
RE: Kerberos Authentication to VMWare...


Praveen Kumar D

Mar 4, 2009, 11:24:09 PM
When we enabled Kerberos debugging, we found the following warnings in the
LSASS.log file:

456.580> Kerb-Warn: SPN not found HTTP <systemname>.domain.local
456.580> Kerb-Warn: SpInitLsaModeContext failed to get outbound ticket,
KerbGetServiceTicket failed with 0xc000018b

Sometimes the following errors appear in the Windows Event Log:

A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 15:41:50.0000 3/4/2009 Z
Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
Extended Error: 0xc0000035 KLIN(0)
Client Realm:
Client Name:
Server Realm: <domain>
Server Name: HTTP/<domain>
Target Name: HTTP/<domain>
Error Text:
File: 9
Line: ae0
Error Data is in record data.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

A Kerberos Error Message was received:
on logon session <domain>\<user>
Client Time:
Server Time: 14:11:24.0000 3/4/2009 Z
Error Code: 0x12 KDC_ERR_CLIENT_REVOKED
Extended Error: 0xc0000072 KLIN(0)
Client Realm:
Client Name:
Server Realm: DOMAIN
Server Name: krbtgt/<domain>
Target Name: krbtgt/<domain>
Error Text:
File: e
Line: 6c0
Error Data is in record data.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

We have checked the SPN using SetSPN with -L option and see that both MOSS
and VMWare are part of the same domain.

"Praveen Kumar D" wrote:

> Hello All,
>
> We are running into authentication issues when we use Kerberos based
> authentication from MOSS webpart (installed on physical machine) when it
> communicates with web services installed on Windows Server 2003 on VMWare.
>
> Both MOSS and VMWare server are part of the same domain and use same domain
> admin credentials.
>
> Scenario: When we try to access the MOSS website which contains our webpart
> from anywhere (on a new system or from the VMWare system where web services
> are installed) we are running into authentication issues. But, when we access the
> MOSS website from MOSS system, authentication to web services installed on
> VMWare goes through and everything works fine.
>
> Environment:
> MOSS system: Windows Server 2003 R2, MOSS 2007
> VMWare system: Windows Server 2003 R2, .NET Framework 2.0
>
> Any help or inputs would be greatly appreciated.
>
> Thanks in advance.

DaveMo

Mar 5, 2009, 11:05:28 AM

On Mar 4, 8:24 pm, Praveen Kumar D <PraveenKum...@discussions.microsoft.com> wrote:
> When we enabled Kerberos debugging, we found the following warnings in the
> LSASS.log file:
>
> 456.580> Kerb-Warn: SPN not found  HTTP  <systemname>.domain.local
> 456.580> Kerb-Warn: SpInitLsaModeContext failed to get outbound ticket,
> KerbGetServiceTicket failed  with 0xc000018b
>
> Sometimes the following errors appear in the Windows Event Log:
>
> A Kerberos Error Message was received:
>          on logon session
>  Client Time:
>  Server Time: 15:41:50.0000 3/4/2009 Z
>  Error Code: 0x7  KDC_ERR_S_PRINCIPAL_UNKNOWN
>  Extended Error: 0xc0000035 KLIN(0)
>  Client Realm:
>  Client Name:
>  Server Realm: <domain>
>  Server Name: HTTP/<domain>
>  Target Name: HTTP/<domain>
>  Error Text:
>  File: 9
>  Line: ae0
>  Error Data is in record data.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
> A Kerberos Error Message was received:
>          on logon session <domain>\<user>
>  Client Time:
>  Server Time: 14:11:24.0000 3/4/2009 Z
>  Error Code: 0x12 KDC_ERR_CLIENT_REVOKED
>  Extended Error: 0xc0000072 KLIN(0)
>  Client Realm:
>  Client Name:
>  Server Realm: DOMAIN
>  Server Name: krbtgt/<domain>
>  Target Name: krbtgt/<domain>
>  Error Text:
>  File: e
>  Line: 6c0
>  Error Data is in record data.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
> We have checked the SPN using SetSPN with -L option and see that both MOSS
> and VMWare are part of the same domain.
>
>
>
> "Praveen Kumar D" wrote:
> > Hello All,
>
> > We are running into authentication issues when we use Kerberos based
> > authentication from MOSS webpart (installed on physical machine) when it
> > communicates with web services installed on Windows Server 2003 on VMWare.
>
> > Both MOSS and VMWare server are part of the same domain and use same domain
> > admin credentials.
>
> > Scenario: When we try to access the MOSS website which contains our webpart
> > from anywhere (on a new system or from the VMWare system where web services
> > are installed) we are running into authentication issues. But, when we access the
> > MOSS website from MOSS system, authentication to web services installed on
> > VMWare goes through and everything works fine.
>
> > Environment:
> > MOSS system: Windows Server 2003 R2, MOSS 2007
> > VMWare system: Windows Server 2003 R2, .NET Framework 2.0
>
> > Any help or inputs would be greatly appreciated.
>
> > Thanks in advance.

Where are you configuring Kerberos authentication to be used MOSS ->
VMWare? What you might be configuring is Negotiate and when it works
you are actually using NTLM. This would likely be the case if you
start from a session on the MOSS machine.

When you are remote, the system will try Kerberos and start that
process by trying to find an SPN. This looks to be failing, so there
is something going wrong. If you want to have additional tools to
troubleshoot this issue try the updated klist from my website
www.securitay.com/support. You can try to get a ticket directly
without going through the app layer which might help. You can also use
it to clear the SPN lookup cache which can cause problems in testing.

KDC_ERR_CLIENT_REVOKED is more puzzling because this typically
indicates that the client account has been locked out in AD. Can you
use the account to log on? Are you sure that the service account for
the VMWare "service" is really running as who you think it is?

HTH,
Dave

Praveen Kumar D

Mar 7, 2009, 8:12:01 AM
Thanks DaveMo.

We figured by looking at the event log on the domain controller server that
there were multiple SPNs defined. Once we removed one of the SPNs, Kerberos
authentication started working fine from VMWare system.

But, we ran into other issues but they are related to deleted SPS being used
by the client intranet and our web services application pool configured using
Network Services.
