
We've got a lot of Kerberos auth used in our environment that mostly seems to work, but a few errors still pop up when we turn on Kerberos error logging. The two that bother me the most are both KDC_ERR_S_PRINCIPAL_UNKNOWN, which according to http://technet.microsoft.com/en-us/library/cc772897(WS.10).aspx means that the SERVER is not in the Kerberos DB. Assume a domain of corp.lan; the two error messages are for servername: app.corp.lan and dc1.corp.lan. Now when I do a `setspn -l app`, I get plenty of SPNs, but none for app.corp.lan. Same for dc1: `setspn -l dc1` returns 15+ records, `setspn -l dc1.corp.lan` returns an error. Is this a 'real' error we should be trying to track down and fix, or is that just some odd app doing bad Kerb requests?

chris.w.mclean

1 Answer

You need to check the error messages for which service these SPNs are not registered.

It means that Kerberos auth will fail for these services. Maybe there's an NTLM second option, maybe not. You should check this per service returning an error.

I've noticed that sometimes the error message doesn't show the Kerberos service that the ticket is being requested for, so you could use Ethereal to check this out. I wish there were some sort of querying (like SQL) for Event Viewer.

If it's all working I usually don't bother, but you could find something below the carpet later if you ever need to use something that is broken and you never knew.
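As an added illustration of the answer's first point (this is not code from the thread): where the DCs audit Kerberos ticket operations, every failed TGS request is logged as Security event 4769, whose "Service Name" field is the SPN that was asked for and whose "Failure Code" is 0x7 for KDC_ERR_S_PRINCIPAL_UNKNOWN. The script below parses constructed 4769 bodies, groups the 0x7 failures by requested SPN and requester, and compares them with a constructed `setspn -l` listing; the event field names and the 0x7 code are real, the sample events, accounts, addresses and SPNs are made up.

```python
import re
from collections import Counter

# Failure code that Security event 4769 carries for KDC_ERR_S_PRINCIPAL_UNKNOWN.
KDC_ERR_S_PRINCIPAL_UNKNOWN = 0x7

# Constructed 4769 event bodies, trimmed to the fields this script reads.
SAMPLE_EVENTS = [
    "A Kerberos service ticket was requested.\n"
    "\tAccount Name:\t\tjdoe@CORP.LAN\n"
    "\tService Name:\t\tMSSQLSvc/app.corp.lan:1433\n"
    "\tClient Address:\t\t::ffff:10.1.2.3\n"
    "\tFailure Code:\t\t0x7\n",
    "A Kerberos service ticket was requested.\n"
    "\tAccount Name:\t\tjdoe@CORP.LAN\n"
    "\tService Name:\t\tcifs/app.corp.lan\n"
    "\tClient Address:\t\t::ffff:10.1.2.3\n"
    "\tFailure Code:\t\t0x0\n",
    "A Kerberos service ticket was requested.\n"
    "\tAccount Name:\t\tsvc-web@CORP.LAN\n"
    "\tService Name:\t\tldap/dc1.corp.lan\n"
    "\tClient Address:\t\t::ffff:10.1.2.9\n"
    "\tFailure Code:\t\t0x7\n",
]

# What `setspn -l app` / `setspn -l dc1` might print (constructed): short-name
# SPNs exist, the FQDN forms the clients are asking for do not.
REGISTERED_SPNS = {"HOST/app", "HOST/app.corp.lan", "MSSQLSvc/app:1433",
                   "HOST/dc1", "HOST/dc1.corp.lan", "ldap/dc1"}

FIELD_RE = re.compile(
    r"^\s*(Account Name|Service Name|Client Address|Failure Code):\s*(\S.*?)\s*$", re.M)

def parse_4769(body):
    """Extract the fields of one 4769 event body into a dict."""
    return dict(FIELD_RE.findall(body))

def unknown_principal_requests(bodies):
    """Count requests that failed with KDC_ERR_S_PRINCIPAL_UNKNOWN, keyed by
    (requested SPN, requesting account, client address)."""
    counts = Counter()
    for ev in map(parse_4769, bodies):
        if int(ev.get("Failure Code", "0x0"), 16) == KDC_ERR_S_PRINCIPAL_UNKNOWN:
            counts[(ev["Service Name"], ev["Account Name"], ev["Client Address"])] += 1
    return counts

def missing_spns(failures, registered):
    """Requested SPNs absent from the registered set. SPN comparison is
    case-insensitive; the KDC's host-alias mapping (sPNMappings) is not modelled."""
    have = {s.lower() for s in registered}
    return sorted({spn for spn, _, _ in failures if spn.lower() not in have})

if __name__ == "__main__":
    failures = unknown_principal_requests(SAMPLE_EVENTS)
    for (spn, who, addr), n in failures.most_common():
        print(f"{n:3d}  {spn:<30} requested by {who} from {addr}")
    print("not registered:", missing_spns(failures, REGISTERED_SPNS))
```

Run against exported 4769 bodies, the grouped output tells you which SPN each failing client wanted and which account asked for it, which is the per-service check the answer recommends.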