Solved

kerberos error message

Posted on 2014-01-21
5
336 Views
Last Modified: 2014-01-22
One of my SQL servers pops a Error Code: 0x7  KDC_ERR_S_PRINCIPAL_UNKNOWN error every 15 minutes.  Text of the error is

A Kerberos Error Message was received:
 on logon session
 Client Time:
 Server Time: 0:0:1.0000 1/22/2014 Z
 Error Code: 0x7  KDC_ERR_S_PRINCIPAL_UNKNOWN
 Extended Error: 0xc0000035 KLIN(0)
 Client Realm:
 Client Name:
 Server Realm: XXXX.LOC
 Server Name: MSSQLSvc/annie.XXXX.loc:1433
 Target Name: MSSQLSvc/annie.XXXX.loc:1433@XXXX.LOC
 Error Text:
 File: 9
 Line: e2d
 Error Data is in record data.

Annie is another SQL server which this server  sends log shipping to, and the errors occur at the interval of the LSbackups.

The quick link takes me to a MSFT page telling me how to reset stored passwords. Completed this on both servers involved with no improvement.

Went a step further and ran setspn.exe to verify no duplicate records.

I have rebooted Annie with no improvement, but do not want to reboot the production server unless it is sure to fix it.  Nothing I read indicates it should be necessary.

Anybody more familiar with this?
0
Comment
Question by:billherde
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 25

Accepted Solution

by:
Lionel MM earned 167 total points
ID: 39799799
I'm not much help but Kerboros messages are usually about permissions, user logons and passwords--anything change lately with regard to maybe changing passwords, removing users, or restoring database?
0
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 167 total points
ID: 39799895
How did you check for duplicate SPN's?

ldifde -f C:\SPNs.txt -t 3268 -d dc=domain,dc=com -l serviceprincipalname -r (serviceprincipalname=*) -p subtree

In the above command, replace DC=domain,DC=com with the DN of the domain. To check if duplicate SPN is present

Ref:

http://social.technet.microsoft.com/Forums/systemcenter/en-US/be6fcac4-7310-42d1-980e-e1725b464756/kerberos-spns?forum=systemcenter
0
 
LVL 29

Assisted Solution

by:Michael Pfister
Michael Pfister earned 166 total points
ID: 39800042
0
 
LVL 3

Author Comment

by:billherde
ID: 39800749
There have been no user updates that should be involved in the SQL servers.

I used setspn -X to check for duplicate SPNs.

'setspn -L administrator'  shows two registered SPN for Annie for the system administrator. The target names matche the servername in the error.

I note there is a -R option which says
To reset the default SPN registrations for the host names for an account  
•Type the following at a command prompt:

setspn -R  AccountName

Does anybody know what they mean by reset?  I do not want to clear all SPNs for the administrator account.
0
 
LVL 3

Author Closing Comment

by:billherde
ID: 39801029
The -R switch was the answer.  Since the SPN was there, and was correct, It was just a matter of the first SQL server forgot about it.  The -r switch says it means Reset, but a more accurate description shows when you run it.  It RE-REGISTERS the SPN.  So running 'setspn -R Annie' re-registered the SPNs set for Annie and the error went away.

Thanks for the pointers guys!
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This is a little timesaver I have been using for setting up Microsoft Small Business Server (SBS) in the simplest possible way. It may not be appropriate for every customer. However, when you get a situation where the person who owns the server is i…
It’s been over a month into 2017, and there is already a sophisticated Gmail phishing email making it rounds. New techniques and tactics, have given hackers a way to authentically impersonate your contacts.How it Works The attack works by targeti…
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question