Forum Discussion

donm808's avatar
donm808
Copper Contributor
May 20, 2024

Kerberos Issues Windows Server 2016

Hi team,

 

I have been working on a Kerberos issue, Event ID 4 for a little over 2 months now. I have gone through all of the articles that I have found via Google and have the problem down to communications between two servers that I just cannot get to play nice. We have 3 locations on three separate islands in Hawaii. I have all three locations connected via Sonicwall Site-to-Site VPN. DNS is confirmed working. All three sites have DC present and syncronizing AD across the VPN. I have a site on Kauai that is the target server in the log files I will post and a site on Maui which is the client in the logs. I can run klist ticket on the Kauai server but when I run Klist on the Maui server, I get only the following:
C:\Users\administrator.MYDOMAIN>klist
Credentials cache C:\Users\administrator.MYDOMAIN\krb5cc_administrator not found.

 

When I run klist ticket, I get the following:

C:\Users\administrator.MYDOMAIN>klist ticket

Usage: klist [[-c] [-f] [-e] [-a [-n]]] [-k [-t] [-K]] [name]
name name of credentials cache or keytab with the prefix. File-based cache or keytab's prefix is FILE:.
-c specifies that credential cache is to be listed
-k specifies that key tab is to be listed
options for credentials caches:
-f shows credentials flags
-e shows the encryption type
-a shows addresses
-n do not reverse-resolve addresses
options for keytabs:
-t shows keytab entry timestamps
-K shows keytab entry key value
-e shows keytab entry key type
The Event Logs are littered with these errors:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server eskimo-server09$. The target name used was E3514235-4B06-11D1-AB04-00C04FC2DCD2/1e6f523a-ac4d-4045-a2fc-4fab4d338d6e/MYDOMAIN@MYDOMAIN This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (MYDOMAIN) is different from the client domain (MYDOMAIN), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

From the client server on Maui I have run setspn -D E3514235-4B06-11D1-AB04-00C04FC2DCD2/1e6f523a-ac4d-4045-a2fc-4fab4d338d6e/MYDOMAIN@MYDOMAIN KauaiServer$
And re-registered it with setspn -S E3514235-4B06-11D1-AB04-00C04FC2DCD2/1e6f523a-ac4d-4045-a2fc-4fab4d338d6e/MYDOMAIN@MYDOMAIN KauaiServer$

 

I have queried for duplicate SPN's in the domain and there aren't any listed. In fact, after deleting the record and querying the domain for the record, the client server reports that NO SUCH SPN Found. 

So I have two issues that I am trying to solve. 

1) klist.exe seems to not be working on the client server

2) The Error Event ID 4 on the client with the Kauai Server.

Thanks for any help you can provide.

No RepliesBe the first to reply

Resources