So if you get a network trace with Netmon or Wireshark which reproduces the problem and send it to me offline with the offending IPs to filter on I can look at it.
I'm looking at your problem description though and I don't see where the delegation is involved. Delegation is when a user presents a ticket to a service and then that service accesses another service on the user's behalf (by requesting a service ticket for the user without their TGT). The common example is a web server and a SQL server. User X logs in to the web app with their domain creds and then the web server (IIS) accesses the SQL server in the context of the user. The delegation here is from the web app (http/mywebsrv.mycorp.com) to SQL (mssqlsvc/sqlbox.mycorp.com:1433). Having reread your message are you stating that the storage server has the ability to present a remote NFS share as a local share on the storage server e.g. as a proxy/gateway? If so yes that sounds like a delegation problem. Capture the trace on the storage server so you can obtain all of the traffic needed. Thanks, Brian Desmond [email protected] c - 312.731.3132 -----Original Message----- From: Maglinger, Paul [mailto:[email protected]] Sent: Wednesday, June 23, 2010 7:20 AM To: NT System Admin Issues Subject: RE: Need help nailing down Kerberos errors These are the instructions that keep coming up: The SPN to which the client is attempting to delegate credentials is not in its Allowed-to-delegate-to list. Resolution 1. Use Network Monitor to determine the SPN to which the client is attempting to delegate credentials. You will need this information in a later step. - HOW??? 2. Click Start, click Run, and then open Active Directory Users and Computers by typing the following: dsa.msc 3. Right-click the user or service account that has problems authenticating, and then click Properties. 4. Click the Delegation tab. 5. The Allowed-to-delegate-to list is the list of servers shown under the heading, Services to which this account can present delegated credentials. 6. Add the SPN the client is attempting to delegate to (information from the captured data you obtained in Step 1) to the Allowed-to-delegate-to list for that client. This will tell the KDC that this client is indeed allowed to authenticate to this service. The KDC will then grant the client the appropriate ticket. -Paul -----Original Message----- From: Maglinger, Paul [mailto:[email protected]] Sent: Wednesday, June 23, 2010 9:15 AM To: NT System Admin Issues Subject: Need help nailing down Kerberos errors Some background here. We're running a Windows 2003 Server environment. We have a Windows 2003 Storage Server that is serving both the Windows servers through file shares and our HP-UX servers using NFS. We started seeing some problems with RPC and disk I/O errors when copying from the HP-UX machines. From the Windows machines, Explorer sometimes takes a long time to display directory contents on the shared directories. Because of the RPC errors, I was thinking that it was taking awhile to authenticate and timing out. While trying to troubleshoot this, I changed the primary DNS server in the network settings and that seemed to improve things quite a bit. This led me to think to look at checking out communication between the domain controllers. It was at this time that something led me to turn on logging for Kerberos. After doing that, I'm getting event ID 3 errors from source Kerberos. The error code is either 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN or 0xd KDC_ERR_BADOPTION. Googling has brought back that is caused by SPN that is not registered. There were several sites that recommended using the Network Monitor to find the offending SPN and then gave the instructions to authenticate it. Unfortunely, I am unclear on what to look for in the Network Monitor to determine the bad SPN. And it seems that a lot of the sites I went to just copied and pasted the same instructions. So to sum it up, how do I use Network Monitor to determine the SPN that needs to be authenticated? -Paul ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
