Kerberos authentication failure [Answered]

5 replies

Last post Mar 01, 2014 08:58 PM by Ken Schaefer

  • Kerberos authentication failure

    Feb 27, 2014 12:44 PM | John Blight

    I have a problem, both on a customer's system and my own test system intended to reflect theirs, where access to a file on a website is being denied. The following is a summary of the set-up.

    There's a 'Documents' virtual directory under 'Default Web Site':

    Default Web Site (-> C:\inetpub\wwwroot)
        Documents (-> E:\Application\Documents)

    Application Pools:

    DefaultAppPool, which runs as its ApplicationPoolIdentity
    ApplicationAppPool, which runs as NetworkService

    Default Web Site is configured to run as its ApplicationPoolIdentity.

    Authentication is defined at the computer level, with only Windows Authentication enabled. Its only provider is Negotiate:Kerberos.

    Trying to open 'http://<Host>/Documents/Test.html' prompts for credentials. No matter what the credentials supplied, this fails with a '401 - Unauthorized: Access is denied due to invalid credentials.' message. This is despite 'Everyone' having been given 'Full Control' (in addition to what should be sufficient access for others) of the 'Documents' folder.

    Access to that page is successful in either of these scenarios:

     - 'Default Web Page' runs under 'ApplicationPool'.
     - the 'Documents' virtual directory is converted to an application that runs under 'ApplicationPool'.
     - Anonymous Authentication is enabled for the 'Documents' virtual directory.

    According to Fiddler, the client browser is sending the correct header (Authorization: Negotiate YII...etc.), but there's no recognition of this in the server's response.

    I'm fairly confident that access to that page had worked, both on the customer's system and my own test system. The problem was reported very recently by that customer, and replicated on my system only today (prior to that, I believe it had worked).

    Can anyone offer an explanation for this behaviour?

    With thanks.

  • Re: Kerberos authentication failure

    Feb 27, 2014 01:09 PM | Rovastar

    The first thing for Kerberos issues is to turn on Kerberos logging in the event viewer and also look at the audit event logs in the event viewer to see 'why' it is not failing and the error message it gives.

    Troubleshoot IIS in style

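Rovastar's two suggestions (Kerberos client logging and failure auditing) as one script, added here as an example and not code from the thread. It is meant to be run in an elevated PowerShell on the IIS host; the host name MyServer and the test URL are taken from the original post, and the registry value and audit categories are the standard Windows ones.

```powershell
# Added example, not from the thread. Run elevated on the web server.

# 1. Kerberos SSP event logging. LogLevel=1 makes the Kerberos client write an
#    Event ID 3 record to the System log for every KDC error reply it receives
#    (the record type the original poster pasted). Set it back to 0 afterwards:
#    at LogLevel 1 benign errors such as KDC_ERR_PREAUTH_REQUIRED are logged too.
$kerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
New-ItemProperty -Path $kerbParams -Name LogLevel -PropertyType DWord -Value 1 -Force | Out-Null

# 2. Failure auditing. "Account Logon" covers credential validation and Kerberos
#    ticket events; "Logon/Logoff" gives the 4625 logon-failure record on the server.
auditpol /set /category:"Account Logon" /failure:enable | Out-Null
auditpol /set /category:"Logon/Logoff"  /failure:enable | Out-Null

# 3. Reproduce the 401 with Negotiate (same path as the browser).
$since = Get-Date
try {
    Invoke-WebRequest -Uri 'http://MyServer/Documents/Test.html' `
        -UseDefaultCredentials -UseBasicParsing | Out-Null
} catch {
    Write-Host "Request failed: $($_.Exception.Message)"
}

# 4. Pull the Kerberos error records written since the request and flatten the
#    EventData fields (ErrorCode, ErrorMessage, ServerName, TargetName, ...).
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Security-Kerberos'
    Id           = 3
    StartTime    = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $xml = [xml]$_.ToXml()
    $d = @{}
    $xml.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    [pscustomobject]@{
        Time       = $_.TimeCreated
        ErrorCode  = $d['ErrorCode']
        Error      = $d['ErrorMessage']
        Extended   = $d['ExtendedError']
        ServerName = $d['ServerName']
        TargetName = $d['TargetName']
    }
} | Format-Table -AutoSize

# 5. The matching logon failures in the Security log. In event 4625 the NTSTATUS
#    is Properties[7] and the sub-status Properties[9]; the sub-status is the one
#    that usually says why the account logon was rejected.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ n = 'Status';    e = { $_.Properties[7].Value } },
        @{ n = 'SubStatus'; e = { $_.Properties[9].Value } },
        @{ n = 'LogonType'; e = { $_.Properties[10].Value } }
```

The Kerberos events are written by the client side of the SSP, so on a setup like the poster's they appear on the web server (which is the Kerberos client of the KDC when it validates the ticket) and, for the browser's own ticket request, on the workstation. The 4768/4769/4771 ticket events live on the domain controller, not on the web server.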
  • Re: Kerberos authentication failure

    Feb 27, 2014 10:36 PM | Ken Schaefer

    a) Account Logon auditing will also help (it will tell you why the account logon is failing)

    b) Can you get a network packet capture from the client?

    c) What version of IIS are you using? If IIS 7.5 or later, is kernel mode authentication on or off?
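The checks Ken's question (c) calls for, as an added example in PowerShell (not code from the thread). It assumes an elevated PowerShell on the IIS host, the WebAdministration module (IIS 7.5 and later), and the site, virtual directory and application pool names from the original post.

```powershell
# Added example, not from the thread. Run elevated on the IIS host.
Import-Module WebAdministration

# IIS version (Ken's question c).
$iis = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\InetStp'
'IIS {0}.{1}' -f $iis.MajorVersion, $iis.MinorVersion

# Server-level Windows Authentication settings. The poster configured authentication
# at the computer level, so read applicationHost.config (MACHINE/WEBROOT/APPHOST),
# not a site's web.config.
$waFilter = 'system.webServer/security/authentication/windowsAuthentication'
$apphost  = 'MACHINE/WEBROOT/APPHOST'
$wa = Get-WebConfiguration -Filter $waFilter -PSPath $apphost
$providers = Get-WebConfiguration -Filter "$waFilter/providers/add" -PSPath $apphost |
    ForEach-Object { $_.value }
[pscustomobject]@{
    Enabled               = $wa.enabled
    UseKernelMode         = $wa.useKernelMode
    UseAppPoolCredentials = $wa.useAppPoolCredentials
    Providers             = $providers -join ', '
} | Format-List

# Does the Documents virtual directory (or the site) override any of it, and is
# anonymous authentication off there? (The poster found that enabling it "fixes" the 401.)
$vdirPath = 'IIS:\Sites\Default Web Site\Documents'
Get-WebConfiguration -Filter $waFilter -PSPath $vdirPath |
    Select-Object enabled, useKernelMode, useAppPoolCredentials
Get-WebConfiguration -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -PSPath $vdirPath | Select-Object enabled

# Application pool identities. ApplicationPoolIdentity and NetworkService both present
# the computer account (MyServer$) on the network, which is the ServerName in the
# poster's Kerberos event.
Get-ChildItem IIS:\AppPools | ForEach-Object {
    [pscustomobject]@{
        Pool         = $_.name
        IdentityType = $_.processModel.identityType
        UserName     = $_.processModel.userName
    }
} | Format-Table -AutoSize

# A plain virtual directory is served by its parent application's pool; only an
# application can have a pool of its own. This shows which pool actually serves /Documents.
Get-WebApplication -Site 'Default Web Site'      | Select-Object path, applicationPool, PhysicalPath
Get-WebVirtualDirectory -Site 'Default Web Site' | Select-Object path, physicalPath
```

Background for reading the output: with useKernelMode true and useAppPoolCredentials false, HTTP.sys decrypts the service ticket with the computer account's key whatever the pool identity is; with kernel mode off, the worker process identity's key is used, so a pool running as a domain user needs the HTTP SPN registered on that user. The ticket is decrypted only after the KDC has issued it; a KDC_ERR_BADOPTION reply like the poster's means the KDC refused the request itself, so the packet capture Ken asks for is the place to see which options the client put in that request.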

  • Re: Kerberos authentication failure

    Feb 28, 2014 07:13 AM | John Blight

    Thanks for replies.

    Enabling Kerberos logging resulted in this record:

    Log Name:      System
    Source:        Microsoft-Windows-Security-Kerberos
    Date:          28/02/2014 09:16:49
    Event ID:      3
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    A Kerberos Error Message was received:
     on logon session
     Client Time:
     Server Time: 9:16:49.0000 2/28/2014 Z
     Error Code: 0xd KDC_ERR_BADOPTION
     Extended Error: 0xc00000bb KLIN(0)
     Client Realm:
     Client Name:
     Server Realm: MYDOMAIN.CO.UK
     Server Name: MyServer$@MYDOMAIN.CO.UK
     Target Name: MyServer$@MYDOMAIN.CO.UK@MYDOMAIN.CO.UK
     Error Text:
     File: 9
     Line: f09
     Error Data is in record data.
    Event Xml:
    <Event xmlns="">
        <Provider Name="Microsoft-Windows-Security-Kerberos" Guid="{98E6CFCB-EE0A-41E0-A57B-622D4E1B30B1}" EventSourceName="Kerberos" />
        <EventID Qualifiers="32768">3</EventID>
        <TimeCreated SystemTime="2014-02-28T09:16:49.000000000Z" />
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Security />
        <Data Name="LogonSession">
        <Data Name="ClientTime">
        <Data Name="ServerTime">9:16:49.0000 2/28/2014 Z</Data>
        <Data Name="ErrorCode">0xd</Data>
        <Data Name="ErrorMessage">KDC_ERR_BADOPTION</Data>
        <Data Name="ExtendedError">0xc00000bb KLIN(0)</Data>
        <Data Name="ClientRealm">
        <Data Name="ClientName">
        <Data Name="ServerRealm">MYDOMAIN.CO.UK</Data>
        <Data Name="ServerName">MyServer$@MYDOMAIN.CO.UK</Data>
        <Data Name="TargetName">MyServer$@MYDOMAIN.CO.UK@MYDOMAIN.CO.UK</Data>
        <Data Name="ErrorText">
        <Data Name="File">9</Data>
        <Data Name="Line">f09</Data>

    which corresponds to an error reported in a reply to this blog post:

    I'll include the suggestions made there in my investigations.

    Apologies in advance if my updates are somewhat tardy: I'm trying to fit this in amongst other work (I have the convert-to-application workaround in place, but would still like an understanding of what the issue is).

  • Re: Kerberos authentication failure

    Feb 28, 2014 08:36 AM | Rovastar

    So you have confirmed

    1. Use Network Monitor to determine the SPN to which the client is attempting to delegate credentials. You will need this information in a later step.

    That is one of the most common issues: you are not using the actual SPN.

    And answer Ken's questions too.

    Troubleshoot IIS in style

  • Re: Kerberos authentication failure

    Mar 01, 2014 08:58 PM | Ken Schaefer

    John Blight wrote:

        <Data Name="ErrorCode">0xd</Data>
        <Data Name="ErrorMessage">KDC_ERR_BADOPTION</Data>
        <Data Name="ExtendedError">0xc00000bb KLIN(0)</Data>

    0xD = KDC_ERR_BADOPTION (so, in the Kerberos options, there's something that's not correct for the request)

    0xC00000BB = ERR_NOT_SUPPORTED (so, something's not configured correctly and the request can't be fulfilled, or there's a request for an option in the ticket that isn't permitted, or similar)

    I think a network packet capture may help here, because we should be able to see the Kerberos options being requested by the client.
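The client-side steps behind Rovastar's "find the SPN the client asks for" and Ken's request for a packet capture, as one added example (not code from the thread). It runs on a domain-joined client workstation in an elevated PowerShell; the host name MyServer.mydomain.co.uk is assumed from the poster's realm, and klist, setspn and netsh are the standard Windows tools.

```powershell
# Added example, not from the thread. Run elevated on a domain-joined client.
$target = 'MyServer.mydomain.co.uk'

# 1. Purge cached tickets so the capture contains a fresh TGS-REQ for the web server
#    (otherwise the browser reuses a ticket and the KDC exchange is not on the wire).
klist purge | Out-Null

# 2. Capture packets with the built-in ETW tracer; the .etl opens in Network Monitor
#    or Message Analyzer, where the KDC-REQ-BODY shows the kdc-options the client set.
netsh trace start capture=yes tracefile="$env:TEMP\kerb.etl" maxsize=100 overwrite=yes | Out-Null

# 3. Reproduce the request with Negotiate, as the browser does.
try {
    Invoke-WebRequest -Uri "http://$target/Documents/Test.html" `
        -UseDefaultCredentials -UseBasicParsing | Out-Null
} catch {
    Write-Host "Request failed: $($_.Exception.Message)"
}

netsh trace stop | Out-Null

# 4. Which service tickets does the client hold now? The browser asks for HTTP/<host>;
#    when no HTTP SPN is registered, the KDC serves it from the HOST/<host> SPN on the
#    computer account, so the ticket shown here names the account that must decrypt it.
klist

# 5. Ask the KDC for the SPN directly. If this fails, the error reproduces the KDC
#    reply (the KDC_ERR_* code) without IIS being involved at all.
klist get "HTTP/$target"

# 6. Which account owns the SPN, and is it unique? A duplicate SPN, or one on an
#    account that is not the one decrypting the ticket, is the common misconfiguration.
setspn -Q "HTTP/$target"
setspn -L MyServer
```

Compare the SPN in the klist output with the account the IIS side decrypts with (the computer account when kernel-mode authentication is on without useAppPoolCredentials, the pool identity otherwise). If the two differ, or setspn -Q reports the SPN on more than one account, fix that before reading further into the capture.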