KERBEROS AUTHENTICATION ERRORS ON DOMAIN CONTROLLER Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN AND Error Code: 0xd KDC_ERR_BADOPTION

    Question

  • I am getting the following errors on my domain controllers in the system log, every five minutes or during the time I log in to my domain controller.

    Please update me if there is any fix for this issue.


    A Kerberos Error Message was received:
             on logon session
     Client Time:
     Server Time: 8:42:59.0000 4/12/2009 Z
     Error Code: 0x7  KDC_ERR_S_PRINCIPAL_UNKNOWN
     Extended Error:
     Client Realm:
     Client Name:
     Server Realm: nbk.COM.KW
     Server Name: nbkDC01.nbk.COM.KW
     Target Name: nbkDC01.nbk.COM.KW@nbk.COM.KW
     Error Text:
     File: 9
     Line: ae0
     Error Data is in record data.

    -------------------------------------------------------------
    The second error is below; both of them come together.
    A Kerberos Error Message was received:
             on logon session
     Client Time:
     Server Time: 8:51:10.0000 4/12/2009 Z
     Error Code: 0xd KDC_ERR_BADOPTION
     Extended Error: 0xc00000bb KLIN(0)
     Client Realm:
     Client Name:
     Server Realm: nbk.COM.KW
     Server Name: host/nbkdc01.nbk.com.kw
     Target Name: host/nbkdc01.nbk.com.kw@nbk.COM.KW
     Error Text:
     File: 9
     Line: ae0
     Error Data is in record data.

    Sunday, April 12, 2009 9:03 AM

Answers

  • Hi,

    Thank you for the update. From the log file, it seems that Kerberos logging is enabled. If there are no other issues, we can safely ignore those errors. I suggest disabling Kerberos logging to solve this issue.

    Click Start, click Run, type "regedit", navigate to:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

    Add or edit the following key.

    Registry Value: LogLevel
    Value Type: REG_DWORD
    Value Data: 0x0

    After that, restart the server to test.

    Thanks.

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Tuesday, April 14, 2009 3:36 AM
    Moderator

All replies

  • Another funny thing is that I turned on this registry value to turn on LogLevel and I see the same error on a test domain, so it must be there with all Active Directory domains. This is a problem in Kerberos authentication by default, but it is not displayed to everyone since the LogLevel registry value is not there by default, and mine was turned on since I turned on the auditing feature.

    Anyway, if a Microsoft specialist has some idea, or if you can re-create this problem, let us know.

    Regards,

    Salman Gilani

    Sunday, April 12, 2009 9:38 AM
  • Hi,

    This error may be caused by incorrect SPNs, please try the suggestions in the following articles for troubleshooting.

    Service Logons Fail Due to Incorrectly Set SPNs
    http://technet.microsoft.com/en-us/library/cc772897.aspx

    Regarding error 0xd KDC_ERR_BADOPTION, please find the error in the following documents and try the suggestions.

    Troubleshooting Kerberos Errors
    http://download.microsoft.com/download/5/9/c/59c349f5-f0c8-4b9e-9f70-dbc5f2a8c330/Troubleshooting_Kerberos_Errors.DOC

    If the error persists, please help to collect the following information for research.

    A.  Download MPS Reporting Tool (MPSRPT_PFE.EXE) from the following link:
    (http://www.microsoft.com/downloads/details.aspx?FamilyID=00ad0eac-720f-4441-9ef6-ea9f657b5c2f&DisplayLang=en)

    Please note: The link may be truncated when you read the E-mail. Be sure to include all text between '(' and ')' when navigating to the download location.

    B. Right-click MPSRPT_PFE.EXE and select Run as Administrator to run this tool, and you will see a Command Window start up.

    C. Please type Y at the message <Include the MSINFO32 report? (defaults to Y in 15 seconds)[Y,N]?>

    D. When the tool is done you will see an Explorer Window opening up the %systemroot%\MPSReports\Setup\Reports\cab folder and containing a <Computername>MPSReports.cab file. After collecting, please use Windows Live SkyDrive (http://www.skydrive.live.com/) to upload the file and then give me the download address.

    Thanks.

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Monday, April 13, 2009 7:44 AM
    Moderator
  • Hi

    I have a similar issue; the event log is full of these errors.

    Do you have any advice for that?

    A Kerberos Error Message was received:
     on logon session 
     Client Time: 
     Server Time: 13:28:34.0000 11/2/2010 Z
     Error Code: 0x7  KDC_ERR_S_PRINCIPAL_UNKNOWN
     Extended Error: 0xc0000035 KLIN(0)
     Client Realm: 
     Client Name: 
     Server Realm: cantos.int
     Server Name: MSSQLSvc/kashmir.cantos.int:23846
     Target Name: MSSQLSvc/kashmir.cantos.int:23846@cantos.int
     Error Text: 
     File: 9
     Line: e2d
     Error Data is in record data.
    Tuesday, November 2, 2010 4:47 PM
  • Use dsa.msc

    1. Search for the DC computer object.

    2. Select the Delegation tab. What has been set? It should be set to "Trust this computer for delegation to any service (Kerberos only)".

    3. Open ADSI Edit, find the DC, select Properties, scroll down to servicePrincipalName. What records are present?

    • Proposed as answer by Wayne evans Monday, June 6, 2011 5:37 PM
    Tuesday, November 2, 2010 6:04 PM
  • If I find "Do not trust this computer for delegation" checked

    and I'm getting multiple errors like below, what does that mean?

    Error Code: 0xd KDC_ERR_BADOPTION
     Extended Error: 0xc00000bb KLIN(0)
     Client Realm:
     Client Name:
     Server Realm: UCAAS.LOCAL
     Server Name: xxx505$@UC.LOCAL
     Target Name: xxx505$@UC.LOCAL@UC.LOCAL
     Error Text:
     File: 9
     Line: e2d

    Error Code: 0xe KDC_ERR_ETYPE_NOTSUPP
     Extended Error:
     Client Realm:
     Client Name:
     Server Realm: UC.LOCAL
     Server Name: krbtgt/UC.LOCAL
     Target Name: krbtgt/UC.LOCAL@UC.LOCAL

    Error Code: 0x19 KDC_ERR_PREAUTH_REQUIRED
     Extended Error:
     Client Realm:
     Client Name:
     Server Realm: UC.LOCAL
     Server Name: krbtgt/UC.LOCAL
     Target Name: krbtgt/UC.LOCAL@UC.LOCAL

    • Proposed as answer by Arkturas Wednesday, November 3, 2010 9:42 AM
    Wednesday, November 3, 2010 1:46 AM
  • Have a look at this regarding your error: http://technet.microsoft.com/en-us/library/cc738673(WS.10).aspx

     

    • Proposed as answer by Arkturas Wednesday, November 3, 2010 9:52 AM
    Wednesday, November 3, 2010 9:50 AM
  • In PowerShell:

    Get-ADComputer -Filter 'servicePrincipalName -like "nbkDC01.nbk.COM.KW@nbk.COM.KW"'

    You get the path where the error is, like this: DistinguishedName : CN=xxxx,OU=xxxx,OU=xxxxxx,DC=domain,DC=COM

    Go to ADSI Edit, find this container, right-click Properties, find servicePrincipalName, double-click and fix your error (remove or edit the error line).

    Wednesday, December 7, 2016 4:47 PM
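
Added example, not part of any post in this thread: it reads the Error Code and Server Name out of the event text and, for 0x7, counts how many accounts in the current domain hold that servicePrincipalName. The function names Get-KerberosErrorField and Test-SpnRegistration are hypothetical, and Get-ADObject assumes the ActiveDirectory module (RSAT) is installed.

```powershell
# Added example; function names are hypothetical. Needs the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Event text pasted from the System log (this sample is taken from a post above).
$eventText = @'
 Error Code: 0x7  KDC_ERR_S_PRINCIPAL_UNKNOWN
 Extended Error: 0xc0000035 KLIN(0)
 Client Name:
 Server Realm: cantos.int
 Server Name: MSSQLSvc/kashmir.cantos.int:23846
'@

function Get-KerberosErrorField {
    param([string]$Text, [string]$Field)
    # [ \t]* (not \s*) so an empty field such as "Client Name:" does not swallow the next line
    $pattern = '(?m)^[ \t]*' + [regex]::Escape($Field) + ':[ \t]*(\S[^\r\n]*)'
    if ($Text -match $pattern) { $Matches[1].Trim() }
}

function Test-SpnRegistration {
    param([Parameter(Mandatory)][string]$ServerName)
    # Drop a trailing @REALM if the name was copied from the "Target Name" line
    $spn = ($ServerName -split '@')[0]
    # Escape LDAP filter metacharacters before building the filter
    $escaped = $spn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    # Searches the current domain only; query a global catalog to cover the whole forest
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$escaped)")
    $state = switch ($holders.Count) {
        0       { 'NotRegistered' }  # no account holds the SPN
        1       { 'Unique' }
        default { 'Duplicate' }      # more than one account holds the same SPN
    }
    [pscustomobject]@{
        Spn     = $spn
        State   = $state
        Holders = $holders | ForEach-Object { $_.DistinguishedName }
    }
}

$code   = Get-KerberosErrorField -Text $eventText -Field 'Error Code'
$server = Get-KerberosErrorField -Text $eventText -Field 'Server Name'
if ($code -match '^0x7\b') {
    Test-SpnRegistration -ServerName $server | Format-List
} else {
    "Error $code is not KDC_ERR_S_PRINCIPAL_UNKNOWN; SPN lookup skipped."
}
```

Holders lists the distinguished names of the objects to open in ADSI Edit when reviewing their servicePrincipalName values.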
  • Not sure which lines are in error. How do I determine that?
    Thursday, February 16, 2017 8:20 PM