Kerberos Error Message

Archived from groups: microsoft.public.win2000.security (More info?)

Hi,

Hi Have a windows 2000 domain controllor. This server doesn't perform and
Operations master roles. I have turned on Kerberos logging as I have been
having some time sycronisation problem with some clients on the network.

I'm receiveing a kerberos error every few hours (The doesn't seem to be any
pattern as to when these errors occur). I have looked at eventID (EventID
talks about domain trusts but this is a single domain with no trusts) and
searched on google but I can't find anything about this specific error (Note
in the error code: 0x20). The error is as follows:

Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 594
Date: 10/09/2004
Time: 02:26:05
User: N/A
Computer: DCServer1
Description:
A Kerberos Error Message was received:
on logon session InitializeSecurityContext
Client Time:
Server Time:
Error Code: 1:26:5.0000 9/10/2004 (null) 0x20
Extended Error: KRB_AP_ERR_TKT_EXPIRED
Client Realm:
Client Name:
Server Realm: MyDomainName
Server Name: krbtgt/MyDomainName
Target Name: krbtgt/MyDomainName@MyDomainName
Error Text:
File:
Line:
Error Data is in record data.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


Does anybody know why I'm receiving this error or where I can find more
information about it.

Thanks


Paul
6 answers Last reply
More about kerberos error message
  1. Archived from groups: microsoft.public.win2000.security (More info?)

    First check that basic dns configuration is correct as dns misconfiguration is the
    root of most domain problems. Domain controllers must point to themselves and/or the
    pdc fsmo domain controller. See the link below on AD dns FAQ.

    http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382

    You can also use the support tools netdiag and dcdiag to check for domain controller
    health. The both will run a battery of tests to check for proper configuration
    including kerberos and you can use the /v switch with netdiag as in " netdiag
    /test:kerberos /v ". --- Steve

    http://support.microsoft.com/default.aspx?scid=kb;en-us;321708 -- netdiag and how to
    install support tools.


    "PC" <paulm DOT c at iol DOT ie> wrote in message
    news:uVIY3ExlEHA.1244@TK2MSFTNGP15.phx.gbl...
    > Hi,
    >
    > Hi Have a windows 2000 domain controllor. This server doesn't perform and
    > Operations master roles. I have turned on Kerberos logging as I have been
    > having some time sycronisation problem with some clients on the network.
    >
    > I'm receiveing a kerberos error every few hours (The doesn't seem to be any
    > pattern as to when these errors occur). I have looked at eventID (EventID
    > talks about domain trusts but this is a single domain with no trusts) and
    > searched on google but I can't find anything about this specific error (Note
    > in the error code: 0x20). The error is as follows:
    >
    > Event Type: Error
    > Event Source: Kerberos
    > Event Category: None
    > Event ID: 594
    > Date: 10/09/2004
    > Time: 02:26:05
    > User: N/A
    > Computer: DCServer1
    > Description:
    > A Kerberos Error Message was received:
    > on logon session InitializeSecurityContext
    > Client Time:
    > Server Time:
    > Error Code: 1:26:5.0000 9/10/2004 (null) 0x20
    > Extended Error: KRB_AP_ERR_TKT_EXPIRED
    > Client Realm:
    > Client Name:
    > Server Realm: MyDomainName
    > Server Name: krbtgt/MyDomainName
    > Target Name: krbtgt/MyDomainName@MyDomainName
    > Error Text:
    > File:
    > Line:
    > Error Data is in record data.
    >
    > For more information, see Help and Support Center at
    > http://go.microsoft.com/fwlink/events.asp.
    >
    >
    > Does anybody know why I'm receiving this error or where I can find more
    > information about it.
    >
    > Thanks
    >
    >
    > Paul
    >
    >
  2. Archived from groups: microsoft.public.win2000.security (More info?)

    Paulm,

    The error you are receiving (0x20) indicated that the
    Ticket Granting Ticket has been revoked. This is usually
    related to a date / time problem, as TGT's are time
    sensitive. I noticed that in the text of the error you
    posted that your server date indicates as 10/9/2004 and
    your client date indicates as 9/9/2004. Also, there
    appears to be a difference of an hour between the two
    clocks. Perhaps you should verify that the date and time
    on both server and clients are synchronized...? I believe
    that this is the root of the issue.

    Hope this helps. Please post back with any more questions.

    Opti_mystic_69


    >-----Original Message-----
    >Hi,
    >
    >Hi Have a windows 2000 domain controllor. This server
    doesn't perform and
    >Operations master roles. I have turned on Kerberos
    logging as I have been
    >having some time sycronisation problem with some clients
    on the network.
    >
    >I'm receiveing a kerberos error every few hours (The
    doesn't seem to be any
    >pattern as to when these errors occur). I have looked at
    eventID (EventID
    >talks about domain trusts but this is a single domain
    with no trusts) and
    >searched on google but I can't find anything about this
    specific error (Note
    >in the error code: 0x20). The error is as follows:
    >
    >Event Type: Error
    >Event Source: Kerberos
    >Event Category: None
    >Event ID: 594
    >Date: 10/09/2004
    >Time: 02:26:05
    >User: N/A
    >Computer: DCServer1
    >Description:
    >A Kerberos Error Message was received:
    > on logon session InitializeSecurityContext
    > Client Time:
    > Server Time:
    > Error Code: 1:26:5.0000 9/10/2004 (null) 0x20
    > Extended Error: KRB_AP_ERR_TKT_EXPIRED
    > Client Realm:
    > Client Name:
    > Server Realm: MyDomainName
    > Server Name: krbtgt/MyDomainName
    > Target Name: krbtgt/MyDomainName@MyDomainName
    > Error Text:
    > File:
    > Line:
    > Error Data is in record data.
    >
    >For more information, see Help and Support Center at
    >http://go.microsoft.com/fwlink/events.asp.
    >
    >
    >Does anybody know why I'm receiving this error or where I
    can find more
    >information about it.
    >
    >Thanks
    >
    >
    >Paul
    >
    >
    >.
    >
  3. Archived from groups: microsoft.public.win2000.security (More info?)

    Opti_Mystic_69 is correct, sounds like a time difference.

    A good resource for troubleshooting Kerberos errors is the relatively new
    whitepaper below:

    Troubleshooting Kerberos Errors
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx

    --
    Tim Springston
    Microsoft Corporation
    This posting is provided "AS IS" with no warranties, and confers no rights.


    "opti_mystic_69" <anonymous@discussions.microsoft.com> wrote in message
    news:030901c4979c$a808d520$a501280a@phx.gbl...
    > Paulm,
    >
    > The error you are receiving (0x20) indicated that the
    > Ticket Granting Ticket has been revoked. This is usually
    > related to a date / time problem, as TGT's are time
    > sensitive. I noticed that in the text of the error you
    > posted that your server date indicates as 10/9/2004 and
    > your client date indicates as 9/9/2004. Also, there
    > appears to be a difference of an hour between the two
    > clocks. Perhaps you should verify that the date and time
    > on both server and clients are synchronized...? I believe
    > that this is the root of the issue.
    >
    > Hope this helps. Please post back with any more questions.
    >
    > Opti_mystic_69
    >
    >
    >>-----Original Message-----
    >>Hi,
    >>
    >>Hi Have a windows 2000 domain controllor. This server
    > doesn't perform and
    >>Operations master roles. I have turned on Kerberos
    > logging as I have been
    >>having some time sycronisation problem with some clients
    > on the network.
    >>
    >>I'm receiveing a kerberos error every few hours (The
    > doesn't seem to be any
    >>pattern as to when these errors occur). I have looked at
    > eventID (EventID
    >>talks about domain trusts but this is a single domain
    > with no trusts) and
    >>searched on google but I can't find anything about this
    > specific error (Note
    >>in the error code: 0x20). The error is as follows:
    >>
    >>Event Type: Error
    >>Event Source: Kerberos
    >>Event Category: None
    >>Event ID: 594
    >>Date: 10/09/2004
    >>Time: 02:26:05
    >>User: N/A
    >>Computer: DCServer1
    >>Description:
    >>A Kerberos Error Message was received:
    >> on logon session InitializeSecurityContext
    >> Client Time:
    >> Server Time:
    >> Error Code: 1:26:5.0000 9/10/2004 (null) 0x20
    >> Extended Error: KRB_AP_ERR_TKT_EXPIRED
    >> Client Realm:
    >> Client Name:
    >> Server Realm: MyDomainName
    >> Server Name: krbtgt/MyDomainName
    >> Target Name: krbtgt/MyDomainName@MyDomainName
    >> Error Text:
    >> File:
    >> Line:
    >> Error Data is in record data.
    >>
    >>For more information, see Help and Support Center at
    >>http://go.microsoft.com/fwlink/events.asp.
    >>
    >>
    >>Does anybody know why I'm receiving this error or where I
    > can find more
    >>information about it.
    >>
    >>Thanks
    >>
    >>
    >>Paul
    >>
    >>
    >>.
    >>
  4. Archived from groups: microsoft.public.win2000.security (More info?)

    Thanks for the replies.

    I think you are correct with regards to the time issue but I'm not sure how
    to resolve this. Opti_Mystic_69 mention about what appears to be a
    discrepency between the clinet and server times in my original post. It
    would appear from my post that there is a discrepency but when I check the
    servers there is no apparent discrepancies. All servers report the correct
    time and date.

    To back track, I have an on going problem where some clients receive an
    error when logging on that there is a time discrepancy. This occurs although
    I know for certain there is no time difference between client and server. I
    order to enable authentication I have to restart the KDC on one of my DC
    (This is one of 2 DC's but it doesn't host any fsmo roles.) Immediatly I
    restart the KDC on this DC the user can logon.

    This happens on only a few machines but nothing seems to work to fix it. I
    have tried removing and rejoining the clients. Net diag tests on kerberos
    and DNS seem fine.

    Is there someway I could find out why I'm getting time discrepancy errors
    and Time related Kerberos errors when there doesn't seem to be any
    difference in time on the network?

    Again thanks for your help

    Paul


    "Tim Springston [MS]" <tspring@online.microsoft.com> wrote in message
    news:OaCvPMTmEHA.416@TK2MSFTNGP10.phx.gbl...
    > Opti_Mystic_69 is correct, sounds like a time difference.
    >
    > A good resource for troubleshooting Kerberos errors is the relatively new
    > whitepaper below:
    >
    > Troubleshooting Kerberos Errors
    >
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx
    >
    > --
    > Tim Springston
    > Microsoft Corporation
    > This posting is provided "AS IS" with no warranties, and confers no
    rights.
    >
    >
    > "opti_mystic_69" <anonymous@discussions.microsoft.com> wrote in message
    > news:030901c4979c$a808d520$a501280a@phx.gbl...
    > > Paulm,
    > >
    > > The error you are receiving (0x20) indicated that the
    > > Ticket Granting Ticket has been revoked. This is usually
    > > related to a date / time problem, as TGT's are time
    > > sensitive. I noticed that in the text of the error you
    > > posted that your server date indicates as 10/9/2004 and
    > > your client date indicates as 9/9/2004. Also, there
    > > appears to be a difference of an hour between the two
    > > clocks. Perhaps you should verify that the date and time
    > > on both server and clients are synchronized...? I believe
    > > that this is the root of the issue.
    > >
    > > Hope this helps. Please post back with any more questions.
    > >
    > > Opti_mystic_69
    > >
    > >
    > >>-----Original Message-----
    > >>Hi,
    > >>
    > >>Hi Have a windows 2000 domain controllor. This server
    > > doesn't perform and
    > >>Operations master roles. I have turned on Kerberos
    > > logging as I have been
    > >>having some time sycronisation problem with some clients
    > > on the network.
    > >>
    > >>I'm receiveing a kerberos error every few hours (The
    > > doesn't seem to be any
    > >>pattern as to when these errors occur). I have looked at
    > > eventID (EventID
    > >>talks about domain trusts but this is a single domain
    > > with no trusts) and
    > >>searched on google but I can't find anything about this
    > > specific error (Note
    > >>in the error code: 0x20). The error is as follows:
    > >>
    > >>Event Type: Error
    > >>Event Source: Kerberos
    > >>Event Category: None
    > >>Event ID: 594
    > >>Date: 10/09/2004
    > >>Time: 02:26:05
    > >>User: N/A
    > >>Computer: DCServer1
    > >>Description:
    > >>A Kerberos Error Message was received:
    > >> on logon session InitializeSecurityContext
    > >> Client Time:
    > >> Server Time:
    > >> Error Code: 1:26:5.0000 9/10/2004 (null) 0x20
    > >> Extended Error: KRB_AP_ERR_TKT_EXPIRED
    > >> Client Realm:
    > >> Client Name:
    > >> Server Realm: MyDomainName
    > >> Server Name: krbtgt/MyDomainName
    > >> Target Name: krbtgt/MyDomainName@MyDomainName
    > >> Error Text:
    > >> File:
    > >> Line:
    > >> Error Data is in record data.
    > >>
    > >>For more information, see Help and Support Center at
    > >>http://go.microsoft.com/fwlink/events.asp.
    > >>
    > >>
    > >>Does anybody know why I'm receiving this error or where I
    > > can find more
    > >>information about it.
    > >>
    > >>Thanks
    > >>
    > >>
    > >>Paul
    > >>
    > >>
    > >>.
    > >>
    >
    >
  5. Archived from groups: microsoft.public.win2000.security (More info?)

    Here ya go...we sync with the USNO and it works good.


    Troubleshooting Windows Time Service Problems
    http://tinyurl.com/5mqal

    Provides troubleshooting information about Windows Time
    service
    http://tinyurl.com/669p6

    Microsoft - Windows Time service
    http://tinyurl.com/5lyvq

    >-----Original Message-----
    >Thanks for the replies.
    >
    >I think you are correct with regards to the time issue
    but I'm not sure how
    >to resolve this. Opti_Mystic_69 mention about what
    appears to be a
    >discrepency between the clinet and server times in my
    original post. It
    >would appear from my post that there is a discrepency but
    when I check the
    >servers there is no apparent discrepancies. All servers
    report the correct
    >time and date.
    >
    >To back track, I have an on going problem where some
    clients receive an
    >error when logging on that there is a time discrepancy.
    This occurs although
    >I know for certain there is no time difference between
    client and server. I
    >order to enable authentication I have to restart the KDC
    on one of my DC
    >(This is one of 2 DC's but it doesn't host any fsmo
    roles.) Immediatly I
    >restart the KDC on this DC the user can logon.
    >
    >This happens on only a few machines but nothing seems to
    work to fix it. I
    >have tried removing and rejoining the clients. Net diag
    tests on kerberos
    >and DNS seem fine.
    >
    >Is there someway I could find out why I'm getting time
    discrepancy errors
    >and Time related Kerberos errors when there doesn't seem
    to be any
    >difference in time on the network?
    >
    >Again thanks for your help
    >
    >Paul
    >
    >
    >
    >"Tim Springston [MS]" <tspring@online.microsoft.com>
    wrote in message
    >news:OaCvPMTmEHA.416@TK2MSFTNGP10.phx.gbl...
    >> Opti_Mystic_69 is correct, sounds like a time
    difference.
    >>
    >> A good resource for troubleshooting Kerberos errors is
    the relatively new
    >> whitepaper below:
    >>
    >> Troubleshooting Kerberos Errors
    >>
    >http://www.microsoft.com/technet/prodtechnol/windowsserver
    2003/technologies/security/tkerberr.mspx
    >>
    >> --
    >> Tim Springston
    >> Microsoft Corporation
    >> This posting is provided "AS IS" with no warranties,
    and confers no
    >rights.
    >>
    >>
    >> "opti_mystic_69" <anonymous@discussions.microsoft.com>
    wrote in message
    >> news:030901c4979c$a808d520$a501280a@phx.gbl...
    >> > Paulm,
    >> >
    >> > The error you are receiving (0x20) indicated that the
    >> > Ticket Granting Ticket has been revoked. This is
    usually
    >> > related to a date / time problem, as TGT's are time
    >> > sensitive. I noticed that in the text of the error you
    >> > posted that your server date indicates as 10/9/2004
    and
    >> > your client date indicates as 9/9/2004. Also, there
    >> > appears to be a difference of an hour between the two
    >> > clocks. Perhaps you should verify that the date and
    time
    >> > on both server and clients are synchronized...? I
    believe
    >> > that this is the root of the issue.
    >> >
    >> > Hope this helps. Please post back with any more
    questions.
    >> >
    >> > Opti_mystic_69
    >> >
    >> >
    >> >>-----Original Message-----
    >> >>Hi,
    >> >>
    >> >>Hi Have a windows 2000 domain controllor. This server
    >> > doesn't perform and
    >> >>Operations master roles. I have turned on Kerberos
    >> > logging as I have been
    >> >>having some time sycronisation problem with some
    clients
    >> > on the network.
    >> >>
    >> >>I'm receiveing a kerberos error every few hours (The
    >> > doesn't seem to be any
    >> >>pattern as to when these errors occur). I have looked
    at
    >> > eventID (EventID
    >> >>talks about domain trusts but this is a single domain
    >> > with no trusts) and
    >> >>searched on google but I can't find anything about
    this
    >> > specific error (Note
    >> >>in the error code: 0x20). The error is as follows:
    >> >>
    >> >>Event Type: Error
    >> >>Event Source: Kerberos
    >> >>Event Category: None
    >> >>Event ID: 594
    >> >>Date: 10/09/2004
    >> >>Time: 02:26:05
    >> >>User: N/A
    >> >>Computer: DCServer1
    >> >>Description:
    >> >>A Kerberos Error Message was received:
    >> >> on logon session InitializeSecurityContext
    >> >> Client Time:
    >> >> Server Time:
    >> >> Error Code: 1:26:5.0000 9/10/2004 (null) 0x20
    >> >> Extended Error: KRB_AP_ERR_TKT_EXPIRED
    >> >> Client Realm:
    >> >> Client Name:
    >> >> Server Realm: MyDomainName
    >> >> Server Name: krbtgt/MyDomainName
    >> >> Target Name: krbtgt/MyDomainName@MyDomainName
    >> >> Error Text:
    >> >> File:
    >> >> Line:
    >> >> Error Data is in record data.
    >> >>
    >> >>For more information, see Help and Support Center at
    >> >>http://go.microsoft.com/fwlink/events.asp.
    >> >>
    >> >>
    >> >>Does anybody know why I'm receiving this error or
    where I
    >> > can find more
    >> >>information about it.
    >> >>
    >> >>Thanks
    >> >>
    >> >>
    >> >>Paul
    >> >>
    >> >>
    >> >>.
    >> >>
    >>
    >>
    >
    >
    >.
    >
  6. Archived from groups: microsoft.public.win2000.security (More info?)

    Is the Windows Time Service (a.k.a W32Time) started and set to automatic on
    the domain controller which you reboot to alleviate the problem?

    --
    Tim Springston
    Microsoft Corporation
    This posting is provided "AS IS" with no warranties, and confers no rights.


    "PC" <paulm DOT c at iol DOT ie> wrote in message
    news:eD41dIYmEHA.3452@TK2MSFTNGP15.phx.gbl...
    > Thanks for the replies.
    >
    > I think you are correct with regards to the time issue but I'm not sure
    > how
    > to resolve this. Opti_Mystic_69 mention about what appears to be a
    > discrepency between the clinet and server times in my original post. It
    > would appear from my post that there is a discrepency but when I check the
    > servers there is no apparent discrepancies. All servers report the correct
    > time and date.
    >
    > To back track, I have an on going problem where some clients receive an
    > error when logging on that there is a time discrepancy. This occurs
    > although
    > I know for certain there is no time difference between client and server.
    > I
    > order to enable authentication I have to restart the KDC on one of my DC
    > (This is one of 2 DC's but it doesn't host any fsmo roles.) Immediatly I
    > restart the KDC on this DC the user can logon.
    >
    > This happens on only a few machines but nothing seems to work to fix it. I
    > have tried removing and rejoining the clients. Net diag tests on kerberos
    > and DNS seem fine.
    >
    > Is there someway I could find out why I'm getting time discrepancy errors
    > and Time related Kerberos errors when there doesn't seem to be any
    > difference in time on the network?
    >
    > Again thanks for your help
    >
    > Paul
    >
    >
    >
    > "Tim Springston [MS]" <tspring@online.microsoft.com> wrote in message
    > news:OaCvPMTmEHA.416@TK2MSFTNGP10.phx.gbl...
    >> Opti_Mystic_69 is correct, sounds like a time difference.
    >>
    >> A good resource for troubleshooting Kerberos errors is the relatively new
    >> whitepaper below:
    >>
    >> Troubleshooting Kerberos Errors
    >>
    > http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx
    >>
    >> --
    >> Tim Springston
    >> Microsoft Corporation
    >> This posting is provided "AS IS" with no warranties, and confers no
    > rights.
    >>
    >>
    >> "opti_mystic_69" <anonymous@discussions.microsoft.com> wrote in message
    >> news:030901c4979c$a808d520$a501280a@phx.gbl...
    >> > Paulm,
    >> >
    >> > The error you are receiving (0x20) indicated that the
    >> > Ticket Granting Ticket has been revoked. This is usually
    >> > related to a date / time problem, as TGT's are time
    >> > sensitive. I noticed that in the text of the error you
    >> > posted that your server date indicates as 10/9/2004 and
    >> > your client date indicates as 9/9/2004. Also, there
    >> > appears to be a difference of an hour between the two
    >> > clocks. Perhaps you should verify that the date and time
    >> > on both server and clients are synchronized...? I believe
    >> > that this is the root of the issue.
    >> >
    >> > Hope this helps. Please post back with any more questions.
    >> >
    >> > Opti_mystic_69
    >> >
    >> >
    >> >>-----Original Message-----
    >> >>Hi,
    >> >>
    >> >>Hi Have a windows 2000 domain controllor. This server
    >> > doesn't perform and
    >> >>Operations master roles. I have turned on Kerberos
    >> > logging as I have been
    >> >>having some time sycronisation problem with some clients
    >> > on the network.
    >> >>
    >> >>I'm receiveing a kerberos error every few hours (The
    >> > doesn't seem to be any
    >> >>pattern as to when these errors occur). I have looked at
    >> > eventID (EventID
    >> >>talks about domain trusts but this is a single domain
    >> > with no trusts) and
    >> >>searched on google but I can't find anything about this
    >> > specific error (Note
    >> >>in the error code: 0x20). The error is as follows:
    >> >>
    >> >>Event Type: Error
    >> >>Event Source: Kerberos
    >> >>Event Category: None
    >> >>Event ID: 594
    >> >>Date: 10/09/2004
    >> >>Time: 02:26:05
    >> >>User: N/A
    >> >>Computer: DCServer1
    >> >>Description:
    >> >>A Kerberos Error Message was received:
    >> >> on logon session InitializeSecurityContext
    >> >> Client Time:
    >> >> Server Time:
    >> >> Error Code: 1:26:5.0000 9/10/2004 (null) 0x20
    >> >> Extended Error: KRB_AP_ERR_TKT_EXPIRED
    >> >> Client Realm:
    >> >> Client Name:
    >> >> Server Realm: MyDomainName
    >> >> Server Name: krbtgt/MyDomainName
    >> >> Target Name: krbtgt/MyDomainName@MyDomainName
    >> >> Error Text:
    >> >> File:
    >> >> Line:
    >> >> Error Data is in record data.
    >> >>
    >> >>For more information, see Help and Support Center at
    >> >>http://go.microsoft.com/fwlink/events.asp.
    >> >>
    >> >>
    >> >>Does anybody know why I'm receiving this error or where I
    >> > can find more
    >> >>information about it.
    >> >>
    >> >>Thanks
    >> >>
    >> >>
    >> >>Paul
    >> >>
    >> >>
    >> >>.
    >> >>
    >>
    >>
    >
    >
Ask a new question

Read More

Windows