These are the instructions that keep coming up: The SPN to which the client is attempting to delegate credentials is not in its Allowed-to-delegate-to list.
Resolution 1. Use Network Monitor to determine the SPN to which the client is attempting to delegate credentials. You will need this information in a later step. - HOW??? 2. Click Start, click Run, and then open Active Directory Users and Computers by typing the following: dsa.msc 3. Right-click the user or service account that has problems authenticating, and then click Properties. 4. Click the Delegation tab. 5. The Allowed-to-delegate-to list is the list of servers shown under the heading, Services to which this account can present delegated credentials. 6. Add the SPN the client is attempting to delegate to (information from the captured data you obtained in Step 1) to the Allowed-to-delegate-to list for that client. This will tell the KDC that this client is indeed allowed to authenticate to this service. The KDC will then grant the client the appropriate ticket. -Paul -----Original Message----- From: Maglinger, Paul [mailto:[email protected]] Sent: Wednesday, June 23, 2010 9:15 AM To: NT System Admin Issues Subject: Need help nailing down Kerberos errors Some background here. We're running a Windows 2003 Server environment. We have a Windows 2003 Storage Server that is serving both the Windows servers through file shares and our HP-UX servers using NFS. We started seeing some problems with RPC and disk I/O errors when copying from the HP-UX machines. From the Windows machines, Explorer sometimes takes a long time to display directory contents on the shared directories. Because of the RPC errors, I was thinking that it was taking awhile to authenticate and timing out. While trying to troubleshoot this, I changed the primary DNS server in the network settings and that seemed to improve things quite a bit. This led me to think to look at checking out communication between the domain controllers. It was at this time that something led me to turn on logging for Kerberos. After doing that, I'm getting event ID 3 errors from source Kerberos. The error code is either 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN or 0xd KDC_ERR_BADOPTION. Googling has brought back that is caused by SPN that is not registered. There were several sites that recommended using the Network Monitor to find the offending SPN and then gave the instructions to authenticate it. Unfortunely, I am unclear on what to look for in the Network Monitor to determine the bad SPN. And it seems that a lot of the sites I went to just copied and pasted the same instructions. So to sum it up, how do I use Network Monitor to determine the SPN that needs to be authenticated? -Paul ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
