
Kerberos errors in event log, authentication, IPSec transport mode on port 445 issues


Edward W. Ray (502974)

Mar 12, 2004, 11:15:22 AM
On three of my four Windows Server 2003 machines
(2 domain controllers and a file server) I have persistent (every few
minutes or so) Kerberos errors like the one below. Has anyone else seen
this? The Knowledge Base has nothing on it. I suspect there are
authentication issues going on between the file server and the domain
controller. Other symptoms include being unable to IPSec encrypt TCP port
445 traffic between my file server and any other client, server, or domain
controller. IPSec encryption of TCP port 445 works fine between the DCs and
other clients, and between my clients and the print/DHCP server (also
running v1159). My file server also cannot authenticate when connecting to
other servers via RDP. A lot of different stuff mentioned here, but I think
it all may be related.

Event log entry from file server is below:


Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 3
Date: 3/10/2004
Time: 1:28:55 PM
User: N/A
Computer: BLACKDOG
Description:
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 21:27:51.0000 3/10/2004 Z
Error Code: 0x6 KDC_ERR_C_PRINCIPAL_UNKNOWN
Extended Error: 0xc0000272 KLIN(0)
Client Realm:
Client Name:
Server Realm: MMICMANHOMENET.LOCAL
Server Name: host/blackdog.mmicmanhomenet.local
Target Name: host/blackdog.mmicm...@MMICMANHOMENET.LOCAL
Error Text:
File: 9
Line: ac0
Error Data is in record data.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 30 15 a1 03 02 01 03 a2 0.¡....¢
0008: 0e 04 0c 72 02 00 c0 00 ...r..À.
0010: 00 00 00 03 00 00 00 .......

Kristin Thomas [MSFT]

Mar 12, 2004, 11:59:17 AM
Edward,

It sounds like the file server does not have a valid Kerberos Ticket.
KDC_ERR_C_PRINCIPAL_UNKNOWN equates to "Client not found in Kerberos
database".

Run netdiag /v > netdiag.txt and look for Kerberos ticket errors specifically,
and of course any other errors that might relate. Also, check your time
synchronization on that file server. If it's not within 5 minutes of the
domain controllers the ticket will expire before you use it. If you still
need help, please post back any errors from the netdiag and the bottom of
the event viewer error when you change the data to words. Thanks.

Best Regards,

Kristin Thomas, MCSE, MCP
Microsoft Enterprise Network Support

Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
| From: "Edward W. Ray \(502974\)" <hom...@greekgod.net>
| Subject: Kerberos errors in event log, authentication, IPSec transport mode on port 445 issues
| Date: Fri, 12 Mar 2004 08:15:22 -0800
| Lines: 52
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.3790.1159
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1159
| Message-ID: <Obev50E...@tk2msftngp13.phx.gbl>
| Newsgroups: microsoft.public.windows.server.networking
| NNTP-Posting-Host: dazedandconfused.mmicman.com 24.199.20.218
| Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl
| Xref: cpmsftngxa06.phx.gbl microsoft.public.windows.server.networking:10204
| X-Tomcat-NG: microsoft.public.windows.server.networking

Edward W. Ray (502974)

Mar 15, 2004, 7:07:56 PM
No netdiag errors until I enable IPSec transport mode on port 445 between
file server and DC. Then secure channel fails. No netdiag errors when
IPSec "Permit" is used. Kerberos errors persist:

Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 3
Date: 3/15/2004
Time: 3:55:12 PM
User: N/A
Computer: BLACKDOG
Description:
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 23:55:11.0000 3/15/2004 Z
Error Code: 0x34 KRB_ERR_RESPONSE_TOO_BIG
Extended Error:
Client Realm:
Client Name:
Server Realm: MMICMANHOMENET.LOCAL
Server Name: ldap/bigdogmedina.mmicmanhomenet.local/mmicmanhomenet.local
Target Name: ldap/bigdogmedina.mmicmanhomenet.local/mmicmanhomenet.local@MMICMANHOMENET.LOCAL
Error Text:
File: 9
Line: ac0
Error Data is in record data.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 3
Date: 3/15/2004
Time: 3:46:05 PM
User: N/A
Computer: BLACKDOG
Description:
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 23:46:4.0000 3/15/2004 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm: MMICMANHOMENET.LOCAL
Server Name: host/blackdog.mmicmanhomenet.local
Target Name: host/blackdog.mmicm...@MMICMANHOMENET.LOCAL
Error Text:
File: 9
Line: ac0
Error Data is in record data.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 03a11530 a2030102 bb0c040e 00c00000
0010: 03000000 000000

"Kristin Thomas [MSFT]" <kth...@online.microsoft.com> wrote in message
news:TRZahNFC...@cpmsftngxa06.phx.gbl...
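Kristin asked for the event's Data "changed to words". The decoder below is an added example, not code from this thread or from Microsoft. It takes either Event Viewer layout (the byte dump from the first post and the 32-bit-word dump from the post above, both copied from the thread) and parses the record data as MS-KILE's KERB-ERROR-DATA: a DER SEQUENCE of data-type [1] INTEGER and data-value [2] OCTET STRING, where data-type 3 (KERB_ERR_TYPE_EXTENDED) carries a KERB-EXT-ERROR of three little-endian ULONGs (status, reserved, flags). The function and constant names are mine.

```python
"""Decode the 'Data' bytes of a Kerberos Event ID 3 record (the e-data of the KRB-ERROR)."""
import re
from typing import Tuple

_HEX = re.compile(r"^[0-9a-fA-F]+$")

# Both dumps are copied from the Event Viewer records posted in this thread.
BYTES_DUMP = """\
0000: 30 15 a1 03 02 01 03 a2 0.¡....¢
0008: 0e 04 0c 72 02 00 c0 00 ...r..À.
0010: 00 00 00 03 00 00 00 .......
"""
WORDS_DUMP = """\
0000: 03a11530 a2030102 bb0c040e 00c00000
0010: 03000000 000000
"""


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn either Event Viewer layout into raw bytes.

    'Bytes' layout: offset, up to eight two-digit hex tokens, then an ASCII column.
    'Words' layout: offset, then 32-bit groups printed as little-endian integers,
    so each group (including a short trailing one) is reversed to recover byte order.
    Assumes a short last line's ASCII column is never exactly two hex digits.
    """
    out = bytearray()
    for raw in dump.splitlines():
        _, _, rest = raw.strip().partition(":")  # drop the "0000:" offset
        tokens = rest.split()
        if not tokens:
            continue
        if len(tokens[0]) == 2:
            for tok in tokens[:8]:  # stop before the ASCII column
                if len(tok) != 2 or not _HEX.match(tok):
                    break
                out.append(int(tok, 16))
        else:
            for tok in tokens:
                if len(tok) % 2 or not _HEX.match(tok):
                    break
                out.extend(bytes.fromhex(tok)[::-1])
    return bytes(out)


def _tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag/length/value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_kerb_error_data(blob: bytes) -> dict:
    """Parse KERB-ERROR-DATA and, for data-type 3, the KERB-EXT-ERROR it carries."""
    tag, seq, _ = _tlv(blob, 0)
    if tag != 0x30:
        raise ValueError("KERB-ERROR-DATA must start with a SEQUENCE")
    data_type, data_value, pos = None, b"", 0
    while pos < len(seq):
        ctag, cval, pos = _tlv(seq, pos)
        itag, ival, _ = _tlv(cval, 0)
        if ctag == 0xA1 and itag == 0x02:  # data-type [1] INTEGER
            data_type = int.from_bytes(ival, "big", signed=True)
        elif ctag == 0xA2 and itag == 0x04:  # data-value [2] OCTET STRING
            data_value = ival
        else:
            raise ValueError(f"unexpected element 0x{ctag:02x}/0x{itag:02x}")
    result = {"data_type": data_type}
    if data_type == 3 and len(data_value) >= 12:  # KERB_ERR_TYPE_EXTENDED
        result["status"] = int.from_bytes(data_value[0:4], "little")
        result["reserved"] = int.from_bytes(data_value[4:8], "little")
        result["flags"] = int.from_bytes(data_value[8:12], "little")
    return result


def describe(dump: str) -> str:
    """One-line rendering alongside the event's 'Extended Error' field."""
    r = decode_kerb_error_data(hexdump_to_bytes(dump))
    if "status" not in r:
        return f"data-type {r['data_type']} (no extended error)"
    return f"0x{r['status']:08x} reserved={r['reserved']} flags=0x{r['flags']:x}"


if __name__ == "__main__":
    print(describe(BYTES_DUMP))
    print(describe(WORDS_DUMP))
```

The `status` field is the NTSTATUS that Event Viewer already prints on the "Extended Error" line (0xc0000272 in the first post, 0xc00000bb here); the Kerberos error code itself (0x6, 0xd, 0x34) lives in the KRB-ERROR header, not in this blob, so a record whose "Extended Error" line is empty (the 0x34 event above) simply has no e-data to decode.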

Kristin Thomas [MSFT]

Mar 16, 2004, 10:45:30 AM
Edward,

It sounds like you are having Kerberos over UDP issues: the packet is too
big for UDP, so it ends up fragmented and failing. Try forcing Kerberos over
TCP by following this article:

244474 How to Force Kerberos to Use TCP Instead of UDP
http://support.microsoft.com/?id=244474

Best Regards,

Kristin Thomas, MCSE, MCP
Microsoft Enterprise Network Support

Edward W. Ray (502974)

Mar 16, 2004, 11:09:39 PM
Kristin:

I made the change you suggested, the Kerberos errors subsided a little. I
was able to make the change to all but one of the XP clients, so it may be
coming from that one, I am not sure and will be unable to make the change to
that machine because the user is performing detailed simulations.

IPSec is still a mystery. The link is established between the Windows 2003
file server and the Windows 2003 DC, then fails. I get the following error
message (deletion by peer seems to be the issue; why it is deleted I do not
know):

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 547
Date: 3/16/2004
Time: 7:58:00 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: BLACKDOG
Description:
IKE security association negotiation failed.
Mode:
Key Exchange Mode (Main Mode)

Filter:
Source IP Address 192.168.1.99
Source IP Address Mask 255.255.255.255
Destination IP Address 192.168.1.102
Destination IP Address Mask 255.255.255.255
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr 192.168.1.99
IKE Peer Addr 192.168.1.102
IKE Source Port 500
IKE Destination Port 500
Peer Private Addr

Peer Identity:
Kerberos based Identity: bigdogmedina$@MMICMANHOMENET.LOCAL
Peer IP Address: 192.168.1.102

Failure Point:
Me

Failure Reason:
IKE SA deleted by peer before establishment completed

Extra Status:
Processed first (SA) payload
Initiator. Delta Time 49
0x0 0x0


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

"Kristin Thomas [MSFT]" <kth...@online.microsoft.com> wrote in message
news:coNHA32...@cpmsftngxa06.phx.gbl...
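A parser for the 547 audit in the post above, added here as an example (not code from the thread or from Microsoft; the function names are mine, and the sample is the event text copied from the post). It splits the event into its sections, reads the filter and peer identity, and classifies the failure from the audit's own fields: "IKE SA deleted by peer" means the other side tore the SA down and its own IKE audits hold the reason, while "Failure Point: Me" without a peer delete is a local rejection. The identity label also records which IKE authentication method the negotiation used, which is what the policies on both peers have to agree on.

```python
"""Parse a Windows Server 2003 IPsec IKE Failure Audit (Event ID 547) and classify it."""
import re
from typing import Dict, List

# Copied from the Failure Audit 547 posted in this thread (not constructed).
EVENT_547 = """\
IKE security association negotiation failed.
Mode:
Key Exchange Mode (Main Mode)
Filter:
Source IP Address 192.168.1.99
Source IP Address Mask 255.255.255.255
Destination IP Address 192.168.1.102
Destination IP Address Mask 255.255.255.255
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr 192.168.1.99
IKE Peer Addr 192.168.1.102
IKE Source Port 500
IKE Destination Port 500
Peer Private Addr
Peer Identity:
Kerberos based Identity: bigdogmedina$@MMICMANHOMENET.LOCAL
Peer IP Address: 192.168.1.102
Failure Point:
Me
Failure Reason:
IKE SA deleted by peer before establishment completed
Extra Status:
Processed first (SA) payload
Initiator. Delta Time 49
0x0 0x0
"""

# Filter lines are "<words> <number-or-IP>"; a key with no value (Peer Private Addr) does not match.
_FILTER_KV = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s+(\d[\d.]*)$")


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group lines under the 'Header:' line they follow; text before any header is 'summary'."""
    sections: Dict[str, List[str]] = {"summary": []}
    current = "summary"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):
            current = line[:-1]
            sections[current] = []
        else:
            sections[current].append(line)
    return sections


def parse_event_547(text: str) -> Dict[str, str]:
    """Pull out the fields that decide how to triage the failure."""
    sections = split_sections(text)
    filt: Dict[str, str] = {}
    for line in sections.get("Filter", []):
        m = _FILTER_KV.match(line)
        if m:
            filt[m.group(1)] = m.group(2)
        else:
            filt[line] = ""
    ident: Dict[str, str] = {}
    for line in sections.get("Peer Identity", []):
        key, _, val = line.partition(": ")
        ident[key] = val
    # The identity label names the IKE authentication method that was negotiated.
    auth_label = next((k for k in ident if k.endswith("Identity")), "")
    principal, _, realm = ident.get(auth_label, "").partition("@")
    return {
        "mode": " ".join(sections.get("Mode", [])),
        "local_addr": filt.get("IKE Local Addr", ""),
        "peer_addr": filt.get("IKE Peer Addr", ""),
        "auth_method": auth_label.replace(" based Identity", ""),
        "peer_principal": principal,
        "peer_realm": realm,
        "failure_point": " ".join(sections.get("Failure Point", [])),
        "failure_reason": " ".join(sections.get("Failure Reason", [])),
    }


def triage(ev: Dict[str, str]) -> str:
    """Classify where Main Mode broke, using only what the audit itself says."""
    if "deleted by peer" in ev["failure_reason"].lower():
        return "peer-deleted"    # the peer tore the SA down; its own IKE audits hold the reason
    if ev["failure_point"] == "Me":
        return "local-rejected"  # this host refused the proposal or the peer's identity
    return "other"


def is_expected_peer(ev: Dict[str, str], realm: str, method: str) -> bool:
    """Was the peer a machine account of our realm, using the auth method the policy expects?"""
    return (ev["peer_realm"].upper() == realm.upper()
            and ev["auth_method"] == method
            and ev["peer_principal"].endswith("$"))


if __name__ == "__main__":
    ev = parse_event_547(EVENT_547)
    print(triage(ev), ev["auth_method"], ev["peer_principal"], ev["peer_addr"])
```

Run over the audit above this yields `peer-deleted` with a Kerberos identity for `bigdogmedina$` at 192.168.1.102, so the next place to read is the matching audit on that DC, and the check in `is_expected_peer` is how to confirm both ends are negotiating with the same method before changing anything.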

Kristin Thomas [MSFT]

Mar 17, 2004, 9:52:40 AM
Edward,

That error looks like it can't find a valid Security Cert, try following
this article to see if it helps:

323342 HOW TO: Install a Certificate for Use with IP Security in Windows
Server
http://support.microsoft.com/?id=323342

Also have you used IPSec Monitor to try to troubleshoot this?

324269 HOW TO: Use IPSec Monitor in Windows Server 2003
http://support.microsoft.com/?id=324269


Best Regards,

Kristin Thomas, MCSE, MCP
Microsoft Enterprise Network Support

Edward Ray

Mar 17, 2004, 6:55:09 PM
Kristin:

I figured somehow it would come back to this. Last summer, while trying to
get Certificate Services to work properly, I installed and uninstalled Cert
Services on both my domain controllers plus this file server. I did not
uninstall correctly; as a result I am unable to reinstall Certificate
Services on any of the three machines. The executable is there, just grayed
out.

Tried playing with the certutil command to clean things up but I did not get
very far.

I knew a while ago this was going to require a support call and $245 to walk
me through the procedure of cleaning up my AD and ridding all certificate
entries. I was just hoping to get everything else working, including IPSec
with Kerberos authentication.

So I do not have to go through half a dozen "I forgot my password" support
people, could you direct me to a person within the MSDN support structure
who is familiar with IPSec/Certificate Services interaction and how to use
certutil properly to clean up my AD?


Thanks in advance!

Edward W. Ray


"Kristin Thomas [MSFT]" <kth...@online.microsoft.com> wrote in message
news:8PcIC%23CDE...@cpmsftngxa06.phx.gbl...

Kristin Thomas [MSFT]

Mar 25, 2004, 10:42:02 AM
Edward,

I'm sorry, I just saw this post now. I actually don't know anyone in the
MSDN area of Microsoft. With 50,000 people and several internal
organizations and sites around the world, I'm lucky I know the guy who sits
next to me in Charlotte, NC. :-) Sorry, I can't be more help.

Best Regards,

Kristin Thomas, MCSE, MCP
Microsoft Enterprise Network Support

--------------------
| From: "Edward Ray" <nob...@dufus.net>
| References: <Obev50E...@tk2msftngp13.phx.gbl> <TRZahNFC...@cpmsftngxa06.phx.gbl> <#oE48quC...@tk2msftngp13.phx.gbl> <coNHA32...@cpmsftngxa06.phx.gbl> <Oky4rW9C...@TK2MSFTNGP09.phx.gbl> <8PcIC#CDEH...@cpmsftngxa06.phx.gbl>
| Subject: AHHHHH! Certificate Services
| Date: Wed, 17 Mar 2004 15:55:09 -0800