Generally if time is off you get a completely different error: something like 
KDC_ERR_TIME_SKEW (off the top of my head)

Cheers
Ken

-----Original Message-----
From: Maglinger, Paul [mailto:[email protected]] 
Sent: Wednesday, 23 June 2010 10:36 PM
To: NT System Admin Issues
Subject: RE: Need help nailing down Kerberos errors

That looks good.  The worst one was .01.


-----Original Message-----
From: Raper, Jonathan - Eagle [mailto:[email protected]]
Sent: Wednesday, June 23, 2010 9:23 AM
To: NT System Admin Issues
Subject: RE: Need help nailing down Kerberos errors

Paul,

Are you certain that your time is properly in sync across your domain?
What is your NTP source? Is it stable, and is the same source consistent across 
the domain?

Use this line to see if your DCs are properly in sync:

w32tm /monitor | find /i "NTP:"

should be (ideally) 1-2 seconds difference or less.



Jonathan L. Raper, A+, MCSA, MCSE
Technology Coordinator
Eagle Physicians & Associates, PA
[email protected]
www.eaglemds.com
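
An added example, not part of the original thread: a small Python parser for the unfiltered `w32tm /monitor` output (without the `find` filter, so the host lines are kept) that classifies each DC's offset. The sample output and host names are constructed; the 2-second threshold comes from the message above, and the 300-second limit assumes the default Kerberos clock-skew tolerance of 5 minutes is in effect.

```python
import re

# Constructed sample shaped like `w32tm /monitor` output (host names are made up).
SAMPLE = """\
dc1.example.local *** PDC ***[10.0.0.1:123]:
    ICMP: 0ms delay
    NTP: +0.0000000s offset from dc1.example.local
dc2.example.local[10.0.0.2:123]:
    ICMP: 0ms delay
    NTP: -0.0100000s offset from dc1.example.local
dc3.example.local[10.0.0.3:123]:
    ICMP: 1ms delay
    NTP: +312.4400000s offset from dc1.example.local
dc4.example.local[10.0.0.4:123]:
    ICMP: error IP_REQ_TIMED_OUT - no response in 1000ms
    NTP: error ERROR_TIMEOUT - no response from server in 1000ms
"""

HOST_RE = re.compile(r"^([^\s\[]+)(?: \*\*\* PDC \*\*\*)?\[")    # unindented host line
NTP_RE = re.compile(r"^\s+NTP:\s+([+-]\d+(?:\.\d+)?)s offset")   # measured offset
ERR_RE = re.compile(r"^\s+NTP:\s+error\s+(\S+)")                 # NTP query failed

def check_offsets(text, ideal=2.0, kerberos_max=300.0):
    """Return {host: (status, abs_offset_seconds_or_None)}.

    ideal        -- the "1-2 seconds or less" target from the thread
    kerberos_max -- assumed default Kerberos tolerance (5 minutes)
    """
    results, host = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            continue
        if host is None:
            continue
        m = NTP_RE.match(line)
        if m:
            off = abs(float(m.group(1)))
            status = "ok" if off <= ideal else "drift" if off <= kerberos_max else "skew"
            results[host] = (status, off)
        elif ERR_RE.match(line):
            # No answer is not the same as "in sync": report it separately.
            results[host] = ("unreachable", None)
    return results

if __name__ == "__main__":
    for dc, (status, off) in check_offsets(SAMPLE).items():
        print(f"{dc:22} {status:12} {'' if off is None else f'{off:.4f}s'}")
```
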


-----Original Message-----
From: Maglinger, Paul [mailto:[email protected]]
Sent: Wednesday, June 23, 2010 10:15 AM
To: NT System Admin Issues
Subject: Need help nailing down Kerberos errors

Some background here.  We're running a Windows 2003 Server environment.
We have a Windows 2003 Storage Server that is serving both the Windows servers 
through file shares and our HP-UX servers using NFS.  We started seeing some 
problems with RPC and disk I/O errors when copying from the HP-UX machines.  
From the Windows machines, Explorer sometimes takes a long time to display 
directory contents on the shared directories.
Because of the RPC errors, I was thinking that it was taking a while to 
authenticate and timing out.  While trying to troubleshoot this, I changed the 
primary DNS server in the network settings and that seemed to improve things 
quite a bit.  This led me to think to look at checking out communication 
between the domain controllers.

It was at this time that something led me to turn on logging for Kerberos.  
After doing that, I'm getting event ID 3 errors from source Kerberos.  The 
error code is either 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN or 0xd KDC_ERR_BADOPTION.

Googling has brought back that this is caused by an SPN that is not registered.
There were several sites that recommended using the Network Monitor to find the 
offending SPN and then gave the instructions to authenticate it.  Unfortunately, 
I am unclear on what to look for in the Network Monitor to determine the bad 
SPN.  And it seems that a lot of the sites I went to just copied and pasted the 
same instructions.

So to sum it up, how do I use Network Monitor to determine the SPN that needs 
to be authenticated?

-Paul

~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
<http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~


Any medical information contained in this electronic message is CONFIDENTIAL 
and privileged. It is unlawful for unauthorized persons to view, copy, 
disclose, or disseminate CONFIDENTIAL information. This electronic message may 
contain information that is confidential and/or legally privileged. It is 
intended only for the use of the individual(s) and/or entity named as 
recipients in the message. If you are not an intended recipient of this 
message, please notify the sender immediately and delete this material from 
your computer. Do not deliver, distribute or copy this message, and do not 
disclose its contents or take any action in reliance on the information that it 
contains.

