
Answered Thread: Kerberos Authentication

Last post 11-05-2009 8:33 AM by Paul Lynch. 3 replies.


Page 1 of 1 (4 items)


  • 11-05-2009, 3:58 AM

    Kerberos Authentication

    When users try to connect to websites hosted on our intranet server they get the following authentication error in Internet Explorer:
     
    "HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials"
     
    We get the error with all accounts, even aq\administrator (our domain admin account). This seems to be happening on only some computers. Interestingly, if we use the intranet server's IP address rather than its host name, authentication works. For example: http://192.168.0.16/website. We have not made any changes and have never had this problem in the past.
     
    Our Setup
    Domain name: AQ and AQ.COMPANYNAME.CO.UK
     
    Domain Server:
    Host name: AQ-AD
    Windows Server 2003 R2
    Service Pack 2
    IIS 6 (anonymous access enabled)
     
    Intranet Server:
    Host name: AQWEB
    Windows Server 2003
    Service Pack 1
    IIS 6 (anonymous access enabled)
     
    Clients:
    Windows XP SP2/3
    Tested on IE6/7/8
     
    The Errors
    Client error (from the event viewer)
    The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/aqweb.aq.companyname.co.uk.  This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (AQ.COMPANYNAME.CO.UK), and the client realm.   Please contact your system administrator.

    Domain server errors (3 errors that keep appearing in the event viewer)
     
    1) There are multiple accounts with name HTTP/aqweb of type DS_SERVICE_PRINCIPAL_NAME.
     
    2) A Kerberos Error Message was received:
             on logon session
     Client Time:
     Server Time: 14:17:15.0000 11/4/2009 Z
     Error Code: 0xd KDC_ERR_BADOPTION
     Extended Error: 0xc00000bb KLIN(0)
     Client Realm:
     Client Name:
     Server Realm: AQ.COMPANYNAME.CO.UK
     Server Name: host/aq-ad.aq.companyname.co.uk
     Target Name: host/aq-ad.aq.companyname.co.uk@AQ.COMPANYNAME.CO.UK

    3) A Kerberos Error Message was received:
             on logon session
     Client Time:
     Server Time: 14:14:11.0000 11/4/2009 Z
     Error Code: 0x7  KDC_ERR_S_PRINCIPAL_UNKNOWN
     Extended Error:
     Client Realm:
     Client Name:
     Server Realm: AQ.COMPANYNAME.CO.UK
     Server Name: DNS/ns0.bt.net
     Target Name: DNS/ns0.bt.net@AQ.COMPANYNAME.CO.UK

    No errors to report on the intranet server (AQWEB)

    Authentication and Access Control Diagnostics (Microsoft tool to diagnose IIS security)
    Kerberos configuration failures on AQ-AD:
    Wrong credentials for AppPoolIdentity (currently Network Service)
    Service principal name (SPN) for user 'aq\admin' not found in Active Directory
    Service principal name (SPN) for user 'aq\administrator' not found in Active Directory

    Kerberos configuration failures on AQWEB:
    Wrong credentials for AppPoolIdentity: (currently Network Service)
    Service principal name (SPN) for user 'aq\administrator' not found in Active Directory

    SPN Setups
    Using "setspn -l <hostname>" in the console (Windows Resource Kit needed) I can view our current SPN mappings:

    SPNs for AQWEB:
    http/AQWEB
    MSSQLSvc/AQWEB.AQ.COMPANYNAME.CO.UK:1433
    NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/AQWEB.AQ.COMPANYNAME.CO.UK
    HOST/AQWEB
    HOST/AQWEB.AQ.COMPANYNAME.CO.UK

    SPNs for AQ-AD:
    MSSQLSvc/aq-ad.AQ.COMPANYNAME.CO.UK
    ldap/aq-ad.AQ.COMPANYNAME.CO.UK/LimitLogin.AQ.COMPANYNAME.CO.UK
    Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/aq-ad.AQ.COMPANYNAME.CO.UK
    GC/aq-ad.AQ.COMPANYNAME.CO.UK/AQ.COMPANYNAME.CO.UK
    HOST/aq-ad.AQ.COMPANYNAME.CO.UK/AQ.COMPANYNAME.CO.UK
    HOST/aq-ad.AQ.COMPANYNAME.CO.UK/AQ
    ldap/80ad2477-baa1-4c58-b419-8df53c616709._msdcs.AQ.COMPANYNAME.CO.UK
    ldap/aq-ad.AQ.COMPANYNAME.CO.UK/AQ
    ldap/AQ-AD
    ldap/aq-ad.AQ.COMPANYNAME.CO.UK
    ldap/aq-ad.AQ.COMPANYNAME.CO.UK/AQ.COMPANYNAME.CO.UK
    DNS/aq-ad.AQ.COMPANYNAME.CO.UK
    E3514235-4B06-11D1-AB04-00C04FC2DCD2/80ad2477-baa1-4c58-b419-8df53c616709/AQ.COMPANYNAME.CO.UK
    NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/aq-ad.AQ.COMPANYNAME.CO.UK
    SMTPSVC/aq-ad.AQ.COMPANYNAME.CO.UK
    SMTPSVC/AQ-AD
    HOST/AQ-AD
    HOST/aq-ad.AQ.COMPANYNAME.CO.UK

    This sounds like we have Kerberos authentication issues, but I am not sure how to fix them; I have never come across this before. Any help would be great!

    Thanks.
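An added example (not code from this thread or from any Microsoft tool): a script that parses `setspn -L` listings for several accounts and reports every SPN registered on more than one account, which is what the "multiple accounts with name HTTP/aqweb" event on AQ-AD and the client's KRB_AP_ERR_MODIFIED point to. The second account (svc-web) and the distinguished names are constructed for the sample.

```python
"""Find SPNs registered on more than one AD account from `setspn -L` output."""
from collections import defaultdict

HEADER = "Registered ServicePrincipalNames for "

# Constructed sample: the listings of two accounts concatenated. The computer
# account AQWEB holds http/AQWEB (as in the thread) and a hypothetical service
# account svc-web also holds HTTP/aqweb, which is the duplicate the KDC logs.
SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=AQWEB,CN=Computers,DC=AQ,DC=COMPANYNAME,DC=CO,DC=UK:
    http/AQWEB
    MSSQLSvc/AQWEB.AQ.COMPANYNAME.CO.UK:1433
    HOST/AQWEB
    HOST/AQWEB.AQ.COMPANYNAME.CO.UK
Registered ServicePrincipalNames for CN=svc-web,CN=Users,DC=AQ,DC=COMPANYNAME,DC=CO,DC=UK:
    HTTP/aqweb
    HTTP/aqweb.aq.companyname.co.uk
"""


def parse_setspn(text):
    """Return {account_dn: [spn, ...]} from one or more `setspn -L` listings."""
    accounts = {}
    current = None
    for line in text.splitlines():
        if line.startswith(HEADER):
            current = line[len(HEADER):].rstrip(":")
            accounts[current] = []
        elif line.strip() and current is not None:
            accounts[current].append(line.strip())
    return accounts


def find_duplicate_spns(accounts):
    """Map each SPN held by two or more accounts to the sorted list of holders.

    SPNs are compared case-insensitively, as AD does, so http/AQWEB and
    HTTP/aqweb count as the same registration.
    """
    owners = defaultdict(set)
    for dn, spns in accounts.items():
        for spn in spns:
            owners[spn.lower()].add(dn)
    return {spn: sorted(dns) for spn, dns in owners.items() if len(dns) > 1}


if __name__ == "__main__":
    for spn, holders in find_duplicate_spns(parse_setspn(SETSPN_OUTPUT)).items():
        print(f"DUPLICATE {spn}: held by {', '.join(holders)}")
```

When a duplicate is confirmed, `setspn -D <spn> <account>` removes the registration from the account that should not hold it, leaving the SPN on the account the web server actually runs as.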


     

  • 11-05-2009, 5:40 AM In reply to

    • lextm
    • Top 10 Contributor
    • Joined on 10-22-2008, 12:18 AM
    • Shanghai, PRC
    • Posts 1,430

    Re: Kerberos Authentication

    What's recorded in Security event log on the server at that time if you enable logon audit for Failures in Local Security Policy? That can tell us more.

    Besides, Kerberos issues are tougher to diagnose, so you may consider opening a support case via http://support.microsoft.com

    Lex Li
    Support Engineer at Microsoft
    ---------------------------
    This posting is provided "AS IS" with no warranties, and confers no rights.
  • 11-05-2009, 6:32 AM In reply to

    Re: Kerberos Authentication

    Hey,

    Thanks for the reply. I have enabled logon audit for failures on our domain server AQ-AD; no failures yet. I cannot enable it on AQWEB as everything is greyed out for some reason. I doubt I will be allowed to log the issue with Microsoft as their support is expensive.

  • 11-05-2009, 8:33 AM In reply to

    Answered Re: Kerberos Authentication

    Hi,

    You don't need to raise a support ticket with MS; we should be able to resolve this issue here. Start by reviewing this KB article and then post any further questions you have:

    How to use SPNs when you configure Web applications that are hosted on IIS 6.0

    Regards,

    Paul Lynch | www.iisadmin.co.uk
Microsoft Communities