Re: Windows event id 4 (kerberos)

2010-01-20 Thread raj esh L
Re-joining all 3 computers is bit difficult. We get 3 to 4 more events per day 
and always BRAPRINT001 is common but rest two computer names are changed. If I 
try to do it in such a way I have to un-join many computers. The rest two 
computers are always winxp. 

I think if we understand the description very well, we can easily trouble shoot 
it. 

I generated Lsass.log and netmon captures but could not understand. Do you know 
any blog who could help by analyzing netmon captures?

However thanks for all your help you provided so far. 



From: Christopher D. Clausen 
To: raj esh L 
Cc: kerberos@mit.edu
Sent: Wed, 20 January, 2010 22:53:11
Subject: Re: Windows event id 4 (kerberos)

I have no other suggestions.  I'd say to try re-joining all three 
computers, one at a time, and see if the errors go away.

The error basically means that the Kerberos "stuff" sent across the 
network could not be used by the client computer.  Again, this is 
usually due to two computer accounts with the same name and the wrong 
one being used for communication from some other computer.  It could 
also be that network errors caused packet corruption causing the message 
to be generated.

< wrote:
> Thanks for your response.
>
> I have not tried to un-join & join. I can try this option as a last
> effort.
> If i need to un-join, Which machine do I need to do? Is BRAPRINT001?
> Time zones are correct on all servers.
> I queried all the dcs event logs for eventid 11 through
> eventcombat.exe but none of these SPNS found.
>
> As per the description, 3 server names (braprint001 where I get
> alerts and other two) are involved in this problem. I could not able
> to understand the description itself. Can you plz explain what it is?
> I captured netmon for it at the time of problem occurred. These all
> names are appearing over there. But I could not understand it.
>
> It's my humble request to verify those and make me understand.
>
>
>
>
> 
> From: Christopher D. Clausen 
> To: raj esh L 
> Cc: kerberos@mit.edu
> Sent: Wed, 20 January, 2010 21:15:13
> Subject: Re: Windows event id 4 (kerberos)
>
> The error list in netstat (as well as in the other email that you
> sent)
> seems reasonable for a machine that has been up for a period of time.
> Setspn output looks reasonable as well.
>
> Have you tried just un-joining and re-joining the computer account in
> question to the domain? This usually fixes the problem in my
> experience, assuming there isn't some actual underlying cause (like
> duplicated accounts.) You may need to delete and re-create the
> computer
> account after un-joining.
>
> Are the times and time zones correct on these systems? Do they
> regularly synchronize to the domain controller's time?
>
> Are there any errors in the event log on the domain controllers about
> duplicate computer accounts?
>
> Some of the suggestions here might be useful to you as well:
> http://eventid.net/display.asp?eventid=4&eventno=1968&source=Kerberos&phase=1
> http://eventid.net/display.asp?eventid=11&eventno=569&source=KDC&phase=1
>
> <
> raj esh L  wrote:
>> No samba and non-windows. All are windows servers.
>>
>>
>> U:\>setspn -l SLH-001155
>> Registered ServicePrincipalNames for
>> CN=SLH-001155,OU=Laptops,OU=SLH,OU=GBR,OU=E
>> UR,DC=dir,DC=ucb-group,DC=com:
>> HOST/SLH-001155
>> HOST/SLH-001155.dir.ucb-group.com
>>
>> U:\>setspn -l BRAPRINT001
>> Registered ServicePrincipalNames for
>> CN=BRAPRINT001,OU=Servers,OU=Global,OU=BEL,
>> OU=EUR,DC=dir,DC=ucb-group,DC=com:
>> HOST/BRAPRINT001
>> HOST/BRAPRINT001.dir.ucb-group.com
>>
>> U:\>setspn -l ATL017784
>> Registered ServicePrincipalNames for
>> CN=ATL017784,OU=Laptops,OU=ATL,OU=USA,OU=AM
>> E,DC=dir,DC=ucb-group,DC=com:
>> HOST/ATL017784
>> HOST/ATL017784.dir.ucb-group.com
>>
>> U:\>netstat -s
>> IPv4 Statistics
>> Received Header Errors = 0
>> Received Address Errors = 42563
>> Unknown Protocols Received = 0
>> Received Packets Discarded = 0
>> Routing Discards = 0
>> Discarded Output Packets = 0
>> Output Packet No Route = 0
>> Reassembly Failures = 0
>> Datagrams Failing Fragmentation = 0
>> ICMPv4 Statistics
>> Errors 0 13
>> TCP Statistics for IPv4
>> Failed Connection Attempts = 4275
>> Segments Retransmitted = 24512
>> UDP Statistics for IPv4
>> Receive Errors = 22753
>>
>>
>> Please let me know if any other information is required.
>>
>>
>>
>>
>> 
>> From: 

Re: Windows event id 4 (kerberos)

2010-01-20 Thread raj esh L
Hi,

Thanks for your response

I found many people faced these sort of problems on DCs and suggested to check 
SPN duplications. I verified those and could find any issues with it. But we 
are facing on member server which acts as print server. 

I verified this article and it is more related to IIS. However I checked DNS 
side and do not find any problem. If some one assist by analyzing through 
netmon captures that would be helpful.
http://support.microsoft.com/kb/558115



From: Douglas E. Engert 
To: raj esh L 
Cc: kerberos-ow...@mit.edu; kerberos@mit.edu
Sent: Thu, 21 January, 2010 0:57:26
Subject: Re: Windows event id 4 (kerberos)



raj esh L wrote:
> We have observed Kerberos event id4 on one member server (Print server 
> )BRAPRINT001 (10.1.37.167). Please find the description below about the event 
> id. Can some one please help me on it ?
>  Event Type:Error
> Event Source:  Kerberos
> Event Category:  None
> Event ID:4
> Date:   1/13/2010
> Time:   6:16:35 PM
> User:   N/A
> Computer:   BRAPRINT001
> Description:
> The kerberos client received a KRB_AP_ERR_MODIFIED error from the server 
> SLH-001155$.  The target name used was cifs/ATL017784.dir.ucb-group.com. This 
> indicates that the password used to encrypt the kerberos service ticket is 
> different than that on the target server. Commonly, this is due to 
> identically named  machine accounts in the target realm (DIR.UCB-GROUP.COM), 
> and the client realm.   Please contact your system administrator.
>  For more information, see Help and Support Center at 
> http://go.microsoft.com/fwlink/events.asp.
>   ATL017784.dir.ucb-group.com [10.70.11.107]
>  We captured network for it. Can you please help here what is going on?
>   captured file is available at http://www.megaupload.com/?d=WDIG1CAT
> 
> 

Googling for: Windows EventID: 4 Kerberos

I found there are a number of other people who have had similar problems.
You may also want to look at:

http://www.eventid.net/display.asp?eventid=4&eventno=1968&source=Kerberos&phase=1

There are a number of other people who have had similar problems.

Also see:
http://support.microsoft.com/kb/558115
>   
> Kerberos mailing list  Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 
Douglas E. Engert  
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois  60439
(630) 252-5444



  

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: Windows event id 4 (kerberos)

2010-01-20 Thread Douglas E. Engert


raj esh L wrote:
> We have observed Kerberos event id4 on one member server (Print server 
> )BRAPRINT001 (10.1.37.167). Please find the description below about the event 
> id. Can some one please help me on it ?
>  
> Event Type:Error
> Event Source:  Kerberos
> Event Category:  None
> Event ID:4
> Date:   1/13/2010
> Time:   6:16:35 PM
> User:   N/A
> Computer:   BRAPRINT001
> Description:
> The kerberos client received a KRB_AP_ERR_MODIFIED error from the server 
> SLH-001155$.  The target name used was cifs/ATL017784.dir.ucb-group.com. This 
> indicates that the password used to encrypt the kerberos service ticket is 
> different than that on the target server. Commonly, this is due to 
> identically named  machine accounts in the target realm (DIR.UCB-GROUP.COM), 
> and the client realm.   Please contact your system administrator.
>  
> For more information, see Help and Support Center at 
> http://go.microsoft.com/fwlink/events.asp.
>  
>  
> ATL017784.dir.ucb-group.com [10.70.11.107]
>  
> We captured network for it. Can you please help here what is going on?
>  
>  
> captured file is available at http://www.megaupload.com/?d=WDIG1CAT
> 
> 

Googling for: Windows EventID: 4 Kerberos

I found there are a number of other people who have had similar problems.
You may also want to look at:

http://www.eventid.net/display.asp?eventid=4&eventno=1968&source=Kerberos&phase=1

There are a number of other people who have had similar problems.

Also see:
http://support.microsoft.com/kb/558115
>   
> 
> Kerberos mailing list   Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
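
The three names in the event description quoted above, pulled apart in an added example (not written by anyone in this thread). It extracts the responding machine account and the target SPN from each event 4 description and separates "a different machine answered than the one the ticket was issued for" from "the named machine could not decrypt its own ticket". The function names, the verdict labels and the `EXAMPLE-*` hosts are assumptions made for illustration.

```python
import re
from collections import Counter

# (computer that logged the event, event description)
# The first entry is the event text quoted in the thread. The other two are
# constructed for illustration; their EXAMPLE-* host names are hypothetical.
EVENTS = [
    ("BRAPRINT001",
     "The kerberos client received a KRB_AP_ERR_MODIFIED error from the server "
     "SLH-001155$.  The target name used was cifs/ATL017784.dir.ucb-group.com. "
     "This indicates that the password used to encrypt the kerberos service "
     "ticket is different than that on the target server."),
    ("BRAPRINT001",
     "The kerberos client received a KRB_AP_ERR_MODIFIED error from the\n"
     "server EXAMPLE-PC01$.  The target name used was\n"
     "cifs/EXAMPLE-PC02.dir.ucb-group.com. This indicates that the password ..."),
    ("BRAPRINT001",
     "The kerberos client received a KRB_AP_ERR_MODIFIED error from the server "
     "EXAMPLE-PC03$.  The target name used was cifs/example-pc03.dir.ucb-group.com."),
]

EVENT_RE = re.compile(
    r"KRB_AP_ERR_MODIFIED error from the server (?P<responder>\S+?)\. "
    r"The target name used was (?P<spn>[^\s/]+/\S+?)\.(?:\s|$)",
    re.IGNORECASE,
)

VERDICTS = {
    # The ticket was encrypted for the account that owns the target SPN, but a
    # different machine account received it and could not decrypt it.
    "wrong-host": "client reached {responder}, not {target_host}: compare what "
                  "{target_fqdn} resolves to with the address {responder} holds",
    # The machine named in the SPN answered but its key differs from the one
    # the KDC used for the ticket.
    "key-mismatch": "{target_host} could not decrypt a ticket issued for itself: "
                    "check its machine account password and duplicate accounts",
}


def parse_event(description):
    """Return responder account and target SPN parts, or None if no match."""
    text = " ".join(description.split())      # undo mail/log line wrapping
    m = EVENT_RE.search(text)
    if m is None:
        return None
    service, _, host = m.group("spn").partition("/")
    host = host.split("/")[0].split(":")[0]   # drop optional realm or port part
    return {
        "responder": m.group("responder").rstrip("$").upper(),
        "service": service.lower(),
        "target_host": host.split(".")[0].upper(),
        "target_fqdn": host.lower(),
    }


def classify(parsed):
    """'wrong-host' when the responder is not the host named in the SPN."""
    if parsed["responder"] != parsed["target_host"]:
        return "wrong-host"
    return "key-mismatch"


def summarize(events):
    """Parse all events; also count in how many events each name appears."""
    findings, names = [], Counter()
    for computer, description in events:
        parsed = parse_event(description)
        if parsed is None:
            continue
        parsed["client"] = computer.upper()
        parsed["verdict"] = classify(parsed)
        findings.append(parsed)
        names.update({parsed["client"], parsed["responder"], parsed["target_host"]})
    return findings, names


def explain(finding):
    return VERDICTS[finding["verdict"]].format(**finding)


if __name__ == "__main__":
    findings, names = summarize(EVENTS)
    for f in findings:
        print("%s -> %s/%s: %s" % (f["client"], f["service"], f["target_fqdn"], explain(f)))
    print("names seen across events:", names.most_common())
```

A name that appears in every event (here the print server) is the client side of each failure; the other two names change with whichever target it tried to reach.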


Re: Windows event id 4 (kerberos)

2010-01-20 Thread Christopher D. Clausen
I have no other suggestions.  I'd say to try re-joining all three 
computers, one at a time, and see if the errors go away.

The error basically means that the Kerberos "stuff" sent across the 
network could not be used by the client computer.  Again, this is 
usually due to two computer accounts with the same name and the wrong 
one being used for communication from some other computer.  It could 
also be that network errors caused packet corruption causing the message 
to be generated.

< wrote:
> Thanks for your response.
>
> I have not tried to un-join & join. I can try this option as a last
> effort.
> If i need to un-join, Which machine do I need to do? Is BRAPRINT001?
> Time zones are correct on all servers.
> I queried all the dcs event logs for eventid 11 through
> eventcombat.exe but none of these SPNS found.
>
> As per the description, 3 server names (braprint001 where I get
> alerts and other two) are involved in this problem. I could not able
> to understand the description itself. Can you plz explain what it is?
> I captured netmon for it at the time of problem occurred. These all
> names are appearing over there. But I could not understand it.
>
> It's my humble request to verify those and make me understand.
>
>
>
>
> 
> From: Christopher D. Clausen 
> To: raj esh L 
> Cc: kerberos@mit.edu
> Sent: Wed, 20 January, 2010 21:15:13
> Subject: Re: Windows event id 4 (kerberos)
>
> The error list in netstat (as well as in the other email that you
> sent)
> seems reasonable for a machine that has been up for a period of time.
> Setspn output looks reasonable as well.
>
> Have you tried just un-joining and re-joining the computer account in
> question to the domain? This usually fixes the problem in my
> experience, assuming there isn't some actual underlying cause (like
> duplicated accounts.) You may need to delete and re-create the
> computer
> account after un-joining.
>
> Are the times and time zones correct on these systems? Do they
> regularly synchronize to the domain controller's time?
>
> Are there any errors in the event log on the domain controllers about
> duplicate computer accounts?
>
> Some of the suggestions here might be useful to you as well:
> http://eventid.net/display.asp?eventid=4&eventno=1968&source=Kerberos&phase=1
> http://eventid.net/display.asp?eventid=11&eventno=569&source=KDC&phase=1
>
> <
> raj esh L  wrote:
>> No samba and non-windows. All are windows servers.
>>
>>
>> U:\>setspn -l SLH-001155
>> Registered ServicePrincipalNames for
>> CN=SLH-001155,OU=Laptops,OU=SLH,OU=GBR,OU=E
>> UR,DC=dir,DC=ucb-group,DC=com:
>> HOST/SLH-001155
>> HOST/SLH-001155.dir.ucb-group.com
>>
>> U:\>setspn -l BRAPRINT001
>> Registered ServicePrincipalNames for
>> CN=BRAPRINT001,OU=Servers,OU=Global,OU=BEL,
>> OU=EUR,DC=dir,DC=ucb-group,DC=com:
>> HOST/BRAPRINT001
>> HOST/BRAPRINT001.dir.ucb-group.com
>>
>> U:\>setspn -l ATL017784
>> Registered ServicePrincipalNames for
>> CN=ATL017784,OU=Laptops,OU=ATL,OU=USA,OU=AM
>> E,DC=dir,DC=ucb-group,DC=com:
>> HOST/ATL017784
>> HOST/ATL017784.dir.ucb-group.com
>>
>> U:\>netstat -s
>> IPv4 Statistics
>> Received Header Errors = 0
>> Received Address Errors = 42563
>> Unknown Protocols Received = 0
>> Received Packets Discarded = 0
>> Routing Discards = 0
>> Discarded Output Packets = 0
>> Output Packet No Route = 0
>> Reassembly Failures = 0
>> Datagrams Failing Fragmentation = 0
>> ICMPv4 Statistics
>> Errors 0 13
>> TCP Statistics for IPv4
>> Failed Connection Attempts = 4275
>> Segments Retransmitted = 24512
>> UDP Statistics for IPv4
>> Receive Errors = 22753
>>
>>
>> Please let me know if any other information is required.
>>
>>
>>
>>
>> 
>> From: raj esh L 
>> To: Christopher D. Clausen 
>> Cc: kerberos@mit.edu
>> Sent: Wed, 20 January, 2010 3:47:11
>> Subject: Re: Windows event id 4 (kerberos)
>>
>>
>> Than Q very much for your information and would appreciate. But
>>
>> I verified SPNs and computer names - No duplication found.
>>
>> These computers not updated recently and exist from long time.
>>
>> Thanks once again about networking help .I would check and give you
>> update.
>>
>> i will give the setspn details also.
>>
>> I spent days together to search the fix but did not find a correct
>> solution. your help would be highly a

Re: Windows event id 4 (kerberos)

2010-01-20 Thread raj esh L
Thanks for your response.
 
I have not tried to un-join & join. I can try this option as a last effort.
If i need to un-join, Which machine do I need to do? Is BRAPRINT001?
Time zones are correct on all servers.
I queried all the dcs event logs for eventid 11 through eventcombat.exe but 
none of these SPNS found.
 
As per the description, 3 server names (braprint001 where I get alerts and 
other two) are involved in this problem. I could not able to understand the 
description itself. Can you plz explain what it is?
I captured netmon for it at the time of problem occurred. These all names are 
appearing over there. But I could not understand it.
 
It's my humble request to verify those and make me understand.





From: Christopher D. Clausen 
To: raj esh L 
Cc: kerberos@mit.edu
Sent: Wed, 20 January, 2010 21:15:13
Subject: Re: Windows event id 4 (kerberos)

The error list in netstat (as well as in the other email that you sent) 
seems reasonable for a machine that has been up for a period of time. 
Setspn output looks reasonable as well.

Have you tried just un-joining and re-joining the computer account in 
question to the domain?  This usually fixes the problem in my 
experience, assuming there isn't some actual underlying cause (like 
duplicated accounts.)  You may need to delete and re-create the computer 
account after un-joining.

Are the times and time zones correct on these systems?  Do they 
regularly synchronize to the domain controller's time?

Are there any errors in the event log on the domain controllers about 
duplicate computer accounts?

Some of the suggestions here might be useful to you as well:
http://eventid.net/display.asp?eventid=4&eventno=1968&source=Kerberos&phase=1
http://eventid.net/display.asp?eventid=11&eventno=569&source=KDC&phase=1

< wrote:
> No samba and non-windows. All are windows servers.
>
>
> U:\>setspn -l SLH-001155
> Registered ServicePrincipalNames for
> CN=SLH-001155,OU=Laptops,OU=SLH,OU=GBR,OU=E
> UR,DC=dir,DC=ucb-group,DC=com:
> HOST/SLH-001155
> HOST/SLH-001155.dir.ucb-group.com
>
> U:\>setspn -l BRAPRINT001
> Registered ServicePrincipalNames for
> CN=BRAPRINT001,OU=Servers,OU=Global,OU=BEL,
> OU=EUR,DC=dir,DC=ucb-group,DC=com:
> HOST/BRAPRINT001
> HOST/BRAPRINT001.dir.ucb-group.com
>
> U:\>setspn -l ATL017784
> Registered ServicePrincipalNames for
> CN=ATL017784,OU=Laptops,OU=ATL,OU=USA,OU=AM
> E,DC=dir,DC=ucb-group,DC=com:
> HOST/ATL017784
> HOST/ATL017784.dir.ucb-group.com
>
> U:\>netstat -s
> IPv4 Statistics
> Received Header Errors = 0
> Received Address Errors = 42563
> Unknown Protocols Received = 0
> Received Packets Discarded = 0
> Routing Discards = 0
> Discarded Output Packets = 0
> Output Packet No Route = 0
> Reassembly Failures = 0
> Datagrams Failing Fragmentation = 0
> ICMPv4 Statistics
> Errors 0 13
> TCP Statistics for IPv4
> Failed Connection Attempts = 4275
> Segments Retransmitted = 24512
> UDP Statistics for IPv4
> Receive Errors = 22753
>
>
> Please let me know if any other information is required.
>
>
>
>
> 
> From: raj esh L 
> To: Christopher D. Clausen 
> Cc: kerberos@mit.edu
> Sent: Wed, 20 January, 2010 3:47:11
> Subject: Re: Windows event id 4 (kerberos)
>
>
> Than Q very much for your information and would appreciate. But
>
> I verified SPNs and computer names - No duplication found.
>
> These computers not updated recently and exist from long time.
>
> Thanks once again about networking help .I would check and give you
> update.
>
> i will give the setspn details also.
>
> I spent days together to search the fix but did not find a correct
> solution. your help would be highly appreciable.
>
> we get the message on every day. But we see the same event id, same
> description with different names 'SLH-001155' with different cifs\
>
> First of all, I do not understand clearly about the description. if
> you would explain what is going here with examples of server names
> based on description that would be great.
>
>
> 
> From: Christopher D. Clausen 
> To: raj esh L 
> Cc: kerberos@mit.edu
> Sent: Wed, 20 January, 2010 3:01:30
> Subject: Re: Windows event id 4 (kerberos)
>
> Is this for an actual Windows computer? Or a non-Windows machine
> running something like Samba?
>
> -
>
> I see these all the time. I believe these occur on occasion when a
> computer account automatically updates its machine account password in
> Active Directory. (This is a normal function of a computer joined to
> AD.)
>
> I'd suggest un-joining and re-joining the computer to the domain if
> this
>

Windows event id 4 (kerberos)

2010-01-20 Thread raj esh L
No samba and non-windows. All are windows servers.
 

U:\>setspn -l SLH-001155
Registered ServicePrincipalNames for CN=SLH-001155,OU=Laptops,OU=SLH,OU=GBR,OU=E
UR,DC=dir,DC=ucb-group,DC=com:
    HOST/SLH-001155
    HOST/SLH-001155.dir.ucb-group.com
 
U:\>setspn -l BRAPRINT001
Registered ServicePrincipalNames for CN=BRAPRINT001,OU=Servers,OU=Global,OU=BEL,
OU=EUR,DC=dir,DC=ucb-group,DC=com:
    HOST/BRAPRINT001
    HOST/BRAPRINT001.dir.ucb-group.com
 
U:\>setspn -l ATL017784
Registered ServicePrincipalNames for CN=ATL017784,OU=Laptops,OU=ATL,OU=USA,OU=AM
E,DC=dir,DC=ucb-group,DC=com:
    HOST/ATL017784
    HOST/ATL017784.dir.ucb-group.com
 
U:\>netstat -s
IPv4 Statistics
  Packets Received   = 38101798
  Received Header Errors = 0
  Received Address Errors    = 42563
  Datagrams Forwarded    = 0
  Unknown Protocols Received = 0
  Received Packets Discarded = 0
  Received Packets Delivered = 38059228
  Output Requests    = 31080179
  Routing Discards   = 0
  Discarded Output Packets   = 0
  Output Packet No Route = 0
  Reassembly Required    = 85
  Reassembly Successful  = 37
  Reassembly Failures    = 0
  Datagrams Successfully Fragmented  = 9
  Datagrams Failing Fragmentation    = 0
  Fragments Created  = 18
ICMPv4 Statistics
    Received    Sent
  Messages  227967  227817
  Errors    0   13
  Destination Unreachable   723 717
  Time Exceeded 34  0
  Parameter Problems    0   0
  Source Quenches   0   0
  Redirects 0   0
  Echos 212083  15017
  Echo Replies  15127   212070
  Timestamps    0   0
  Timestamp Replies 0   0
  Address Masks 0   0
  Address Mask Replies  0   0
TCP Statistics for IPv4
  Active Opens    = 143960
  Passive Opens   = 9560
  Failed Connection Attempts  = 4275
  Reset Connections   = 6759
  Current Connections = 156
  Segments Received   = 36346619
  Segments Sent   = 29722129
  Segments Retransmitted  = 24512
UDP Statistics for IPv4
  Datagrams Received    = 1347067
  No Ports  = 268826
  Receive Errors    = 22753
  Datagrams Sent    = 1105790


Please let me know if any other information is required.





From: raj esh L 
To: Christopher D. Clausen 
Cc: kerberos@mit.edu
Sent: Wed, 20 January, 2010 3:47:11
Subject: Re: Windows event id 4 (kerberos)


Than Q very much for your information and would appreciate. But

I verified SPNs and computer names - No duplication found.

These computers not updated recently and exist from long time.

Thanks once again about networking help .I would check and give you update.

i will give the setspn details also. 

I spent days together to search the fix but did not find a correct solution. 
your help would be highly appreciable. 

we get the message on every day. But we see the same event id, same description 
with different names  'SLH-001155' with different cifs\

First of all, I do not understand clearly  about the description. if you would 
explain what is going here with examples of server names based on description 
that would be great. 



From: Christopher D. Clausen 
To: raj esh L 
Cc: kerberos@mit.edu
Sent: Wed, 20 January, 2010 3:01:30
Subject: Re: Windows event id 4 (kerberos)

Is this for an actual Windows computer?  Or a non-Windows machine 
running something like Samba?

-

I see these all the time.  I believe these occur on occasion when a 
computer account automatically updates its machine account password in 
Active Directory.  (This is a normal function of a computer joined to 
AD.)

I'd suggest un-joining and re-joining the computer to the domain if this 
is a persistent problem on this system.

If the issue persists you likely have a network connection problem. 
Check netstat -s output and look for high error counts and check duplex 
settings on all ends of the connection.

-

Another thing to check is for identically named accounts (as mentioned,) 
including SPNs that were set with setspn.exe or ktpass.exe.  These are 
hard to track down and may require specific LDAP queries to locate.

-

Please send output of setspn -l SLH-001155

< wrote:
> We have observed Kerberos event id4 on one member server (Print
> server )BRAPRINT001 (10.1.37.167). Please find the description below
> about the event id. Can some one please help me on it ?
>
> Event Type:            Error
> Event Source:          Kerberos
> Event Cate

Re: Windows event id 4 (kerberos)

2010-01-20 Thread raj esh L
Sorry I put wrong server details of netstat -s.  Plz find now the correct one. 


C:\>netstat -s
IPv4 Statistics
  Packets Received   = 207484084
  Received Header Errors = 0
  Received Address Errors    = 4204
  Datagrams Forwarded    = 0
  Unknown Protocols Received = 0
  Received Packets Discarded = 0
  Received Packets Delivered = 207479903
  Output Requests    = 203812438
  Routing Discards   = 0
  Discarded Output Packets   = 0
  Output Packet No Route = 0
  Reassembly Required    = 4
  Reassembly Successful  = 2
  Reassembly Failures    = 0
  Datagrams Successfully Fragmented  = 2
  Datagrams Failing Fragmentation    = 0
  Fragments Created  = 4
ICMPv4 Statistics
    Received    Sent
  Messages  123384  67298
  Errors    0   0
  Destination Unreachable   53043   285
  Time Exceeded 5870    0
  Parameter Problems    0   0
  Source Quenches   0   0
  Redirects 0   0
  Echos 47557   19456
  Echo Replies  16914   47557
  Timestamps    0   0
  Timestamp Replies 0   0
  Address Masks 0   0
  Address Mask Replies  0   0
TCP Statistics for IPv4
  Active Opens    = 182529
  Passive Opens   = 246806
  Failed Connection Attempts  = 120080
  Reset Connections   = 17762
  Current Connections = 805
  Segments Received   = 206256325
  Segments Sent   = 199667155
  Segments Retransmitted  = 1662797
UDP Statistics for IPv4
  Datagrams Received    = 1090012
  No Ports  = 97063
  Receive Errors    = 17
  Datagrams Sent    = 2400610







From: raj esh L 
To: Christopher D. Clausen 
Cc: kerberos@mit.edu
Sent: Wed, 20 January, 2010 15:49:56
Subject: Windows event id 4 (kerberos)


No samba and non-windows. All are windows servers.
 

U:\>setspn -l SLH-001155
Registered ServicePrincipalNames for CN=SLH-001155,OU=Laptops,OU=SLH,OU=GBR,OU=E
UR,DC=dir,DC=ucb-group,DC=com:
    HOST/SLH-001155
    HOST/SLH-001155.dir.ucb-group.com
 
U:\>setspn -l BRAPRINT001
Registered ServicePrincipalNames for CN=BRAPRINT001,OU=Servers,OU=Global,OU=BEL,
OU=EUR,DC=dir,DC=ucb-group,DC=com:
    HOST/BRAPRINT001
    HOST/BRAPRINT001.dir.ucb-group.com
 
U:\>setspn -l ATL017784
Registered ServicePrincipalNames for CN=ATL017784,OU=Laptops,OU=ATL,OU=USA,OU=AM
E,DC=dir,DC=ucb-group,DC=com:
    HOST/ATL017784
    HOST/ATL017784.dir.ucb-group.com
 
U:\>netstat -s
IPv4 Statistics
  Packets Received   = 38101798
  Received Header Errors = 0
  Received Address Errors    = 42563
  Datagrams Forwarded    = 0
  Unknown Protocols Received = 0
  Received Packets Discarded = 0
  Received Packets Delivered = 38059228
  Output Requests    = 31080179
  Routing Discards   = 0
  Discarded Output Packets   = 0
  Output Packet No Route = 0
  Reassembly Required    = 85
  Reassembly Successful  = 37
  Reassembly Failures    = 0
  Datagrams Successfully Fragmented  = 9
  Datagrams Failing Fragmentation    = 0
  Fragments Created  = 18
ICMPv4 Statistics
    Received    Sent
  Messages  227967  227817
  Errors    0   13
  Destination Unreachable   723 717
  Time Exceeded 34  0
  Parameter Problems    0   0
  Source Quenches   0   0
  Redirects 0   0
  Echos 212083  15017
  Echo Replies  15127   212070
  Timestamps    0   0
  Timestamp Replies 0   0
  Address Masks 0   0
  Address Mask Replies  0   0
TCP Statistics for IPv4
  Active Opens    = 143960
  Passive Opens   = 9560
  Failed Connection Attempts  = 4275
  Reset Connections   = 6759
  Current Connections = 156
  Segments Received   = 36346619
  Segments Sent   = 29722129
  Segments Retransmitted  = 24512
UDP Statistics for IPv4
  Datagrams Received    = 1347067
  No Ports  = 268826
  Receive Errors    = 22753
  Datagrams Sent    = 1105790


Please let me know if any other information is required.





From: raj esh L 
To: Christopher D. Clausen 
Cc: kerberos@mit.edu
Sent: Wed, 20 January, 2010 3:47:11
Subje

Re: Windows event id 4 (kerberos)

2010-01-20 Thread Christopher D. Clausen
The error list in netstat (as well as in the other email that you sent) 
seems reasonable for a machine that has been up for a period of time. 
Setspn output looks reasonable as well.

Have you tried just un-joining and re-joining the computer account in 
question to the domain?  This usually fixes the problem in my 
experience, assuming there isn't some actual underlying cause (like 
duplicated accounts.)  You may need to delete and re-create the computer 
account after un-joining.

Are the times and time zones correct on these systems?  Do they 
regularly synchronize to the domain controller's time?

Are there any errors in the event log on the domain controllers about 
duplicate computer accounts?

Some of the suggestions here might be useful to you as well:
http://eventid.net/display.asp?eventid=4&eventno=1968&source=Kerberos&phase=1
http://eventid.net/display.asp?eventid=11&eventno=569&source=KDC&phase=1

< wrote:
> No samba and non-windows. All are windows servers.
>
>
> U:\>setspn -l SLH-001155
> Registered ServicePrincipalNames for
> CN=SLH-001155,OU=Laptops,OU=SLH,OU=GBR,OU=E
> UR,DC=dir,DC=ucb-group,DC=com:
> HOST/SLH-001155
> HOST/SLH-001155.dir.ucb-group.com
>
> U:\>setspn -l BRAPRINT001
> Registered ServicePrincipalNames for
> CN=BRAPRINT001,OU=Servers,OU=Global,OU=BEL,
> OU=EUR,DC=dir,DC=ucb-group,DC=com:
> HOST/BRAPRINT001
> HOST/BRAPRINT001.dir.ucb-group.com
>
> U:\>setspn -l ATL017784
> Registered ServicePrincipalNames for
> CN=ATL017784,OU=Laptops,OU=ATL,OU=USA,OU=AM
> E,DC=dir,DC=ucb-group,DC=com:
> HOST/ATL017784
> HOST/ATL017784.dir.ucb-group.com
>
> U:\>netstat -s
> IPv4 Statistics
> Received Header Errors = 0
> Received Address Errors = 42563
> Unknown Protocols Received = 0
> Received Packets Discarded = 0
> Routing Discards = 0
> Discarded Output Packets = 0
> Output Packet No Route = 0
> Reassembly Failures = 0
> Datagrams Failing Fragmentation = 0
> ICMPv4 Statistics
> Errors 0 13
> TCP Statistics for IPv4
> Failed Connection Attempts = 4275
> Segments Retransmitted = 24512
> UDP Statistics for IPv4
> Receive Errors = 22753
>
>
> Please let me know if any other information is required.
>
>
>
>
> 
> From: raj esh L 
> To: Christopher D. Clausen 
> Cc: kerberos@mit.edu
> Sent: Wed, 20 January, 2010 3:47:11
> Subject: Re: Windows event id 4 (kerberos)
>
>
> Than Q very much for your information and would appreciate. But
>
> I verified SPNs and computer names - No duplication found.
>
> These computers not updated recently and exist from long time.
>
> Thanks once again about networking help .I would check and give you
> update.
>
> i will give the setspn details also.
>
> I spent days together to search the fix but did not find a correct
> solution. your help would be highly appreciable.
>
> we get the message on every day. But we see the same event id, same
> description with different names 'SLH-001155' with different cifs\
>
> First of all, I do not understand clearly about the description. if
> you would explain what is going here with examples of server names
> based on description that would be great.
>
>
> 
> From: Christopher D. Clausen 
> To: raj esh L 
> Cc: kerberos@mit.edu
> Sent: Wed, 20 January, 2010 3:01:30
> Subject: Re: Windows event id 4 (kerberos)
>
> Is this for an actual Windows computer? Or a non-Windows machine
> running something like Samba?
>
> -
>
> I see these all the time. I believe these occur on occasion when a
> computer account automatically updates its machine account password in
> Active Directory. (This is a normal function of a computer joined to
> AD.)
>
> I'd suggest un-joining and re-joining the computer to the domain if
> this
> is a persistent problem on this system.
>
> If the issue persists you likely have a network connection problem.
> Check netstat -s output and look for high error counts and check
> duplex
> settings on all ends of the connection.
>
> -
>
> Another thing to check is for identically named accounts (as
> mentioned,)
> including SPNs that were set with setspn.exe or ktpass.exe. These are
> hard to track down and may require specific LDAP queries to locate.
>
> -
>
> Please send output of setspn -l SLH-001155
>
> <
> raj esh L  wrote:
>> We have observed Kerberos event id4 on one member server (Print
>> server )BRAPRINT001 (10.1.37.167). Please find the description below
>> about the event id. Can some one please help me on it ?
>>
>> Event Type: Error
>> Event Source: Kerberos
>> Event Categor

Re: Windows event id 4 (kerberos)

2010-01-19 Thread raj esh L
Than Q very much for your information and would appreciate. But

I verified SPNs and computer names - No duplication found.

These computers not updated recently and exist from long time.

Thanks once again about networking help .I would check and give you update.

i will give the setspn details also. 

I spent days together to search the fix but did not find a correct solution. 
your help would be highly appreciable. 

we get the message on every day. But we see the same event id, same description 
with different names  'SLH-001155' with different cifs\

First of all, I do not understand clearly  about the description. if you would 
explain what is going here with examples of server names based on description 
that would be great. 



From: Christopher D. Clausen 
To: raj esh L 
Cc: kerberos@mit.edu
Sent: Wed, 20 January, 2010 3:01:30
Subject: Re: Windows event id 4 (kerberos)

Is this for an actual Windows computer?  Or a non-Windows machine 
running something like Samba?

-

I see these all the time.  I believe these occur on occasion when a 
computer account automatically updates its machine account password in 
Active Directory.  (This is a normal function of a computer joined to 
AD.)

I'd suggest un-joining and re-joining the computer to the domain if this 
is a persistent problem on this system.

If the issue persists you likely have a network connection problem. 
Check netstat -s output and look for high error counts and check duplex 
settings on all ends of the connection.

-

Another thing to check is for identically named accounts (as mentioned), 
including SPNs that were set with setspn.exe or ktpass.exe.  These are 
hard to track down and may require specific LDAP queries to locate.

-

Please send output of setspn -l SLH-001155

< wrote:
> We have observed Kerberos event id 4 on one member server (print
> server) BRAPRINT001 (10.1.37.167). Please find the description below
> about the event id. Can someone please help me with it?
>
> Event Type: Error
> Event Source: Kerberos
> Event Category: None
> Event ID: 4
> Date: 1/13/2010
> Time: 6:16:35 PM
> User: N/A
> Computer: BRAPRINT001
> Description:
> The kerberos client received a KRB_AP_ERR_MODIFIED error from the
> server SLH-001155$.  The target name used was
> cifs/ATL017784.dir.ucb-group.com. This indicates that the password
> used to encrypt the kerberos service ticket is different than that on
> the target server. Commonly, this is due to identically named
> machine accounts in the target realm (DIR.UCB-GROUP.COM), and the
> client realm.   Please contact your system administrator.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
>
> ATL017784.dir.ucb-group.com [10.70.11.107]
>
> We captured network for it. Can you please help here what is going on?
>
>
> captured file is available at http://www.megaupload.com/?d=WDIG1CAT
>
>
>
> 
> Kerberos mailing list  Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos 


  



Re: Windows event id 4 (kerberos)

2010-01-19 Thread Christopher D. Clausen
Is this for an actual Windows computer?  Or a non-Windows machine 
running something like Samba?

-

I see these all the time.  I believe these occur on occasion when a 
computer account automatically updates its machine account password in 
Active Directory.  (This is a normal function of a computer joined to 
AD.)

I'd suggest un-joining and re-joining the computer to the domain if this 
is a persistent problem on this system.

If the issue persists you likely have a network connection problem. 
Check netstat -s output and look for high error counts and check duplex 
settings on all ends of the connection.

-

Another thing to check is for identically named accounts (as mentioned), 
including SPNs that were set with setspn.exe or ktpass.exe.  These are 
hard to track down and may require specific LDAP queries to locate.

-

Please send output of setspn -l SLH-001155

< wrote:
> We have observed Kerberos event id 4 on one member server (print
> server) BRAPRINT001 (10.1.37.167). Please find the description below
> about the event id. Can someone please help me with it?
>
> Event Type: Error
> Event Source: Kerberos
> Event Category: None
> Event ID: 4
> Date: 1/13/2010
> Time: 6:16:35 PM
> User: N/A
> Computer: BRAPRINT001
> Description:
> The kerberos client received a KRB_AP_ERR_MODIFIED error from the
> server SLH-001155$.  The target name used was
> cifs/ATL017784.dir.ucb-group.com. This indicates that the password
> used to encrypt the kerberos service ticket is different than that on
> the target server. Commonly, this is due to identically named
> machine accounts in the target realm (DIR.UCB-GROUP.COM), and the
> client realm.   Please contact your system administrator.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
>
> ATL017784.dir.ucb-group.com [10.70.11.107]
>
> We captured network for it. Can you please help here what is going on?
>
>
> captured file is available at http://www.megaupload.com/?d=WDIG1CAT
>
>
>
> 


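A sketch of the duplicate-SPN check suggested in the message above, added here as an example and not code from the thread: it pulls the responding account and the target SPN out of the event 4 text, then looks that SPN up in an account-to-SPN inventory. The inventory contents, the OLD-IMAGE01$ account and all function names are constructed for illustration.

```python
import re

# Event 4 description, copied from the quoted message in the thread.
EVENT_TEXT = """\
> The kerberos client received a KRB_AP_ERR_MODIFIED error from the
> server SLH-001155$.  The target name used was
> cifs/ATL017784.dir.ucb-group.com. This indicates that the password
> used to encrypt the kerberos service ticket is different than that on
> the target server."""

# Constructed inventory (sAMAccountName -> servicePrincipalName values), shaped
# like an LDAP export of computer accounts. OLD-IMAGE01$ is invented.
SAMPLE_INVENTORY = {
    "ATL017784$": ["HOST/ATL017784", "HOST/ATL017784.dir.ucb-group.com"],
    "SLH-001155$": ["HOST/SLH-001155", "HOST/SLH-001155.dir.ucb-group.com"],
    "OLD-IMAGE01$": ["HOST/OLD-IMAGE01", "host/atl017784.dir.ucb-group.com"],
}

# Service classes AD resolves via the HOST/ SPN (subset of default sPNMappings).
HOST_ALIASES = {"cifs", "spooler"}

EVENT_RE = re.compile(
    r"KRB_AP_ERR_MODIFIED error from the server (?P<responder>\S+?)\. "
    r"The target name used was (?P<spn>\S+?)\.(?: |$)", re.I)

def parse_event(text):
    """Return (responding account, target SPN), or None for other text."""
    unquoted = re.sub(r"(?m)^\s*(?:>\s*)+", "", text)  # drop mail quote markers
    m = EVENT_RE.search(" ".join(unquoted.split()))     # undo line wrapping
    return (m.group("responder"), m.group("spn")) if m else None

def spn_owners(spn, inventory):
    """Accounts whose SPNs satisfy `spn` (case-insensitive, HOST aliases)."""
    service, _, host = spn.lower().partition("/")
    wanted = {spn.lower()}
    if service in HOST_ALIASES:
        wanted.add("host/" + host)
    return sorted(acct for acct, spns in inventory.items()
                  if any(s.lower() in wanted for s in spns))

def diagnose(text, inventory):
    parsed = parse_event(text)
    if parsed is None:
        raise ValueError("not a KRB_AP_ERR_MODIFIED event description")
    responder, spn = parsed
    owners = spn_owners(spn, inventory)
    return {"responder": responder, "target_spn": spn, "owners": owners,
            "duplicate_spn": len(owners) > 1,
            "responder_owns_spn": responder.lower() in [o.lower() for o in owners]}
```

With a real export in place of SAMPLE_INVENTORY, more than one entry in `owners` points at a duplicate SPN, and `responder_owns_spn` being false shows that the machine that answered is not the account the ticket was issued for.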


Windows event id 4 (kerberos)

2010-01-19 Thread raj esh L
We have observed Kerberos event id 4 on one member server (print server) 
BRAPRINT001 (10.1.37.167). Please find the description below about the event 
id. Can someone please help me with it?
 
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date: 1/13/2010
Time: 6:16:35 PM
User: N/A
Computer: BRAPRINT001
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server 
SLH-001155$.  The target name used was cifs/ATL017784.dir.ucb-group.com. This 
indicates that the password used to encrypt the kerberos service ticket is 
different than that on the target server. Commonly, this is due to identically 
named  machine accounts in the target realm (DIR.UCB-GROUP.COM), and the client 
realm.   Please contact your system administrator.
 
For more information, see Help and Support Center at 
http://go.microsoft.com/fwlink/events.asp.
 
 
ATL017784.dir.ucb-group.com [10.70.11.107]
 
We captured network for it. Can you please help here what is going on?
 
 
captured file is available at http://www.megaupload.com/?d=WDIG1CAT


  
