Solved

Join Index Server and Kerberos Error

Posted on 2008-06-20
6
893 Views
Last Modified: 2013-12-04
I am working on a simple server farm which has one front end and one back end. Both servers are using Kerberos authentication and it  works fine.

So, when I tried to have another srver to join this server farm as Index server. What I did include:

1. Create a SPN using -A HTTP/indexserver.FQDN (fully qualified domain name).
2. On the index server, change the accounts used by the following services to use the same domain user accounts used by the central admin hosting server:
   Office SharePoint Server Search
   Windows SharePoint Services Search
   Windows SharePoint Service Timer
3. All three services mentioned above were changed to start either manually or automatically.

When I opened Centeral Administration site and chosse the index server to start the Office SharePoint Server Search, I received this error message:

An unhandled exception occurred in the user interface.Exception Information: The request failed with HTTP status 401: Unauthorized.

On the front end which is hosting CA and content web application, in the event viewer, unde Application category there is an exception like this:

EventType ulsexception12, P1 w3wp.exe, P2 6.0.3790.1830, P3 ........

Under System category, there is an Kerberos errors, the Event ID is 4 and following is the error message:

The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/indexserver.domianname.com.  The target name used was HTTP/indexserver.DOMAINNAME.COM. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (DOMAINNAME.COM), and the client realm.   Please contact your system administrator.

We checked the AD and pretty sure there was no duplicated names registered with the same server name under HTTP. One of the difference is:
In the host/indexserver..... , everything showed in lower case.
In HTTP/indexserver ....., the domain name showed in upper case.

Although Windows system does not care about cases, I did find a blog said he registered with different case and it worked.

My question is: other than change the case, anything else I missed could cause this problem?

Thank you very much.


0
Comment
Question by:cobrachen
  • 3
  • 2
6 Comments
 
LVL 38

Expert Comment

by:ChiefIT
ID: 21917226
Are you using a cloned machine? You might have to get a new SID.

If not have you reset the computer password?
http://support.microsoft.com/kb/325850

Then again you might have something wrong with the CA records. Use the PKI enterprise tool to look at those records for errors.
http://technet2.microsoft.com/windowsserver2008/en/library/bf9c7dca-26d7-4de5-890d-47e30308690e1033.mspx?mfr=true

I hope this helps.
0
 
LVL 16

Author Comment

by:cobrachen
ID: 21928922
When you mentioned a clone machine, you mean the image of the OS came from another machine or the entire server is cloned from another one?

Thanks.
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 21933529
Full blown machine

An imaged machine might have this problem as well. I am thinking the SID might be the same as another computer.
0
 
LVL 16

Author Comment

by:cobrachen
ID: 22078006
OK, let me back off a little bit.

Do I need or have to use Kerberos in order to expand a MOSS server farm? Recently I was told NTLM is able to handle and I am puzzled.

Thanks.
0
 
LVL 38

Accepted Solution

by:
ChiefIT earned 500 total points
ID: 22080732
There is a big difference when trying to authenticate using kerberos and NTLM. 2003 server defaults to kerberos. Older machines, (NT4, Windows ME, 98) use NTLM. 2003 server has been backwards compatible to kerberos, but sometimes in a native mode you might see problems authenticating.

An explanation of some problems you may see is explained in this article. Using this article you can define your cluster to use kerberos and not use NTLM. If the incompatibility is your error, you should be able to determine if it is your problem when looking at this article.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_2003_Active_Directory/Q_23132123.html

I hope this helps.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
SharePoint integration. 1 37
Backup of Sharepoint Online 3 35
Changing the domain admin password 9 40
What is this Task? 4 42
OfficeMate Freezes on login or does not load after login credentials are input.
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now