mrbarr87
Problem with Kerberos not working until Domain Controller is rebooted
We have set up Kerberos so that we can hop between SharePoint 2007, ProClarity and a SQL server without forcing users to re-authenticate. Most of the time this works fine. However, we are seeing an issue where Kerberos stops working and the application passes along anonymous login - and of course we don't allow anonymous access to our databases, so this fails. We have found that by rebooting one of our domain controllers (Windows Server 2003) (that also happens to be our global catalog server) we can make this issue disappear - for a limited amount of time. I don't see anything obvious in the logs. I have run a dcdiag on the domain controller - everything passes. I have suspected for some time that we were having issues with this server but have nothing solid to point at. Can anyone give me some ideas of what to look for? Are there any additional tests I can run on this server?
Thanks in advance,
Michelle
No Kerberos errors in the system log on the DC? Is that the only DC? Can you shut it down for a day or two and see if everything works without that DC online?
ASKER
No Kerberos errors in the logs. No, we have another DC. I can't shut it down because it's our global catalog - Exchange would be very unhappy without it. We are considering throwing up a third DC and making it a GC to see if things get happier - any reason not to do this?
Just make your other DC a GC as well...why would you need a 3rd one?
ASKER
If we are going to shut down the 2nd domain controller, we would want to have another one up in its place. Since the problems are intermittent, we don't know how long it will be before we see the issue again.
Is there anything else to look for in troubleshooting Kerberos issues? Any tests?
There are command line tests to see what tickets are open, etc.
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx
It talks about where to get klist and kerbtray and others to do troubleshooting. Problem is, based on what your original description was, I'm not sure how much good the tools will do you.
If nothing else, it may point out whether it really is a Kerberos issue or not.
ASKER
Hmm, good point. I guess my question then should be, other than taking the GC down - is there a way to test that DC? I did run the dcdiag - but everything came up clean - of course at that time we weren't experiencing the problem. Are there specific tests for GC? Or just wait until the error happens again, then run the dcdiag?
Thanks for your time!