krb5kdc_err_s_principal_unknown on Windows Kerberos Domain
Richard E. Silverman
res at qoxp.net
Fri Jul 7 13:15:30 EDT 2006
>>>>> "Will" == Will <westes-usc at noemail.nospam> writes:
Will> I may be having problems with Kerberos on a Windows 2000 domain
Will> controller, used with a Windows 2000 or Windows 2003 member
Will> server. I would appreciate some help in understanding this
Will> situation from experienced Kerberos admins who happen to also
Will> have deep Windows experience.
Will> A sniffer trace of our Windows domain member servers shows the
Will> member servers are succeeding in getting tickets from the domain
Will> controller for the domain controller's host ticket, but failing
Will> to get tickets for the domain itself.
Will> By example, member server A is contacting domain controller
Will> my-dc1 in Windows domain hq.corp.com. What I am seeing in the
Will> sniffer trace is that the member server A asks the my-dc1 domain
Will> controller in its role as a Kerberos ticket granter for a ticket
Will> to the domain (i.e., krbtgt/hq.corp.com).
Is the realm in the request also correct?
Will> The domain controller is returning krb5kdc_err_s_principal_unknown.
That sounds as if someone deleted the "krbtgt" user from the domain.
--
Richard Silverman
res at qoxp.net
More information about the Kerberos
mailing list