Windows event id 4 (kerberos)
raj esh L
rrcrajesh2003 at yahoo.com
Wed Jan 20 11:52:41 EST 2010
Thanks for your response.
I have not tried to un-join & join. I can try this option as a last effort.
If I need to un-join, which machine do I need to do it on? Is it BRAPRINT001?
Time zones are correct on all servers.
I queried all the DCs' event logs for event ID 11 through eventcombat.exe, but none of these SPNs were found.
As per the description, 3 server names (braprint001, where I get alerts, and two others) are involved in this problem. I was not able to understand the description itself. Can you please explain what it is?
I captured a netmon trace at the time the problem occurred. All of these names appear there, but I could not understand it.
It's my humble request that you verify those and help me understand.
________________________________
From: Christopher D. Clausen <cclausen at acm.org>
To: raj esh L <rrcrajesh2003 at yahoo.com>
Cc: kerberos at mit.edu
Sent: Wed, 20 January, 2010 21:15:13
Subject: Re: Windows event id 4 (kerberos)
The error list in netstat (as well as in the other email that you sent)
seems reasonable for a machine that has been up for a period of time.
Setspn output looks reasonable as well.
Have you tried just un-joining and re-joining the computer account in
question to the domain? This usually fixes the problem in my
experience, assuming there isn't some actual underlying cause (like
duplicated accounts.) You may need to delete and re-create the computer
account after un-joining.
Are the times and time zones correct on these systems? Do they
regularly synchronize to the domain controller's time?
Are there any errors in the event log on the domain controllers about
duplicate computer accounts?
Some of the suggestions here might be useful to you as well:
http://eventid.net/display.asp?eventid=4&eventno=1968&source=Kerberos&phase=1
http://eventid.net/display.asp?eventid=11&eventno=569&source=KDC&phase=1
<<CDC
raj esh L <rrcrajesh2003 at yahoo.com> wrote:
> No samba and non-windows. All are windows servers.
>
>
> U:\>setspn -l SLH-001155
> Registered ServicePrincipalNames for CN=SLH-001155,OU=Laptops,OU=SLH,OU=GBR,OU=EUR,DC=dir,DC=ucb-group,DC=com:
>     HOST/SLH-001155
>     HOST/SLH-001155.dir.ucb-group.com
>
> U:\>setspn -l BRAPRINT001
> Registered ServicePrincipalNames for CN=BRAPRINT001,OU=Servers,OU=Global,OU=BEL,OU=EUR,DC=dir,DC=ucb-group,DC=com:
>     HOST/BRAPRINT001
>     HOST/BRAPRINT001.dir.ucb-group.com
>
> U:\>setspn -l ATL017784
> Registered ServicePrincipalNames for CN=ATL017784,OU=Laptops,OU=ATL,OU=USA,OU=AME,DC=dir,DC=ucb-group,DC=com:
>     HOST/ATL017784
>     HOST/ATL017784.dir.ucb-group.com
>
> U:\>netstat -s
> IPv4 Statistics
> Received Header Errors = 0
> Received Address Errors = 42563
> Unknown Protocols Received = 0
> Received Packets Discarded = 0
> Routing Discards = 0
> Discarded Output Packets = 0
> Output Packet No Route = 0
> Reassembly Failures = 0
> Datagrams Failing Fragmentation = 0
> ICMPv4 Statistics
> Errors 0 13
> TCP Statistics for IPv4
> Failed Connection Attempts = 4275
> Segments Retransmitted = 24512
> UDP Statistics for IPv4
> Receive Errors = 22753
>
>
> Please let me know if any other information is required.
>
>
>
>
> ________________________________
> From: raj esh L <rrcrajesh2003 at yahoo.com>
> To: Christopher D. Clausen <cclausen at acm.org>
> Cc: kerberos at mit.edu
> Sent: Wed, 20 January, 2010 3:47:11
> Subject: Re: Windows event id 4 (kerberos)
>
>
> Thank you very much for your information; I appreciate it. But
>
> I verified SPNs and computer names - no duplication found.
>
> These computers have not been updated recently and have existed for a
> long time.
>
> Thanks once again for the networking help. I will check and give you
> an update.
>
> I will give the setspn details also.
>
> I spent days searching for a fix but did not find a correct
> solution. Your help would be highly appreciated.
>
> We get the message every day. But we see the same event ID, same
> description with different names 'SLH-001155' with different cifs\
>
> First of all, I do not clearly understand the description. If
> you would explain what is going on here with examples of server names
> based on the description, that would be great.
>
>
> ________________________________
> From: Christopher D. Clausen <cclausen at acm.org>
> To: raj esh L <rrcrajesh2003 at yahoo.com>
> Cc: kerberos at mit.edu
> Sent: Wed, 20 January, 2010 3:01:30
> Subject: Re: Windows event id 4 (kerberos)
>
> Is this for an actual Windows computer? Or a non-Windows machine
> running something like Samba?
>
> -----
>
> I see these all the time. I believe these occur on occasion when a
> computer account automatically updates its machine account password in
> Active Directory. (This is a normal function of a computer joined to
> AD.)
>
> I'd suggest un-joining and re-joining the computer to the domain if
> this is a persistent problem on this system.
>
> If the issue persists you likely have a network connection problem.
> Check netstat -s output and look for high error counts and check
> duplex settings on all ends of the connection.
>
> -----
>
> Another thing to check is for identically named accounts (as
> mentioned), including SPNs that were set with setspn.exe or ktpass.exe.
> These are hard to track down and may require specific LDAP queries to
> locate.
>
> -----
>
> Please send output of setspn -l SLH-001155
>
> <<CDC
>
> raj esh L <rrcrajesh2003 at yahoo.com> wrote:
>> We have observed Kerberos event ID 4 on one member server (print
>> server) BRAPRINT001 (10.1.37.167). Please find the description of
>> the event below. Can someone please help me with it?
>>
>> Event Type: Error
>> Event Source: Kerberos
>> Event Category: None
>> Event ID: 4
>> Date: 1/13/2010
>> Time: 6:16:35 PM
>> User: N/A
>> Computer: BRAPRINT001
>> Description:
>> The kerberos client received a KRB_AP_ERR_MODIFIED error from the
>> server SLH-001155$. The target name used was
>> cifs/ATL017784.dir.ucb-group.com. This indicates that the password
>> used to encrypt the kerberos service ticket is different than that on
>> the target server. Commonly, this is due to identically named
>> machine accounts in the target realm (DIR.UCB-GROUP.COM), and the
>> client realm. Please contact your system administrator.
>>
>> For more information, see Help and Support Center at
>> http://go.microsoft.com/fwlink/events.asp.
>>
>>
>> ATL017784.dir.ucb-group.com [10.70.11.107]
>>
>> We captured a network trace for it. Can you please help explain what
>> is going on?
>>
>>
>> The captured file is available at http://www.megaupload.com/?d=WDIG1CAT
>>
>>
>>
>> ________________________________________________
>> Kerberos mailing list Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
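Added example (not part of the original thread, and not code from either poster): a Python sketch that reads the Event ID 4 description together with the `setspn -l` listings quoted above, and reports which machine account registers the SPN the ticket was issued for, compared with the account that returned KRB_AP_ERR_MODIFIED. The function names are invented for this illustration, the sample text is copied from the thread, and treating `cifs/` as covered by the `HOST/` SPN assumes the default Windows alias.

```python
import re
# Sample input copied from the thread: Event ID 4 text and the setspn -l listings.
EVENT = """The kerberos client received a KRB_AP_ERR_MODIFIED error from the
server SLH-001155$. The target name used was
cifs/ATL017784.dir.ucb-group.com. This indicates that the password
used to encrypt the kerberos service ticket is different than that on
the target server."""
SETSPN = """Registered ServicePrincipalNames for CN=SLH-001155,OU=Laptops,OU=SLH,OU=GBR,OU=EUR,DC=dir,DC=ucb-group,DC=com:
    HOST/SLH-001155
    HOST/SLH-001155.dir.ucb-group.com
Registered ServicePrincipalNames for CN=BRAPRINT001,OU=Servers,OU=Global,OU=BEL,OU=EUR,DC=dir,DC=ucb-group,DC=com:
    HOST/BRAPRINT001
    HOST/BRAPRINT001.dir.ucb-group.com
Registered ServicePrincipalNames for CN=ATL017784,OU=Laptops,OU=ATL,OU=USA,OU=AME,DC=dir,DC=ucb-group,DC=com:
    HOST/ATL017784
    HOST/ATL017784.dir.ucb-group.com"""

def parse_event(text):
    """Return (responding account, target SPN) from an Event ID 4 description."""
    flat = " ".join(text.split())
    m = re.search(r"error from the server (\S+?)\. The target name used was (\S+?)\.(?:\s|$)", flat)
    if not m:
        raise ValueError("not a KRB_AP_ERR_MODIFIED event description")
    return m.group(1).rstrip("$"), m.group(2)

def parse_setspn(text):
    """Map each SPN (lower-cased) to the set of account CNs that register it."""
    owners, account = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"Registered ServicePrincipalNames for CN=([^,]+),", line)
        if m:
            account = m.group(1)
        elif line and account:
            owners.setdefault(line.lower(), set()).add(account)
    return owners

def diagnose(event_text, setspn_text):
    responder, target = parse_event(event_text)
    owners = parse_setspn(setspn_text)
    service, _, host = target.partition("/")
    # Assumption: cifs/ is covered by the account's HOST/ SPN (default Windows alias).
    lookup = (f"host/{host}" if service.lower() == "cifs" else target).lower()
    holders = sorted(owners.get(lookup, ()))
    dupes = {spn: sorted(a) for spn, a in owners.items() if len(a) > 1}
    # True when the ticket's SPN belongs to one account but another machine answered.
    other = bool(holders) and responder.upper() not in (h.upper() for h in holders)
    return {"responder": responder, "target_spn": target, "spn_holders": holders,
            "duplicate_spns": dupes, "answered_by_other_host": other}

print(diagnose(EVENT, SETSPN))
```

With the thread's data there are no duplicate SPNs, yet the SPN is registered to ATL017784 while SLH-001155 sent the error, so the request for ATL017784 was answered by a different machine; the name-to-address mapping the client used is worth checking alongside the duplicate-account search.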