krb5kdc_err_s_principal_unknown on Windows Kerberos Domain

Richard E. Silverman res at qoxp.net
Fri Jul 7 13:15:30 EDT 2006


>>>>> "Will" == Will  <westes-usc at noemail.nospam> writes:

    Will> I may be having problems with Kerberos on a Windows 2000 domain
    Will> controller, used with a Windows 2000 or Windows 2003 member
    Will> server.  I would appreciate some help in understanding this
    Will> situation from experienced Kerberos admins who happen to also
    Will> have deep Windows experience.

    Will> A sniffer trace of our Windows domain member servers shows the
    Will> member servers are succeeding in getting tickets from the domain
    Will> controller for the domain controller's host ticket, but failing
    Will> to get tickets for the domain itself.

    Will> By example, member server A is contacting domain controller
    Will> my-dc1 in Windows domain hq.corp.com. What I am seeing in the
    Will> sniffer trace is that the member server A asks the my-dc1 domain
    Will> controller in its role as a Kerberos ticket granter for a ticket
    Will> to the domain (i.e., krbtgt/hq.corp.com).

Is the realm in the request also correct?

    Will> The domain controller is returning krb5kdc_err_s_principal_unknown.  

That sounds as if someone deleted the "krbtgt" user from the domain.

-- 
  Richard Silverman
  res at qoxp.net



