogon: 128155224629674236
localPolicyFlags: 0
pwdLastSet: 128165066544601760
primaryGroupID: 516
userParameters: m:                    d                        
objectSid: S-1-5-21-3138097216-3278207943-1044752451-1228
accountExpires: 9223372036854775807
logonCount: 36
sAMAccountName: DC3$
sAMAccountType: 805306369
operatingSystem: Windows Server 2003
operatingSystemVersion: 5.2 (3790)
operatingSystemServicePack: Service Pack 1
serverReferenceBL: CN=DC3,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=mydomain,DC=local
dNSHostName: dc3.mydomain.local
rIDSetReferences: CN=RID Set,CN=DC3,OU=Domain Controllers,DC=mydomain,DC=local
servicePrincipalName: exchangeAB/dc3.mydomain.local
servicePrincipalName: exchangeAB/DC3
servicePrincipalName: MSSQLSvc/dc3.mydomain.local:1536
servicePrincipalName: MSSQLSvc/dc3.mydomain.local:3988
servicePrincipalName: V2i Protector Agent 2.0/dc3.mydomain.local
servicePrincipalName: SMTPSVC/dc3.mydomain.local
servicePrincipalName: SMTPSVC/DC3
servicePrincipalName: DNS/dc3.mydomain.local
servicePrincipalName: ldap/dc3.mydomain.local/ForestDnsZones.mydomain.local
servicePrincipalName: ldap/dc3.mydomain.local/DomainDnsZones.mydomain.local
servicePrincipalName: HOST/dc3.mydomain.local/mydomain
servicePrincipalName: ldap/39f033d7-6219-45ea-ac84-2049a0f477b2._msdcs.mydomain.local
servicePrincipalName: ldap/dc3.mydomain.local/mydomain
servicePrincipalName: ldap/DC3
servicePrincipalName: ldap/dc3.mydomain.local
servicePrincipalName: ldap/dc3.mydomain.local/mydomain.local
servicePrincipalName: HOST/dc3.mydomain.local/mydomain.local
servicePrincipalName: GC/dc3.mydomain.local/mydomain.local
servicePrincipalName: NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/dc3.mydomain.local
servicePrincipalName: E3514235-4B06-11D1-AB04-00C04FC2DCD2/39f033d7-6219-45ea-ac84-2049a0f477b2/mydomain.local
servicePrincipalName: HOST/DC3
servicePrincipalName: HOST/dc3.mydomain.local
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=mydomain,DC=local
isCriticalSystemObject: TRUE
frsComputerReferenceBL: CN=DC3,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=mydomain,DC=local
msNPAllowDialin: FALSE
dSCorePropagationData: 20060511212123.0Z
dSCorePropagationData: 20060511212123.0Z
dSCorePropagationData: 20060511212123.0Z
dSCorePropagationData: 16010108151513.0Z


1 Objects returned

The question is: do I have multiple SPNs for DC3, and is this my problem with the LDAP binding and the Kerberos error?
I have never run adfind or checked for SPN problems before.

Any idea please.
Thanks
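The two tests quoted in the question (is the SPN registered on more than one object, and is it registered on an object other than the DC it names) are easy to run mechanically over adfind's text output. The script below is an added example, not code from the asker or from Experts Exchange: it parses adfind-style output (a `dn:` line followed by `>attribute: value` lines, blank line between objects) and applies both tests to every `servicePrincipalName` found. The input embedded in it is a constructed sample with three computer objects, one of them a hypothetical stale account `OLD-DC3` that still carries `ldap/dc3.mydomain.local`; the asker's own single-object result would pass both tests.

```python
import re
from collections import defaultdict

# Constructed sample in adfind's output style (NOT the asker's real data):
# three computer objects, one of which (a stale account) wrongly carries
# DC3's ldap SPN. Only the attributes the check needs are included.
SAMPLE_ADFIND_OUTPUT = """\
Using server: dc2.mydomain.local:389
Directory: Windows Server 2003

dn:CN=DC3,OU=Domain Controllers,DC=mydomain,DC=local
>dNSHostName: dc3.mydomain.local
>servicePrincipalName: ldap/dc3.mydomain.local
>servicePrincipalName: ldap/DC3
>servicePrincipalName: MSSQLSvc/dc3.mydomain.local:1536
>servicePrincipalName: GC/dc3.mydomain.local/mydomain.local
>servicePrincipalName: ldap/39f033d7-6219-45ea-ac84-2049a0f477b2._msdcs.mydomain.local

dn:CN=DC2,OU=Domain Controllers,DC=mydomain,DC=local
>dNSHostName: dc2.mydomain.local
>servicePrincipalName: ldap/dc2.mydomain.local
>servicePrincipalName: HOST/dc2.mydomain.local

dn:CN=OLD-DC3,CN=Computers,DC=mydomain,DC=local
>dNSHostName: old-dc3.mydomain.local
>servicePrincipalName: ldap/dc3.mydomain.local
>servicePrincipalName: HOST/old-dc3.mydomain.local

3 Objects returned
"""

ATTR_RE = re.compile(r"([A-Za-z][\w-]*):\s?(.*)$")


def parse_adfind(text):
    """Parse adfind-style output into a list of {attribute: [values]} dicts.

    Lines before the first 'dn:' (server banner) and after the final blank
    line ('N Objects returned') are ignored. A leading '>' on attribute
    lines is optional, so output that lost the markers still parses.
    """
    objects = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("dn:"):
            current = defaultdict(list)
            current["dn"].append(line[3:].strip())
            objects.append(current)
            continue
        if current is None:
            continue
        if not line:           # blank line ends the current object
            current = None
            continue
        if line.startswith(">"):
            line = line[1:].strip()
        m = ATTR_RE.match(line)
        if m:                  # continuation lines (e.g. certificate hex) are skipped
            current[m.group(1)].append(m.group(2))
    return objects


def spn_host(spn):
    """Host part of an SPN (serviceclass/host[:port][/servicename]), lower-cased."""
    parts = spn.split("/")
    return parts[1].split(":")[0].lower() if len(parts) > 1 else None


def check_spns(objects):
    """Apply the two tests from the thread's advice.

    Returns (duplicates, mismatches):
      duplicates -- {spn: [dn, ...]} for SPNs registered on two or more accounts
      mismatches -- [(dn, spn)] where the SPN names a FQDN other than the
                    owning account's own dNSHostName
    Short-name SPNs (ldap/DC3) and GUID-based replication SPNs are skipped
    in the mismatch test because they carry no comparable FQDN.
    """
    owners = defaultdict(list)
    for obj in objects:
        for spn in obj.get("servicePrincipalName", []):
            owners[spn.lower()].append(obj["dn"][0])   # SPN matching is case-insensitive
    duplicates = {spn: dns for spn, dns in owners.items() if len(dns) > 1}

    mismatches = []
    for obj in objects:
        own_host = obj.get("dNSHostName", [""])[0].lower()
        for spn in obj.get("servicePrincipalName", []):
            host = spn_host(spn)
            if not host or "." not in host or "_msdcs" in host:
                continue
            if host != own_host:
                mismatches.append((obj["dn"][0], spn))
    return duplicates, mismatches


def report(text):
    """Parse, check and print a human-readable summary; returns the findings."""
    dups, mism = check_spns(parse_adfind(text))
    for spn, dns in dups.items():
        print(f"DUPLICATE {spn} on {len(dns)} accounts: {', '.join(dns)}")
    for dn, spn in mism:
        print(f"MISMATCH  {spn} registered on {dn}")
    if not dups and not mism:
        print("No duplicate or misplaced SPNs found")
    return dups, mism


if __name__ == "__main__":
    report(SAMPLE_ADFIND_OUTPUT)
```

To run it against a live domain, save the output of a GC-wide query such as `adfind -gc -f "(servicePrincipalName=ldap/*)" dNSHostName servicePrincipalName` (flag names as documented for adfind; adjust the filter to the SPN you suspect) and pass the file contents to `report()`. On Windows Server 2008 and later, `setspn -X` performs the duplicate check natively. Note what the event text itself already tells you: the ticket was requested for `ldap/dc3.mydomain.local` but the error came back from `host/dc2.mydomain.local`, so if the SPN tests come back clean, the next thing to verify is that `dc3.mydomain.local` resolves to DC3's address and not DC2's on the new member server.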