Re: krb5kdc_err_s_principal_unknown on Windows Kerberos Domain
"Paul B. Hill" <pbh@xxxxxxx> wrote in message
news:011a01c6a355$4650dcd0$0300a8c0@xxxxxxxxxxxx
Instead of diving down into the network traces, can you describe the
problems that you are seeing from a user's perspective? This thread sounds
like you are getting lost in the details instead of solving the problem.

Install the Microsoft Resource Kit on the member server and/or workstation
that you are trying to troubleshoot. Run the Microsoft klist.exe from the
command line with the parameter "tickets". This will show the tickets that
you, the logged in user, have on the machine. If you want to see what tickets
the local machine account has, use the "at" command to run "klist tickets"
(e.g. a minute from invoking the "at" command.)

To see the list of service principal names issued to a computer use
"setspn <computername> -l". The program communicates with the DCs so you can
check the SPNs for any computer from any workstation or server in the domain.

For standard Microsoft applications you should not have to create any SPNs
manually, using Setspn. Once in a while you may find that the DC indicates
that an SPN exists for a member machine, but you really can't use Kerberos to
authenticate to the machine. This is usually fixed by removing the machine
from the domain, rebooting, and rejoining the machine to the domain.

Okay, let's try top down then. I have some computers on the network that
fail group policy replication for users. The detail in eventviewer
indicates a failure to find the GPT.INI file on the file server using a path
that looks like this:

\\hq.corp.com\sysvol\blahblahblah\gpt.ini

I went to the command line and tested this unusual syntax, and lo and
behold: on machines where group policy works, this syntax works fine and
finds the file. On machines where group policy fails, on the command line
this syntax gets an obtuse "0 files found". So the group policy message is
certainly not misleading and is documenting a case I can easily duplicate at
the command line.

In looking at the sniffer trace, I see that the systems where group policy
fails are looking for host records for hq.corp.com, and they are failing.
Using kerbtray, I don't see any evidence of a different set of tickets on
the machines where things work versus the ones where they don't. Then
again, the kerberos ticket structure is new to me and I don't trust myself
to be a judge of whether it is all in order.

I don't understand how to view the results of the AT command invocation of
klist tickets. It wasn't going to the eventviewer. Moreover, the
command was being scheduled in my user context so it wouldn't have shown
system context anyway. Every time I tried to change the user in Scheduled
Tasks to SYSTEM, the task would refuse to run at all.

SETSPN frankly just perplexes me. It appears to be a pretty simplistic
utility with a very rigid input syntax expected, and I guess I don't know
what it is. From the console of the domain controller my-dc1, I tried:

setspn -L my-dc1

This gets failure message:

"ldap_search_s failed: No Such Object"

Then I tried to search for the domain itself:

setspn -L hq.corp.com

This gets another failure:

"Domain not found for account"

I tried to fully qualify the server, and I got a repeat of the domain not
found error.

I tried your syntax with -L at the end, but that just gets the command line
help and rejects the syntax.

I'm not sure if I simply typed the syntax of setspn wrong, or if I have a
genuine problem with the kerberos system.

--
Will
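The checks discussed in this thread (DNS host records for the domain name, the domain-style SYSVOL path that Group Policy uses, the SPN list held by the DCs, and the user's Kerberos ticket cache) gathered into one diagnostic script, added here as an example rather than taken from either poster. It uses `hq.corp.com` from the thread and an assumed computer name `MY-PC1`; note that setspn takes its option before the account name.

```powershell
# Added example: Group Policy / Kerberos triage on a suspect member machine.
# Run in an elevated PowerShell session on the workstation that fails policy.
# Assumed names: domain hq.corp.com (from the thread), computer MY-PC1 (placeholder).
$Domain   = 'hq.corp.com'
$Computer = 'MY-PC1'

# 1. Can this machine resolve the domain name itself to DC host (A) records?
#    A failure here matches the sniffer symptom described in the thread.
$dnsOk = $false
try {
    $recs  = Resolve-DnsName -Name $Domain -Type A -ErrorAction Stop
    $aRecs = $recs | Where-Object { $_.Type -eq 'A' }
    $dnsOk = $aRecs.Count -gt 0
    "DNS A records for ${Domain}: " + ($aRecs.IPAddress -join ', ')
} catch {
    "DNS lookup for $Domain failed: $($_.Exception.Message)"
}

# 2. Is SYSVOL reachable through the same domain-based UNC form GP uses?
$sysvol   = "\\$Domain\SYSVOL\$Domain\Policies"
$sysvolOk = Test-Path -LiteralPath $sysvol
"SYSVOL reachable ($sysvol): $sysvolOk"

# 3. Which SPNs do the DCs hold for this computer account?
#    setspn queries the DCs, so this works from any domain member.
"SPNs registered for ${Computer}:"
setspn.exe -L $Computer

# 4. Which Kerberos tickets does the logged-on user currently hold?
#    Expect a TGT for krbtgt/HQ.CORP.COM and a cifs/ ticket for a DC once
#    the SYSVOL path has been touched.
"Current ticket cache:"
klist.exe tickets

# 5. Summary: DNS must work before the UNC path or ticket checks mean anything.
if (-not $dnsOk) {
    'Fix DNS first: the client cannot locate domain controllers for the domain.'
} elseif (-not $sysvolOk) {
    'DNS works but SYSVOL is unreachable: compare the ticket list and SPNs above with a working machine.'
} else {
    'DNS and SYSVOL look healthy; compare tickets and SPNs against a working machine.'
}
```

Running the same script on a machine where Group Policy works gives a baseline to diff against, which is quicker than judging a single ticket cache in isolation.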
