Nope.
I checked DNS with a fine tooth comb and I can't find any issues there.
 


 
On 2/22/06, Peter Johnson <[EMAIL PROTECTED]> wrote:

Check for duplicate FQDN's in DNS pointing to the same IP Address. I've had this one bite me in the ass before.

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: 22 February 2006 02:05


To: [email protected]
Subject: Re: [ActiveDir] SPN issue

 

Yeah, but what and why?

That's the question.

Here's more of the story as I'm learning-

I only get these errors when auth'ing with an account in the source forest.

Using an account in the target forest seems to work OK.

Most of the servers are in the target forest now.

The workstations are spread over both.

I verified the trust and it's up and working.

We have been in this state for 4 months with no issues until today and there have been no migrations in about a month of any sort.

The only thing running is the Quest sync agent which syncs source to target (no deletions).

Thanks again

 

On 2/21/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

Something is dorked over there. I know you said nothing has changed.

It appears to me that netdom is your next option. If "netdom reset" does not
work (after a reboot) or "netdom verify" keels over, then I'm afraid you are
looking at a painful "netdom join" exercise.


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

________________________________

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Tue 2/21/2006 1:45 PM
To: [email protected]
Subject: Re: [ActiveDir] SPN issue


Yeah, I'm an idiot.
sorry.
That worked.

I still have the same issue though-
Kerberos errors and the "Logon Failure: The target account name is
incorrect."

Thanks

On 2/21/06, Free, Bob <[EMAIL PROTECTED]> wrote:

       Your syntax looks backward....you have the hostname in front of the SPN

       -A = add arbitrary SPN
           Usage:   setspn -A SPN computername

       setspn -A http/daserver daserver1
         It will register SPN "http/daserver" for computer "daserver1"



       ________________________________

       From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom Kern
       Sent: Tuesday, February 21, 2006 1:26 PM
       To: [email protected]
       Subject: Re: [ActiveDir] SPN issue


       Thank you for the advice.
       I will in the future.

       This is the output from setspn /A

       C:\Program Files\Resource Kit>setspn -A OP5080570765 host/OP5080570765
       Unable to locate account host/OP5080570765

       C:\Program Files\Resource Kit>setspn -A OP5080570765 host/OP5080570765.corp.oproot.opco.com
       Unable to locate account host/OP5080570765.corp.oproot.opco.com

       The weird thing is, these accounts were migrated months ago and had no issue till today.
       There was no change made to AD by hand or by app.

       Thanks


       On 2/21/06, [EMAIL PROTECTED] < [EMAIL PROTECTED]> wrote:

              Try the /A option.

              btw, try munging your resource/domain names when you post to a forum such as
              this.


              Sincerely,

              Dèjì Akómöláfé, MCSE+M MCSA+M MCT
              Microsoft MVP - Directory Services
               www.readymaids.com - we know IT
              www.akomolafe.com
              Do you now realize that Today is the Tomorrow you were worried about
              Yesterday?  -anon

              ________________________________

              From: [EMAIL PROTECTED] on behalf of Tom Kern
              Sent: Tue 2/21/2006 1:01 PM
              To: [email protected]
              Subject: Re: [ActiveDir] SPN issue


              I get this, when I use netbios name-

              C:\Program Files\Resource Kit>setspn -R OP5080570765
              Failed to crack name CORP\OP5080570765 into the FQDN, (0) 1 0x2

              I get this when I use FQDN-

              C:\Program Files\Resource Kit>setspn -R OP5080570765.corp.oproot.opco.com
              Could not find account OP5080570765.corp.oproot.opco.com

              The name is in DNS and AD.
              As i said, DNS is functioning properly.

              Thanks



              On 2/21/06, [EMAIL PROTECTED] <[EMAIL PROTECTED] > wrote:

                     Try manually resetting or adding the SPN for one of the computers and see if
                     that takes care of your problem. If it does, then I'd do the same for the rest
                     or just disjoin and rejoin them to the domain if there are not too many of
                     them.

                     You can use setspn to do this.  Like so:

                     setspn /R the_computer_NetBIOS_Name

                     OR

                     setspn /A host/NetBIOS_Name the_computer_NetBIOS_Name
                     setspn /A host/FQDN_NAme the_computer_FQDN


                     Sincerely,

                     Dèjì Akómöláfé, MCSE+M MCSA+M MCT
                     Microsoft MVP - Directory Services
                     www.readymaids.com - we know IT
                     www.akomolafe.com
                     Do you now realize that Today is the Tomorrow you were worried about
                     Yesterday?  -anon

                     ________________________________

                     From: [EMAIL PROTECTED] on behalf of Tom Kern
                     Sent: Tue 2/21/2006 11:52 AM
                     To: activedirectory
                     Subject: Re: [ActiveDir] SPN issue


                     Ok, I came up with some more stuff-

                     If I use the FQDN, I can map a drive without the login error.

                     I ran Ethereal while mapping a drive, both ways. With the flat name and fqdn.
                     When mapping with the flat name, I see a "KRB5KDC_ERR_PREAUTH_FAILED(24)"
                     Then later, I see, "KRB5KRB_AP_ERR_MODIFIED,Error:
                     STATUS_MORE_PROCESSING_REQUIRED(0x0000016)"

                     When I use FQDN, I see-

                     "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN(7)" and then it defaults to NTLM and lets me
                     in.


                     With a flat name, it never gets to NTLM.

                     I've checked the "Troubleshooting Kerberos Errors" MS whitepaper but I can't
                     find anything to help me there.

                     The SPN in AD of my box and the server I'm connecting to seems fine.
                     Both client and server are in the same Domain.
                     DNS is functioning.
                     Time is in sync.

                     Anyplace else I should be looking?

                     Thanks a lot.



                     On 2/21/06, Tom Kern <[EMAIL PROTECTED]> wrote:

                            I'm at the end of a win2k native to win2k3 win2k3FFL/DFL migration
                            using Quest Migration Manager.

                            I've noticed we've had many login issues where users can map drives
                            via ip but not hostname (dns is working and you can ping by name).

                            Also, when connecting via a drive mapping, the error received is
                            "Login failure: The target name is incorrect".

                            Now I know when mapping via ip, you are using NTLM as opposed to
                            Kerberos when you use a hostname.

                            So I thought it was a duplicate SPN issue due to the migration.

                            When I fire up LDP.exe and search for SPN, I see the pc in question
                            has an SPN of the value "host\pc.Old.Domain.Name".
                            There is no SPN for the pc to reflect the new Forest it has been
                            migrated to.
                            This is sporadic and doesn't affect all migrated pc's.

                            Another symptom is users not getting their home drive mappings (via
                            ADUC).
                            The homedir server logs this error in the Security log-

                            Event Type: Failure Audit
                            Event Source: Security
                            Event Category: Logon/Logoff
                            Event ID: 537
                            Date:  2/21/2006
                            Time:  11:16:05 AM
                            User:  NT AUTHORITY\SYSTEM
                            Computer: OPNJR01
                            Description:
                            Logon Failure:
                              Reason:  An unexpected error occurred during logon
                              User Name:
                              Domain:
                              Logon Type: 3
                              Logon Process: Kerberos
                              Authentication Package: Kerberos
                              Workstation Name: -



                            I have two questions-
                            1. Could the issues I'm having be a symptom of this SPN "problem"?

                            2. Has anyone faced a similar issue when migrating either via Quest
                            or ADMT, etc?

                            Thanks a lot.


                     List info   : http://www.activedir.org/List.aspx
                     List FAQ    : http://www.activedir.org/ListFAQ.aspx
                     List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



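
The two conditions this thread keeps returning to (one SPN registered on more than one account, and a migrated computer whose `host/` SPN still names the old domain) can be checked offline against a directory export. The Python below is an added example, not code from any poster in the thread; it assumes an LDIF export of computer objects carrying `dNSHostName` and `servicePrincipalName`, and the sample entries and the function names `parse_ldif` and `audit_spns` are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: LDIF export of three computer objects (all names made up).
SAMPLE_LDIF = """\
dn: CN=PC01,OU=Workstations,DC=new,DC=example
dNSHostName: pc01.new.example
servicePrincipalName: HOST/pc01.old.example

dn: CN=PC02,OU=Workstations,DC=new,DC=example
dNSHostName: pc02.new.example
servicePrincipalName: HOST/PC02
servicePrincipalName: HOST/pc02.new
 .example

dn: CN=PC02-STALE,OU=Migrated,DC=new,DC=example
dNSHostName: pc02.old.example
servicePrincipalName: host/pc02
servicePrincipalName: HOST/pc02.old.example
"""

def parse_ldif(text):
    """Return [{'dn', 'host', 'spns'}] per entry, unfolding continuation lines."""
    entries = []
    for block in text.replace("\r\n", "\n").replace("\n ", "").split("\n\n"):
        entry = {"dn": None, "host": None, "spns": []}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            attr = attr.lower()
            if attr == "dn":
                entry["dn"] = value
            elif attr == "dnshostname":
                entry["host"] = value.lower()
            elif attr == "serviceprincipalname":
                entry["spns"].append(value.lower())  # SPNs compare case-insensitively
        if entry["dn"]:
            entries.append(entry)
    return entries

def audit_spns(entries):
    """Return (duplicates, missing): SPNs held by >1 account; accounts lacking host/<dNSHostName>."""
    owners = defaultdict(list)
    for e in entries:
        for spn in e["spns"]:
            owners[spn].append(e["dn"])
    duplicates = {spn: dns for spn, dns in owners.items() if len(dns) > 1}
    missing = [(e["dn"], "host/" + e["host"]) for e in entries
               if e["host"] and "host/" + e["host"] not in e["spns"]]
    return duplicates, missing
```

Calling `audit_spns(parse_ldif(SAMPLE_LDIF))` on the constructed sample reports `host/pc02` as held by two accounts and PC01 as lacking an SPN for its current DNS name.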

 

