| Author | Messages | |
bwatson
Posts:49
 | | 12/02/2008 12:19 PM |
| Hello all,
Over the past couple weeks, I've seen several workstations showing the
same errors in the system event log of the workstation. This is the
error...
Source: Kerberos - EventID: 4
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/printserver.appsig.com. This indicates that the password used to
encrypt the kerberos service ticket is different than that on the target
server. Commonly, this is due to identically named machine accounts in
the target realm (APPSIG.COM), and the client realm. Please contact
your system administrator.
When I check the system event logs on the print server, I only see two
entries in the event logs for a similar Kerberos error pointing back to
two separate workstations. However there are definitely more
workstations than just the two with these errors.
As for the workstations that are experiencing this error, they seem to
generate this error in the event logs somewhere between 1 and 4 times a
day at random time intervals. They all are having an issue with this
particular print server which has been in operation for a little over a
year. They also don't appear to be having any sort of loss of
functionality as a result of these errors.
The print server is a Windows Server 2003 R2 machine and the
workstations are Windows XP.
Any thoughts?
Thanks,
~Ben
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
| | | |
| amulnick
Posts:162
| | 12/02/2008 12:46 PM |
| Have you already seen this:
http://www.eventid.net/display.asp?eventid=4&eventno=1968&source=Kerberos&phase=1
?
On Tue, Dec 2, 2008 at 12:14 PM, WATSON, BEN <bwatson@appsig.com> wrote:
> Hello all,
>
> Over the past couple weeks, I've seen several workstations showing the
> same errors in the system event log of the workstation. This is the
> error...
>
> Source: Kerberos - EventID: 4
> The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
> host/printserver.appsig.com. This indicates that the password used to
> encrypt the kerberos service ticket is different than that on the target
> server. Commonly, this is due to identically named machine accounts in
> the target realm (APPSIG.COM <http://appsig.com/> , and the client realm.
> Please contact
> your system administrator.
>
> When I check the system event logs on the print server, I only see two
> entries in the event logs for a similar Kerberos error pointing back to
> two separate workstations. However there are definitely more
> workstations than just the two with these errors.
>
> As for the workstations that are experiencing this error, they seem to
> generate this error in the event logs somewhere between 1 and 4 times a
> day at random time intervals. They all are having an issue with this
> particular print server which has been in operation for a little over a
> year. They also don't appear to be having any sort of loss of
> functionality as a result of these errors.
>
> The print server is a Windows Server 2003 R2 machine and the
> workstations are Windows XP.
>
> Any thoughts?
>
> Thanks,
> ~Ben
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx
>
| | | |
| bwatson
Posts:49
| | 12/02/2008 12:52 PM |
| Hi Al,
Yes, I should have mentioned that. I did look through the posts there and found none that seemed appropriate. Most of the posts seemed to run along the lines of the target machine being clustered (the print server is not clustered), a HOSTS file issue, or DNS. None of which are an issue with either the workstations or the print server.
Also, I am working in a single domain, single forest environment.
Thanks!
~Ben
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al Mulnick
Sent: Tuesday, December 02, 2008 9:41 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos Workstation Errors
Have you already seen this: http://www.eventid.net/display.asp?eventid=4&eventno=1968&source=Kerberos&phase=1
?
On Tue, Dec 2, 2008 at 12:14 PM, WATSON, BEN <bwatson@appsig.com> wrote:
Hello all,
Over the past couple weeks, I've seen several workstations showing the
same errors in the system event log of the workstation. This is the
error...
Source: Kerberos - EventID: 4
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/printserver.appsig.com <http://printserver.appsig.com/> . This indicates that the password used to
encrypt the kerberos service ticket is different than that on the target
server. Commonly, this is due to identically named machine accounts in
the target realm (APPSIG.COM <http://appsig.com/> ), and the client realm. Please contact
your system administrator.
When I check the system event logs on the print server, I only see two
entries in the event logs for a similar Kerberos error pointing back to
two separate workstations. However there are definitely more
workstations than just the two with these errors.
As for the workstations that are experiencing this error, they seem to
generate this error in the event logs somewhere between 1 and 4 times a
day at random time intervals. They all are having an issue with this
particular print server which has been in operation for a little over a
year. They also don't appear to be having any sort of loss of
functionality as a result of these errors.
The print server is a Windows Server 2003 R2 machine and the
workstations are Windows XP.
Any thoughts?
Thanks,
~Ben
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
| | | |
| amulnick
Posts:162
| | 12/02/2008 12:58 PM |
| Did you verify no duplicate SPN's as well as no duplicate name resolution
entries for all types of name resolution?
On Tue, Dec 2, 2008 at 12:47 PM, WATSON, BEN <bwatson@appsig.com> wrote:
> Hi Al,
>
>
>
> Yes, I should have mentioned that. I did look through the posts there and
> found none that seemed appropriate. Most of the posts seemed to run along
> the lines of the target machine being clustered (the print server is not
> clustered), a HOSTS file issue, or DNS. None of which are an issue with
> either the workstations or the print server.
>
>
>
> Also, I am working in a single domain, single forest environment.
>
>
>
> Thanks!
>
> ~Ben
>
>
>
> *From:* ActiveDir-owner@mail.activedir.org [mailto:
> ActiveDir-owner@mail.activedir.org] *On Behalf Of *Al Mulnick
> *Sent:* Tuesday, December 02, 2008 9:41 AM
> *To:* ActiveDir@mail.activedir.org
> *Subject:* Re: [ActiveDir] Kerberos Workstation Errors
>
>
>
> Have you already seen this:
> http://www.eventid.net/display.asp?eventid=4&eventno=1968&source=Kerberos&phase=1
>
>
>
> ?
>
> On Tue, Dec 2, 2008 at 12:14 PM, WATSON, BEN <bwatson@appsig.com> wrote:
>
> Hello all,
>
> Over the past couple weeks, I've seen several workstations showing the
> same errors in the system event log of the workstation. This is the
> error...
>
> Source: Kerberos - EventID: 4
> The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
> host/printserver.appsig.com. This indicates that the password used to
> encrypt the kerberos service ticket is different than that on the target
> server. Commonly, this is due to identically named machine accounts in
> the target realm (APPSIG.COM <http://appsig.com/>, and the client realm.
> Please contact
> your system administrator.
>
> When I check the system event logs on the print server, I only see two
> entries in the event logs for a similar Kerberos error pointing back to
> two separate workstations. However there are definitely more
> workstations than just the two with these errors.
>
> As for the workstations that are experiencing this error, they seem to
> generate this error in the event logs somewhere between 1 and 4 times a
> day at random time intervals. They all are having an issue with this
> particular print server which has been in operation for a little over a
> year. They also don't appear to be having any sort of loss of
> functionality as a result of these errors.
>
> The print server is a Windows Server 2003 R2 machine and the
> workstations are Windows XP.
>
> Any thoughts?
>
> Thanks,
> ~Ben
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx
>
>
>
| | | |
| bwatson
Posts:49
| | 12/02/2008 1:16 PM |
| Yes, there are no duplicate SPNs for the print server and no duplicate name resolution entries in both DNS and WINS.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al Mulnick
Sent: Tuesday, December 02, 2008 9:54 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos Workstation Errors
Did you verify no duplicate SPN's as well as no duplicate name resolution entries for all types of name resolution?
On Tue, Dec 2, 2008 at 12:47 PM, WATSON, BEN <bwatson@appsig.com> wrote:
Hi Al,
Yes, I should have mentioned that. I did look through the posts there and found none that seemed appropriate. Most of the posts seemed to run along the lines of the target machine being clustered (the print server is not clustered), a HOSTS file issue, or DNS. None of which are an issue with either the workstations or the print server.
Also, I am working in a single domain, single forest environment.
Thanks!
~Ben
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al Mulnick
Sent: Tuesday, December 02, 2008 9:41 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos Workstation Errors
Have you already seen this: http://www.eventid.net/display.asp?eventid=4&eventno=1968&source=Kerberos&phase=1
?
On Tue, Dec 2, 2008 at 12:14 PM, WATSON, BEN <bwatson@appsig.com> wrote:
Hello all,
Over the past couple weeks, I've seen several workstations showing the
same errors in the system event log of the workstation. This is the
error...
Source: Kerberos - EventID: 4
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/printserver.appsig.com <http://printserver.appsig.com/> . This indicates that the password used to
encrypt the kerberos service ticket is different than that on the target
server. Commonly, this is due to identically named machine accounts in
the target realm (APPSIG.COM <http://appsig.com/> ), and the client realm. Please contact
your system administrator.
When I check the system event logs on the print server, I only see two
entries in the event logs for a similar Kerberos error pointing back to
two separate workstations. However there are definitely more
workstations than just the two with these errors.
As for the workstations that are experiencing this error, they seem to
generate this error in the event logs somewhere between 1 and 4 times a
day at random time intervals. They all are having an issue with this
particular print server which has been in operation for a little over a
year. They also don't appear to be having any sort of loss of
functionality as a result of these errors.
The print server is a Windows Server 2003 R2 machine and the
workstations are Windows XP.
Any thoughts?
Thanks,
~Ben
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
| | | |
| amulnick
Posts:162
| | 12/02/2008 1:28 PM |
| Then I wonder if a trace would be helpful? From the client view point.
Al
On Tue, Dec 2, 2008 at 1:11 PM, WATSON, BEN <bwatson@appsig.com> wrote:
> Yes, there are no duplicate SPNs for the print server and no duplicate
> name resolution entries in both DNS and WINS.
>
>
>
> *From:* ActiveDir-owner@mail.activedir.org [mailto:
> ActiveDir-owner@mail.activedir.org] *On Behalf Of *Al Mulnick
> *Sent:* Tuesday, December 02, 2008 9:54 AM
>
> *To:* ActiveDir@mail.activedir.org
> *Subject:* Re: [ActiveDir] Kerberos Workstation Errors
>
>
>
> Did you verify no duplicate SPN's as well as no duplicate name resolution
> entries for all types of name resolution?
>
> On Tue, Dec 2, 2008 at 12:47 PM, WATSON, BEN <bwatson@appsig.com> wrote:
>
> Hi Al,
>
>
>
> Yes, I should have mentioned that. I did look through the posts there and
> found none that seemed appropriate. Most of the posts seemed to run along
> the lines of the target machine being clustered (the print server is not
> clustered), a HOSTS file issue, or DNS. None of which are an issue with
> either the workstations or the print server.
>
>
>
> Also, I am working in a single domain, single forest environment.
>
>
>
> Thanks!
>
> ~Ben
>
>
>
> *From:* ActiveDir-owner@mail.activedir.org [mailto:
> ActiveDir-owner@mail.activedir.org] *On Behalf Of *Al Mulnick
> *Sent:* Tuesday, December 02, 2008 9:41 AM
> *To:* ActiveDir@mail.activedir.org
> *Subject:* Re: [ActiveDir] Kerberos Workstation Errors
>
>
>
> Have you already seen this:
> http://www.eventid.net/display.asp?eventid=4&eventno=1968&source=Kerberos&phase=1
>
>
>
> ?
>
> On Tue, Dec 2, 2008 at 12:14 PM, WATSON, BEN <bwatson@appsig.com> wrote:
>
> Hello all,
>
> Over the past couple weeks, I've seen several workstations showing the
> same errors in the system event log of the workstation. This is the
> error...
>
> Source: Kerberos - EventID: 4
> The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
> host/printserver.appsig.com. This indicates that the password used to
> encrypt the kerberos service ticket is different than that on the target
> server. Commonly, this is due to identically named machine accounts in
> the target realm (APPSIG.COM <http://appsig.com/>, and the client realm.
> Please contact
> your system administrator.
>
> When I check the system event logs on the print server, I only see two
> entries in the event logs for a similar Kerberos error pointing back to
> two separate workstations. However there are definitely more
> workstations than just the two with these errors.
>
> As for the workstations that are experiencing this error, they seem to
> generate this error in the event logs somewhere between 1 and 4 times a
> day at random time intervals. They all are having an issue with this
> particular print server which has been in operation for a little over a
> year. They also don't appear to be having any sort of loss of
> functionality as a result of these errors.
>
> The print server is a Windows Server 2003 R2 machine and the
> workstations are Windows XP.
>
> Any thoughts?
>
> Thanks,
> ~Ben
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx
>
>
>
>
>
| | | |
| hboogz
Posts:58
| | 12/02/2008 1:32 PM |
| I'm experiencing a similar issue and was curious how can one check ( LDP.exe
?) for duplicate SPN's ?
On Tue, Dec 2, 2008 at 1:24 PM, Al Mulnick <amulnick@gmail.com> wrote:
> Then I wonder if a trace would be helpful? From the client view point.
>
> Al
>
> On Tue, Dec 2, 2008 at 1:11 PM, WATSON, BEN <bwatson@appsig.com> wrote:
>
>> Yes, there are no duplicate SPNs for the print server and no duplicate
>> name resolution entries in both DNS and WINS.
>>
>>
>>
>> *From:* ActiveDir-owner@mail.activedir.org [mailto:
>> ActiveDir-owner@mail.activedir.org] *On Behalf Of *Al Mulnick
>> *Sent:* Tuesday, December 02, 2008 9:54 AM
>>
>> *To:* ActiveDir@mail.activedir.org
>> *Subject:* Re: [ActiveDir] Kerberos Workstation Errors
>>
>>
>>
>> Did you verify no duplicate SPN's as well as no duplicate name resolution
>> entries for all types of name resolution?
>>
>> On Tue, Dec 2, 2008 at 12:47 PM, WATSON, BEN <bwatson@appsig.com> wrote:
>>
>> Hi Al,
>>
>>
>>
>> Yes, I should have mentioned that. I did look through the posts there and
>> found none that seemed appropriate. Most of the posts seemed to run along
>> the lines of the target machine being clustered (the print server is not
>> clustered), a HOSTS file issue, or DNS. None of which are an issue with
>> either the workstations or the print server.
>>
>>
>>
>> Also, I am working in a single domain, single forest environment.
>>
>>
>>
>> Thanks!
>>
>> ~Ben
>>
>>
>>
>> *From:* ActiveDir-owner@mail.activedir.org [mailto:
>> ActiveDir-owner@mail.activedir.org] *On Behalf Of *Al Mulnick
>> *Sent:* Tuesday, December 02, 2008 9:41 AM
>> *To:* ActiveDir@mail.activedir.org
>> *Subject:* Re: [ActiveDir] Kerberos Workstation Errors
>>
>>
>>
>> Have you already seen this:
>> http://www.eventid.net/display.asp?eventid=4&eventno=1968&source=Kerberos&phase=1
>>
>>
>>
>> ?
>>
>> On Tue, Dec 2, 2008 at 12:14 PM, WATSON, BEN <bwatson@appsig.com> wrote:
>>
>> Hello all,
>>
>> Over the past couple weeks, I've seen several workstations showing the
>> same errors in the system event log of the workstation. This is the
>> error...
>>
>> Source: Kerberos - EventID: 4
>> The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
>> host/printserver.appsig.com. This indicates that the password used to
>> encrypt the kerberos service ticket is different than that on the target
>> server. Commonly, this is due to identically named machine accounts in
>> the target realm (APPSIG.COM <http://appsig.com/>, and the client realm.
>> Please contact
>> your system administrator.
>>
>> When I check the system event logs on the print server, I only see two
>> entries in the event logs for a similar Kerberos error pointing back to
>> two separate workstations. However there are definitely more
>> workstations than just the two with these errors.
>>
>> As for the workstations that are experiencing this error, they seem to
>> generate this error in the event logs somewhere between 1 and 4 times a
>> day at random time intervals. They all are having an issue with this
>> particular print server which has been in operation for a little over a
>> year. They also don't appear to be having any sort of loss of
>> functionality as a result of these errors.
>>
>> The print server is a Windows Server 2003 R2 machine and the
>> workstations are Windows XP.
>>
>> Any thoughts?
>>
>> Thanks,
>> ~Ben
>> List info : http://www.activedir.org/List.aspx
>> List FAQ : http://www.activedir.org/ListFAQ.aspx
>> List archive: http://www.activedir.org/ma/default.aspx
>>
>>
>>
>>
>>
>
>
| | | |
| amulnick
Posts:162
| | 12/02/2008 1:38 PM |
| Here's one way:
http://blogs.dirteam.com/blogs/carlos/archive/2006/04/21/812.aspx
On Tue, Dec 2, 2008 at 1:29 PM, Harry Singh <hboogz@gmail.com> wrote:
> I'm experiencing a similar issue and was curious how can one check (
> LDP.exe ?) for duplicate SPN's ?
>
>
> On Tue, Dec 2, 2008 at 1:24 PM, Al Mulnick <amulnick@gmail.com> wrote:
>
>> Then I wonder if a trace would be helpful? From the client view point.
>>
>> Al
>>
>> On Tue, Dec 2, 2008 at 1:11 PM, WATSON, BEN <bwatson@appsig.com> wrote:
>>
>>> Yes, there are no duplicate SPNs for the print server and no duplicate
>>> name resolution entries in both DNS and WINS.
>>>
>>>
>>>
>>> *From:* ActiveDir-owner@mail.activedir.org [mailto:
>>> ActiveDir-owner@mail.activedir.org] *On Behalf Of *Al Mulnick
>>> *Sent:* Tuesday, December 02, 2008 9:54 AM
>>>
>>> *To:* ActiveDir@mail.activedir.org
>>> *Subject:* Re: [ActiveDir] Kerberos Workstation Errors
>>>
>>>
>>>
>>> Did you verify no duplicate SPN's as well as no duplicate name resolution
>>> entries for all types of name resolution?
>>>
>>> On Tue, Dec 2, 2008 at 12:47 PM, WATSON, BEN <bwatson@appsig.com> wrote:
>>>
>>> Hi Al,
>>>
>>>
>>>
>>> Yes, I should have mentioned that. I did look through the posts there
>>> and found none that seemed appropriate. Most of the posts seemed to run
>>> along the lines of the target machine being clustered (the print server is
>>> not clustered), a HOSTS file issue, or DNS. None of which are an issue with
>>> either the workstations or the print server.
>>>
>>>
>>>
>>> Also, I am working in a single domain, single forest environment.
>>>
>>>
>>>
>>> Thanks!
>>>
>>> ~Ben
>>>
>>>
>>>
>>> *From:* ActiveDir-owner@mail.activedir.org [mailto:
>>> ActiveDir-owner@mail.activedir.org] *On Behalf Of *Al Mulnick
>>> *Sent:* Tuesday, December 02, 2008 9:41 AM
>>> *To:* ActiveDir@mail.activedir.org
>>> *Subject:* Re: [ActiveDir] Kerberos Workstation Errors
>>>
>>>
>>>
>>> Have you already seen this:
>>> http://www.eventid.net/display.asp?eventid=4&eventno=1968&source=Kerberos&phase=1
>>>
>>>
>>>
>>> ?
>>>
>>> On Tue, Dec 2, 2008 at 12:14 PM, WATSON, BEN <bwatson@appsig.com> wrote:
>>>
>>> Hello all,
>>>
>>> Over the past couple weeks, I've seen several workstations showing the
>>> same errors in the system event log of the workstation. This is the
>>> error...
>>>
>>> Source: Kerberos - EventID: 4
>>> The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
>>> host/printserver.appsig.com. This indicates that the password used to
>>> encrypt the kerberos service ticket is different than that on the target
>>> server. Commonly, this is due to identically named machine accounts in
>>> the target realm (APPSIG.COM <http://appsig.com/>, and the client
>>> realm. Please contact
>>> your system administrator.
>>>
>>> When I check the system event logs on the print server, I only see two
>>> entries in the event logs for a similar Kerberos error pointing back to
>>> two separate workstations. However there are definitely more
>>> workstations than just the two with these errors.
>>>
>>> As for the workstations that are experiencing this error, they seem to
>>> generate this error in the event logs somewhere between 1 and 4 times a
>>> day at random time intervals. They all are having an issue with this
>>> particular print server which has been in operation for a little over a
>>> year. They also don't appear to be having any sort of loss of
>>> functionality as a result of these errors.
>>>
>>> The print server is a Windows Server 2003 R2 machine and the
>>> workstations are Windows XP.
>>>
>>> Any thoughts?
>>>
>>> Thanks,
>>> ~Ben
>>> List info : http://www.activedir.org/List.aspx
>>> List FAQ : http://www.activedir.org/ListFAQ.aspx
>>> List archive: http://www.activedir.org/ma/default.aspx
>>>
>>>
>>>
>>>
>>>
>>
>>
>
| | | |
| hboogz
Posts:58
| | 12/02/2008 1:49 PM |
| Perfect.
Thanks Al.
On Tue, Dec 2, 2008 at 1:33 PM, Al Mulnick <amulnick@gmail.com> wrote:
> Here's one way:
> http://blogs.dirteam.com/blogs/carlos/archive/2006/04/21/812.aspx
>
> On Tue, Dec 2, 2008 at 1:29 PM, Harry Singh <hboogz@gmail.com> wrote:
>
>> I'm experiencing a similar issue and was curious how can one check (
>> LDP.exe ?) for duplicate SPN's ?
>>
>>
>> On Tue, Dec 2, 2008 at 1:24 PM, Al Mulnick <amulnick@gmail.com> wrote:
>>
>>> Then I wonder if a trace would be helpful? From the client view point.
>>>
>>> Al
>>>
>>> On Tue, Dec 2, 2008 at 1:11 PM, WATSON, BEN <bwatson@appsig.com>wrote:
>>>
>>>> Yes, there are no duplicate SPNs for the print server and no duplicate
>>>> name resolution entries in both DNS and WINS.
>>>>
>>>>
>>>>
>>>> *From:* ActiveDir-owner@mail.activedir.org [mailto:
>>>> ActiveDir-owner@mail.activedir.org] *On Behalf Of *Al Mulnick
>>>> *Sent:* Tuesday, December 02, 2008 9:54 AM
>>>>
>>>> *To:* ActiveDir@mail.activedir.org
>>>> *Subject:* Re: [ActiveDir] Kerberos Workstation Errors
>>>>
>>>>
>>>>
>>>> Did you verify no duplicate SPN's as well as no duplicate name
>>>> resolution entries for all types of name resolution?
>>>>
>>>> On Tue, Dec 2, 2008 at 12:47 PM, WATSON, BEN <bwatson@appsig.com>
>>>> wrote:
>>>>
>>>> Hi Al,
>>>>
>>>>
>>>>
>>>> Yes, I should have mentioned that. I did look through the posts there
>>>> and found none that seemed appropriate. Most of the posts seemed to run
>>>> along the lines of the target machine being clustered (the print server is
>>>> not clustered), a HOSTS file issue, or DNS. None of which are an issue with
>>>> either the workstations or the print server.
>>>>
>>>>
>>>>
>>>> Also, I am working in a single domain, single forest environment.
>>>>
>>>>
>>>>
>>>> Thanks!
>>>>
>>>> ~Ben
>>>>
>>>>
>>>>
>>>> *From:* ActiveDir-owner@mail.activedir.org [mailto:
>>>> ActiveDir-owner@mail.activedir.org] *On Behalf Of *Al Mulnick
>>>> *Sent:* Tuesday, December 02, 2008 9:41 AM
>>>> *To:* ActiveDir@mail.activedir.org
>>>> *Subject:* Re: [ActiveDir] Kerberos Workstation Errors
>>>>
>>>>
>>>>
>>>> Have you already seen this:
>>>> http://www.eventid.net/display.asp?eventid=4&eventno=1968&source=Kerberos&phase=1
>>>>
>>>>
>>>>
>>>> ?
>>>>
>>>> On Tue, Dec 2, 2008 at 12:14 PM, WATSON, BEN <bwatson@appsig.com>
>>>> wrote:
>>>>
>>>> Hello all,
>>>>
>>>> Over the past couple weeks, I've seen several workstations showing the
>>>> same errors in the system event log of the workstation. This is the
>>>> error...
>>>>
>>>> Source: Kerberos - EventID: 4
>>>> The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
>>>> host/printserver.appsig.com. This indicates that the password used to
>>>> encrypt the kerberos service ticket is different than that on the target
>>>> server. Commonly, this is due to identically named machine accounts in
>>>> the target realm (APPSIG.COM <http://appsig.com/>, and the client
>>>> realm. Please contact
>>>> your system administrator.
>>>>
>>>> When I check the system event logs on the print server, I only see two
>>>> entries in the event logs for a similar Kerberos error pointing back to
>>>> two separate workstations. However there are definitely more
>>>> workstations than just the two with these errors.
>>>>
>>>> As for the workstations that are experiencing this error, they seem to
>>>> generate this error in the event logs somewhere between 1 and 4 times a
>>>> day at random time intervals. They all are having an issue with this
>>>> particular print server which has been in operation for a little over a
>>>> year. They also don't appear to be having any sort of loss of
>>>> functionality as a result of these errors.
>>>>
>>>> The print server is a Windows Server 2003 R2 machine and the
>>>> workstations are Windows XP.
>>>>
>>>> Any thoughts?
>>>>
>>>> Thanks,
>>>> ~Ben
>>>> List info : http://www.activedir.org/List.aspx
>>>> List FAQ : http://www.activedir.org/ListFAQ.aspx
>>>> List archive: http://www.activedir.org/ma/default.aspx
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>
>
| | | |
| gabriel/tfi
Posts:381
| | 12/02/2008 7:16 PM |
| You may dump all SPN’s from your workstation with
a) "cscript spnquery.vbs * domain.com > C:\spndump.txt"
http://www.microsoft.com/technet/scriptcenter/solutions/spnquery.mspx
b) ldifde –s gcname –f C:\spndump.txt –r "(serviceprincipalname=*)" -l serviceprincipalname
c) adfind -gc -b "" -f "servicePrincipalName=*"
I don’t have an AD in my hands right now, so I might have forgotten something…
Regards – Gabriele.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Harry Singh
Sent: martedì 2 dicembre 2008 19.29
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos Workstation Errors
I'm experiencing a similar issue and was curious how can one check ( LDP.exe ?) for duplicate SPN's ?
On Tue, Dec 2, 2008 at 1:24 PM, Al Mulnick <amulnick@gmail.com> wrote:
Then I wonder if a trace would be helpful? From the client view point.
Al
On Tue, Dec 2, 2008 at 1:11 PM, WATSON, BEN <bwatson@appsig.com> wrote:
Yes, there are no duplicate SPNs for the print server and no duplicate name resolution entries in both DNS and WINS.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al Mulnick
Sent: Tuesday, December 02, 2008 9:54 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos Workstation Errors
Did you verify no duplicate SPN's as well as no duplicate name resolution entries for all types of name resolution?
On Tue, Dec 2, 2008 at 12:47 PM, WATSON, BEN <bwatson@appsig.com> wrote:
Hi Al,
Yes, I should have mentioned that. I did look through the posts there and found none that seemed appropriate. Most of the posts seemed to run along the lines of the target machine being clustered (the print server is not clustered), a HOSTS file issue, or DNS. None of which are an issue with either the workstations or the print server.
Also, I am working in a single domain, single forest environment.
Thanks!
~Ben
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al Mulnick
Sent: Tuesday, December 02, 2008 9:41 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos Workstation Errors
Have you already seen this: http://www.eventid.net/display.asp?eventid=4 <http://www.eventid.net/display.asp?eventid=4&eventno=1968&source=Kerberos&phase=1> &eventno=1968&source=Kerberos&phase=1
?
On Tue, Dec 2, 2008 at 12:14 PM, WATSON, BEN <bwatson@appsig.com> wrote:
Hello all,
Over the past couple weeks, I've seen several workstations showing the
same errors in the system event log of the workstation. This is the
error...
Source: Kerberos - EventID: 4
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/printserver.appsig.com <http://printserver.appsig.com/> . This indicates that the password used to
encrypt the kerberos service ticket is different than that on the target
server. Commonly, this is due to identically named machine accounts in
the target realm (APPSIG.COM <http://appsig.com/> ), and the client realm. Please contact
your system administrator.
When I check the system event logs on the print server, I only see two
entries in the event logs for a similar Kerberos error pointing back to
two separate workstations. However there are definitely more
workstations than just the two with these errors.
As for the workstations that are experiencing this error, they seem to
generate this error in the event logs somewhere between 1 and 4 times a
day at random time intervals. They all are having an issue with this
particular print server which has been in operation for a little over a
year. They also don't appear to be having any sort of loss of
functionality as a result of these errors.
The print server is a Windows Server 2003 R2 machine and the
workstations are Windows XP.
Any thoughts?
Thanks,
~Ben
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
| | | |
| joe
Posts:104
| | 12/02/2008 10:31 PM |
| This should be easier than that though. It is very likely that there IS a
duplicate SPN here. A simple search forest wide for:
(servicePrincipalName=HOST/printserver.appsig.com) should return more than
one object. Once the objects are identified, the key is to decide which one
is the correct one and remove the SPN from the other account or delete the
object if it is not needed.
It is possible that there is a DNS alias here that might be causing the
problem. Doing an nslookup on printserver.appsig.com might yield something
useful, but I'm guessing that probably isn't it. The other key thing is
that if that DNS name points to an IP address that is load balanced, then
that is likely the source of the problem (doesn't have to be clustering per
say; just more than one service instance behind the same DNS name).
Joe K.
----- Original Message -----
From: Gabriele Scolaro
To: ActiveDir@mail.activedir.org
Sent: Tuesday, December 02, 2008 6:11 PM
Subject: RE: [ActiveDir] Kerberos Workstation Errors
You may dump all SPN’s from your workstation with
a) "cscript spnquery.vbs * domain.com > C:\spndump.txt"
http://www.microsoft.com/technet/scriptcenter/solutions/spnquery.mspx
b) ldifde –s gcname –f C:\spndump.txt –r "(serviceprincipalname=*)" -l
serviceprincipalname
c) adfind -gc -b "" -f "servicePrincipalName=*"
I don’t have an AD in my hands right now, so I might have forgotten
something…
Regards – Gabriele.
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Harry Singh
Sent: martedì 2 dicembre 2008 19.29
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos Workstation Errors
I'm experiencing a similar issue and was curious how can one check ( LDP.exe
?) for duplicate SPN's ?
On Tue, Dec 2, 2008 at 1:24 PM, Al Mulnick <amulnick@gmail.com> wrote:
Then I wonder if a trace would be helpful? From the client view point.
Al
On Tue, Dec 2, 2008 at 1:11 PM, WATSON, BEN <bwatson@appsig.com> wrote:
Yes, there are no duplicate SPNs for the print server and no duplicate name
resolution entries in both DNS and WINS.
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al Mulnick
Sent: Tuesday, December 02, 2008 9:54 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos Workstation Errors
Did you verify no duplicate SPN's as well as no duplicate name resolution
entries for all types of name resolution?
On Tue, Dec 2, 2008 at 12:47 PM, WATSON, BEN <bwatson@appsig.com> wrote:
Hi Al,
Yes, I should have mentioned that. I did look through the posts there and
found none that seemed appropriate. Most of the posts seemed to run along
the lines of the target machine being clustered (the print server is not
clustered), a HOSTS file issue, or DNS. None of which are an issue with
either the workstations or the print server.
Also, I am working in a single domain, single forest environment.
Thanks!
~Ben
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al Mulnick
Sent: Tuesday, December 02, 2008 9:41 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos Workstation Errors
Have you already seen this:
http://www.eventid.net/display.asp?eventid=4&eventno=1968&source=Kerberos&phase=1
?
On Tue, Dec 2, 2008 at 12:14 PM, WATSON, BEN <bwatson@appsig.com> wrote:
Hello all,
Over the past couple weeks, I've seen several workstations showing the
same errors in the system event log of the workstation. This is the
error...
Source: Kerberos - EventID: 4
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/printserver.appsig.com. This indicates that the password used to
encrypt the kerberos service ticket is different than that on the target
server. Commonly, this is due to identically named machine accounts in
the target realm (APPSIG.COM), and the client realm. Please contact
your system administrator.
When I check the system event logs on the print server, I only see two
entries in the event logs for a similar Kerberos error pointing back to
two separate workstations. However there are definitely more
workstations than just the two with these errors.
As for the workstations that are experiencing this error, they seem to
generate this error in the event logs somewhere between 1 and 4 times a
day at random time intervals. They all are having an issue with this
particular print server which has been in operation for a little over a
year. They also don't appear to be having any sort of loss of
functionality as a result of these errors.
The print server is a Windows Server 2003 R2 machine and the
workstations are Windows XP.
Any thoughts?
Thanks,
~Ben
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
| | | |
|
|