Kerberos error in NLB environment

  • Question

  • Hi,

    Has anyone got this error in the context of Moss2007 SP2, NLB, Win2k8r2 64-bit and Kerberos?

    I get this error only on one server, host2.

    Log Name:      System
    Source:        Microsoft-Windows-Security-Kerberos
    Date:          17.11.2010 04:37:52
    Event ID:      3
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      host2.gtv.grp
    Description:
    A Kerberos Error Message was received:
     on logon session
     Client Time:
     Server Time: 3:38:7.0000 11/17/2010 Z
     Error Code: 0x7  KDC_ERR_S_PRINCIPAL_UNKNOWN
     Extended Error: 0xc0000035 KLIN(0)
     Client Realm:
     Client Name:
     Server Realm: domain.GRP
     Server Name: HTTP/host1.domain.grp
     Target Name: HTTP/host1.domain.grp@domain.GRP
     Error Text:
     File: 9
     Line: efb
     Error Data is in record data.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Kerberos" Guid="{98E6CFCB-EE0A-41E0-A57B-622D4E1B30B1}" EventSourceName="Kerberos" />
        <EventID Qualifiers="32768">3</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2010-11-17T03:37:52.000000000Z" />
        <EventRecordID>31906</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>System</Channel>
        <Computer>host2.domain.grp</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="LogonSession">
        </Data>
        <Data Name="ClientTime">
        </Data>
        <Data Name="ServerTime">3:38:7.0000 11/17/2010 Z</Data>
        <Data Name="ErrorCode">0x7</Data>
        <Data Name="ErrorMessage"> KDC_ERR_S_PRINCIPAL_UNKNOWN</Data>
        <Data Name="ExtendedError">0xc0000035 KLIN(0)</Data>
        <Data Name="ClientRealm">
        </Data>
        <Data Name="ClientName">
        </Data>
        <Data Name="ServerRealm">DOMAIN.GRP</Data>
        <Data Name="ServerName">HTTP/host1.domain.grp</Data>
        <Data Name="TargetName">HTTP/host1.domain.grp@domain.GRP</Data>
        <Data Name="ErrorText">
        </Data>
        <Data Name="File">9</Data>
        <Data Name="Line">efb</Data>
        <Binary>3015A103020103A20E040C350000C00000000001000000</Binary>
      </EventData>
    </Event>

    best regards,

    Knut

    Wednesday, November 17, 2010 8:26 AM

Answers

  • The KDC_ERR_S_PRINCIPAL_UNKNOWN is described at http://www.windowsecurity.com/articles/Troubleshooting-Kerberos-SharePoint-environment-Part1.html

    "...As the SPN missing the Active Directory will send a KDC_ERR_S_PRINCIPAL_UNKNOWN. This is the message saying that the Active Directory cannot find a matching SPN for this website...."

    (found by google search, very handy)

     Server Name: HTTP/host1.domain.grp
     Target Name: HTTP/host1.domain.grp@domain.GRP


    /bac
    • Marked as answer by Lily Wu Thursday, December 2, 2010 8:56 AM
    Wednesday, November 17, 2010 1:09 PM
  • Hi Knut,

    1. An Event ID 3 entry about a Kerberos error with the error code "Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN" for Server Name will be logged when a share access is made against a server IP address and not a server name. If the error is logged, the Windows client automatically tries to fall back to NTLM authentication for the user account. If this operation works, you receive no error.

    Please disable Kerberos logging to stop throwing these errors.

    2. "Duplicate SPN found, aborting operation!" means you no longer have to depend upon boggling commands using LDIFDE or your own custom scripts to find out the duplicate SPNs.

    For details please see http://blogs.msdn.com/b/saurabh_singh/archive/2009/01/09/new-features-in-setspn-exe-on-windows-server-2008.aspx


    Best regards, Emir
    • Marked as answer by Lily Wu Thursday, December 2, 2010 8:56 AM
    Tuesday, November 23, 2010 11:13 AM

All replies

  • Hi Bob,

    The confusing thing is that the SPNs are in place.

    C:\Users\mossadm-p>setspn -l Service_MossAppPoolp

            http/host2.domain.grp
            http/host2
            http/host1.domain.grp
            http/host1

    Knut

    Wednesday, November 17, 2010 2:47 PM
  • Did you provide the full domain\username when you specified the setspn command?  


    /bac
    Wednesday, November 17, 2010 3:15 PM
  • Yepp

    Wednesday, November 17, 2010 6:53 PM
  • You should also try the SETSPN -X to search for duplicates.  Likewise, use the -S for adds, as it tests for dupes.
    /bac
    Wednesday, November 17, 2010 7:47 PM
  • Also, have you researched the delegconfig tool?  This may be useful for troubleshooting.

    /bac
    Wednesday, November 17, 2010 7:50 PM
  • Hi Bob,

    I did execute the setspn command.

    C:\Users\mossadm-p>setspn -S http/v-st-n002-p v-st-n002-p
    Checking domain DC=gtv,DC=grp
    CN=Service_MossAppPool-p,OU=ServiceAccounts,OU=Administration,DC=domain,DC=grp
            http/v-st-n002-p.domain.grp
            http/v-st-n002-p
            http/v-st-n001-p.domain.grp
            http/v-st-n001-p
    CN=mossadm-p,OU=ServiceAccounts,OU=Administration,DC=domain,DC=grp
            http/v-st-n002-p.domain.grp
            http/v-st-n002-p
            http/v-st-n001-p.domain.grp
            http/v-st-n001-p

    Duplicate SPN found, aborting operation!

    The mossadm-p account is the server farm account for MOSS and Service_MossAppPool-p is the PortalPool account.

    I still don't get it.

    Knut

    Thursday, November 18, 2010 7:37 AM
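    The setspn -S output above shows the same http/ SPNs on both the application pool account and the farm account, which is exactly the "Duplicate SPN found" condition Emir's reply refers to. The following script is an added example, not code from the thread: it enumerates every SPN in the domain, reports any held by more than one account (the check setspn -X performs), and shows which account(s) answer for the SPN named in the Kerberos event. It assumes the ActiveDirectory PowerShell module and read access to the domain; the SPN value is the one from the question.

    ```powershell
    # Added example, not from the thread: enumerate every SPN in the domain, report
    # the ones registered on more than one account (the condition setspn -S refused
    # above), and show who holds the SPN named in the Kerberos event.
    # Assumes the ActiveDirectory module (RSAT) and read access to the domain.
    Import-Module ActiveDirectory

    # SPN from the event's "Server Name" line; replace with the one you are chasing.
    $spnToCheck = 'HTTP/host1.domain.grp'

    # Every object (user, computer, managed service account) carrying an SPN.
    $holders = Get-ADObject -LDAPFilter '(servicePrincipalName=*)' `
                            -Properties servicePrincipalName

    # Map SPN -> list of account DNs. The KDC matches SPNs case-insensitively,
    # so http/host1.domain.grp and HTTP/host1.domain.grp are the same key.
    $bySpn = @{}
    foreach ($obj in $holders) {
        foreach ($spn in $obj.servicePrincipalName) {
            $key = $spn.ToLowerInvariant()
            if (-not $bySpn.ContainsKey($key)) { $bySpn[$key] = @() }
            $bySpn[$key] += $obj.DistinguishedName
        }
    }

    # Same check setspn -X performs: any SPN held by two or more accounts.
    $dupes = @($bySpn.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 })
    if ($dupes.Count -eq 0) {
        Write-Output 'No duplicate SPNs found.'
    } else {
        Write-Output 'Duplicate SPNs (the KDC cannot choose a single account for these):'
        foreach ($d in $dupes) {
            Write-Output ('  {0}' -f $d.Key)
            foreach ($dn in $d.Value) { Write-Output ('      {0}' -f $dn) }
        }
    }

    # Which account(s) answer for the SPN the client asked for.
    $owners = $bySpn[$spnToCheck.ToLowerInvariant()]
    if ($null -eq $owners) { $owners = @() }
    switch ($owners.Count) {
        0       { Write-Output ('{0} is not registered on any account.' -f $spnToCheck) }
        1       { Write-Output ('{0} is registered once, on {1}.' -f $spnToCheck, $owners[0]) }
        default { Write-Output ('{0} is on {1} accounts; keep it only on the account the application pool runs as.' -f $spnToCheck, $owners.Count) }
    }
    ```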
  • Definitely resolve the SPNs, but also, here are more of my notes on verifying the config in IIS using the IIS Admin Pack Configuration Editor.

    1. Our IIS7 configuration had two issues which were clarified via the IIS Admin Pack Configuration Editor (http://www.iis.net/download/administrationpack):
       1. providers: this was suspect during test 3, so we were on the right track, but using the IIS Admin Pack made the process of editing these changes more straightforward.
       2. useAppPoolCredentials: the IIS Admin Pack Config Editor made it clear this was not set as expected, and made editing simple.

    2. After installing the IIS7 Admin Pack:
       1. Select the site in question, and under Features View, Management you will see Configuration Editor. Run it.
       2. Select ApplicationHost.config for the From: selector.
       3. Navigate to system.webServer/security/authentication/windowsAuthentication.
       4. Note the providers and useAppPoolCredentials.
       5. Click the ellipsis next to providers to open the collection editor.
       6. Update providers. Delete all entries, then re-add Negotiate first, then NTLM (case sensitive), close the collection editor and click Apply to save the changes. Note: you could also use the Generate Script option to make the necessary change scripts for use later.
       7. Change useAppPoolCredentials to True. Click Apply to save the change.

    3. View the settings using From: www.yoursite.com Web.Config. We don't want the web.config to override and possibly alter these settings. Use the From selector to verify these are not overridden.

    /bac
    Thursday, December 2, 2010 2:01 PM
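    The check in the post above can be done without clicking through the Configuration Editor. The script below is an added example, not code from the thread or from the IIS Admin Pack: it reads the effective windowsAuthentication settings for one site (applicationHost.config merged with the site's web.config, so an override in web.config shows up as a wrong value here) and flags a wrong provider order or useAppPoolCredentials not being True. It assumes the WebAdministration module (IIS 7 on Windows Server 2008 R2) and a site name of 'SharePoint - 80', which is a placeholder.

    ```powershell
    # Added example, not from the thread: read the effective windowsAuthentication
    # settings for a site and flag the two mistakes the post above fixes by hand
    # (wrong provider order and useAppPoolCredentials not True). Assumes the
    # WebAdministration module (IIS 7 on Windows Server 2008 R2) and a site name.
    Import-Module WebAdministration

    $site   = 'SharePoint - 80'   # assumed site name; replace with your web application
    $psPath = "IIS:\Sites\$site"  # effective config: applicationHost.config merged with web.config
    $filter = 'system.webServer/security/authentication/windowsAuthentication'

    # Simple attributes come back wrapped in an object with a .Value property.
    function Get-AttrValue($attr) {
        if ($null -ne $attr -and $attr.PSObject.Properties['Value']) { return $attr.Value }
        return $attr
    }

    $enabled   = [bool](Get-AttrValue (Get-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name enabled))
    $poolCreds = [bool](Get-AttrValue (Get-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name useAppPoolCredentials))
    $providers = @(Get-WebConfiguration -PSPath $psPath -Filter "$filter/providers/add" | ForEach-Object { $_.value })

    # Expected: Negotiate offered first so Kerberos is tried, NTLM only as fallback.
    # Provider names are case sensitive, hence -cne.
    $expected = @('Negotiate', 'NTLM')
    $orderOk  = ($providers.Count -eq $expected.Count)
    for ($i = 0; $orderOk -and $i -lt $expected.Count; $i++) {
        if ($providers[$i] -cne $expected[$i]) { $orderOk = $false }
    }

    Write-Output ('Site:                  {0}' -f $site)
    Write-Output ('Windows auth enabled:  {0}' -f $enabled)
    Write-Output ('providers:             {0}' -f ($providers -join ', '))
    Write-Output ('useAppPoolCredentials: {0}' -f $poolCreds)

    $problems = @()
    if (-not $enabled)   { $problems += 'Windows authentication is disabled on this site.' }
    if (-not $orderOk)   { $problems += 'providers must be exactly Negotiate, NTLM in that order.' }
    if (-not $poolCreds) { $problems += 'useAppPoolCredentials must be True so the app pool identity, not the machine account, decrypts the service ticket.' }

    if ($problems.Count -eq 0) {
        Write-Output 'windowsAuthentication matches the expected Kerberos configuration.'
    } else {
        $problems | ForEach-Object { Write-Output ('PROBLEM: {0}' -f $_) }
    }
    ```

    Run it on each NLB node; a node whose output differs from the others is the one to look at first.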