Solved

Kerberos Error

Posted on 2013-06-07
Last Modified: 2013-07-13
Hello Experts,

Let me first explain about the environment:

SERVER 1
OS: Windows Server 2008 R2 Standard (SP1) - 64Bit
Roles - Domain Controller, DNS Server
Hostname: MEDC2

SERVER 2
OS: Windows Server 2003 R2 Standard (SP2) - 64Bit
Roles - Additional Domain Controller, DNS Server
Hostname: MEDC

SERVER 3
OS: Windows Server 2008 R2 Standard (SP1) - 64Bit
Roles - Database Server (MS SQL)
Hostname: MESQL1

\==============================================================/

Let me explain the issue:

We have allowed all our users to access the SQL server via RDP. However, for the last year or so, we have been experiencing an issue with our SQL server: it suddenly stops working and cannot be connected to via RDP, and even if a connection is made, authentication stops.

Looking further at the Event Log, we have observed that we are getting Event ID 3 (Source: Security-Kerberos) every 2-5 minutes in the Application Log. Here is the event:

Log Name:      System
Source:        Microsoft-Windows-Security-Kerberos
Date:          6/7/2013 4:12:53 PM
Event ID:      3
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      MESQL1.me.com
Description:
A Kerberos Error Message was received:
 on logon session ME.COM\first.last
 Client Time:
 Server Time: 20:12:52.0000 6/7/2013 Z
 Error Code: 0x19 KDC_ERR_PREAUTH_REQUIRED
 Extended Error:
 Client Realm:
 Client Name:
 Server Realm: ME
 Server Name: krbtgt/ME
 Target Name: krbtgt/ME@ME
 Error Text:
 File: e
 Line: 9fe
 Error Data is in record data.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Kerberos" Guid="{98E6CFCB-EE0A-41E0-A57B-622D4E1B30B1}" EventSourceName="Kerberos" />
    <EventID Qualifiers="32768">3</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-06-07T20:12:53.000000000Z" />
    <EventRecordID>94826</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>System</Channel>
    <Computer>MESQL1.me.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="LogonSession">ME.COM\first.last</Data>
    <Data Name="ClientTime">
    </Data>
    <Data Name="ServerTime">20:12:52.0000 6/7/2013 Z</Data>
    <Data Name="ErrorCode">0x19</Data>
    <Data Name="ErrorMessage">KDC_ERR_PREAUTH_REQUIRED</Data>
    <Data Name="ExtendedError">
    </Data>
    <Data Name="ClientRealm">
    </Data>
    <Data Name="ClientName">
    </Data>
    <Data Name="ServerRealm">ME</Data>
    <Data Name="ServerName">krbtgt/ME</Data>
    <Data Name="TargetName">krbtgt/ME@ME</Data>
    <Data Name="ErrorText">
    </Data>
    <Data Name="File">e</Data>
    <Data Name="Line">9fe</Data>
    <Binary>30583035A103020113A22E042C302A3005A0030201173021A003020103A11A1B185649414D4552494341532E434F4D56696B61732E536861683009A103020102A20204003009A103020110A20204003009A10302010FA2020400</Binary>
  </EventData>
</Event>

However, the highest number of events are being generated with the error "KDC_ERR_BADOPTION". Here is the error event:

Log Name:      System
Source:        Microsoft-Windows-Security-Kerberos
Date:          6/8/2013 12:41:13 AM
Event ID:      3
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      MESQL1.ME.com
Description:
A Kerberos Error Message was received:
 on logon session
 Client Time:
 Server Time: 4:41:12.0000 6/8/2013 Z
 Error Code: 0xd KDC_ERR_BADOPTION
 Extended Error: 0xc00000bb KLIN(0)
 Client Realm:
 Client Name:
 Server Realm: ME.COM
 Server Name: MESQL1$@ME.COM
 Target Name: MESQL1$@ME.COM@ME.COM
 Error Text:
 File: 9
 Line: f09
 Error Data is in record data.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Kerberos" Guid="{98E6CFCB-EE0A-41E0-A57B-622D4E1B30B1}" EventSourceName="Kerberos" />
    <EventID Qualifiers="32768">3</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-06-08T04:41:13.000000000Z" />
    <EventRecordID>94890</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>System</Channel>
    <Computer>MESQL1.ME.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="LogonSession">
    </Data>
    <Data Name="ClientTime">
    </Data>
    <Data Name="ServerTime">4:41:12.0000 6/8/2013 Z</Data>
    <Data Name="ErrorCode">0xd</Data>
    <Data Name="ErrorMessage">KDC_ERR_BADOPTION</Data>
    <Data Name="ExtendedError">0xc00000bb KLIN(0)</Data>
    <Data Name="ClientRealm">
    </Data>
    <Data Name="ClientName">
    </Data>
    <Data Name="ServerRealm">ME.COM</Data>
    <Data Name="ServerName">MESQL1$@ME.COM</Data>
    <Data Name="TargetName">MESQL1$@ME.COM@ME.COM</Data>
    <Data Name="ErrorText">
    </Data>
    <Data Name="File">9</Data>
    <Data Name="Line">f09</Data>
    <Binary>3015A103020103A20E040CBB0000C00000000003000000</Binary>
  </EventData>
</Event>

Apart from this, another event, ID 5719 (Source: NETLOGON), is being generated. Here is the entry:
Log Name:      System
Source:        NETLOGON
Date:          6/7/2013 7:25:37 PM
Event ID:      5719
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      MESQL1.ME.com
Description:
This computer was not able to set up a secure session with a domain controller in domain ME due to the following:
The RPC server is unavailable.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.  

ADDITIONAL INFO
If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="NETLOGON" />
    <EventID Qualifiers="0">5719</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-06-07T23:25:37.000000000Z" />
    <EventRecordID>94853</EventRecordID>
    <Channel>System</Channel>
    <Computer>MESQL1.ME.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data>ME</Data>
    <Data>%%1722</Data>
    <Binary>170002C0</Binary>
  </EventData>
</Event>

\==============================================================/

Let me explain the issue:

With Event ID 3 for Kerberos being generated every 2-5 minutes, the server is still running. However, suddenly (once or twice a week), the server gets Event ID 5719 and stops authenticating any users. No RDP, no authentication works.

I tried Google and most of the suggested steps, but without success.

Awaiting a reply with an exact solution.
Question by:Vikas Shah
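Both Event ID 3 records above end with "Error Data is in record data", and the `<Binary>` field carries that data as DER-encoded Kerberos e-data. The following decoder is an added example (written for this page, not code from the thread or from Microsoft) that walks the two blobs quoted above with nothing but the standard library. It assumes the two layouts Windows uses for e-data: RFC 4120 METHOD-DATA (a SEQUENCE OF PA-DATA, sent with KDC_ERR_PREAUTH_REQUIRED) and the MS-KILE KERB-ERROR-DATA structure (a SEQUENCE whose first child is the `[1]` context tag). The first blob decodes to the KDC's pre-authentication hint list (PA-ETYPE-INFO2 offering rc4-hmac and des-cbc-md5, plus PA-ENC-TIMESTAMP and PKINIT types), which is the normal reply to an AS-REQ sent without pre-authentication; the second decodes to a KERB-EXT-ERROR carrying NTSTATUS 0xC00000BB (STATUS_NOT_SUPPORTED), the same value the event text shows as the Extended Error. One caveat worth noting: the PA-ETYPE-INFO2 salt is the account's real realm and user name, so the `ME.COM` substitution in the text fields is undone by the pasted `<Binary>`; scrub record data before sharing event exports.

```python
"""Decode the e-data that Microsoft-Windows-Security-Kerberos Event ID 3 stores in its
<Binary> field ("Error Data is in record data").

Two layouts occur in the events quoted in the question, told apart by the first child
of the outer SEQUENCE:
  * METHOD-DATA (RFC 4120): SEQUENCE OF PA-DATA, sent with KDC_ERR_PREAUTH_REQUIRED;
    its first element is itself a SEQUENCE (0x30).
  * KERB-ERROR-DATA (MS-KILE): SEQUENCE { data-type [1] INTEGER, data-value [2] OCTET STRING };
    its first element is the [1] context tag (0xA1).
Hand-rolled DER walking only; nothing outside the standard library.
"""
import struct

# Constructed input: the two <Binary> values quoted in the question, unchanged.
PREAUTH_REQUIRED_EDATA = bytes.fromhex(
    "30583035A103020113A22E042C302A3005A0030201173021A003020103A11A1B18"
    "5649414D4552494341532E434F4D56696B61732E53686168"
    "3009A103020102A20204003009A103020110A20204003009A10302010FA2020400"
)
BADOPTION_EDATA = bytes.fromhex("3015A103020103A20E040CBB0000C00000000003000000")

PA_TYPES = {2: "PA-ENC-TIMESTAMP", 15: "PA-PK-AS-REP_OLD", 16: "PA-PK-AS-REQ", 19: "PA-ETYPE-INFO2"}
ETYPES = {3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
NTSTATUS = {0xC00000BB: "STATUS_NOT_SUPPORTED"}


def _tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(buf):
    """Split a constructed element's body into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = _tlv(buf, pos)
        out.append((tag, val))
    return out


def _inner(ctx_value):
    """Unwrap an EXPLICIT [n] context tag and return the (tag, value) inside it."""
    return _children(ctx_value)[0]


def _int(ctx_value):
    tag, val = _inner(ctx_value)
    if tag != 0x02:
        raise ValueError("expected INTEGER, got tag 0x%02x" % tag)
    return int.from_bytes(val, "big", signed=True)


def _etype_info2(raw):
    """ETYPE-INFO2 ::= SEQUENCE OF { etype [0] Int32, salt [1] KerberosString OPTIONAL, ... }"""
    _, seq, _ = _tlv(raw, 0)
    entries = []
    for _, entry in _children(seq):
        fields = dict(_children(entry))
        etype = _int(fields[0xA0])
        item = {"etype": etype, "name": ETYPES.get(etype, "unknown")}
        if 0xA1 in fields:                  # salt = realm + principal used for string-to-key
            item["salt"] = _inner(fields[0xA1])[1].decode("utf-8", "replace")
        entries.append(item)
    return entries


def decode_edata(blob):
    """Decode one Event ID 3 <Binary> value into a plain dict."""
    tag, body, _ = _tlv(blob, 0)
    if tag != 0x30 or not body:
        raise ValueError("e-data is not a non-empty DER SEQUENCE")
    if body[0] == 0x30:                     # METHOD-DATA: SEQUENCE OF PA-DATA
        padata = []
        for _, pa in _children(body):
            fields = dict(_children(pa))
            ptype = _int(fields[0xA1])
            pvalue = _inner(fields[0xA2])[1]
            item = {"type": ptype, "name": PA_TYPES.get(ptype, "unknown")}
            if ptype == 19 and pvalue:
                item["etype_info"] = _etype_info2(pvalue)
            padata.append(item)
        return {"kind": "METHOD-DATA", "padata": padata}
    if body[0] == 0xA1:                     # KERB-ERROR-DATA
        fields = dict(_children(body))
        result = {"kind": "KERB-ERROR-DATA", "data_type": _int(fields[0xA1])}
        if result["data_type"] == 3 and 0xA2 in fields:   # KERB_ERR_TYPE_EXTENDED -> KERB-EXT-ERROR
            status, reserved, flags = struct.unpack("<III", _inner(fields[0xA2])[1][:12])
            result.update(ntstatus=status, ntstatus_name=NTSTATUS.get(status, "unknown"),
                          reserved=reserved, flags=flags)
        return result
    raise ValueError("unrecognised e-data layout (first tag 0x%02x)" % body[0])


if __name__ == "__main__":
    for label, blob in (("KDC_ERR_PREAUTH_REQUIRED", PREAUTH_REQUIRED_EDATA),
                        ("KDC_ERR_BADOPTION", BADOPTION_EDATA)):
        print(label, decode_edata(blob))
```

The walker deliberately does not validate everything a real ASN.1 library would (indefinite lengths, multi-byte tags); it is just enough to read Windows KRB-ERROR e-data, which is always short-form DER with single-byte tags.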
7 Comments
 
LVL 18

Assisted Solution

by:Sarang Tinguria
Sarang Tinguria earned 100 total points
ID: 39231129
Have you checked after a disjoin/rejoin? Are the DC and the problem server on the same network?
 
LVL 9

Assisted Solution

by:Zenvenky
Zenvenky earned 100 total points
ID: 39231281
Agree with Sarang. How were these machines installed or deployed? Is it from VM images?

If all are physical machines, then I would suggest you run DCDiag in verbose mode on both DCs and check whether there are any replication or Netlogon failures. Also try to access both DCs from MESQL1 using a UNC path (\\); I want you to access the DCs by name and by IP address. If either option fails, it means the secure channel is broken between the DC and the SQL server.
 
LVL 24

Accepted Solution

by:Sandeshdubey
Sandeshdubey earned 100 total points
ID: 39231617
As others suggested, it seems that the secure channel between the DC and MESQL1 is broken, and hence Event ID 5719 occurred. You are also getting "RPC server is unavailable" in the event log.

"The RPC server is unavailable" relates to a port being blocked, a network connectivity issue, or a DNS misconfiguration. I would suggest contacting the network/security team to verify whether all the related AD ports are configured and allowed on the firewall for communication. PortQry is a free tool from MS which can be downloaded and installed to verify whether the necessary ports are open.

Also, disable the local Windows Firewall service; by default it is enabled in Vista/Windows 2008 and above. Check the network connectivity and latency.
Disable Windows Firewall: http://technet.microsoft.com/en-us/library/cc766337(WS.10).aspx

It can also be caused by antivirus software, many of which sport a new feature called "network traffic protection," which can effectively block necessary AD traffic.

Troubleshooting "The RPC server is unavailable"
http://premglitz.wordpress.com/2012/05/16/troubleshooting-the-rpc-server-is-unavailable/

This could also be due to a DNS misconfiguration. Ensure correct DNS settings on the DC and member server as described here: http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

Once done, log on locally to MESQL1, disjoin the server from the domain, and join it to the domain again; this should fix the issue.
 
LVL 9

Assisted Solution

by:VirastaR
VirastaR earned 100 total points
ID: 39233255
Hi,

You can safely ignore the below events:

Event ID:      3
Error Code: 0x19 KDC_ERR_PREAUTH_REQUIRED

Event ID:      3
Error Code: 0xd KDC_ERR_BADOPTION

According to this:

http://social.technet.microsoft.com/Forums/en-US/windowsserver2008r2general/thread/dd01902e-630a-4999-8611-cf4d108f42cf

Event ID 5719 is where we need to focus on, and I hope this will give you some direction:

http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/87982335-b32c-4f5f-9c95-e9b6582d1bb6

Hope that helps :)
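The advice above amounts to a triage rule: Event ID 3 with 0x19 is the KDC's routine "send pre-authentication" reply to a client's first AS-REQ (the client simply retries with PA-ENC-TIMESTAMP), while NETLOGON 5719 is the event that coincides with the outages. The script below is an added example, not code from the thread, that applies that rule to exported Event XML of the shape quoted in the question. The severity labels (expected / review / actionable) and the sample records are constructed for this example; the sample keeps the providers, event IDs and EventData field names of the real events and the scrubbed host and user names from the post.

```python
"""Triage exported Windows event records of the kinds quoted in this thread:
Microsoft-Windows-Security-Kerberos Event ID 3 (noisy) versus NETLOGON 5719 (actionable).

Severity scheme (an assumption made for this example, not something the thread defines):
  expected   - Event 3 with 0x19 KDC_ERR_PREAUTH_REQUIRED: the KDC's normal reply to an
               AS-REQ sent without pre-authentication; the client retries with a timestamp.
  review     - any other Event 3 error code (e.g. 0xd KDC_ERR_BADOPTION): count and keep.
  actionable - NETLOGON 5719: the secure channel to a DC could not be set up.
"""
import xml.etree.ElementTree as ET
from collections import Counter

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Constructed sample: four records in the shape of the events quoted in the question.
# Windows exports are a bare sequence of <Event> elements, so they are wrapped in one root.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Kerberos" /><EventID Qualifiers="32768">3</EventID>
    <TimeCreated SystemTime="2013-06-07T20:12:53.000000000Z" /><Computer>MESQL1.me.com</Computer></System>
  <EventData><Data Name="LogonSession">ME.COM\first.last</Data><Data Name="ErrorCode">0x19</Data>
    <Data Name="ErrorMessage">KDC_ERR_PREAUTH_REQUIRED</Data><Data Name="TargetName">krbtgt/ME@ME</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Kerberos" /><EventID Qualifiers="32768">3</EventID>
    <TimeCreated SystemTime="2013-06-07T20:16:02.000000000Z" /><Computer>MESQL1.me.com</Computer></System>
  <EventData><Data Name="LogonSession">ME.COM\first.last</Data><Data Name="ErrorCode">0x19</Data>
    <Data Name="ErrorMessage">KDC_ERR_PREAUTH_REQUIRED</Data><Data Name="TargetName">krbtgt/ME@ME</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="NETLOGON" /><EventID Qualifiers="0">5719</EventID>
    <TimeCreated SystemTime="2013-06-07T23:25:37.000000000Z" /><Computer>MESQL1.ME.com</Computer></System>
  <EventData><Data>ME</Data><Data>%%1722</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Kerberos" /><EventID Qualifiers="32768">3</EventID>
    <TimeCreated SystemTime="2013-06-08T04:41:13.000000000Z" /><Computer>MESQL1.ME.com</Computer></System>
  <EventData><Data Name="ErrorCode">0xd</Data><Data Name="ErrorMessage">KDC_ERR_BADOPTION</Data>
    <Data Name="ExtendedError">0xc00000bb KLIN(0)</Data><Data Name="TargetName">MESQL1$@ME.COM@ME.COM</Data></EventData>
</Event>
</Events>"""


def parse_events(xml_text):
    """Flatten each <Event> into a dict; unnamed <Data> items become param1, param2, ..."""
    records = []
    for ev in ET.fromstring(xml_text).iter(NS + "Event"):
        system = ev.find(NS + "System")
        data = {}
        for i, d in enumerate(ev.findall(NS + "EventData/" + NS + "Data")):
            data[d.get("Name") or "param%d" % (i + 1)] = (d.text or "").strip()
        records.append({
            "provider": system.find(NS + "Provider").get("Name"),
            "event_id": int(system.find(NS + "EventID").text),
            "time": system.find(NS + "TimeCreated").get("SystemTime"),
            "computer": system.find(NS + "Computer").text,
            "data": data,
        })
    return records


def classify(rec):
    if rec["provider"] == "NETLOGON" and rec["event_id"] == 5719:
        return "actionable"
    if rec["provider"] == "Microsoft-Windows-Security-Kerberos" and rec["event_id"] == 3:
        return "expected" if int(rec["data"].get("ErrorCode", "0"), 16) == 0x19 else "review"
    return "other"


def triage(xml_text):
    """Return counts per category, a tally of Kerberos error names, and the actionable events."""
    counts, kerberos_codes, actionable = Counter(), Counter(), []
    for rec in parse_events(xml_text):
        category = classify(rec)
        counts[category] += 1
        if rec["event_id"] == 3:
            kerberos_codes[rec["data"].get("ErrorMessage", "?")] += 1
        if category == "actionable":
            # "%%1722" is a message-table insert: Win32 error 1722, RPC_S_SERVER_UNAVAILABLE
            status = rec["data"].get("param2", "").lstrip("%")
            actionable.append({
                "time": rec["time"], "computer": rec["computer"],
                "domain": rec["data"].get("param1"),
                "rpc_status": int(status) if status.isdigit() else None,
            })
    return {"counts": counts, "kerberos_codes": kerberos_codes, "actionable": actionable}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    print(dict(result["counts"]), dict(result["kerberos_codes"]))
    for item in result["actionable"]:
        print("secure channel failure:", item)
```

Feed it the output of `wevtutil qe System /f:xml` (wrapped in a root element) and the `actionable` list gives the timestamps to line up against the RDP outages, while the Kerberos tallies show how much of the log is the 0x19 negotiation noise.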
 
LVL 13

Assisted Solution

by:Jaihunt
Jaihunt earned 100 total points
ID: 39234281
Hi

For the Kerberos errors, check the SPN which you registered for SQL. Is it configured properly? Check the computer object and the Delegation tab for the SPN.

Does the Netlogon error occur when you restart the machine or when the network disconnects and reconnects?

Check for any network delay between the DC and SQL servers, and also update the NIC drivers of the SQL server.

If you want, you can configure the delay time in the registry to wait for the DC. But you must first rule out any problem in the network for SQL to contact the DC.

http://technet.microsoft.com/en-us/library/cc758105.aspx

Thanks
Jai
 
LVL 6

Author Closing Comment

by:Vikas Shah
ID: 39322321
Hi,

The issue still exists, and even MS is not able to resolve it.
As of now we are ignoring it and looking for a resolution.
 
LVL 9

Expert Comment

by:VirastaR
ID: 39322856