• Status: Solved

Kerberos Issue: "KDC_ERR_BADOPTION" Windows 2003 Server

I'm getting the following error on my SharePoint 2007 server, and I suspect that I've got a Windows 2003 Kerberos issue in my domain.  

What do I need to do to troubleshoot this problem (which is repeated in the logs with all of the DCs and many of the member servers):

A Kerberos Error Message was received:
         on logon session
 Client Time:
 Server Time: 15:0:22.0000 7/25/2007 Z
 Error Code: 0xd KDC_ERR_BADOPTION
 Extended Error: 0xc00000bb KLIN(0)
 Client Realm:
 Client Name:
 Server Realm: CASL.UMD.EDU
 Server Name: host/intranet.casl.umd.edu
 Target Name: host/intranet.casl.umd.edu@CASL.UMD.EDU
 Error Text:
 File: 9
 Line: ae0
 Error Data is in record data.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Pber, Solutions Architect, Commented:
See this,

Running kerbtray and purging the tickets has worked for me in the past.

kerbtray is part of these tools:

gerhardub, Author, Commented:

I took another look at the System logs, and noticed:


In there a bunch of times for various servers... including all of the DCs.

It appears that it's not a significant message according to this:


So I've run the kerbtool, and cleared the tickets. So now I'm waiting to see if the errors persist that I originally posted about.

Pber, Solutions Architect, Commented:
I've used the link within the link you posted (to force Kerberos to use TCP) in a few situations. M$ in their infinite wisdom chose to make the packet size limit 2000 bytes for a UDP Kerberos authentication. The default MTU size is 1500 bytes. So users with large tokens going across routers or firewalls would have horribly long logon times because the packet would fragment and show up out of order and it would have to retry over and over.

A few KRB_ERRs are normal, but lots usually means something is wrong.

PBER - can you expand a bit for me with respect to where you say you ran netmon and saw that server 2 was "causing it"....

If you could expand on what filters you defined in the capture to where it pointed you to the relevant information that would be helpful. I have run a netmon using Microsoft Network Monitor 2 and have run the capture filtering on authentication traffic but am getting so much information I do not know how to find the info...
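
The remark above that a few Kerberos errors are normal but many point to a problem can be checked by counting the error events per error code and server name. The following Python is an added example, not part of the original thread; it assumes the System log events were exported as text in the layout quoted in the question, and the sample records, threshold and function names are made up for illustration.

```python
import re
from collections import Counter

# Constructed sample in the layout of the event text quoted in the question:
# record 1 reuses its values, records 2 and 3 are made up.
SAMPLE = """\
A Kerberos Error Message was received:
 Server Time: 15:0:22.0000 7/25/2007 Z
 Error Code: 0xd KDC_ERR_BADOPTION
 Extended Error: 0xc00000bb KLIN(0)
 Server Name: host/intranet.casl.umd.edu
A Kerberos Error Message was received:
 Error Code: 0xd KDC_ERR_BADOPTION
 Server Name: host/intranet.casl.umd.edu
A Kerberos Error Message was received:
 Error Code: 0x34 KRB_ERR_RESPONSE_TOO_BIG
 Server Name: krbtgt/EXAMPLE.TEST
"""

HEADER = "A Kerberos Error Message was received:"
FIELD = re.compile(r"^\s*([^:]+):\s*(.*)$")  # split at the first colon only

def parse_records(text):
    """Return one dict of fields per Kerberos error record in exported event text."""
    records = []
    for chunk in text.split(HEADER)[1:]:
        fields = {}
        for line in chunk.splitlines():
            m = FIELD.match(line)
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        records.append(fields)
    return records

def tally(records):
    """Count records per (error name, server name); missing values become '?'."""
    counts = Counter()
    for r in records:
        code = r.get("Error Code", "").split()
        counts[(code[-1] if code else "?", r.get("Server Name") or "?")] += 1
    return counts

def noisy(counts, threshold):
    """(error, server) pairs seen at least `threshold` times, most frequent first."""
    return [(key, n) for key, n in counts.most_common() if n >= threshold]

if __name__ == "__main__":
    for (err, server), n in noisy(tally(parse_records(SAMPLE)), threshold=2):
        print(f"{n:4d}  {err}  {server}")
```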


Question has a verified solution.
