krb5kdc_err_s_principal_unknown on Windows Kerberos Domain
Richard E. Silverman
res at qoxp.net
Sat Jul 8 04:50:24 EDT 2006
>>>>> "Will" == Will <DELETE_westes at earthbroadcast.com> writes:
Will> "Richard E. Silverman" <res at qoxp.net> wrote in message
Will> news:m2slldfia5.fsf at darwin.oankali.net...
Will> By example, member
Will> server A is contacting domain controller my-dc1 in Windows
Will> domain hq.corp.com. What I am seeing in the sniffer trace is
Will> that the member server A asks the my-dc1 domain controller in
Will> its role as a Kerberos ticket granter for a ticket to the domain
Will> (i.e., krbtgt/hq.corp.com).
>> Is the realm in the request also correct?
Will> I'm not a Kerberos person, so I don't understand the question.
Will> Are you asking if the Windows domain name is being spelled
Will> correctly? The answer to that would be yes.
No; the full principal name should be (I guess)
krbtgt/hq.corp.com@HQ.CORP.COM; the final part is the Kerberos "realm."
It may not be represented this way in the network trace, but there should
be a "realm" part of the data structure nearby.
Will> The domain controller is returning
Will> krb5kdc_err_s_principal_unknown.
>> That sounds as if someone deleted the "krbtgt" user from the
>> domain.
Will> I checked, and the krbtgt user is in the Users and Computer
Will> application for the domain. It shows as disabled, but a check
Will> online confirmed that this is its only state and cannot in fact
Will> be enabled because it is never used for interactive logins.
Will> Any other ideas?
Will> -- Will
--
Richard Silverman
res at qoxp.net
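
Added example (not part of the original message or of any Kerberos implementation): a small Python helper that splits a principal string such as the one quoted above into its components and realm, and classifies a ticket-granting request by comparing the krbtgt instance with the realm. RFC 4120 treats realm names as case-sensitive, so a difference only in case is reported separately as something to note when reading a trace. The function names, result labels and the EU.CORP.COM sample are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class Principal:
    components: list
    realm: str  # "" when the string carries no @REALM part


def parse_principal(text):
    """Split 'comp/comp@REALM'; a backslash escapes the next character."""
    parts, cur, in_realm = [], [], False
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == "/" and not in_realm:
            parts.append("".join(cur))
            cur = []
        elif ch == "@":
            if in_realm:
                raise ValueError("more than one unescaped '@'")
            parts.append("".join(cur))
            cur, in_realm = [], True
        else:
            cur.append(ch)
        i += 1
    if in_realm:
        return Principal(parts, "".join(cur))
    parts.append("".join(cur))
    return Principal(parts, "")


def check_tgs_target(principal_text, body_realm=""):
    """Classify the requested service name against the realm.

    body_realm stands for the separate realm field of the request and is
    used when the principal string itself has no @REALM part.
    """
    p = parse_principal(principal_text)
    realm = p.realm or body_realm
    if len(p.components) != 2 or p.components[0] != "krbtgt":
        return "not-a-tgt-request"
    instance = p.components[1]
    if instance == realm:
        return "local-tgt"
    if instance.upper() == realm.upper():
        return "differs-only-in-case"
    return "cross-realm-tgt"
```
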