Solved

kerberos error message

Posted on 2014-01-21
5
325 Views
Last Modified: 2014-01-22
One of my SQL servers pops a Error Code: 0x7  KDC_ERR_S_PRINCIPAL_UNKNOWN error every 15 minutes.  Text of the error is

A Kerberos Error Message was received:
 on logon session
 Client Time:
 Server Time: 0:0:1.0000 1/22/2014 Z
 Error Code: 0x7  KDC_ERR_S_PRINCIPAL_UNKNOWN
 Extended Error: 0xc0000035 KLIN(0)
 Client Realm:
 Client Name:
 Server Realm: XXXX.LOC
 Server Name: MSSQLSvc/annie.XXXX.loc:1433
 Target Name: MSSQLSvc/annie.XXXX.loc:1433@XXXX.LOC
 Error Text:
 File: 9
 Line: e2d
 Error Data is in record data.

Annie is another SQL server which this server  sends log shipping to, and the errors occur at the interval of the LSbackups.

The quick link takes me to a MSFT page telling me how to reset stored passwords. Completed this on both servers involved with no improvement.

Went a step further and ran setspn.exe to verify no duplicate records.

I have rebooted Annie with no improvement, but do not want to reboot the production server unless it is sure to fix it.  Nothing I read indicates it should be necessary.

Anybody more familiar with this?
0
Comment
Question by:billherde
5 Comments
 
LVL 24

Accepted Solution

by:
lionelmm earned 167 total points
ID: 39799799
I'm not much help but Kerboros messages are usually about permissions, user logons and passwords--anything change lately with regard to maybe changing passwords, removing users, or restoring database?
0
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 167 total points
ID: 39799895
How did you check for duplicate SPN's?

ldifde -f C:\SPNs.txt -t 3268 -d dc=domain,dc=com -l serviceprincipalname -r (serviceprincipalname=*) -p subtree

In the above command, replace DC=domain,DC=com with the DN of the domain. To check if duplicate SPN is present

Ref:

http://social.technet.microsoft.com/Forums/systemcenter/en-US/be6fcac4-7310-42d1-980e-e1725b464756/kerberos-spns?forum=systemcenter
0
 
LVL 28

Assisted Solution

by:Michael Pfister
Michael Pfister earned 166 total points
ID: 39800042
0
 
LVL 3

Author Comment

by:billherde
ID: 39800749
There have been no user updates that should be involved in the SQL servers.

I used setspn -X to check for duplicate SPNs.

'setspn -L administrator'  shows two registered SPN for Annie for the system administrator. The target names matche the servername in the error.

I note there is a -R option which says
To reset the default SPN registrations for the host names for an account  
•Type the following at a command prompt:

setspn -R  AccountName

Does anybody know what they mean by reset?  I do not want to clear all SPNs for the administrator account.
0
 
LVL 3

Author Closing Comment

by:billherde
ID: 39801029
The -R switch was the answer.  Since the SPN was there, and was correct, It was just a matter of the first SQL server forgot about it.  The -r switch says it means Reset, but a more accurate description shows when you run it.  It RE-REGISTERS the SPN.  So running 'setspn -R Annie' re-registered the SPNs set for Annie and the error went away.

Thanks for the pointers guys!
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article describes how to set permissions to allow a limited-permissions user to start and stop a particular System Service.   It is always best to give users only the permissions that they need to perform their job, so tweaking particular permi…
INTRODUCTION The purpose of this document is to demonstrate the Installation and configuration of the Data Protection Manager product. Note that this demonstration was prepared on the basis of Windows OS is 2008 R2 and DPM 2010. DATA PROTECTI…
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now