Solved

Join Index Server and Kerberos Error

Posted on 2008-06-20
Last Modified: 2013-12-04
I am working on a simple server farm which has one front end and one back end. Both servers are using Kerberos authentication and it works fine.

Then I tried to have another server join this server farm as the index server. What I did included:

1. Create a SPN using -A HTTP/indexserver.FQDN (fully qualified domain name).
2. On the index server, change the accounts used by the following services to use the same domain user accounts used by the central admin hosting server:
   Office SharePoint Server Search
   Windows SharePoint Services Search
   Windows SharePoint Service Timer
3. All three services mentioned above were changed to start either manually or automatically.

When I opened the Central Administration site and chose the index server to start the Office SharePoint Server Search, I received this error message:

An unhandled exception occurred in the user interface.Exception Information: The request failed with HTTP status 401: Unauthorized.

On the front end, which is hosting CA and the content web application, in the event viewer under the Application category there is an exception like this:

EventType ulsexception12, P1 w3wp.exe, P2 6.0.3790.1830, P3 ........

Under the System category, there is a Kerberos error. The Event ID is 4 and the following is the error message:

The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/indexserver.domianname.com.  The target name used was HTTP/indexserver.DOMAINNAME.COM. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (DOMAINNAME.COM), and the client realm.   Please contact your system administrator.

We checked AD and are pretty sure there were no duplicate names registered with the same server name under HTTP. One of the differences is:
In the host/indexserver..... , everything showed in lower case.
In HTTP/indexserver ....., the domain name showed in upper case.

Although Windows does not care about case, I did find a blog whose author said he registered with a different case and it worked.

My question is: other than changing the case, is there anything else I missed that could cause this problem?

Thank you very much.


Question by:cobrachen
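
The Event ID 4 text above describes a service ticket encrypted with a key that the target service does not hold. As an added example (not part of the original thread), this Python sketch checks the conditions that lead to that: the SPN is registered on more than one account, or on an account other than the one the service runs as. The account names, the example.com domain and the directory export are constructed placeholders; SPNs are compared without regard to case, as Active Directory does.

```python
from collections import defaultdict

# Constructed sample: account -> servicePrincipalName values, in the shape a
# directory export might give. Every name here is a hypothetical placeholder.
SAMPLE_SPNS = {
    "INDEXSERVER$": ["HOST/indexserver.example.com", "HOST/INDEXSERVER"],
    "svc_mossfarm": ["HTTP/frontend.example.com"],
    "svc_old": ["http/indexserver.EXAMPLE.COM"],
}


def normalize(spn):
    """SPN matching ignores case, so compare a trimmed lower-case form."""
    return spn.strip().lower()


def owners_by_spn(directory):
    """Map each normalized SPN to the set of accounts that register it."""
    owners = defaultdict(set)
    for account, spns in directory.items():
        for spn in spns:
            owners[normalize(spn)].add(account)
    return owners


def diagnose(directory, spn, service_account):
    """Classify one SPN against the account the target service runs as."""
    holders = owners_by_spn(directory).get(normalize(spn), set())
    if not holders:
        return "missing"       # no account registers this SPN
    if len(holders) > 1:
        return "duplicate"     # the KDC cannot pick a single key
    holder = next(iter(holders))
    if holder.lower() != service_account.lower():
        # The ticket is encrypted with the holder's key, which the service,
        # running as another account, cannot decrypt.
        return "wrong-owner"
    return "ok"


if __name__ == "__main__":
    for spn, account in [
        ("HTTP/indexserver.example.com", "svc_mossfarm"),
        ("HTTP/frontend.example.com", "svc_mossfarm"),
    ]:
        print(spn, "as", account, "->", diagnose(SAMPLE_SPNS, spn, account))
```

A "wrong-owner" or "duplicate" result corresponds to the condition the KRB_AP_ERR_MODIFIED message describes; differences in letter case alone do not change the result.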
5 Comments
 

Expert Comment

by:ChiefIT
ID: 21917226
Are you using a cloned machine? You might have to get a new SID.

If not, have you reset the computer password?
http://support.microsoft.com/kb/325850

Then again you might have something wrong with the CA records. Use the PKI enterprise tool to look at those records for errors.
http://technet2.microsoft.com/windowsserver2008/en/library/bf9c7dca-26d7-4de5-890d-47e30308690e1033.mspx?mfr=true

I hope this helps.

Author Comment

by:cobrachen
ID: 21928922
When you mentioned a cloned machine, do you mean the image of the OS came from another machine or the entire server is cloned from another one?

Thanks.

Expert Comment

by:ChiefIT
ID: 21933529
Full blown machine

An imaged machine might have this problem as well. I am thinking the SID might be the same as another computer.

Author Comment

by:cobrachen
ID: 22078006
OK, let me back off a little bit.

Do I need or have to use Kerberos in order to expand a MOSS server farm? Recently I was told NTLM is able to handle and I am puzzled.

Thanks.

Accepted Solution

by:
ChiefIT earned 1500 total points
ID: 22080732
There is a big difference when trying to authenticate using Kerberos and NTLM. 2003 server defaults to Kerberos. Older machines (NT4, Windows ME, 98) use NTLM. 2003 server has been backwards compatible to Kerberos, but sometimes in a native mode you might see problems authenticating.

An explanation of some problems you may see is explained in this article. Using this article you can define your cluster to use Kerberos and not use NTLM. If the incompatibility is your error, you should be able to determine if it is your problem when looking at this article.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_2003_Active_Directory/Q_23132123.html

I hope this helps.
Question has a verified solution.
