krb5kdc_err_s_principal_unknown on Windows Kerberos Domain

Paul B. Hill pbh at MIT.EDU
Sun Jul 9 08:43:26 EDT 2006


Hi Will,

Instead of diving down into the network traces, can you describe the
problems that you are seeing from a user's perspective? This thread sounds
like you are getting lost in the details instead of solving the problem.

Install the Microsoft Resource Kit on the member server and/or workstation
that you are trying to troubleshoot. Run the Microsoft klist.exe from the
command line with the parameter "tickets". This will show the tickets that
you, the logged in user, have on the machine. If you want to see what tickets
the local machine account has, use the "at" command to run "klist tickets"
(e.g. a minute from invoking the "at" command).

To see the list of service principal names issued to a computer use "setspn
<computername> -l". The program communicates with the DCs so you can check
the SPNs for any computer from any workstation or server in the domain.

For standard Microsoft applications you should not have to create any SPNs
manually using Setspn. Once in a while you may find that the DC indicates
that an SPN exists for a member machine, but you really can't use Kerberos to
authenticate to the machine. This is usually fixed by removing the machine
from the domain, rebooting, and rejoining the machine to the domain.

Better yet, please read
<http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx>.
If that doesn't help, you should at least have enough information to ask a
very pointed question that subscribers to the public list may be able to help
you resolve.

Good luck.

Paul

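One way to script the three checks described above (the logged-in user's tickets, the SPNs the DC holds for a computer, and the machine account's tickets), as an added PowerShell example that is not part of the original thread. It assumes klist.exe and setspn.exe are on the PATH (Resource Kit tools on Windows 2000/2003, built in on later releases) and uses schtasks to run klist as SYSTEM, the present-day equivalent of the "at" trick; the task name and output file path are placeholders.

```powershell
# Added diagnostic script (not from the original post). Assumptions: klist.exe and
# setspn.exe are on PATH, the caller is a domain member, and schtasks is available.
param(
    [string]$ComputerName = $env:COMPUTERNAME   # member machine to inspect (defaults to local)
)

# 1. Tickets held by the logged-on user. A krbtgt/<REALM> entry shows the AS
#    exchange with the DC succeeded; service tickets show TGS requests succeeded.
Write-Host "== Tickets for $env:USERDOMAIN\$env:USERNAME =="
$userTickets = & klist.exe tickets 2>&1
$userTickets
if (-not ($userTickets -match 'krbtgt/')) {
    Write-Warning "No TGT found for the current user; confirm the DC is reachable before going further."
}

# 2. SPNs registered on the computer object, read from the DC via setspn -L.
#    A domain-joined machine normally carries HOST/<name> and HOST/<fqdn>.
Write-Host "== SPNs registered for $ComputerName =="
$spns = & setspn.exe -L $ComputerName 2>&1
$spns
$hostSpns = @($spns | Where-Object { $_ -match '^\s*HOST/' })
if ($hostSpns.Count -eq 0) {
    Write-Warning "No HOST/ SPN found for $ComputerName; rejoining the machine to the domain normally recreates them."
}

# 3. Tickets held by the machine account: run klist in the SYSTEM context through a
#    one-shot scheduled task (placeholder task name and output path), one minute out.
$out   = Join-Path $env:TEMP 'machine-klist.txt'
$start = (Get-Date).AddMinutes(1).ToString('HH:mm')
& schtasks.exe /Create /F /TN 'KlistAsSystem' /RU SYSTEM /SC ONCE /ST $start `
    /TR "cmd.exe /c klist.exe tickets > `"$out`" 2>&1" | Out-Null
Write-Host "Scheduled klist under SYSTEM at $start; read $out after it has run."
```

Run it on the member server that is failing; compare the user's ticket list and the machine account's ticket list, and check that the SPN list returned by the DC matches the name the machine is actually being addressed by.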

-----Original Message-----
From: kerberos-bounces at MIT.EDU [mailto:kerberos-bounces at MIT.EDU] On Behalf
Of Will
Sent: Friday, July 07, 2006 3:16 AM
To: kerberos at mit.edu
Subject: krb5kdc_err_s_principal_unknown on Windows Kerberos Domain

I may be having problems with Kerberos on a Windows 2000 domain controller,
used with a Windows 2000 or Windows 2003 member server. I would appreciate
some help in understanding this situation from experienced Kerberos admins
who happen to also have deep Windows experience.

A sniffer trace of our Windows domain member servers shows the member
servers are succeeding in getting tickets from the domain controller for the
domain controller's host ticket, but failing to get tickets for the domain
itself.

For example, member server A is contacting domain controller my-dc1 in
Windows domain hq.corp.com. What I am seeing in the sniffer trace is that
the member server A asks the my-dc1 domain controller in its role as a
Kerberos ticket granter for a ticket to the domain (i.e.,
krbtgt/hq.corp.com). The domain controller is returning
krb5kdc_err_s_principal_unknown. The following line in the trace shows the
same member server A asking my-dc1 for the Kerberos ticket for the domain
controller, krbtgt/my-dc1, which this member server A does obtain.

First, I want to understand what this failure means. I saw many
sniffer traces posted on Google that show the same sequence for other
Windows domains, so apparently it's a common case.

Second, how do I correct this problem? Someone else told me to create an
SPN for the domain with SetSPN, but I would like to a) get help determining
whether we already have such an SPN, and b) understand better what it
is I am creating when I create an SPN, how an SPN is used by member servers,
and what effects we are suffering if we don't have an SPN.

Any other ideas on what is causing the krb5kdc_err_s_principal_unknown error
are appreciated.

-- 
Will


________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
