Windows Server 2003 Security Infrastructures

In the next two sections, we will explore some basic Kerberos and Windows Server 2003 authentication troubleshooting tools. An indispensable tool for every administrator is the Event Viewer. The next section will list some common Kerberos error messages as they appear in the Event Viewer. The following side note explains how to enable advanced Kerberos event logging.
In Windows Server 2003, Microsoft included some Kerberos-specific event IDs; they are listed in Table 5.11. For more detail, Table 5.12 shows the Kerberos-related error messages as they appear in the Windows Event Viewer. Both can give useful hints when troubleshooting Kerberos authentication problems.

| Event ID | Meaning |
|---|---|
| 672 | An authentication service (AS) ticket was successfully issued and validated. |
| 673 | A ticket granting service (TGS) ticket was granted. |
| 674 | A security principal renewed an AS ticket or TGS ticket. |
| 675 | Kerberos preauthentication failed. This event is generated on a key distribution center (KDC) when a user types in an incorrect password. |

| Code | Short Meaning | Error Explanation |
|---|---|---|
| 0x6 | Client Principal unknown | The KDC could not translate the client principal name from the KDC request into an account in the Active Directory. To troubleshoot this error, check whether the client account exists in AD, whether it has not expired, and whether AD replication is functioning correctly. |
| 0x7 | Server Principal unknown | The KDC could not translate the server... |
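
One way to put the two tables to work when reviewing exported Security log entries, as an added example that is not from the original text: the script below labels records with the event IDs of Table 5.11, translates failure codes using the rows of Table 5.12 visible here, and lists account/client pairs that repeatedly produce event 675. The pipe-separated record layout, the sample values (including which event carries which failure code), the threshold and all function names are assumptions made for illustration.

```python
from collections import Counter

# Short labels for Table 5.11 and the visible rows of Table 5.12.
EVENT_IDS = {672: "AS ticket", 673: "TGS ticket",
             674: "ticket renewal", 675: "preauthentication failed"}
FAILURE_CODES = {0x6: "Client Principal unknown",
                 0x7: "Server Principal unknown"}

# Constructed sample records: event_id|account|client_address|failure_code
# ("-" means no failure code). Layout and values are assumptions.
SAMPLE = """\
672|alice|192.0.2.10|-
673|alice|192.0.2.10|-
675|bob|192.0.2.44|0x18
675|bob|192.0.2.44|0x18
675|bob|192.0.2.44|0x18
672|carol-old|192.0.2.23|0x6
673|alice|192.0.2.10|0x7
674|alice|192.0.2.10|-
540|alice|192.0.2.10|-
"""

def parse(line):
    """Split one record; return None for event IDs not in Table 5.11."""
    event_id, account, client, code = line.strip().split("|")
    if int(event_id) not in EVENT_IDS:
        return None
    return {"event": int(event_id), "account": account, "client": client,
            "code": None if code == "-" else int(code, 16)}

def explain(code):
    """Map a failure code to its short meaning, or say it is not listed."""
    return FAILURE_CODES.get(code, f"0x{code:x} (not in the visible table rows)")

def triage(text, threshold=3):
    """Summarise records: event counts, failure meanings, repeated 675 sources."""
    parsed = (parse(l) for l in text.splitlines() if l.strip())
    records = [r for r in parsed if r]
    events = Counter(EVENT_IDS[r["event"]] for r in records)
    failures = Counter(explain(r["code"]) for r in records if r["code"] is not None)
    preauth = Counter((r["account"], r["client"]) for r in records if r["event"] == 675)
    repeated = sorted(k for k, n in preauth.items() if n >= threshold)
    return {"events": dict(events), "failures": dict(failures), "repeated_675": repeated}

if __name__ == "__main__":
    for section, value in triage(SAMPLE).items():
        print(section, value)
```
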