| Author | Messages | |
coolandynet
Posts:20
 | | 03/11/2010 9:23 AM |
| For the last 3 days I have been getting Kerberos Event ID 3 with the details below on my Windows 2003 Ent. Edition + SP2 DC:

Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 3
Date: 3/11/2010
Time: *2:13:31 PM*
User: N/A
Computer: DC1
Description:
A Kerberos Error Message was received:
 on logon session
 Client Time:
 Server Time: *8:43:31.0000* 3/11/2010 Z
 Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
 Extended Error:
 Client Realm:
 Client Name:
 Server Realm: Domain.COM
 Server Name: dc1.domain.COM
 Target Name: dc1.domain.COM@domain.COM
 Error Text:
 File: 9
 Line: b22
 Error Data is in record data.

The strange thing is that the server event time is now 2:13 PM, but in the event it is showing 8:43:31.
I ran w32tm on the same DC and the result is:

C:\>w32tm /tz
Time zone: Current:TIME_ZONE_ID_UNKNOWN Bias: *-330min* (UTC=LocalTime+Bias)
  [Standard Name:"India Standard Time" Bias:0min Date unspecified)]
  [Daylight Name:"India Standard Time" Bias:0min Date unspecified)]

Please guide me on what needs to be done to get the time in sync for the KDC.
Cheers,
Andy Success is always Demanding.
| | | |
| tonyszko
Posts:121
 | | 03/11/2010 9:27 AM |
| On 3/11/2010 10:22 AM, Andy wrote:
> Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN

But this error indicates that you have a problem with the configuration of a service account or SPNs rather than a time issue.
-- Tomasz Onyszko http://www.w2k.pl/ - (PL) http://blogs.dirteam.com/blogs/tomek/ - (EN)
| | | |
| coolandynet
Posts:20
 | | 03/11/2010 9:36 AM |
| On the internet I am getting the same result, that it is related to the service account or SPN. But when I saw the time details I thought it might be related to time. Any thoughts on why it is showing a different time?
Also, I am not clear about how the SA or SPN needs to be configured.
Cheers,
Andy Success is always Demanding.
| | | |
| kbatkbslpcom
Posts:144
 | | 03/11/2010 1:47 PM |
| If you want to quickly/easily verify the time across the DC's in your domain, try the following w32tm command on any (2003) domain controller
Below is just a subset from the DC's of one of the domains I manage (if you want all the details, just enter w32tm /monitor)
All those offsets on your DC's (comparing to the PDC emulator) should be small -- under 1-2 seconds (all those listed below are off much less than 1 second).
C:\>w32tm /monitor | find /i "NTP:"
NTP: +0.0501636s offset from PDC-NAME.domain.local
NTP: +0.0217002s offset from PDC-NAME.domain.local
NTP: +0.0050036s offset from PDC-NAME.domain.local
NTP: +0.0134611s offset from PDC-NAME.domain.local
NTP: +0.0163209s offset from PDC-NAME.domain.local
NTP: +0.0036561s offset from PDC-NAME.domain.local
NTP: +0.0057342s offset from PDC-NAME.domain.local
NTP: +0.0127954s offset from PDC-NAME.domain.local
NTP: +0.0018019s offset from PDC-NAME.domain.local
NTP: +0.0001502s offset from PDC-NAME.domain.local
NTP: +0.0000218s offset from PDC-NAME.domain.local
NTP: +0.0063428s offset from PDC-NAME.domain.local
NTP: -0.0269724s offset from PDC-NAME.domain.local
Unless you have hardware issues on your DC's, the time on all of them should be no more than a few seconds off (I think Microsoft indicates no more than 5 seconds, assuming the DC's are able to communicate with each other).
I do have some virtual DC's where the time does vary by a large amount - I've seen as much as 12 seconds off - but usually it is no more than 3-4 seconds - and that time variance is dependent upon the load of the virtual host itself, which I have no particular control over.
| | | |
| nbahta1
Posts:5
 | | 03/12/2010 5:14 AM |
| It looks as though your server time is being shown in ZULU time or GMT (UTC). The event time is therefore your local time which is 2:13 and the GMT (UTC) is 8:43. It looks like your timezone puts you 6hrs and 30 minutes ahead of GMT. So your time looks correct.
Nathaniel V Bahta MCS
| | | |
| coolandynet
Posts:20
 | | 03/13/2010 9:21 AM |
| Thanks Brown and Nathaniel for clarifying me about the DC time. But the question/error remains same. I am not clear what steps I have to take to resolve this error.
I have run the below command on the problematic DC but no luck.
setspn -A DCname
I have gone through the below thread but it says to just bypass this; I guess that is not a solution... http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/78f1026a-7531-4228-b00a-4a334810b539
I have also noticed that in my domain, randomly, DOMAIN users who have administrator rights are getting a pop-up for username and password while opening Event Viewer or any other management MSC file. Some users are getting an Access Denied error while saving files from internet\intranet to a local drive/My Documents where they have full rights.
I am guessing that this error on the DC might be related to the access issue faced by users. Please help me to clear and resolve this. For more info I am pasting the error logs here again.
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 3
Date: 3/13/2010
Time: 2:33:09 PM
User: N/A
Computer: DCMUM1
Description:
A Kerberos Error Message was received:
 on logon session
 Client Time:
 Server Time: 9:3:9.0000 3/13/2010 Z
 Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
 Extended Error:
 Client Realm:
 Client Name:
 Server Realm: Domain.COM
 Server Name: cifs/172.100.1.11
 Target Name: cifs/172.100.1.11@Domain.COM
 Error Text:
 File: 9
 Line: b22
 Error Data is in record data.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 3
Date: 3/13/2010
Time: 2:33:05 PM
User: N/A
Computer: DCMUM1
Description:
A Kerberos Error Message was received:
 on logon session
 Client Time:
 Server Time: 9:3:5.0000 3/13/2010 Z
 Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
 Extended Error:
 Client Realm:
 Client Name:
 Server Realm: Domain.COM
 Server Name: dcmum1.Domain.COM
 Target Name: dcmum1.Domain.COM@Domain.COM
 Error Text:
 File: 9
 Line: b22
 Error Data is in record data.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 3
Date: 3/13/2010
Time: 1:32:40 PM
User: N/A
Computer: DCMUM1
Description:
A Kerberos Error Message was received:
 on logon session
 Client Time:
 Server Time: 8:2:40.0000 3/13/2010 Z
 Error Code: 0xd KDC_ERR_BADOPTION
 Extended Error: 0xc00000bb KLIN(0)
 Client Realm:
 Client Name:
 Server Realm: Domain.COM
 Server Name: host/dcmum1.Domain.com
 Target Name: host/dcmum1.Domain.com@Domain.COM
 Error Text:
 File: 9
 Line: b22
 Error Data is in record data.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 30 15 a1 03 02 01 03 a2 0.¡....¢
0008: 0e 04 0c bb 00 00 c0 00 ...»..À.
0010: 00 00 00 03 00 00 00 .......
Cheers,
Andy Success is always Demanding. Cheers,
| | | |
| skradel
Posts:54
 | | 03/13/2010 6:08 PM |
| One more thought - check your DNS PTRs. I see bare IP addresses in the logs below, and certainly you have (I hope) not registered any SPNs for IP addresses.
When establishing a session to a service, it is up to the client to decide what the name of that service is when talking to the KDC. I suspect a CIFS client will reverse-resolve an IP address first, so it can ask the KDC for a ticket to CIFS/somehost.somerealm.net or HOST/somehost.somerealm.net rather than CIFS/192.168.5.5. The latter would simply not be present in the security database.
Re. being prompted for credentials unexpectedly, it could be a variety of things. Missing UPNs / SPNs, bad time, bad DNS, most anything that could upset Kerberos. See if w32tm /monitor produces anything of interest. Don't worry about the timezone - worry about the time skew.
--Steve
| | | |
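A triage sketch for the Event ID 3 records quoted in this thread, added here as an example and not code from any of the posters: it removes the `w32tm /tz` bias before comparing the logged time with `Server Time`, and flags SPNs whose host part is an IP address. The function names and the reduced record layout are assumptions; the field values are copied from the events above.

```python
import ipaddress
import re
from datetime import datetime, timedelta

BIAS_MIN = -330  # from the thread's `w32tm /tz` output: UTC = LocalTime + Bias

# Constructed sample: field values copied from one Event ID 3 record in the thread.
SAMPLE = """\
Date: 3/13/2010
Time: 2:33:09 PM
Server Time: 9:3:9.0000 3/13/2010 Z
Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
Server Name: cifs/172.100.1.11
"""

def parse_event(text):
    """Turn the 'Key: value' lines of an event description into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def residual_skew(fields, bias_min=BIAS_MIN):
    """Seconds left between logged time and Server Time once the bias is removed."""
    local = datetime.strptime(fields["Date"] + " " + fields["Time"],
                              "%m/%d/%Y %I:%M:%S %p")
    m = re.match(r"(\d+):(\d+):(\d+)\.\d+ (\d+)/(\d+)/(\d+) Z", fields["Server Time"])
    if not m:
        raise ValueError("unrecognised Server Time field")
    h, mi, s, mo, d, y = map(int, m.groups())
    server_utc = datetime(y, mo, d, h, mi, s)
    return ((local + timedelta(minutes=bias_min)) - server_utc).total_seconds()

def spn_finding(fields):
    """Flag an SPN whose host part is an IP literal; return None otherwise."""
    service, _, host = fields["Server Name"].rpartition("/")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return None
    return f"{service}/{host}: IP-literal SPN, check the PTR record for {host}"

def triage(text):
    f = parse_event(text)
    return {"error": f["Error Code"].split()[-1],
            "skew_s": residual_skew(f), "spn": spn_finding(f)}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A `skew_s` of zero means the gap between the two timestamps is only the time-zone bias; a non-zero value is what `w32tm /monitor` should then be used to confirm.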