  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 12907

Kerberos Issue: "KDC_ERR_BADOPTION" Windows 2003 Server

I'm getting the following error on my SharePoint 2007 server, and I suspect that I've got a Windows 2003 Kerberos issue in my domain.  

What do I need to do to troubleshoot this problem (which is repeated in the logs with all of the DCs and many of the member servers):

A Kerberos Error Message was received:
         on logon session
 Client Time:
 Server Time: 15:0:22.0000 7/25/2007 Z
 Error Code: 0xd KDC_ERR_BADOPTION
 Extended Error: 0xc00000bb KLIN(0)
 Client Realm:
 Client Name:
 Server Realm: CASL.UMD.EDU
 Server Name: host/intranet.casl.umd.edu
 Target Name: host/intranet.casl.umd.edu@CASL.UMD.EDU
 Error Text:
 File: 9
 Line: ae0
 Error Data is in record data.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Anyone?
0
Asked by: gerhardub
1 Solution
 
Pber (Solutions Architect) Commented:
See this,
http://mailman.mit.edu/pipermail/kerberos/2005-February/007231.html

Running kerbtray and purging the tickets has worked for me in the past.

kerbtray is part of these tools:
http://www.microsoft.com/downloads/details.aspx?FamilyID=9D467A69-57FF-4AE7-96EE-B18C4790CFFD&displaylang=en
0
 
gerhardub (Author) Commented:
Humph.

I took another look at the System logs, and noticed:

KRB_ERR_RESPONSE_TOO_BIG

In there a bunch of times for various servers... including all of the DCs.

It appears that it's not a significant message according to this:

http://technet2.microsoft.com/windowsserver/en/library/6832d19b-0263-4f28-9123-dccea0a6ee5f1033.mspx?mfr=true

So I've run the kerbtool, and cleared the tickets.  So now I'm waiting to see if the errors persist that I originally posted about.
0
 
Pber (Solutions Architect) Commented:
I've used the link within the link you posted (to force Kerberos to use TCP) in a few situations.  M$ in their infinite wisdom chose to make the packet size limit 2000 bytes for a UDP Kerberos authentication.  The default MTU size is 1500 bytes.  So users with large tokens going across routers or firewalls would have horribly long logon times because the packet would fragment and show up out of order and it would have to retry over and over.

A few KRB_ERRs are normal, but lots usually means something is wrong.
0
 
jkingsol1 Commented:
PBER - can you expand a bit for me with respect to where you say you ran netmon and saw that server 2 was "causing it"....

If you could expand on what filters you defined in the capture to where it pointed you to the relevant information that would be helpful. I have run a netmon using Microsoft Network Monitor 2 and have run the capture filtering on authentication traffic but am getting so much information I do not know how to find the info...

Thanks

John
0
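
Added example, not part of the thread and not any poster's code: a small Python triage script for the situation discussed above, where the same Kerberos error repeats across many servers and a few occurrences are normal but many are not. It assumes the events have been exported as text in the layout quoted in the question; the threshold of 3 and the sample events are constructed for illustration.

```python
import re
from collections import Counter

# Codes for the two errors named in this thread (values per RFC 4120).
KRB_ERRORS = {0x0D: "KDC_ERR_BADOPTION", 0x34: "KRB_ERR_RESPONSE_TOO_BIG"}
HEADER = r"(?m)^A Kerberos Error Message was received:"
FIELD = re.compile(r"^[ \t]*(Error Code|Target Name):[ \t]*(.*)$", re.M)

def parse_events(text):
    """Split exported event text into records and keep the triage fields."""
    records = []
    for chunk in re.split(HEADER, text)[1:]:
        fields = {key: value.strip() for key, value in FIELD.findall(chunk)}
        match = re.match(r"0x([0-9a-fA-F]+)", fields.get("Error Code", ""))
        if not match:
            continue  # no parsable code: skip the record rather than guess
        code = int(match.group(1), 16)
        records.append({
            "code": code,
            "name": KRB_ERRORS.get(code, "UNKNOWN"),
            # lower-case so the same target is counted once
            "target": fields.get("Target Name", "").lower(),
        })
    return records

def triage(records, threshold=3):
    """Return (error, target) pairs seen at least `threshold` times."""
    counts = Counter((r["name"], r["target"]) for r in records)
    return {pair: n for pair, n in counts.items() if n >= threshold}

def _event(code_text, target):
    """Build one constructed event in the layout quoted in the question."""
    return ("A Kerberos Error Message was received:\n"
            f" Error Code: {code_text}\n"
            " Client Name:\n"
            f" Target Name: {target}\n"
            " Error Data is in record data.\n\n")

# Constructed sample: four repeats of the error from the question plus one
# KRB_ERR_RESPONSE_TOO_BIG for a made-up realm.
SAMPLE = (
    _event("0xd KDC_ERR_BADOPTION", "host/intranet.casl.umd.edu@CASL.UMD.EDU") * 4
    + _event("0x34 KRB_ERR_RESPONSE_TOO_BIG", "krbtgt/EXAMPLE.TEST@EXAMPLE.TEST")
)

if __name__ == "__main__":
    for (name, target), n in triage(parse_events(SAMPLE)).items():
        print(f"{n:3d}  {name}  {target}")
```

Grouping by target name as well as error code shows which service principal the repeated failures point at, which narrows where to look before opening a packet capture.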
