Kerberos Error

Posted on 2013-06-07
Last Modified: 2013-07-13
Hello Experts,

Let me first explain about the environment:

SERVER 1
OS: Windows Server 2008 R2 Standard (SP1) - 64Bit
Roles - Domain Controller, DNS Server
Hostname: MEDC2

SERVER 2
OS: Windows Server 2003 R2 Standard (SP2) - 64Bit
Roles - Additional Domain Controller, DNS Server
Hostname: MEDC

SERVER 3
OS: Windows Server 2008 R2 Standard (SP1) - 64Bit
Roles - Database Server (MS SQL)
Hostname: MESQL1

==============================================================

Let me explain the issue:

We have allowed all our users to access the SQL server via RDP. However, for the last year or so, we have been experiencing an issue with our SQL server: it suddenly stops working and cannot be connected to via RDP, and even if it does connect, authentication stops.

Looking further at the Event Log, we have observed that we are getting Event ID 3 (Source: Security-Kerberos) every 2-5 minutes in the Application Log. Here is the event:

Log Name:      System
Source:        Microsoft-Windows-Security-Kerberos
Date:          6/7/2013 4:12:53 PM
Event ID:      3
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      MESQL1.me.com
Description:
A Kerberos Error Message was received:
 on logon session ME.COM\first.last
 Client Time:
 Server Time: 20:12:52.0000 6/7/2013 Z
 Error Code: 0x19 KDC_ERR_PREAUTH_REQUIRED
 Extended Error:
 Client Realm:
 Client Name:
 Server Realm: ME
 Server Name: krbtgt/ME
 Target Name: krbtgt/ME@ME
 Error Text:
 File: e
 Line: 9fe
 Error Data is in record data.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Kerberos" Guid="{98E6CFCB-EE0A-41E0-A57B-622D4E1B30B1}" EventSourceName="Kerberos" />
    <EventID Qualifiers="32768">3</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-06-07T20:12:53.000000000Z" />
    <EventRecordID>94826</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>System</Channel>
    <Computer>MESQL1.me.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="LogonSession">ME.COM\first.last</Data>
    <Data Name="ClientTime">
    </Data>
    <Data Name="ServerTime">20:12:52.0000 6/7/2013 Z</Data>
    <Data Name="ErrorCode">0x19</Data>
    <Data Name="ErrorMessage">KDC_ERR_PREAUTH_REQUIRED</Data>
    <Data Name="ExtendedError">
    </Data>
    <Data Name="ClientRealm">
    </Data>
    <Data Name="ClientName">
    </Data>
    <Data Name="ServerRealm">ME</Data>
    <Data Name="ServerName">krbtgt/ME</Data>
    <Data Name="TargetName">krbtgt/ME@ME</Data>
    <Data Name="ErrorText">
    </Data>
    <Data Name="File">e</Data>
    <Data Name="Line">9fe</Data>
    <Binary>30583035A103020113A22E042C302A3005A0030201173021A003020103A11A1B185649414D4552494341532E434F4D56696B61732E536861683009A103020102A20204003009A103020110A20204003009A10302010FA2020400</Binary>
  </EventData>
</Event>

However, the highest number of events are being generated with the error "KDC_ERR_BADOPTION". Here is the error event:

Log Name:      System
Source:        Microsoft-Windows-Security-Kerberos
Date:          6/8/2013 12:41:13 AM
Event ID:      3
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      MESQL1.ME.com
Description:
A Kerberos Error Message was received:
 on logon session
 Client Time:
 Server Time: 4:41:12.0000 6/8/2013 Z
 Error Code: 0xd KDC_ERR_BADOPTION
 Extended Error: 0xc00000bb KLIN(0)
 Client Realm:
 Client Name:
 Server Realm: ME.COM
 Server Name: MESQL1$@ME.COM
 Target Name: MESQL1$@ME.COM@ME.COM
 Error Text:
 File: 9
 Line: f09
 Error Data is in record data.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Kerberos" Guid="{98E6CFCB-EE0A-41E0-A57B-622D4E1B30B1}" EventSourceName="Kerberos" />
    <EventID Qualifiers="32768">3</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-06-08T04:41:13.000000000Z" />
    <EventRecordID>94890</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>System</Channel>
    <Computer>MESQL1.ME.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="LogonSession">
    </Data>
    <Data Name="ClientTime">
    </Data>
    <Data Name="ServerTime">4:41:12.0000 6/8/2013 Z</Data>
    <Data Name="ErrorCode">0xd</Data>
    <Data Name="ErrorMessage">KDC_ERR_BADOPTION</Data>
    <Data Name="ExtendedError">0xc00000bb KLIN(0)</Data>
    <Data Name="ClientRealm">
    </Data>
    <Data Name="ClientName">
    </Data>
    <Data Name="ServerRealm">ME.COM</Data>
    <Data Name="ServerName">MESQL1$@ME.COM</Data>
    <Data Name="TargetName">MESQL1$@ME.COM@ME.COM</Data>
    <Data Name="ErrorText">
    </Data>
    <Data Name="File">9</Data>
    <Data Name="Line">f09</Data>
    <Binary>3015A103020103A20E040CBB0000C00000000003000000</Binary>
  </EventData>
</Event>

Apart from this, another event, ID 5719 (Source: NETLOGON), is being generated. Here is the entry:
Log Name:      System
Source:        NETLOGON
Date:          6/7/2013 7:25:37 PM
Event ID:      5719
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      MESQL1.ME.com
Description:
This computer was not able to set up a secure session with a domain controller in domain ME due to the following:
The RPC server is unavailable.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.  

ADDITIONAL INFO
If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="NETLOGON" />
    <EventID Qualifiers="0">5719</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-06-07T23:25:37.000000000Z" />
    <EventRecordID>94853</EventRecordID>
    <Channel>System</Channel>
    <Computer>MESQL1.ME.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data>ME</Data>
    <Data>%%1722</Data>
    <Binary>170002C0</Binary>
  </EventData>
</Event>

==============================================================

Let me explain the issue:

With Event ID 3 for Kerberos being generated every 2-5 minutes, the server is still running. However, suddenly (once or twice a week), the server gets Event ID 5719 and stops authenticating any users. No RDP, no authentication works.

I tried Google and most of the suggested steps, but without success.

Awaiting Reply with exact solution.
Question by:Vikas Shah
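As an added example (not part of the question or of any answer in this thread), here is a small Python decoder for the Binary field of the two Kerberos records above. That field is the DER-encoded e-data of the KRB-ERROR the client received: for KDC_ERR_PREAUTH_REQUIRED it is METHOD-DATA, the list of PA-DATA in which the KDC tells the client which pre-authentication it accepts (RFC 4120), and for the KDC_ERR_BADOPTION record it is a single MS-KILE KERB-ERROR-DATA record whose first four bytes are the NTSTATUS shown in the event's Extended Error field. The hex strings are copied verbatim from the two events; the field names follow RFC 4120 and MS-KILE, and only the handful of DER tags those structures use are implemented. One caveat worth knowing before pasting such records into a public forum: the ETYPE-INFO2 salt is the realm concatenated with the principal name, so the binary field carries the real realm and user even where the event text has been redacted.

```python
"""Decode the Binary field of a Security-Kerberos Event ID 3 record.

That field is the DER-encoded e-data of the KRB-ERROR the client received.
For KDC_ERR_PREAUTH_REQUIRED it is METHOD-DATA (SEQUENCE OF PA-DATA, RFC 4120);
Windows KDCs put a single MS-KILE KERB-ERROR-DATA record there for other errors.
Added example: only the DER subset these two structures need is implemented.
"""
import struct

# Hex copied verbatim from the two events posted in the question.
PREAUTH_REQUIRED_BLOB = ("30583035A103020113A22E042C302A3005A0030201173021A003020103A11A1B18"
                         "5649414D4552494341532E434F4D56696B61732E53686168"
                         "3009A103020102A20204003009A103020110A20204003009A10302010FA2020400")
BADOPTION_BLOB = "3015A103020103A20E040CBB0000C00000000003000000"

PA_NAMES = {2: "PA-ENC-TIMESTAMP", 3: "KERB-ERR-TYPE-EXTENDED (MS-KILE)",
            15: "PA-PK-AS-REP-OLD", 16: "PA-PK-AS-REQ", 19: "PA-ETYPE-INFO2"}
ETYPE_NAMES = {3: "des-cbc-md5", 23: "rc4-hmac"}


def der_tlvs(data):
    """Yield (tag, value) for consecutive DER TLVs (short and long-form lengths)."""
    i = 0
    while i < len(data):
        tag, length = data[i], data[i + 1]
        i += 2
        if length & 0x80:                       # long form: next n bytes hold the length
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        yield tag, data[i:i + length]
        i += length


def der_int(value):
    return int.from_bytes(value, "big", signed=True)


def ctx(body, n):
    """Contents of context-specific tag [n] inside a SEQUENCE body, or None."""
    for tag, value in der_tlvs(body):
        if tag == 0xA0 | n:
            return value
    return None


def parse_etype_info2(value):
    """ETYPE-INFO2 ::= SEQUENCE OF { etype [0] INTEGER, salt [1] KerberosString OPTIONAL }."""
    entries = []
    for _, entry in der_tlvs(next(der_tlvs(value))[1]):   # strip the outer SEQUENCE
        etype = der_int(next(der_tlvs(ctx(entry, 0)))[1])
        salt_tlv = ctx(entry, 1)
        salt = next(der_tlvs(salt_tlv))[1].decode("ascii") if salt_tlv else None
        entries.append({"etype": etype, "name": ETYPE_NAMES.get(etype, "?"), "salt": salt})
    return entries


def parse_pa_data(body):
    """PA-DATA ::= SEQUENCE { padata-type [1] INTEGER, padata-value [2] OCTET STRING }."""
    ptype = der_int(next(der_tlvs(ctx(body, 1)))[1])
    pvalue = next(der_tlvs(ctx(body, 2)))[1]
    rec = {"type": ptype, "name": PA_NAMES.get(ptype, "?")}
    if ptype == 19:
        rec["etypes"] = parse_etype_info2(pvalue)
    elif ptype == 3 and len(pvalue) >= 12:
        # KERB-EXT-ERROR: little-endian NTSTATUS, reserved, flags
        rec["ntstatus"], _reserved, rec["flags"] = struct.unpack("<III", pvalue[:12])
    return rec


def decode_edata(hex_blob):
    """Return the list of decoded PA-DATA records carried in the e-data."""
    tag, body = next(der_tlvs(bytes.fromhex(hex_blob)))
    if tag != 0x30:
        raise ValueError("e-data is not a DER SEQUENCE")
    if next(der_tlvs(body))[0] == 0x30:          # METHOD-DATA: SEQUENCE OF PA-DATA
        return [parse_pa_data(pa) for _, pa in der_tlvs(body)]
    return [parse_pa_data(body)]                 # single KERB-ERROR-DATA record


def describe(records):
    """One human-readable line per decoded PA-DATA record."""
    lines = []
    for r in records:
        line = f"padata-type {r['type']} ({r['name']})"
        if "etypes" in r:
            line += ": " + ", ".join(f"{e['name']}({e['etype']})" +
                                     (f" salt={e['salt']!r}" if e["salt"] else "")
                                     for e in r["etypes"])
        if "ntstatus" in r:
            line += f": NTSTATUS 0x{r['ntstatus']:08X} flags={r['flags']}"
        lines.append(line)
    return lines


if __name__ == "__main__":
    for label, blob in (("KDC_ERR_PREAUTH_REQUIRED", PREAUTH_REQUIRED_BLOB),
                        ("KDC_ERR_BADOPTION", BADOPTION_BLOB)):
        print(label)
        for line in describe(decode_edata(blob)):
            print("  " + line)
```

Decoding the first record shows why the thread treats error 0x19 as noise: the KDC is answering an initial AS-REQ with its list of acceptable pre-authentication methods (ETYPE-INFO2 offering rc4-hmac and des-cbc-md5 keys, encrypted timestamp, and the two PKINIT types), after which the client resends the request with PA-ENC-TIMESTAMP and the logon proceeds; Windows logs the intermediate reply as an error anyway. The absence of AES key types in that list is consistent with a domain that still has a Windows Server 2003 DC. The second record decodes to a single MS-KILE extended-error record whose NTSTATUS 0xC00000BB matches the "Extended Error" line of the event text.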
7 Comments

Assisted Solution by: sarang_tinguria (earned 100 total points)
Have you checked after a disjoin/rejoin? Are the DC and the problem server on the same network?

Assisted Solution by: Zenvenky (earned 100 total points)
Agree with Sarang. How are these machines installed or deployed? Is it from VM images?

If all are physical machines, then I would suggest you run DCDiag in verbose mode on both DCs and see whether there are any replication or Netlogon failures. Also try to access both DCs from MESQL1 using a UNC path (\\); I want you to access the DCs by name and by IP address. If either option fails, it means the secure channel between the DC and the SQL server is broken.

Accepted Solution by: Sandeshdubey (earned 100 total points)
As others suggested, it seems that the secure channel between the DC and MESQL1 is broken, and hence Event ID 5719 occurred. You are also getting "RPC server is unavailable" in the event log.

"The RPC server is unavailable" relates to a port being blocked, a network connectivity issue, or a DNS misconfiguration. I would suggest contacting the network/security team to verify that all the related AD ports are configured and allowed on the firewall for communication. PortQry is a free tool from MS which can be downloaded and installed to verify whether the necessary ports are open.

Also, disable the local Windows Firewall service; by default it is enabled in Vista/Windows 2008 and above. Check the network connectivity and latency.
Disable Windows Firewall: http://technet.microsoft.com/en-us/library/cc766337(WS.10).aspx

It can also be caused by antivirus software, many of which sport a new feature called "network traffic protection", which can effectively block necessary AD traffic.

Troubleshooting “The RPC server is unavailable”
http://premglitz.wordpress.com/2012/05/16/troubleshooting-the-rpc-server-is-unavailable/

This could also be due to a DNS misconfiguration. Ensure correct DNS settings on the DC and member server as described here: http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

Once done, log on locally on MESQL1, disjoin the server from the domain and join it to the domain again; this should fix the issue.
 
LVL 9

Assisted Solution

by:VirastaR
VirastaR earned 100 total points
Comment Utility
Hi,

You can safely ignore the below events:

Event ID:      3
Error Code: 0x19 KDC_ERR_PREAUTH_REQUIRED

Event ID:      3
Error Code: 0xd KDC_ERR_BADOPTION

According to this:

http://social.technet.microsoft.com/Forums/en-US/windowsserver2008r2general/thread/dd01902e-630a-4999-8611-cf4d108f42cf

Event ID: 5719 is where we need to focus, and I hope this will give you some direction:

http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/87982335-b32c-4f5f-9c95-e9b6582d1bb6

Hope that helps :)
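As an added example (not from this answer or anyone else in the thread), the following Python script applies the triage described above to the three Event XML records from the question: it reads the structured EventData, treats Security-Kerberos Event ID 3 with codes 0x19 and 0xd as expected noise, and raises the NETLOGON 5719 as the actionable secure-channel failure, resolving its "%%1722" insertion string to the Win32 error RPC_S_SERVER_UNAVAILABLE (1722, "The RPC server is unavailable"). The sample records are trimmed copies of the ones posted in the question; the noise/alert split follows the advice in this answer, and the names NS, KERBEROS_NOISE and triage are this example's own.

```python
"""Triage exported Windows Event XML: separate noisy Security-Kerberos Event ID 3
records from the NETLOGON 5719 secure-channel failure that tracks the outage.

Added example. The sample records are trimmed copies of the three events posted
in the question; the noise/alert classification follows the thread's advice.
"""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

SAMPLE_EVENTS = [
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Kerberos" /><EventID Qualifiers="32768">3</EventID>
    <TimeCreated SystemTime="2013-06-07T20:12:53.000000000Z" /><Computer>MESQL1.me.com</Computer></System>
  <EventData><Data Name="LogonSession">ME.COM\first.last</Data><Data Name="ErrorCode">0x19</Data>
    <Data Name="ErrorMessage">KDC_ERR_PREAUTH_REQUIRED</Data><Data Name="TargetName">krbtgt/ME@ME</Data></EventData>
</Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Kerberos" /><EventID Qualifiers="32768">3</EventID>
    <TimeCreated SystemTime="2013-06-08T04:41:13.000000000Z" /><Computer>MESQL1.ME.com</Computer></System>
  <EventData><Data Name="ErrorCode">0xd</Data><Data Name="ErrorMessage">KDC_ERR_BADOPTION</Data>
    <Data Name="ExtendedError">0xc00000bb KLIN(0)</Data><Data Name="TargetName">MESQL1$@ME.COM@ME.COM</Data></EventData>
</Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="NETLOGON" /><EventID Qualifiers="0">5719</EventID>
    <TimeCreated SystemTime="2013-06-07T23:25:37.000000000Z" /><Computer>MESQL1.ME.com</Computer></System>
  <EventData><Data>ME</Data><Data>%%1722</Data><Binary>170002C0</Binary></EventData>
</Event>""",
]

# Kerberos error codes the thread treats as expected protocol chatter, not outage signs.
KERBEROS_NOISE = {
    0x19: "KDC_ERR_PREAUTH_REQUIRED: normal first KDC reply; the client retries with a timestamp",
    0x0D: "KDC_ERR_BADOPTION: KDC declined a requested ticket option; not an outage indicator by itself",
}
WIN32_ERRORS = {1722: "RPC_S_SERVER_UNAVAILABLE"}


def parse_event(xml_text):
    """Flatten one <Event> into provider, id, time, host, named data and positional args."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    rec = {
        "provider": system.find("e:Provider", NS).get("Name"),
        "event_id": int(system.find("e:EventID", NS).text),
        "time": system.find("e:TimeCreated", NS).get("SystemTime"),
        "computer": system.find("e:Computer", NS).text,
        "data": {}, "args": [],
    }
    for d in root.findall("e:EventData/e:Data", NS):
        text = (d.text or "").strip()
        if d.get("Name"):
            rec["data"][d.get("Name")] = text     # Kerberos records use named fields
        else:
            rec["args"].append(text)             # NETLOGON uses positional insertion strings
    return rec


def classify(rec):
    """Return (verdict, reason) where verdict is 'noise', 'alert' or 'review'."""
    if rec["provider"] == "Microsoft-Windows-Security-Kerberos" and rec["event_id"] == 3:
        code = int(rec["data"].get("ErrorCode", "0"), 16)
        if code in KERBEROS_NOISE:
            return "noise", KERBEROS_NOISE[code]
        return "review", f"Kerberos error {rec['data'].get('ErrorMessage', hex(code))}"
    if rec["provider"] == "NETLOGON" and rec["event_id"] == 5719:
        # Second insertion string is "%%<win32 code>": why the secure channel could not be set up.
        reason = rec["args"][1] if len(rec["args"]) > 1 else ""
        code = int(reason.lstrip("%")) if reason.startswith("%%") else None
        return "alert", f"secure channel to domain {rec['args'][0]} failed: {WIN32_ERRORS.get(code, reason)}"
    return "review", "unclassified event"


def triage(xml_records):
    """Classify every record; return verdict counts and per-event findings."""
    counts, findings = Counter(), []
    for xml_text in xml_records:
        rec = parse_event(xml_text)
        verdict, why = classify(rec)
        counts[verdict] += 1
        findings.append((rec["time"], rec["computer"], verdict, why))
    return counts, findings


if __name__ == "__main__":
    counts, findings = triage(SAMPLE_EVENTS)
    for time, host, verdict, why in findings:
        print(f"{time} {host} [{verdict}] {why}")
    print(dict(counts))
```

Run against the three posted records it reports two noise entries and one alert, which is the split this answer recommends; in a real log the useful signal is the timing of 5719 alerts relative to the RDP outages, not the volume of Event ID 3.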
 
LVL 13

Assisted Solution

by:Jaihunt
Jaihunt earned 100 total points
Comment Utility
Hi

For Kerberos errors, check the SPN which you registered for SQL. Is it configured properly? Check the computer object and the Delegation tab for the SPN.

Does the Netlogon error occur when you restart the machine or when the network disconnects and reconnects?

Check for any network delay between the DC and SQL servers; also update the NIC drivers of the SQL server.

If you want, you can configure the delay time in the registry to wait for the DC. But you must first rule out any problem in the network for SQL to contact the DC.

http://technet.microsoft.com/en-us/library/cc758105.aspx

Thanks
Jai

Author Closing Comment by: Vikas Shah
Hi,

The issue still exists, and even MS is not able to resolve it.
As of now we are ignoring it and looking for some resolution.