none
MAP tool only works when connecting to single machines, not when mass-checking (possible Kerberos error) RRS feed

  • Question

  • Hi,

    we have a problem that the tool fails when we try to invetory the whole list of computers in our AD. When we try to inventor single PCs, it works fine.
    The only obvious error we have seen so far is in the Event Log File on the MAP-(server) side:

    The kerberos client received a KRB_AP_ERR_MODIFIED error from the server MXXX081$.  This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (AD.COMPANY.DE), and the client realm.  
    Please contact your system administrator.

    Any idea would be appreciated,
    Torsten.
    Thursday, November 12, 2009 9:15 AM

All replies

  • When the tool fails what is the error message you get?   I assume its failure to connect during the inventory.  If this is the case take a look at the 2nd column of your inventory report, which shows WMI status, what errors are listed here?  If this isn’t the case, let me know what exactly  your seeing.

     

    Did you take the steps for preparing your environment in the Getting Started guide?

     

    Also, in your MAPS\bin\log folder there will be a log which may have a better indicating error message.

     

    Let me know what you find out.

     

    -Eric

    Thursday, November 12, 2009 4:55 PM
  • Hi Eric,

    that is the interesting part: in the inventory report, the error message is "Failed, other reasons". We also thought about the firewall settings, but firewall is disabled; that also seems to be right as the inventory scan works, when we put a few PC-names in a text file and run the inventory only for those.

    I checked the log file in bin/log/, but it does not provide any hint regarding failures, at least nothing obvious (is there a way to change tracing level :).

    Any other idea?

    Thanks,
    Torsten.
    Friday, November 13, 2009 2:11 PM
  • Hi Torsten,

     

    There are a couple of steps outlined in the Getting Started Guide on configuring target machines: http://go.microsoft.com/fwlink/?LinkID=158015

     

    Also, here’s a video that describes using the WBEMTEST tool to help diagnose connectivity issues, use this from the machine where MAP is installed to try to connect to some of the machines giving the failure message:

    http://www.youtube.com/watch?v=Xtxo8re2_9w

     

    -Eric

    Friday, November 13, 2009 5:04 PM
  • Hi Eric,

    I did the test with wbemtest as described in the video. It succeeds perfectly for selected computers (as MAP tool does when connecting to single PCs), but MAP tool returns "Failed - Other Reasons" when checking all PCs in the domain. I suspect some mass-connectivity problem.

    As written above, I found lots of system events regarding the Kerberos and DCOM connection error (two errors per analysed PC - events 4 and 10009), and a general error indicating the MAP tool opened too many TCP/IP connections (event 4226).

    I'm running the tool with Windows XP Pro.

    [edit]

    and now a new error (LSASRV, event 40960):
    "Das Sicherheitssystem hat einen versuchten Herunterstufungsangriff für den Server RPCSS/xxxx111 festgestellt. Der Fehlercode des Authentifizierungsprotokolls Kerberos war "Das Benutzerkonto wurde automatisch gesperrt, da zu viele ungültige Anmeldeversuche oder zu viele ungültige Anforderungen zur Kennwortänderung durchgeführt wurden. (0xc0000234)".

    [translation: The security system detected a downgrade-attack for the server RPCSS/xxxx111. The errorcode of the autheticationprotocol Kerberos was "The useraccount was automatically blocked due to too many connection-tries or too many invalid requests for password changes (0xc0000234)"]

    xxxx111 is one of the computers to be analysed.


    BR, Torsten.
    Wednesday, November 18, 2009 11:14 AM
  • Which version of MAPS are you running?

     

    If you are not running the latest CPT build, can you please attempt this again after you have installed the CPT build.  This build has increased logging and a few other fixs which may help us get to the bottom of your issues.

     

    Thanks.

     

    ·         NEW! Microsoft Assessment and Planning Toolkit 5.0 Community Technical Preview (CTP) is now available.


    Register for the MAP Toolkit 5.0 CTP and download. (Live ID required)

    Wednesday, November 18, 2009 7:17 PM
  • Also the new tool does not behave much different. In every scan only a few computers are analysed, so I need to run the tool again and again.

    Instead of further troubleshooting, I set-up a Windows 7 machine to do the assessment, and it looks like that now it runs much better than using Windows XP.

    BR,
    Torsten.
    Thursday, November 19, 2009 1:44 PM
  • Well as long as your are  running fine enough.

     

    Do let us know if there is anything you would like to fix/figure out.

     

    Thanks,

    Eric

    Thursday, November 19, 2009 5:54 PM