Solved

Join Index Server and Kerberos Error

Posted on 2008-06-20
Last Modified: 2013-12-04
I am working on a simple server farm which has one front end and one back end. Both servers are using Kerberos authentication and it works fine.

So, I tried to have another server join this server farm as the index server. What I did included:

1. Create a SPN using -A HTTP/indexserver.FQDN (fully qualified domain name).
2. On the index server, change the accounts used by the following services to use the same domain user accounts used by the central admin hosting server:
   Office SharePoint Server Search
   Windows SharePoint Services Search
   Windows SharePoint Service Timer
3. All three services mentioned above were changed to start either manually or automatically.

When I opened the Central Administration site and chose the index server to start the Office SharePoint Server Search, I received this error message:

An unhandled exception occurred in the user interface.Exception Information: The request failed with HTTP status 401: Unauthorized.

On the front end, which is hosting CA and the content web application, in the Event Viewer under the Application category there is an exception like this:

EventType ulsexception12, P1 w3wp.exe, P2 6.0.3790.1830, P3 ........

Under the System category, there is a Kerberos error. The Event ID is 4 and the following is the error message:

The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/indexserver.domianname.com.  The target name used was HTTP/indexserver.DOMAINNAME.COM. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (DOMAINNAME.COM), and the client realm.   Please contact your system administrator.

We checked AD and are pretty sure there were no duplicate names registered with the same server name under HTTP. One of the differences is:
In the host/indexserver..... , everything showed in lower case.
In HTTP/indexserver ....., the domain name showed in upper case.

Although Windows does not care about case, I did find a blog whose author said he registered with a different case and it worked.

My question is: other than changing the case, is there anything else I missed that could cause this problem?

Thank you very much.


Question by:cobrachen
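
An added example, not part of the original post and not code from any of the posters: a small checker for the condition the Event ID 4 message describes, where the service ticket for an SPN is encrypted with the key of an account other than the one the service runs as. It treats SPNs as case-insensitive (as the post notes Windows does) and reads a constructed LDIF-style listing; the account names, the `example.com` domain and the function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample (placeholder names, not values from the post): an
# LDIF-style listing of two accounts and their servicePrincipalName values.
SAMPLE_LDIF = """\
dn: CN=INDEXSERVER,CN=Computers,DC=example,DC=com
servicePrincipalName: HOST/indexserver.example.com
servicePrincipalName: HTTP/indexserver.example.com

dn: CN=svc-moss,CN=Users,DC=example,DC=com
servicePrincipalName: HTTP/indexserver.EXAMPLE.COM
servicePrincipalName: HTTP/frontend.example.com
"""

def parse_spns(ldif):
    """Map each SPN (lower-cased) to the set of account DNs that hold it."""
    owners = defaultdict(set)
    dn = None
    # LDIF folds long lines with a leading space; unfold before parsing.
    for line in ldif.replace("\n ", "").splitlines():
        key, _, value = line.partition(":")
        value = value.strip()
        if key.lower() == "dn":
            dn = value.lower()
        elif key.lower() == "serviceprincipalname" and dn and value:
            owners[value.lower()].add(dn)
    return dict(owners)

def find_duplicates(owners):
    """SPNs held by more than one account; case alone does not make them distinct."""
    return {spn: sorted(dns) for spn, dns in owners.items() if len(dns) > 1}

def check_service(owners, spn, run_as_dn):
    """Classify an SPN against the account the service actually runs as."""
    holders = owners.get(spn.lower(), set())
    if not holders:
        return "missing"        # no account holds this name
    if len(holders) > 1:
        return "duplicate"      # ambiguous: more than one account's key could apply
    if run_as_dn.lower() not in holders:
        return "wrong-account"  # ticket encrypted with a key the service lacks
    return "ok"

if __name__ == "__main__":
    spns = parse_spns(SAMPLE_LDIF)
    svc = "CN=svc-moss,CN=Users,DC=example,DC=com"
    print(find_duplicates(spns))
    for name in ("HTTP/indexserver.example.com", "HOST/indexserver.example.com"):
        print(name, "->", check_service(spns, name, svc))
```

In the constructed data the HTTP name for the index server is held by both the computer account and the service account, differing only in case, so it is reported as a duplicate rather than as two separate registrations.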
 
LVL 39

Expert Comment

by:ChiefIT
ID: 21917226
Are you using a cloned machine? You might have to get a new SID.

If not, have you reset the computer password?
http://support.microsoft.com/kb/325850

Then again you might have something wrong with the CA records. Use the PKI enterprise tool to look at those records for errors.
http://technet2.microsoft.com/windowsserver2008/en/library/bf9c7dca-26d7-4de5-890d-47e30308690e1033.mspx?mfr=true

I hope this helps.
0
 
LVL 16

Author Comment

by:cobrachen
ID: 21928922
When you mentioned a clone machine, you mean the image of the OS came from another machine or the entire server is cloned from another one?

Thanks.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 21933529
Full blown machine

An imaged machine might have this problem as well. I am thinking the SID might be the same as another computer.
0
 
LVL 16

Author Comment

by:cobrachen
ID: 22078006
OK, let me back off a little bit.

Do I need or have to use Kerberos in order to expand a MOSS server farm? Recently I was told NTLM is able to handle it and I am puzzled.

Thanks.
0
 
LVL 39

Accepted Solution

by:
ChiefIT earned 1500 total points
ID: 22080732
There is a big difference when trying to authenticate using Kerberos and NTLM. 2003 server defaults to Kerberos. Older machines (NT4, Windows ME, 98) use NTLM. 2003 server has been backwards compatible to Kerberos, but sometimes in a native mode you might see problems authenticating.

An explanation of some problems you may see is explained in this article. Using this article you can define your cluster to use Kerberos and not use NTLM. If the incompatibility is your error, you should be able to determine if it is your problem when looking at this article.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_2003_Active_Directory/Q_23132123.html

I hope this helps.
0


Question has a verified solution.
