Once a week kerberos failure between web and db server.
JimLad
jamesdbirch at yahoo.co.uk
Fri Sep 7 09:45:10 EDT 2007
Hi,
Once a week to the second we get a Kerberos failure between our web
server and db server. This is causing us considerable problems.
Everything runs fine the rest of the week. The problem lasts from a
few seconds to a few minutes, apparently dependent on the number of
users on at the time.
The website is running IIS6 on Windows 2003 SP2. The db server is
running SQL Server 2000 SP4 on Windows 2003 SP1. The domain controller
is running Windows 2003 SP1.
We are using constrained delegation and protocol transition.
The message on the KDC/DC is (where S03 is the DC, S72 is the web
server and S10 is the db server):
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 673
Date: 06/09/2007
Time: 17:01:56
User: NT AUTHORITY\SYSTEM
Computer: S05010003
Description:
Service Ticket Request:
User Name: S05010072$@CORP.DNSDOM.NET
User Domain: CORP.DNSDOM.NET
Service Name: MSSQLSvc/S05010010.corp.dnsdom.net:1433
Service ID: -
Ticket Options: 0x40830000
Ticket Encryption Type: -
Client Address: 10.1.1.88
Failure Code: 0xB
Logon GUID: -
Transited Services: -
0xB is the error code for KDC_ERR_NEVER_VALID, but I've checked the
times and timezones on the servers and there aren't any differences,
certainly not the 5 minutes necessary to cause this message.
A second after this message we get a successful ticket issued to the
account that sql server runs under:
Event Type: Success Audit
Event Source: Security
Event Category: Account Logon
Event ID: 673
Date: 06/09/2007
Time: 17:01:57
User: NT AUTHORITY\SYSTEM
Computer: S05010003
Description:
Service Ticket Request:
User Name: S05010072$@CORP.DNSDOM.NET
User Domain: CORP.DNSDOM.NET
Service Name: S05010010_SYSTEM
Service ID: CORP\S05010010_SYSTEM
Ticket Options: 0x40830000
Ticket Encryption Type: 0x17
Client Address: 10.1.1.88
Failure Code: -
Logon GUID: {385e5858-a6e2-34c7-fa6a-c495f2edacf3}
Transited Services:
HTTP/<website>.com at CORP.DNSDOM.NET
SPNs shown below:
C:\Documents and Settings\helpdesk>setspn -L s05010010_system
Registered ServicePrincipalNames for CN=XYZSystems,OU=Users\\Groups,OU=ServiceAdmins,DC=corp,DC=dnsdom,DC=net:
MSSQLSvc/S05010010.corp.dnsdom.net:1433
MSSQLSvc/S05010010:1433
C:\Documents and Settings\helpdesk>setspn -L s05010072
Registered ServicePrincipalNames for CN=S05010072,OU=Server2003,OU=PSG Servers,DC=corp,DC=dnsdom,DC=net:
http/<website>.com
http/demo.<website>.com
http/copy.<website>.com
HOST/S05010072.corp.dnsdom.net
HOST/S05010072
These are the commands that were used to create the SPNs on the db
server:
setspn -a MSSQLSvc/S05010010.corp.dnsdom.net:1433 S05010010_system
setspn -a MSSQLSvc/S05010010:1433 S05010010_system
Anyone have any idea what is wrong?
Cheers,
James
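As an added example (not part of the post, and not Microsoft tooling), the following Python decodes the two event 673 records quoted above and pairs the failure with the success that follows it one second later. The sample records are constructed from the quoted field values and trimmed to the fields the code uses; the archive's " at " in the transited SPN is written as "@"; the date is assumed to be in dd/mm/yyyy form; and the error-code, encryption-type and KDCOptions tables are the RFC 4120, RFC 3961 and RFC 4757 values, so 0xB decodes to KDC_ERR_NEVER_VALID, 0x17 to rc4-hmac and 0x40830000 to forwardable, renewable, cname-in-addl-tkt and canonicalize, cname-in-addl-tkt being the bit an S4U2proxy (constrained delegation) request sets.

```python
"""Decode Windows Server 2003 security event 673 (Service Ticket Request) records
and pair each failure with the success that follows it. The two sample records are
constructed from the values quoted in the post, trimmed to the fields used here."""
import re
from datetime import datetime

# "Failure Code" values: Kerberos error codes from RFC 4120 section 7.5.9.
KRB_ERRORS = {0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 0x07: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
              0x0B: "KDC_ERR_NEVER_VALID", 0x0C: "KDC_ERR_POLICY", 0x0D: "KDC_ERR_BADOPTION",
              0x0E: "KDC_ERR_ETYPE_NOSUPP", 0x12: "KDC_ERR_CLIENT_REVOKED",
              0x18: "KDC_ERR_PREAUTH_FAILED", 0x19: "KDC_ERR_PREAUTH_REQUIRED",
              0x20: "KRB_AP_ERR_TKT_EXPIRED", 0x25: "KRB_AP_ERR_SKEW"}
# "Ticket Encryption Type" values: etype numbers from RFC 3961 / RFC 4757.
ETYPES = {0x01: "des-cbc-crc", 0x03: "des-cbc-md5", 0x11: "aes128-cts-hmac-sha1-96",
          0x12: "aes256-cts-hmac-sha1-96", 0x17: "rc4-hmac"}
# "Ticket Options" bits: KDCOptions from RFC 4120 section 5.4.1 (bit 0 is the MSB).
KDC_OPTIONS = [(0x40000000, "forwardable"), (0x20000000, "forwarded"), (0x10000000, "proxiable"),
               (0x08000000, "proxy"), (0x04000000, "allow-postdate"), (0x02000000, "postdated"),
               (0x00800000, "renewable"), (0x00020000, "cname-in-addl-tkt"),  # bit 14, S4U2proxy
               (0x00010000, "canonicalize"), (0x00000020, "disable-transited-check"),
               (0x00000010, "renewable-ok"), (0x00000008, "enc-tkt-in-skey"),
               (0x00000002, "renew"), (0x00000001, "validate")]
FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$")  # one "Key: value" line

# Constructed sample records (values from the post; not raw event-log captures).
FAILED_EVENT = """
Date: 06/09/2007
Time: 17:01:56
User Name: S05010072$@CORP.DNSDOM.NET
Service Name: MSSQLSvc/S05010010.corp.dnsdom.net:1433
Ticket Options: 0x40830000
Ticket Encryption Type: -
Client Address: 10.1.1.88
Failure Code: 0xB
Transited Services: -
"""
SUCCESS_EVENT = """
Date: 06/09/2007
Time: 17:01:57
User Name: S05010072$@CORP.DNSDOM.NET
Service Name: S05010010_SYSTEM
Ticket Options: 0x40830000
Ticket Encryption Type: 0x17
Client Address: 10.1.1.88
Failure Code: -
Transited Services:
HTTP/<website>.com@CORP.DNSDOM.NET
"""

def parse_event(text):
    """Collect 'Key: value' lines; a line that is not one (the SPN printed under
    'Transited Services:') is appended to the previous key's value."""
    fields, last = {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = FIELD.match(line)
        if m:
            last = m.group(1)
            fields[last] = m.group(2)
        elif last:
            fields[last] = (fields[last] + " " + line).strip()
    return fields

def decode_event(text):
    """Decode one record into named values (date assumed to be dd/mm/yyyy)."""
    f = parse_event(text)
    code, etype = f.get("Failure Code", "-"), f.get("Ticket Encryption Type", "-")
    opts = int(f.get("Ticket Options", "0"), 16)
    return {
        "time": datetime.strptime(f["Date"] + " " + f["Time"], "%d/%m/%Y %H:%M:%S"),
        "success": code == "-",
        "failure": None if code == "-" else KRB_ERRORS.get(int(code, 16), "unknown " + code),
        "requester": f.get("User Name"), "service": f.get("Service Name"),
        "client": f.get("Client Address"),
        "options": [name for mask, name in KDC_OPTIONS if opts & mask],
        "etype": None if etype == "-" else ETYPES.get(int(etype, 16), etype),
        "transited": None if f.get("Transited Services", "-") == "-" else f["Transited Services"],
    }

def correlate(events, window_seconds=5):
    """Pair each failed request with the next success from the same client address
    and requesting account within window_seconds; yields (failure, success, gap)."""
    events, pairs = sorted(events, key=lambda e: e["time"]), []
    for i, ev in enumerate(events):
        if ev["success"]:
            continue
        for later in events[i + 1:]:
            gap = (later["time"] - ev["time"]).total_seconds()
            if gap > window_seconds:
                break
            if later["success"] and (later["client"], later["requester"]) == (ev["client"], ev["requester"]):
                pairs.append((ev, later, gap))
                break
    return pairs

if __name__ == "__main__":
    for fail, ok, gap in correlate([decode_event(SUCCESS_EVENT), decode_event(FAILED_EVENT)]):
        print("%s -> %s from %s: %s, options %s" % (fail["requester"], fail["service"],
              fail["client"], fail["failure"], ",".join(fail["options"])))
        print("  then %.0fs later a ticket for %s (%s) via %s" % (gap, ok["service"], ok["etype"], ok["transited"]))
```

The same parse_event() and correlate() can be run over a full export of the DC's security log filtered to event 673, which makes it easy to see whether every weekly burst of failures shares one client address, one requesting account or one service name, and how long the gap to the first success is each time.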