
Kerberos Failing on Workstations on Domain

Asked by cwalter77
Topics: Microsoft Legacy OS, Windows XP, Active Directory
Hello, and thanks in advance for any help you can provide me.

We have a Domain with Active Directory. There are about 3,000 client PCs using Windows XP Pro and about 5-7 Domain Controllers using Windows Server 2003. We are encountering the following problem with only a handful of computers right now, but the issue seems to be growing slowly. Some users in our field offices connect to a SharePoint website to view reports that are specific to their area. SharePoint decides what view they see by their logon credentials. When accessing this site on PC #1, User #1 is unable to view the report: it is basically not giving them any options to select for specific weeks, etc. The page itself does come up, but the options to make selections on that page do not.
Now if this same user #1 goes to PC #2 - they can get to the page and view the report without any issue.  So this tells me the issue could be with the PC itself.  
User #2 logs into PC#1 - goes to the site, and has no issues...

We ran NetDiag on the PC while it was logged in under these two different user IDs. The resulting log files were identical except for the following two tests:
We then ran a NetDiag on PC #1 while logged in under User #1's ID and got the following:
Trust relationship test. . . . . . : Passed
    Secure channel for domain '(DOMAIN NAME)' is to '(DOMAIN CONTROLLER #1.DOMAIN.COM)'.
Kerberos test. . . . . . . . . . . : Failed
    [FATAL] Cannot get ticket cache from Kerberos.
    The error occurred was: (null)

We then log into same PC #1 with user #2 and run NetDiag on the PC:

Trust relationship test. . . . . . : Passed
    Secure channel for domain '(DOMAIN NAME)' is to '(DOMAIN CONTROLLER #2.DOMAIN.COM)'.
Kerberos test. . . . . . . . . . . : Passed

So they are authenticating the trust relationship with two different Controllers (domain controller #1 and #2), and User #1 is getting Kerberos Failures.

Most of the time re-adding the PC to the Domain fixes the issue, but now I am getting more calls with this issue and even have a PC that has repeat behavior after re-adding to the domain about a month ago. To make things even more interesting, it is only associated with this particular web site in our SharePoint environment. All other internal websites and/or applications are working fine when the user needs to authenticate (at least as far as I can tell).

A few questions:
1.  What is causing this Kerberos failure for one user, but not another on the same PC?
2.  Why is it only linked to that specific site?
3.  Is there any other test that I can do to help troubleshoot this issue?

So far we tried installing the Windows Resource Tools (kerbtray) to see if Kerberos is running, but no luck; it doesn't list any tickets. On some PCs Kerberos works with one user but not with another one. When rejoining the PC to the domain, it fixes the problem.
But we found other PCs where, when Kerberos doesn't work for anybody, rejoining to the domain does not fix the issue.
How do we fix the Kerberos issue? What causes Kerberos to stop working for some users?
Thanks again for any information! We appreciate your help.
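
An added example, not part of the original post: a Python script that parses NetDiag logs in the format quoted in the question, reports which tests differ between two runs, and pulls out the domain controller each run's secure channel pointed to. The function names and the two sample logs are constructed for illustration from the excerpts above.

```python
import re

# Result lines look like "Kerberos test. . . . . . . . . . . : Failed";
# indented lines under a result line are that test's detail.
RESULT = re.compile(r"^(?P<name>\S.*? test)[ .]*:\s*(?P<status>\w+)\s*$")
SECURE_CHANNEL = re.compile(r"is to '(?P<dc>.+)'")

def parse_netdiag(text):
    """Return {test name: (status, [detail lines])} for one NetDiag log."""
    results, current = {}, None
    for line in text.splitlines():
        m = RESULT.match(line)
        if m:
            current = m.group("name")
            results[current] = (m.group("status"), [])
        elif current and line[:1].isspace() and line.strip():
            results[current][1].append(line.strip())
        else:
            current = None  # blank or unindented line ends the detail block
    return results

def diff_runs(a, b):
    """Tests whose status or detail differs between two parsed runs."""
    names = sorted(set(a) | set(b))
    return [(n, a.get(n), b.get(n)) for n in names if a.get(n) != b.get(n)]

def secure_channel_dc(results):
    """Domain controller named in the trust relationship detail, or None."""
    _, detail = results.get("Trust relationship test", ("", []))
    for line in detail:
        m = SECURE_CHANNEL.search(line)
        if m:
            return m.group("dc")
    return None

# Constructed sample logs, built from the two excerpts quoted in the question.
USER1_LOG = """\
Trust relationship test. . . . . . : Passed
    Secure channel for domain '(DOMAIN NAME)' is to '(DOMAIN CONTROLLER #1.DOMAIN.COM)'.
Kerberos test. . . . . . . . . . . : Failed
    [FATAL] Cannot get ticket cache from Kerberos.
    The error occurred was: (null)
"""
USER2_LOG = """\
Trust relationship test. . . . . . : Passed
    Secure channel for domain '(DOMAIN NAME)' is to '(DOMAIN CONTROLLER #2.DOMAIN.COM)'.
Kerberos test. . . . . . . . . . . : Passed
"""

if __name__ == "__main__":
    u1, u2 = parse_netdiag(USER1_LOG), parse_netdiag(USER2_LOG)
    for name, r1, r2 in diff_runs(u1, u2):
        print(name, "| user 1:", r1, "| user 2:", r2)
    print("Secure channel DCs:", secure_channel_dc(u1), "vs", secure_channel_dc(u2))
```

Run over logs collected from several affected PCs, the same functions show whether Kerberos failures line up with one particular domain controller.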

Andrew Hancock - VMware vExpert