none
超级疑难问题?涉及exchange server 2007 \kerberos .ad RRS feed

  • 问题

  • 各位大师专家:近二个月来我们邮件系统不定期出现KERBEROS event id:7 ,错误。一出现,邮件系统就慢的不行,出现大量Kerberos event id:7 错误。OUTLOOK客户端连接发送都不正常,但通常在一个小时后就自动正常了,查了N多资料,无从解决。而外国一篇文章描述的和我的非常相似,有解决办法,但是要钱,摘录如下,希望各位大师提供帮助!谢谢

    附:

    Kerberos Event ID 7

    Asked by netsmithcentral in Windows XP Operating System

    Tags: kerberos, event, 7, id

    I have one client computer in my domain (~100 Win XP Pro Boxes, 3 Win 2k3 Servers) that is experiencing major logon problems.  First, the logon synchronization of her files never completes, then the logon script applied to her never executes.  Every other user on her network segment, in her OU, and her associated groups logs on without problem.

    On the computer affected, the event log reports these two errors, one after the other:
    Event ID: 29      Event Source: W32Time
    The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible.  No attempt to contact a source will be made for 14 minutes. NtpClient has no source of accurate time.

    Event ID: 7      Event Source: Kerberos
    The kerberos subsystem encountered a PAC verification failure.  This indicates that the PAC from the client <client name> in realm <AD DNS Name> had a PAC which failed to verify or was modified.  Contact your system administrator.


    Now, I know Kerberos errors are often caused by unsynched clocks, but in spite of the W32Time error, the DC/Client clocks are synched fine.  I've checked most of the Kerberos Event 7 Resources online and here's what I've found:
          TCP Ports 53, 88, 123, and 464 are in a "Filtered" state
          UDP Ports 53, 88, and 123 are in an "Open/Filtered" state
          My lsass services on the DC/Client are all running in "20 WIN_32_SHARE" Type
          •      HTTPFilter (HTTP SSL)
          •      KDCSVC (Kerberos Key Distribution Center)
          •      Netlogon (Net Logon)
          •      NTLMssp (NTLM Security Support Provider)
          •      PolicyAgent (IPSEC Services)
          •      ProtectedStorage (Protected Storage)   <=== in "120 WIN_32_SHARE (interactive)" Type
          •      SamSs (Security Accounts Manager)
          •      Eventlog (Event Log)
          •      PlugPlay (Plug and Play)

    Once the user is logged in all the way (past the synch/logon script errors) all the access permissions work fine, and she can do whatever she needs unhindered.
    2010年8月30日 4:50

全部回复