Kerberos Issue: "KDC_ERR_BADOPTION" Windows 2003 Server

Posted on 2007-07-26
Last Modified: 2012-06-27
I'm getting the following error on my SharePoint 2007 server, and I suspect that I've got a Windows 2003 Kerberos issue in my domain.  

What do I need to do to troubleshoot this problem (which is repeated in the logs with all of the DCs and many of the member servers):

A Kerberos Error Message was received:
         on logon session
 Client Time:
 Server Time: 15:0:22.0000 7/25/2007 Z
 Error Code: 0xd KDC_ERR_BADOPTION
 Extended Error: 0xc00000bb KLIN(0)
 Client Realm:
 Client Name:
 Server Realm: CASL.UMD.EDU
 Server Name: host/
 Target Name: host/
 Error Text:
 File: 9
 Line: ae0
 Error Data is in record data.

For more information, see Help and Support Center at

Question by:gerhardub

    Accepted Solution

    See this,

    Running kerbtray and purging the tickets has worked for me in the past.

    kerbtray is part of these tools:

    Expert Comment


    Author Comment


    I took another look at the System logs, and noticed:


    In there a bunch of times for various servers... including all of the DCs.

    It appears that it's not a significant message according to this:

    So I've run the kerbtool, and cleared the tickets. So now I'm waiting to see if the errors that I originally posted about persist.

    Expert Comment

    I've used the link within the link you posted (to force Kerberos to use TCP) in a few situations. M$ in their infinite wisdom chose to make the packet size limit 2000 bytes for a UDP Kerberos authentication. The default MTU size is 1500 bytes. So users with large tokens going across routers or firewalls would have horribly long logon times because the packet would fragment and show up out of order and it would have to retry over and over.

    A few KRB_ERRs are normal, but lots usually means something is wrong.

    Expert Comment

    PBER - can you expand a bit for me with respect to where you say you ran netmon and saw that server 2 was "causing it"....

    If you could expand on what filters you defined in the capture to where it pointed you to the relevant information that would be helpful. I have run a netmon using Microsoft Network Monitor 2 and have run the capture filtering on authentication traffic but am getting so much information I do not know how to find the info...
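
Added example (not part of the original thread and not code from any poster): a small Python parser for the Kerberos error event layout quoted in the question, tallying events by error name and target so that "a few" errors can be told apart from "lots". The sample events, host names and the threshold value are constructed assumptions.

```python
import re
from collections import Counter

HEADER = "A Kerberos Error Message was received:"
FIELD = re.compile(r"^\s*([A-Za-z ]+?):[ \t]*(.*)$")

# Constructed sample in the layout of the event quoted in the question.
# Host names and the third event are made up for illustration.
SAMPLE = """\
A Kerberos Error Message was received:
         on logon session
 Client Time:
 Server Time: 15:0:22.0000 7/25/2007 Z
 Error Code: 0xd KDC_ERR_BADOPTION
 Extended Error: 0xc00000bb KLIN(0)
 Server Realm: CASL.UMD.EDU
 Target Name: host/srv1.example.test
A Kerberos Error Message was received:
 Error Code: 0xd KDC_ERR_BADOPTION
 Target Name: host/srv1.example.test
A Kerberos Error Message was received:
 Error Code: 0x34 KRB_ERR_RESPONSE_TOO_BIG
 Target Name:
"""

def parse_events(text):
    """Return one dict of field -> value per Kerberos error event."""
    events = []
    for line in text.splitlines():
        if line.strip() == HEADER:
            events.append({})          # a new event starts here
            continue
        m = FIELD.match(line)
        if m and events:               # ignore lines before the first header
            events[-1][m.group(1).strip()] = m.group(2).strip()
    return events

def tally(events):
    """Count (error name, target) pairs; empty fields become '(blank)'."""
    counts = Counter()
    for ev in events:
        code = ev.get("Error Code", "").split()
        name = code[-1] if code else "(blank)"
        counts[(name, ev.get("Target Name") or "(blank)")] += 1
    return counts

def noisy(counts, threshold):
    """Pairs seen at least `threshold` times (threshold is an assumption)."""
    return sorted(k for k, n in counts.items() if n >= threshold)
```

Feed `parse_events` the text export of the System log and pick a `threshold` that fits the environment's normal background rate.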