Kerberos authentication fails

raul

Hello,

We have a problem authenticating a user between 2 machines in the same
domain with Kerberos. I'll try to explain our scenario.

We have a Windows 2003 Server (Enterprise Edition) acting as Domain
Controller with Sql Server 2000 Sp3 running on it. The Sql Server process
runs with a custom user domain account (SqlCustomUser) (no
Localsystem account). In the same domain we have another Windows 2003
Server with a custom Windows Service (developed with .Net) which runs
with another domain user account (ServiceCustomUser). We have
configured the Sql Server to grant access to this service user and the
service connects to Sql Server using Windows Authentication.

When our service tries to connect to a d.b., Kerberos authentication
fails after 1-2 minutes, and finally the connection is established using
NTLM. This is our conclusion after reading several articles and forums
on the web. We have tried several workarounds (Delegation, creation of
'Service Principal Names' with SetSpn.exe, ...) but we haven't got it
yet.

Any idea will be well appreciated

Raúl Truco,

More info: There isn't any firewall, the network is a standard
ethernet, and if we use Sql Authentication all works ok.
 
raul

Hello, we had the Kerberos log activated yesterday while we tested the
system. We received basically 2 kinds of event log messages. I
copy/paste (I have translated them ... they might not match the original
English labels):

Notes:
DC Server Name: GPRSServer01 (DC, Sql Server, A.Directory, ...)
Domain DNS name: distromel.gprs
Client Server Name: GPRSServer03 (when service is running)


* System Event logs in GPRSServer03
****************************************************************
An error message was received from Kerberos: in logon
Client time:
Server time: 10:33:9.0000 6/9/2004 Z
Error code: 0xd KDC_ERR_BADOPTION
Extended error: 0xc00000bb KLIN(0)
Client Domain:
Client Name:
Server domain: DISTROMEL.GPRS
Server name: host/gprsserver03.distromel.gprs
Destiny name: host/[email protected]
Error text:
File: 9
Line: ab8

* System Event logs in GPRSServer01
****************************************************************

(15 messages in a morning of the following type. I think this is
caused by other services, not ours)
An error message was received from Kerberos: in logon

Client time:
Server time: 10:47:48.0000 6/9/2004 Z
Error code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
Extended error:
Client Domain:
Client Name:
Server domain: DISTROMEL.GPRS
Server name: cifs/distromel.gprs
Destiny name: cifs/[email protected]
Error text:
File: 9
Line: ab8

(5-6 messages in a morning of the following type)
An error message was received from Kerberos: in logon

Client time:
Server time: 10:37:48.0000 6/9/2004 Z
Error code: 0xd KDC_ERR_BADOPTION
Extended error: 0xc00000bb KLIN(0)
Client Domain:
Client Name:
Server domain: DISTROMEL.GPRS
Server name: host/gprsserver01.distromel.gprs
Destiny name: host/[email protected]
Error text:
File: 9
Line: ab8

I hope it will be enough,

Thanks and best regards,
Raul Truco
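
A small parser for the kind of Kerberos error records pasted above, added here as an example (it is not from the thread's participants): it tallies failures by error name and by the service class of the requested SPN. The function names are illustrative, and the field labels follow the poster's translated event text, so they would need adjusting for the original English labels.

```python
import re
from collections import Counter

# Records abridged from the post above (translated event text); only the
# fields the parser reads are kept.
SAMPLE = """\
An error message was received from Kerberos: in logon
Server time: 10:33:9.0000 6/9/2004 Z
Error code: 0xd KDC_ERR_BADOPTION
Server name: host/gprsserver03.distromel.gprs

An error message was received from Kerberos: in logon
Server time: 10:47:48.0000 6/9/2004 Z
Error code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
Server name: cifs/distromel.gprs

An error message was received from Kerberos: in logon
Server time: 10:37:48.0000 6/9/2004 Z
Error code: 0xd KDC_ERR_BADOPTION
Server name: host/gprsserver01.distromel.gprs
"""

HEADER = "An error message was received from Kerberos"
FIELD = re.compile(r"^\s*([A-Za-z ]+?):[ \t]*(.*)$")

def parse_records(text):
    """Split pasted event text into one dict of fields per Kerberos error."""
    records = []
    for line in text.splitlines():
        if line.lstrip("* ").startswith(HEADER):
            records.append({})          # a header line opens a new record
        elif records and (m := FIELD.match(line)):
            records[-1][m.group(1).strip().lower()] = m.group(2).strip()
    return records

def summarize(records):
    """Count failures per (error name, SPN service class, target host)."""
    tally = Counter()
    for r in records:
        code = r.get("error code", "")
        name = code.split()[-1] if code else "UNKNOWN"
        svc, _, host = r.get("server name", "").partition("/")
        tally[(name, svc.lower(), host.lower())] += 1
    return tally

def service_classes(records):
    """Service classes (text before '/') of every SPN that failed."""
    return {r["server name"].partition("/")[0].lower()
            for r in records if r.get("server name")}
```

SQL Server registers its SPN under the MSSQLSvc service class, so the set returned by `service_classes` shows at a glance whether any logged failure concerns the database connection; for the records above it contains only `host` and `cifs`.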
 
Steven L Umbach

I wish I could be more help, but I don't know offhand what the problem could
be. I did find another link that may help that also includes a white paper
on troubleshooting Kerberos errors. It may also be worthwhile searching
http://google.com web and groups for those error messages and
http://eventid.net is a great place to find info about particular events
found in the logs in Event Viewer. --- Steve

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx
 
