Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium


A request failed from client realm %1 for a ticket in realm %2

Posted on 2008-11-19
Medium Priority
Last Modified: 2012-05-05
Hi there,

We have 1 forest, with 2 domains.  A primary and a subdomain.  abc.com and xyz.abc.com.  I've started getting errors in the event log saying "A request failed from client realm XYZ.ABC.COM for a ticket in realm XYZ$. This failed because a trust link between the realms is non transitive."

The trusts between the 2 domains validate fine using AD Domains and Trusts.  We're not having any serious issues that I know about at this time.  There is an article from MS at http://technet.microsoft.com/en-us/library/cc733958.aspx saying I need to delete the trust and recreate a realm trust.  I'm not super keen to delete the current trusts, because my understanding is that a parent child domain trust is different from a Kerberos realm trust.  Also, the error isn't making any mention of the parent domain.  Just the child domain and a realm which is the child domain's name with a $.  Anybody know more about this, and if I should address it.  

Thanks in advance,

Question by:Dunny21
  • 3
  • 2

Expert Comment

ID: 22992867
Firstly all domains within a single Forest should have transitive trusts, given the trust  validates fine using AD Domains and Trusts it is probably some other cause. You don't say if it is always the same client and whether it is intermittent. Can you force the error to happen?

A couple of things I would try to do, in order to collect more data. One, run kebtray (2003 resource Kit tool) , an easy way to see kerberos tickets on client machines - if you have an idea which machine it is causing the event this might narrow things down is there a machine that cannot get a ticket?.
Failing that I would run NetMon and

Also grab the latest parsers from http://www.codeplex.com/nmparsers to ensure you can decode the MS Protocols. You could use Wireshark as an alternative but Netmon has better parsers for Microsoft issues.

With Netmon, if you can reproduce the error then you could get a capture of the network transaction which would gratly narrow down the cause.

Author Comment

ID: 22992899
Thanks for the reply.

I am getting this error on the domain controllers in the parent domain.  Haven't seen it on the child domain DCs, but haven't looked extensively.  Not sure if that helps.

Accepted Solution

neiljava earned 300 total points
ID: 22993012
Not a lot, it might be worth switching on kerberos debugging, see

The other thing that is worth saying, is that often Kerberos errors relate to time synchronization. All the machine need to be synch'd to a single time source.

This technet article is worth a read.

Right now though I would just try and get some more specific information about the problem.
What account (computer/user/etc) is causing the problem, Netmon is the best bet for that


Author Comment

ID: 23120242
Thanks for the help.  We logged a call with MS for another issue that may or may not have been related to this, and it got sorted out.  The MS Support engineer said that we didn't need to worry too much about this issue.

Author Closing Comment

ID: 31523756
Thanks for the help.

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

578 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question