Solved

Problem with Kerberos not working until Domain Controller is rebooted

Posted on 2008-06-25
7
276 Views
Last Modified: 2008-07-17
We have set up Kerberos so that we can hop between SharePoint 2007, ProClarity and a SQL server without forcing users to re-authenticate. Most of the time this works fine. However we are seeing an issue where Kerberos stops working and the application passes along anonymous login - and of course we don't allow anonymous access to our databases so this fails. We have found that rebooting one of our domain controllers (Windows Server 2003) (that also happens to be our global catalog server) we can make this issue disappear - for a limited amount of time. I dont' see anything obvious in the logs. I have run a dcdiag on the domain controller - everything passes. I have suspected for some time that we were having issues with this server but have nothing solid to point at. Can anyone give me some ideas of what to look for? Are there any additional tests I can run on this server?

Thanks in advance,
Michelle
0
Comment
Question by:mrbarr87
  • 4
  • 3
7 Comments
 
LVL 23

Expert Comment

by:TheCleaner
ID: 21879147
No Kerberos errors in the system log on the DC?  Is that the only DC?  Can you shut it down for a day or two and see if everything works without that DC online?
0
 

Author Comment

by:mrbarr87
ID: 21879344
No kerberos errors in the logs. No we have another DC. I can't shut it down because it's our global catalog - exchange would be very unhappy without it. We are considering throwing up a third dc and making it a GC to see if things get happier - any reason not to do this?
0
 
LVL 23

Expert Comment

by:TheCleaner
ID: 21879397
Just make your other DC a GC as well...why would you need a 3rd one?
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 

Author Comment

by:mrbarr87
ID: 21908761
If we are going to shut down the 2nd domain controller, we would want to have another one up in its place. Since the problems are intermittent, we don't know how long it will be before we see the issue again.

Is there anything else to look for in troubleshooting kerberos issues? Any tests?
0
 
LVL 23

Expert Comment

by:TheCleaner
ID: 21908810
There are command line tests to see what tickets are open, etc.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx

It talks about where to get klist and kerbtray and others to do troubleshooting.  Problem is, based on what your original description was, I'm not sure how good the tools will do you.

If nothing else, it may point out whether it really is a kerberos issue or not.
0
 

Author Comment

by:mrbarr87
ID: 21908842
Hmm good point. I guess my question then should be, other than taking the GC down - is there a way to test that DC? I did run the dcdiag - but everything came up clean - of course at that time we weren't experiencing the problem. Are there specific tests for gc? Or just wait until the error happens again then run the dcdiag?

Thanks for your time!
0
 
LVL 23

Accepted Solution

by:
TheCleaner earned 500 total points
ID: 21908919
To enable Kerberos logging navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters. Then set the DWORD value for LogLevel to one. Making this change logs the events to the System event log.

^^ try that on the DC(s) and set your system event log to have a big enough size to handle the events.  Then watch for times when the errors occur and see if they correspond to events in the log.  This should log all the kerberos events, even successful ones, so it should be apparent if there really is an issue or not at that point.

If you could always reproduce the issue, I'd say a network trace during the issue would be the way to go, but if it's sporadic it's going to be hard to go that route.
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
Resolve DNS query failed errors for Exchange
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

912 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now