Solved

Join Index Server and Kerberos Error

Posted on 2008-06-20
Last Modified: 2013-12-04
I am working on a simple server farm which has one front end and one back end. Both servers are using Kerberos authentication and it works fine.

Then I tried to have another server join this server farm as the Index server. What I did included:

1. Create an SPN using -A HTTP/indexserver.FQDN (fully qualified domain name).
2. On the index server, change the accounts used by the following services to use the same domain user accounts used by the central admin hosting server:
   Office SharePoint Server Search
   Windows SharePoint Services Search
   Windows SharePoint Service Timer
3. All three services mentioned above were changed to start either manually or automatically.

When I opened the Central Administration site and chose the index server to start the Office SharePoint Server Search, I received this error message:

An unhandled exception occurred in the user interface.Exception Information: The request failed with HTTP status 401: Unauthorized.

On the front end, which is hosting CA and the content web application, in the event viewer, under the Application category there is an exception like this:

EventType ulsexception12, P1 w3wp.exe, P2 6.0.3790.1830, P3 ........

Under the System category, there is a Kerberos error. The Event ID is 4 and the following is the error message:

The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/indexserver.domianname.com.  The target name used was HTTP/indexserver.DOMAINNAME.COM. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (DOMAINNAME.COM), and the client realm.   Please contact your system administrator.

We checked AD and are pretty sure there were no duplicate names registered with the same server name under HTTP. One of the differences is:
In the host/indexserver..... , everything is shown in lower case.
In HTTP/indexserver ....., the domain name is shown in upper case.

Although the Windows system does not care about case, I did find a blog whose author said he registered with a different case and it worked.

My question is: other than changing the case, is there anything else I missed that could cause this problem?

Thank you very much.


Question by:cobrachen
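
The event text quoted in the question says the service ticket was encrypted with a different key than the one on the target, so one check that follows is whether the HTTP SPN is held, compared case-insensitively, by exactly one account and whether that account is the one the service runs as. This is an added example, not part of the original post; the LDIF-style export, the example.com names and the svc-sharepoint account are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample (not from the post): LDIF-style servicePrincipalName export.
SAMPLE_LDIF = """\
dn: CN=INDEXSERVER,CN=Computers,DC=example,DC=com
servicePrincipalName: HOST/indexserver.example.com
servicePrincipalName: HTTP/indexserver.EXAMPLE.COM

dn: CN=svc-sharepoint,CN=Users,DC=example,DC=com
servicePrincipalName: HTTP/indexserver.example.com
servicePrincipalName: HTTP/frontend.example.com
"""
# Hypothetical account the SharePoint services run as.
SERVICE_DN = "CN=svc-sharepoint,CN=Users,DC=example,DC=com"


def parse_spns(ldif):
    """Map lower-cased SPN -> [(account DN, SPN as written)].

    Handles plain 'attr: value' lines only (no folding, no base64 '::').
    """
    owners, dn = defaultdict(list), None
    for line in ldif.splitlines():
        key, sep, value = line.partition(":")
        if not sep:                      # blank or non-attribute line ends the entry
            dn = None
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            dn = value
        elif key == "serviceprincipalname" and dn and not value.startswith(":"):
            # AD matches SPNs case-insensitively, so fold case before grouping.
            owners[value.lower()].append((dn, value))
    return owners


def check_spn(ldif, spn, service_dn):
    """Return findings for one SPN versus the account the service runs as."""
    holders = parse_spns(ldif).get(spn.lower(), [])
    findings = []
    if not holders:
        findings.append("not registered on any account")
    if len(holders) > 1:
        findings.append("duplicate: " + "; ".join(f"{w} on {d}" for d, w in holders))
    for d, _ in holders:
        if d.lower() != service_dn.lower():
            findings.append(f"registered on {d}, not the service account")
    return findings
```

In the constructed sample the two HTTP entries differ only in the case of the domain part, yet they are grouped as one SPN held by two accounts.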
6 Comments
 

Expert Comment

by:ChiefIT
ID: 21917226
Are you using a cloned machine? You might have to get a new SID.

If not, have you reset the computer password?
http://support.microsoft.com/kb/325850

Then again you might have something wrong with the CA records. Use the PKI enterprise tool to look at those records for errors.
http://technet2.microsoft.com/windowsserver2008/en/library/bf9c7dca-26d7-4de5-890d-47e30308690e1033.mspx?mfr=true

I hope this helps.

Author Comment

by:cobrachen
ID: 21928922
When you mentioned a cloned machine, do you mean the image of the OS came from another machine, or that the entire server is cloned from another one?

Thanks.

Expert Comment

by:ChiefIT
ID: 21933529
Full blown machine

An imaged machine might have this problem as well. I am thinking the SID might be the same as another computer.

Author Comment

by:cobrachen
ID: 22078006
OK, let me back off a little bit.

Do I need or have to use Kerberos in order to expand a MOSS server farm? Recently I was told NTLM is able to handle it and I am puzzled.

Thanks.

Accepted Solution

by:
ChiefIT earned 500 total points
ID: 22080732
There is a big difference when trying to authenticate using Kerberos and NTLM. 2003 server defaults to Kerberos. Older machines (NT4, Windows ME, 98) use NTLM. 2003 server has been backwards compatible to Kerberos, but sometimes in a native mode you might see problems authenticating.

An explanation of some problems you may see is explained in this article. Using this article you can define your cluster to use Kerberos and not use NTLM. If the incompatibility is your error, you should be able to determine if it is your problem when looking at this article.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_2003_Active_Directory/Q_23132123.html

I hope this helps.

Question has a verified solution.
