Windows event id 4 (kerberos)

raj esh L rrcrajesh2003 at yahoo.com
Wed Jan 20 05:32:17 EST 2010


Sorry I put wrong server details of netstat -s.  Plz find now the correct one. 


C:\>netstat -s
IPv4 Statistics
  Packets Received                   = 207484084
  Received Header Errors             = 0
  Received Address Errors            = 4204
  Datagrams Forwarded                = 0
  Unknown Protocols Received         = 0
  Received Packets Discarded         = 0
  Received Packets Delivered         = 207479903
  Output Requests                    = 203812438
  Routing Discards                   = 0
  Discarded Output Packets           = 0
  Output Packet No Route             = 0
  Reassembly Required                = 4
  Reassembly Successful              = 2
  Reassembly Failures                = 0
  Datagrams Successfully Fragmented  = 2
  Datagrams Failing Fragmentation    = 0
  Fragments Created                  = 4
ICMPv4 Statistics
                            Received    Sent
  Messages                  123384      67298
  Errors                    0           0
  Destination Unreachable   53043       285
  Time Exceeded             5870        0
  Parameter Problems        0           0
  Source Quenches           0           0
  Redirects                 0           0
  Echos                     47557       19456
  Echo Replies              16914       47557
  Timestamps                0           0
  Timestamp Replies         0           0
  Address Masks             0           0
  Address Mask Replies      0           0
TCP Statistics for IPv4
  Active Opens                        = 182529
  Passive Opens                       = 246806
  Failed Connection Attempts          = 120080
  Reset Connections                   = 17762
  Current Connections                 = 805
  Segments Received                   = 206256325
  Segments Sent                       = 199667155
  Segments Retransmitted              = 1662797
UDP Statistics for IPv4
  Datagrams Received    = 1090012
  No Ports              = 97063
  Receive Errors        = 17
  Datagrams Sent        = 2400610






________________________________
From: raj esh L <rrcrajesh2003 at yahoo.com>
To: Christopher D. Clausen <cclausen at acm.org>
Cc: kerberos at mit.edu
Sent: Wed, 20 January, 2010 15:49:56
Subject: Windows event id 4 (kerberos)


No samba and non-windows. All are windows servers.
 

U:\>setspn -l SLH-001155
Registered ServicePrincipalNames for CN=SLH-001155,OU=Laptops,OU=SLH,OU=GBR,OU=E
UR,DC=dir,DC=ucb-group,DC=com:
    HOST/SLH-001155
    HOST/SLH-001155.dir.ucb-group.com
 
U:\>setspn -l BRAPRINT001
Registered ServicePrincipalNames for CN=BRAPRINT001,OU=Servers,OU=Global,OU=BEL,
OU=EUR,DC=dir,DC=ucb-group,DC=com:
    HOST/BRAPRINT001
    HOST/BRAPRINT001.dir.ucb-group.com
 
U:\>setspn -l ATL017784
Registered ServicePrincipalNames for CN=ATL017784,OU=Laptops,OU=ATL,OU=USA,OU=AM
E,DC=dir,DC=ucb-group,DC=com:
    HOST/ATL017784
    HOST/ATL017784.dir.ucb-group.com
 
U:\>netstat -s
IPv4 Statistics
  Packets Received                   = 38101798
  Received Header Errors             = 0
  Received Address Errors            = 42563
  Datagrams Forwarded                = 0
  Unknown Protocols Received         = 0
  Received Packets Discarded         = 0
  Received Packets Delivered         = 38059228
  Output Requests                    = 31080179
  Routing Discards                   = 0
  Discarded Output Packets           = 0
  Output Packet No Route             = 0
  Reassembly Required                = 85
  Reassembly Successful              = 37
  Reassembly Failures                = 0
  Datagrams Successfully Fragmented  = 9
  Datagrams Failing Fragmentation    = 0
  Fragments Created                  = 18
ICMPv4 Statistics
                            Received    Sent
  Messages                  227967      227817
  Errors                    0           13
  Destination Unreachable   723         717
  Time Exceeded             34          0
  Parameter Problems        0           0
  Source Quenches           0           0
  Redirects                 0           0
  Echos                     212083      15017
  Echo Replies              15127       212070
  Timestamps                0           0
  Timestamp Replies         0           0
  Address Masks             0           0
  Address Mask Replies      0           0
TCP Statistics for IPv4
  Active Opens                        = 143960
  Passive Opens                       = 9560
  Failed Connection Attempts          = 4275
  Reset Connections                   = 6759
  Current Connections                 = 156
  Segments Received                   = 36346619
  Segments Sent                       = 29722129
  Segments Retransmitted              = 24512
UDP Statistics for IPv4
  Datagrams Received    = 1347067
  No Ports              = 268826
  Receive Errors        = 22753
  Datagrams Sent        = 1105790


Please let me know if any other information is required.




________________________________
From: raj esh L <rrcrajesh2003 at yahoo.com>
To: Christopher D. Clausen <cclausen at acm.org>
Cc: kerberos at mit.edu
Sent: Wed, 20 January, 2010 3:47:11
Subject: Re: Windows event id 4 (kerberos)


Than Q very much for your information and would appreciate. But

I verified SPNs and computer names - No duplication found.

These computers not updated recently and exist from long time.

Thanks once again about networking help .I would check and give you update.

i will give the setspn details also. 

I spent days together to search the fix but did not find a correct solution. your help would be highly appreciable. 

we get the message on every day. But we see the same event id, same description with different names  'SLH-001155' with different cifs\

First of all, I do not understand clearly  about the description. if you would explain what is going here with examples of server names based on description that would be great. 


________________________________
From: Christopher D. Clausen <cclausen at acm.org>
To: raj esh L <rrcrajesh2003 at yahoo.com>
Cc: kerberos at mit.edu
Sent: Wed, 20 January, 2010 3:01:30
Subject: Re: Windows event id 4 (kerberos)

Is this for an actual Windows computer?  Or a non-Windows machine 
running something like Samba?

-----

I see these all the time.  I believe these occur on occation when a 
computer account automatically updates its machine account password in 
Active Directory.  (This is a normal function of a computer joined to 
AD.)

I'd suggest un-joining and re-joining the computer to the domain if this 
is a persistent problem on this system.

If the issue persists you likely have a network connection problem. 
Check netstat -s output and look for high error counts and check duplex 
settings on all ends of the connection.

-----

Another thing to check is for identially named accounts (as mentioned,) 
including SPNs that were set with setspn.exe or ktpass.exe.  These are 
hard to track down and may require specific LDAP queries to locate.

-----

Please send output of setspn -l SLH-001155

<<CDC

raj esh L <rrcrajesh2003 at yahoo.com> wrote:
> We have observed Kerberos event id4 on one member server (Print
> server )BRAPRINT001 (10.1.37.167). Please find the description below
> about the event id. Can some one please help me on it ?
>
> Event Type:            Error
> Event Source:          Kerberos
> Event Category:      None
> Event ID:                4
> Date:                      1/13/2010
> Time:                      6:16:35 PM
> User:                      N/A
> Computer:              BRAPRINT001
> Description:
> The kerberos client received a KRB_AP_ERR_MODIFIED error from the
> server SLH-001155$.  The target name used was
> cifs/ATL017784.dir.ucb-group.com. This indicates that the password
> used to encrypt the kerberos service ticket is different than that on
> the target server. Commonly, this is due to identically named
> machine accounts in the target realm (DIR.UCB-GROUP.COM), and the
> client realm.  Please contact your system administrator.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
>
> ATL017784.dir.ucb-group.com [10.70.11.107]
>
> We captured network for it. Can you please help here what is going on?
>
>
> captured file is available at http://www.megaupload.com/?d=WDIG1CAT
>
>
>
> ________________________________________________
> Kerberos mailing list          Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos 


      


More information about the Kerberos mailing list