krb5kdc_err_s_principal_unknown on Windows Kerberos Domain

Richard E. Silverman res at qoxp.net
Sat Jul 8 04:50:24 EDT 2006


>>>>> "Will" == Will  <DELETE_westes at earthbroadcast.com> writes:

    Will> "Richard E. Silverman" <res at qoxp.net> wrote in message
    Will> news:m2slldfia5.fsf at darwin.oankali.net...  By example, member
    Will> server A is contacting domain controller my-dc1 in Windows
    Will> domain hq.corp.com. What I am seeing in the sniffer trace is
    Will> that the member server A asks the my-dc1 domain controller in
    Will> its role as a Kerberos ticket granter for a ticket to the domain
    Will> (i.e., krbtgt/hq.corp.com).
    >>  Is the realm in the request also correct?

    Will> I'm not a Kerberos person, so I don't understand the question.
    Will> Are you asking if the Windows domain name is being spelled
    Will> correctly?  The answer to that would be yes.

No; the full principal name should be (I guess)
krbtgt/hq.corp.com@HQ.CORP.COM; the final part is the Kerberos "realm."
It may not be represented this way in the network trace, but there should
be a "realm" part of the data structure nearby.

    Will> The domain controller is returning
    Will> krb5kdc_err_s_principal_unknown.
    >>  That sounds as if someone deleted the "krbtgt" user from the
    >> domain.

    Will> I checked, and the krbtgt user is in the Users and Computer
    Will> application for the domain.  It shows as disabled, but a check
    Will> online confirmed that this is its only state and cannot in fact
    Will> be enabled because it is never used for interactive logins.

    Will> Any other ideas?

    Will> -- Will

-- 
  Richard Silverman
  res at qoxp.net
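
The realm and server-name fields mentioned in the reply above, as an added example that is not part of the original post: a minimal Python DER walk over a KDC-REQ-BODY (RFC 4120, section 5.4.1) that pulls out realm [2] and sname [3]. The helper names and the sample bytes are constructed for illustration.

```python
# Added illustration: locate realm [2] and sname [3] in a Kerberos
# KDC-REQ-BODY (RFC 4120, 5.4.1). All names and bytes here are constructed.

def tlv(tag, body):
    """DER-encode one element; short-form length only (enough for the sample)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos=0):
    """Return (tag, body, next_pos) for the element starting at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                      # long form: low bits = length-of-length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + n], pos + n

def children(body):
    """Yield (tag, body) for each element inside a constructed value."""
    pos = 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        yield tag, inner

def principal(name_type, parts):
    """PrincipalName ::= SEQUENCE { name-type [0], name-string [1] }."""
    strings = b"".join(tlv(0x1B, p.encode()) for p in parts)
    return tlv(0x30, tlv(0xA0, tlv(0x02, bytes([name_type])))
                     + tlv(0xA1, tlv(0x30, strings)))

def realm_and_sname(req_body):
    """Extract (realm, [sname components]) from a DER KDC-REQ-BODY."""
    tag, seq, _ = read_tlv(req_body)
    if tag != 0x30:
        raise ValueError("KDC-REQ-BODY must be a SEQUENCE")
    fields = dict(children(seq))      # context tags 0xA0..0xAB -> bodies
    realm = read_tlv(fields[0xA2])[1].decode()
    sname = []
    if 0xA3 in fields:                # sname is OPTIONAL
        name = dict(children(read_tlv(fields[0xA3])[1]))
        sname = [s.decode() for _, s in children(read_tlv(name[0xA1])[1])]
    return realm, sname

# Constructed sample: only kdc-options, realm and sname are populated.
SAMPLE = tlv(0x30, tlv(0xA0, tlv(0x03, b"\x00" + bytes(4)))
                   + tlv(0xA2, tlv(0x1B, b"HQ.CORP.COM"))
                   + tlv(0xA3, principal(2, ["krbtgt", "hq.corp.com"])))
```

Here realm_and_sname(SAMPLE) returns the realm string and the sname components separately, which is how the two parts of the principal appear in a trace rather than as one name@REALM string.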



