Security Event 676 - Kerberos Failure Code 6


Jeff Smyrski

Failure Code 0x6 - KB 326985
"Client Not Found in Kerberos Database"

I am getting about 50 of these errors at my Domain
Controller, in the security log. Event ID 676.

The machine that is being reported is a brand new HP d530
with Windows XP Pro installed, OEM. I have only
performed the following steps on that machine: I
configured the IP and then joined the domain (a machine
with the same IP was a member of it at one point in time
and was not previously removed, but rather deleted in
Active Directory/DNS/WINS).

After joining the domain, rebooting a couple of times,
and logging in as the administrator, I get these errors
at the Domain Controller. It seems to take the policies
on the first login: Domain Policy and the
Organizational Unit policy for the group the
Administrators are in (i.e. Windows 2000 Admin Tools
publish).

At the same time, I am getting errors on the client
workstation, Userenv Event ID 1053 "Windows cannot
determine the user or computer name. (Access Denied)"

Even though I sign into the domain...

The next error on the client after that one, is Userenv
Event ID 1058, which points to the inability to connect
to the domain SYSVOL where policies are stored.

And finally after that error, there is another Userenv
Event ID 1030, which basically says "Windows cannot
query for the list of Group Policy objects".

I went to TechNet chat for support; they found all sorts
of KBs talking about Kerberos, but nothing on how to
resolve this issue.

Please let me know.

Jeff Smyrski
 
Hi Jeff. Run netdiag and dcdiag on the domain controller to check its health,
looking for any failed tests. Then run netdiag on the problem machine looking for
failed tests, using the debug switch for more info, and be sure NO ISP DNS servers
are ever listed in the TCP/IP properties of a domain member. I don't know the
problem offhand, but a couple of things: first, make sure that these computers are
in time sync with the domain, because Kerberos only has a 5 minute skew tolerance
by default; make sure the ICF firewall is disabled on XP machines; there are issues
with SMB signing in a W2K network, so in the Domain Controller Security Policy try
disabling all four settings in Security Options for "digitally sign
communications"; and also there may be an issue with Kerberos using UDP - see the
KB link below. --- Steve

http://support.microsoft.com/?kbid=244474
http://www.jsiinc.com/SUBL/tip5800/rh5874.htm
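As an added example that is not part of the original thread: a small Python script that applies two of the checks Steve lists to an exported security log. It pulls the event 676 records out of a text export, maps each Failure Code to its Kerberos error (0x6 is KDC_ERR_C_PRINCIPAL_UNKNOWN, the code in Jeff's post; 0x25 is KRB_AP_ERR_SKEW, what a more-than-five-minute clock offset produces), counts repeats per client address and account so that a machine hammering the KDC stands out, and carries the five-minute skew rule as a function. The log excerpt, the host name HPD530$, the realm and the addresses are constructed; the field names are the ones a Windows 2000 DC writes in the event 676 description. Failure code 0x19 (pre-authentication required) is filtered out because it is the normal first leg of a Windows AS exchange, not an error to chase.

```python
"""Triage Security event 676 (Kerberos AS request failed) from a text export.
Added example for this thread, not code from the original posts. The sample
log, host name, realm and addresses are constructed."""
import re
from collections import Counter

# Kerberos error numbers as written (in hex) in the event's "Failure Code".
KRB_ERRORS = {
    0x6: "KDC_ERR_C_PRINCIPAL_UNKNOWN (client not found in Kerberos database)",
    0x7: "KDC_ERR_S_PRINCIPAL_UNKNOWN (server not found in Kerberos database)",
    0x18: "KDC_ERR_PREAUTH_FAILED (bad password)",
    0x19: "KDC_ERR_PREAUTH_REQUIRED (KDC asks for pre-authentication)",
    0x25: "KRB_AP_ERR_SKEW (clock skew too great)",
}
BENIGN = {0x19}  # routine first leg of an AS exchange on Windows, not a fault
KERBEROS_MAX_SKEW_SECONDS = 5 * 60  # default tolerance, as noted in the thread

# Constructed sample in the style of Event Viewer's "Save as text" export.
SAMPLE_LOG = """\
Event ID: 676
Time: 8:12:01 AM
User Name: HPD530$
Failure Code: 0x6
Client Address: 192.168.1.50

Event ID: 676
Time: 8:12:05 AM
User Name: administrator
Failure Code: 0x19
Client Address: 192.168.1.50

Event ID: 676
Time: 8:13:44 AM
User Name: HPD530$
Failure Code: 0x6
Client Address: 192.168.1.50

Event ID: 676
Time: 8:20:10 AM
User Name: jsmith
Failure Code: 0x25
Client Address: 192.168.1.77
"""

FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")


def parse_events(text):
    """Split a text export into blank-line separated records; keep event 676."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            m = FIELD.match(line)
            if m:
                rec[m.group(1).strip()] = m.group(2)
        if rec.get("Event ID") == "676":
            rec["code"] = int(rec["Failure Code"], 16)
            events.append(rec)
    return events


def triage(events):
    """Count non-benign failures per (client, account, code) with a verdict."""
    counts = Counter((e["Client Address"], e["User Name"], e["code"])
                     for e in events if e["code"] not in BENIGN)
    findings = []
    for (addr, user, code), n in sorted(counts.items()):
        if code == 0x6 and user.endswith("$"):   # "$" marks a computer account
            verdict = ("KDC has no computer account by this name: deleted, "
                       "not yet replicated to this DC, or never created")
        elif code == 0x6:
            verdict = "no such user principal in this realm: check name/realm"
        elif code == 0x25:
            verdict = "client clock outside the KDC skew tolerance: resync time"
        else:
            verdict = KRB_ERRORS.get(code, "unknown failure code")
        findings.append({"client": addr, "account": user, "code": code,
                         "count": n, "verdict": verdict})
    return findings


def within_kerberos_skew(offset_seconds, tolerance=KERBEROS_MAX_SKEW_SECONDS):
    """True if a client/KDC clock offset is inside the tolerance; beyond it the
    KDC answers KRB_AP_ERR_SKEW (0x25) until the clock is corrected."""
    return abs(offset_seconds) <= tolerance


if __name__ == "__main__":
    for f in triage(parse_events(SAMPLE_LOG)):
        print(f"{f['client']:<15} {f['account']:<14} 0x{f['code']:x} x{f['count']}  "
              f"{KRB_ERRORS.get(f['code'], '?')}\n    -> {f['verdict']}")
    print("skew 299s ok:", within_kerberos_skew(299),
          "| 301s ok:", within_kerberos_skew(301))
```

Run as-is to see the findings for the constructed sample; to use it on a real log, save the DC's security log as text from Event Viewer and put that text in place of SAMPLE_LOG. The grouping by client address and account is the useful part: two 0x6 failures for the same computer account from the same address, with no skew or bad-password codes mixed in, point at the account rather than at the network.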
 
Okay, here is what I tried this morning (10/6). The Admin was left signed in
over the weekend, and the machine went to standby...so after waking it up
and rebooting, the event log showed the usual Userenv 1030/1058 errors.
BUT, after logging back in and rebooting several times, the error has not
surfaced again.

Here is my theory...I was having a heck of a time with DNS errors between two
of my domain controllers, which included getting my forwarders to work
properly from the internal DNS server to the ISP DNS servers...my other DC
was a proxy server which had the internal DNS server, as well as the ISP DNS
entries, configured. Last Thursday or Wednesday, I think I got this
resolved. My theory is this: could it have taken several days for the two
servers to get synced up? Because this morning everything worked
fine...note I did do two other things...but I don't think they have an impact
on this...it was after these two steps that I noticed the error was gone.

#1) In Active Directory, for the group that my Admin account is in there
were group policies; one was standard web URLs for all users on the network.
Under the Domain Admins and Enterprise Admins, the Apply Group Policy was
NOT checked for applying; HOWEVER, it was checked to DENY the policy for the
admins in both cases...I removed the Deny check mark. So now the admins
have the same URLs in that group.

#2) Here is the interesting part...I went to the Domain Controller as you
requested and ran NETDIAG.EXE and sent the output to a text file, and also
DCDIAG.EXE and sent the output to a text file...I did not note anything
that was an error (only the gateway of the Domain Controller was configured to
the firewall, which only allows 53 out for this particular machine.) SO
I expected this.

So I proceeded to go to this client machine and run the netdiag tool,
but it was not a recognized program...(no tools installed), so I installed
the Windows 2000 Support Tools. But in attempting to run the netdiag
command, I get the following error:

The procedure entry point DnsGetPrimaryDomainName_UTF8 could not be
located in the dynamic link library DNSAPI.dll.

I suspect, and will test this, that because this is XP I have to install the
Windows 2003 Support Tools in order for this to work.

The only other thing I can think of in regards to this was that Friday
afternoon I synchronized the time to the time server, and maybe, as you said,
something was out of sync there? Although after I did the net time /set it
was the same, but I still had errors. When a machine is out of sync like
this, does the server block access for a specified amount of time, kind of
like a blacklist until a later time? (stretching, huh?)

Let me know what you think.

Thanks
Jeff Smyrski
 
Hi Jeff. I will post a reply this evening - busy at work now argh! ---
Steve
 
Hi Jeff. You have a somewhat unusual configuration with the domain
controller also being the proxy server. My top choice for there being a
problem would be DNS configuration. DNS issues can cause a lot of problems
in an Active Directory domain. Make sure your domain controllers only have
each other listed as DNS servers by TCP/IP address in the zone properties
and that the IP address on the proxy DC is the internal LAN address. I
would also check the SOA record for the zone to see if the serial numbers
match. If problems persist you may want to look at the proxy DC in Network
and Dial-up Connections, Advanced/Advanced, to see if the internal LAN adapter
is listed at the top. Also check the Event Viewer for DNS errors. Since you
have an unusual setup, you may want to post in the win2000.active_directory
group if your errors do not stop. See the link below for some good info on
DNS.
http://support.microsoft.com/default.aspx?scid=kb;en-us;291382

I would not think that it would take that long for a DNS problem to clear up
unless you changed options in the DHCP scope, in which case it possibly could
take a while. I doubt the URL setting had anything to do with the problem,
and yes, the error you saw using netdiag was the result of using the wrong
version for the operating system. Netdiag is also available for XP on the
install disk under the support/tools folder, where you have to install the
support tools, and is a great tool to use on a domain member when problems
like this come up. The time sync would only matter if the time skew between
the domain controller and a domain member was off by more than five minutes,
which could occur if a computer had not been connected to the network for a
long time or it had a really bad clock in it - netdiag would show a failed
Kerberos test. I don't know how often Kerberos would try, but until the skew
was corrected there could not be authentication with Kerberos. Anyhow, glad
the problem was corrected and hope it stays that way. --- Steve
 