Windows event id 4 (kerberos)
raj esh L
rrcrajesh2003 at yahoo.com
Wed Jan 20 05:32:17 EST 2010
Sorry I put wrong server details of netstat -s. Plz find now the correct one.
C:\>netstat -s
IPv4 Statistics
Packets Received = 207484084
Received Header Errors = 0
Received Address Errors = 4204
Datagrams Forwarded = 0
Unknown Protocols Received = 0
Received Packets Discarded = 0
Received Packets Delivered = 207479903
Output Requests = 203812438
Routing Discards = 0
Discarded Output Packets = 0
Output Packet No Route = 0
Reassembly Required = 4
Reassembly Successful = 2
Reassembly Failures = 0
Datagrams Successfully Fragmented = 2
Datagrams Failing Fragmentation = 0
Fragments Created = 4
ICMPv4 Statistics
Received Sent
Messages 123384 67298
Errors 0 0
Destination Unreachable 53043 285
Time Exceeded 5870 0
Parameter Problems 0 0
Source Quenches 0 0
Redirects 0 0
Echos 47557 19456
Echo Replies 16914 47557
Timestamps 0 0
Timestamp Replies 0 0
Address Masks 0 0
Address Mask Replies 0 0
TCP Statistics for IPv4
Active Opens = 182529
Passive Opens = 246806
Failed Connection Attempts = 120080
Reset Connections = 17762
Current Connections = 805
Segments Received = 206256325
Segments Sent = 199667155
Segments Retransmitted = 1662797
UDP Statistics for IPv4
Datagrams Received = 1090012
No Ports = 97063
Receive Errors = 17
Datagrams Sent = 2400610
________________________________
From: raj esh L <rrcrajesh2003 at yahoo.com>
To: Christopher D. Clausen <cclausen at acm.org>
Cc: kerberos at mit.edu
Sent: Wed, 20 January, 2010 15:49:56
Subject: Windows event id 4 (kerberos)
No samba and non-windows. All are windows servers.
U:\>setspn -l SLH-001155
Registered ServicePrincipalNames for CN=SLH-001155,OU=Laptops,OU=SLH,OU=GBR,OU=E
UR,DC=dir,DC=ucb-group,DC=com:
HOST/SLH-001155
HOST/SLH-001155.dir.ucb-group.com
U:\>setspn -l BRAPRINT001
Registered ServicePrincipalNames for CN=BRAPRINT001,OU=Servers,OU=Global,OU=BEL,
OU=EUR,DC=dir,DC=ucb-group,DC=com:
HOST/BRAPRINT001
HOST/BRAPRINT001.dir.ucb-group.com
U:\>setspn -l ATL017784
Registered ServicePrincipalNames for CN=ATL017784,OU=Laptops,OU=ATL,OU=USA,OU=AM
E,DC=dir,DC=ucb-group,DC=com:
HOST/ATL017784
HOST/ATL017784.dir.ucb-group.com
U:\>netstat -s
IPv4 Statistics
Packets Received = 38101798
Received Header Errors = 0
Received Address Errors = 42563
Datagrams Forwarded = 0
Unknown Protocols Received = 0
Received Packets Discarded = 0
Received Packets Delivered = 38059228
Output Requests = 31080179
Routing Discards = 0
Discarded Output Packets = 0
Output Packet No Route = 0
Reassembly Required = 85
Reassembly Successful = 37
Reassembly Failures = 0
Datagrams Successfully Fragmented = 9
Datagrams Failing Fragmentation = 0
Fragments Created = 18
ICMPv4 Statistics
Received Sent
Messages 227967 227817
Errors 0 13
Destination Unreachable 723 717
Time Exceeded 34 0
Parameter Problems 0 0
Source Quenches 0 0
Redirects 0 0
Echos 212083 15017
Echo Replies 15127 212070
Timestamps 0 0
Timestamp Replies 0 0
Address Masks 0 0
Address Mask Replies 0 0
TCP Statistics for IPv4
Active Opens = 143960
Passive Opens = 9560
Failed Connection Attempts = 4275
Reset Connections = 6759
Current Connections = 156
Segments Received = 36346619
Segments Sent = 29722129
Segments Retransmitted = 24512
UDP Statistics for IPv4
Datagrams Received = 1347067
No Ports = 268826
Receive Errors = 22753
Datagrams Sent = 1105790
Please let me know if any other information is required.
________________________________
From: raj esh L <rrcrajesh2003 at yahoo.com>
To: Christopher D. Clausen <cclausen at acm.org>
Cc: kerberos at mit.edu
Sent: Wed, 20 January, 2010 3:47:11
Subject: Re: Windows event id 4 (kerberos)
Than Q very much for your information and would appreciate. But
I verified SPNs and computer names - No duplication found.
These computers not updated recently and exist from long time.
Thanks once again about networking help .I would check and give you update.
i will give the setspn details also.
I spent days together to search the fix but did not find a correct solution. your help would be highly appreciable.
we get the message on every day. But we see the same event id, same description with different names 'SLH-001155' with different cifs\
First of all, I do not understand clearly about the description. if you would explain what is going here with examples of server names based on description that would be great.
________________________________
From: Christopher D. Clausen <cclausen at acm.org>
To: raj esh L <rrcrajesh2003 at yahoo.com>
Cc: kerberos at mit.edu
Sent: Wed, 20 January, 2010 3:01:30
Subject: Re: Windows event id 4 (kerberos)
Is this for an actual Windows computer? Or a non-Windows machine
running something like Samba?
-----
I see these all the time. I believe these occur on occation when a
computer account automatically updates its machine account password in
Active Directory. (This is a normal function of a computer joined to
AD.)
I'd suggest un-joining and re-joining the computer to the domain if this
is a persistent problem on this system.
If the issue persists you likely have a network connection problem.
Check netstat -s output and look for high error counts and check duplex
settings on all ends of the connection.
-----
Another thing to check is for identially named accounts (as mentioned,)
including SPNs that were set with setspn.exe or ktpass.exe. These are
hard to track down and may require specific LDAP queries to locate.
-----
Please send output of setspn -l SLH-001155
<<CDC
raj esh L <rrcrajesh2003 at yahoo.com> wrote:
> We have observed Kerberos event id4 on one member server (Print
> server )BRAPRINT001 (10.1.37.167). Please find the description below
> about the event id. Can some one please help me on it ?
>
> Event Type: Error
> Event Source: Kerberos
> Event Category: None
> Event ID: 4
> Date: 1/13/2010
> Time: 6:16:35 PM
> User: N/A
> Computer: BRAPRINT001
> Description:
> The kerberos client received a KRB_AP_ERR_MODIFIED error from the
> server SLH-001155$. The target name used was
> cifs/ATL017784.dir.ucb-group.com. This indicates that the password
> used to encrypt the kerberos service ticket is different than that on
> the target server. Commonly, this is due to identically named
> machine accounts in the target realm (DIR.UCB-GROUP.COM), and the
> client realm. Please contact your system administrator.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
>
> ATL017784.dir.ucb-group.com [10.70.11.107]
>
> We captured network for it. Can you please help here what is going on?
>
>
> captured file is available at http://www.megaupload.com/?d=WDIG1CAT
>
>
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
More information about the Kerberos
mailing list