Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie

Kerberos is kicking my ass

Options
  • 02-03-2009 2:43pm
    #1
    Jaoibh
    Registered Users Posts: 253 ✭✭


    I have XP clients connecting to 2003 server SP2 network, Running AD and SQL 2005 SP2 on different machines mostly VM’s.

    When I try access the server via IP address (\\192.168.192.29\c$) I can get in fine but when I try (\\starts-live\C$) if gives me access denied.

    DNS your thinking.. I thought the same thing but I can ping the server from IP and FQDN.

    My Event viewer presents me with this error.

    The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/starts-dep.start.ie. The target name used was cifs/starts-dep.start.ie. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (START.IE) is different from the client domain (START.IE), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

    So step one according to the forums I checked the DNS entry again I checked the WINS server and I made sure there was no IP address conflicts.

    The other option is a full server rebuild which I’m not going to do.

    Next step of troubleshooting was to PSGETSID I ran the command firstly on my domain controllers and they work fine but when I get to this server which is our SQL 2005 \\starts-live it prompts me Access denied.

    I have a number of PC’s that were Ghosted by Norton Ghost and I’ve since repaired all of the SID’s we thought this was the issue initially but it has worked for the last 2 years with no problems.

    Any pointers would be greatly appreciated

    Since I've been playing with it I've found that I can temporarily get access to the machine if I restart but then the kerberos key seems to change again.
    Tagged:


Comments

  • Options
    #2
    Jaoibh
    Registered Users Posts: 253 ✭✭Jaoibh


    I virtualised a Domain controller recently and it corrupted the AD database.
    This is what was causing my problems with connection
    I ran a DCPROMO on the box so its no longer a domain controller and this seems to have fixed my problems with kerberos.


Advertisement