Sign in with
Sign up | Sign in
Your question

Kerberos Error Message

Tags:
Last response: in Windows 2000/NT
Share
September 10, 2004 1:36:04 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Hi,

Hi Have a windows 2000 domain controllor. This server doesn't perform and
Operations master roles. I have turned on Kerberos logging as I have been
having some time sycronisation problem with some clients on the network.

I'm receiveing a kerberos error every few hours (The doesn't seem to be any
pattern as to when these errors occur). I have looked at eventID (EventID
talks about domain trusts but this is a single domain with no trusts) and
searched on google but I can't find anything about this specific error (Note
in the error code: 0x20). The error is as follows:

Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 594
Date: 10/09/2004
Time: 02:26:05
User: N/A
Computer: DCServer1
Description:
A Kerberos Error Message was received:
on logon session InitializeSecurityContext
Client Time:
Server Time:
Error Code: 1:26:5.0000 9/10/2004 (null) 0x20
Extended Error: KRB_AP_ERR_TKT_EXPIRED
Client Realm:
Client Name:
Server Realm: MyDomainName
Server Name: krbtgt/MyDomainName
Target Name: krbtgt/MyDomainName@MyDomainName
Error Text:
File:
Line:
Error Data is in record data.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


Does anybody know why I'm receiving this error or where I can find more
information about it.

Thanks


Paul

More about : kerberos error message

Anonymous
September 10, 2004 8:52:18 PM

Archived from groups: microsoft.public.win2000.security (More info?)

First check that basic dns configuration is correct as dns misconfiguration is the
root of most domain problems. Domain controllers must point to themselves and/or the
pdc fsmo domain controller. See the link below on AD dns FAQ.

http://support.microsoft.com/default.aspx?scid=kb%3Ben-...

You can also use the support tools netdiag and dcdiag to check for domain controller
health. The both will run a battery of tests to check for proper configuration
including kerberos and you can use the /v switch with netdiag as in " netdiag
/test:kerberos /v ". --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;321708 -- netdiag and how to
install support tools.


"PC" <paulm DOT c at iol DOT ie> wrote in message
news:uVIY3ExlEHA.1244@TK2MSFTNGP15.phx.gbl...
> Hi,
>
> Hi Have a windows 2000 domain controllor. This server doesn't perform and
> Operations master roles. I have turned on Kerberos logging as I have been
> having some time sycronisation problem with some clients on the network.
>
> I'm receiveing a kerberos error every few hours (The doesn't seem to be any
> pattern as to when these errors occur). I have looked at eventID (EventID
> talks about domain trusts but this is a single domain with no trusts) and
> searched on google but I can't find anything about this specific error (Note
> in the error code: 0x20). The error is as follows:
>
> Event Type: Error
> Event Source: Kerberos
> Event Category: None
> Event ID: 594
> Date: 10/09/2004
> Time: 02:26:05
> User: N/A
> Computer: DCServer1
> Description:
> A Kerberos Error Message was received:
> on logon session InitializeSecurityContext
> Client Time:
> Server Time:
> Error Code: 1:26:5.0000 9/10/2004 (null) 0x20
> Extended Error: KRB_AP_ERR_TKT_EXPIRED
> Client Realm:
> Client Name:
> Server Realm: MyDomainName
> Server Name: krbtgt/MyDomainName
> Target Name: krbtgt/MyDomainName@MyDomainName
> Error Text:
> File:
> Line:
> Error Data is in record data.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
>
> Does anybody know why I'm receiving this error or where I can find more
> information about it.
>
> Thanks
>
>
> Paul
>
>
Anonymous
September 10, 2004 10:14:16 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Paulm,

The error you are receiving (0x20) indicated that the
Ticket Granting Ticket has been revoked. This is usually
related to a date / time problem, as TGT's are time
sensitive. I noticed that in the text of the error you
posted that your server date indicates as 10/9/2004 and
your client date indicates as 9/9/2004. Also, there
appears to be a difference of an hour between the two
clocks. Perhaps you should verify that the date and time
on both server and clients are synchronized...? I believe
that this is the root of the issue.

Hope this helps. Please post back with any more questions.

Opti_mystic_69


>-----Original Message-----
>Hi,
>
>Hi Have a windows 2000 domain controllor. This server
doesn't perform and
>Operations master roles. I have turned on Kerberos
logging as I have been
>having some time sycronisation problem with some clients
on the network.
>
>I'm receiveing a kerberos error every few hours (The
doesn't seem to be any
>pattern as to when these errors occur). I have looked at
eventID (EventID
>talks about domain trusts but this is a single domain
with no trusts) and
>searched on google but I can't find anything about this
specific error (Note
>in the error code: 0x20). The error is as follows:
>
>Event Type: Error
>Event Source: Kerberos
>Event Category: None
>Event ID: 594
>Date: 10/09/2004
>Time: 02:26:05
>User: N/A
>Computer: DCServer1
>Description:
>A Kerberos Error Message was received:
> on logon session InitializeSecurityContext
> Client Time:
> Server Time:
> Error Code: 1:26:5.0000 9/10/2004 (null) 0x20
> Extended Error: KRB_AP_ERR_TKT_EXPIRED
> Client Realm:
> Client Name:
> Server Realm: MyDomainName
> Server Name: krbtgt/MyDomainName
> Target Name: krbtgt/MyDomainName@MyDomainName
> Error Text:
> File:
> Line:
> Error Data is in record data.
>
>For more information, see Help and Support Center at
>http://go.microsoft.com/fwlink/events.asp.
>
>
>Does anybody know why I'm receiving this error or where I
can find more
>information about it.
>
>Thanks
>
>
>Paul
>
>
>.
>
Related resources
Anonymous
September 13, 2004 12:43:24 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Opti_Mystic_69 is correct, sounds like a time difference.

A good resource for troubleshooting Kerberos errors is the relatively new
whitepaper below:

Troubleshooting Kerberos Errors
http://www.microsoft.com/technet/prodtechnol/windowsser...

--
Tim Springston
Microsoft Corporation
This posting is provided "AS IS" with no warranties, and confers no rights.


"opti_mystic_69" <anonymous@discussions.microsoft.com> wrote in message
news:030901c4979c$a808d520$a501280a@phx.gbl...
> Paulm,
>
> The error you are receiving (0x20) indicated that the
> Ticket Granting Ticket has been revoked. This is usually
> related to a date / time problem, as TGT's are time
> sensitive. I noticed that in the text of the error you
> posted that your server date indicates as 10/9/2004 and
> your client date indicates as 9/9/2004. Also, there
> appears to be a difference of an hour between the two
> clocks. Perhaps you should verify that the date and time
> on both server and clients are synchronized...? I believe
> that this is the root of the issue.
>
> Hope this helps. Please post back with any more questions.
>
> Opti_mystic_69
>
>
>>-----Original Message-----
>>Hi,
>>
>>Hi Have a windows 2000 domain controllor. This server
> doesn't perform and
>>Operations master roles. I have turned on Kerberos
> logging as I have been
>>having some time sycronisation problem with some clients
> on the network.
>>
>>I'm receiveing a kerberos error every few hours (The
> doesn't seem to be any
>>pattern as to when these errors occur). I have looked at
> eventID (EventID
>>talks about domain trusts but this is a single domain
> with no trusts) and
>>searched on google but I can't find anything about this
> specific error (Note
>>in the error code: 0x20). The error is as follows:
>>
>>Event Type: Error
>>Event Source: Kerberos
>>Event Category: None
>>Event ID: 594
>>Date: 10/09/2004
>>Time: 02:26:05
>>User: N/A
>>Computer: DCServer1
>>Description:
>>A Kerberos Error Message was received:
>> on logon session InitializeSecurityContext
>> Client Time:
>> Server Time:
>> Error Code: 1:26:5.0000 9/10/2004 (null) 0x20
>> Extended Error: KRB_AP_ERR_TKT_EXPIRED
>> Client Realm:
>> Client Name:
>> Server Realm: MyDomainName
>> Server Name: krbtgt/MyDomainName
>> Target Name: krbtgt/MyDomainName@MyDomainName
>> Error Text:
>> File:
>> Line:
>> Error Data is in record data.
>>
>>For more information, see Help and Support Center at
>>http://go.microsoft.com/fwlink/events.asp.
>>
>>
>>Does anybody know why I'm receiving this error or where I
> can find more
>>information about it.
>>
>>Thanks
>>
>>
>>Paul
>>
>>
>>.
>>
September 13, 2004 4:09:16 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Thanks for the replies.

I think you are correct with regards to the time issue but I'm not sure how
to resolve this. Opti_Mystic_69 mention about what appears to be a
discrepency between the clinet and server times in my original post. It
would appear from my post that there is a discrepency but when I check the
servers there is no apparent discrepancies. All servers report the correct
time and date.

To back track, I have an on going problem where some clients receive an
error when logging on that there is a time discrepancy. This occurs although
I know for certain there is no time difference between client and server. I
order to enable authentication I have to restart the KDC on one of my DC
(This is one of 2 DC's but it doesn't host any fsmo roles.) Immediatly I
restart the KDC on this DC the user can logon.

This happens on only a few machines but nothing seems to work to fix it. I
have tried removing and rejoining the clients. Net diag tests on kerberos
and DNS seem fine.

Is there someway I could find out why I'm getting time discrepancy errors
and Time related Kerberos errors when there doesn't seem to be any
difference in time on the network?

Again thanks for your help

Paul



"Tim Springston [MS]" <tspring@online.microsoft.com> wrote in message
news:o aCvPMTmEHA.416@TK2MSFTNGP10.phx.gbl...
> Opti_Mystic_69 is correct, sounds like a time difference.
>
> A good resource for troubleshooting Kerberos errors is the relatively new
> whitepaper below:
>
> Troubleshooting Kerberos Errors
>
http://www.microsoft.com/technet/prodtechnol/windowsser...
>
> --
> Tim Springston
> Microsoft Corporation
> This posting is provided "AS IS" with no warranties, and confers no
rights.
>
>
> "opti_mystic_69" <anonymous@discussions.microsoft.com> wrote in message
> news:030901c4979c$a808d520$a501280a@phx.gbl...
> > Paulm,
> >
> > The error you are receiving (0x20) indicated that the
> > Ticket Granting Ticket has been revoked. This is usually
> > related to a date / time problem, as TGT's are time
> > sensitive. I noticed that in the text of the error you
> > posted that your server date indicates as 10/9/2004 and
> > your client date indicates as 9/9/2004. Also, there
> > appears to be a difference of an hour between the two
> > clocks. Perhaps you should verify that the date and time
> > on both server and clients are synchronized...? I believe
> > that this is the root of the issue.
> >
> > Hope this helps. Please post back with any more questions.
> >
> > Opti_mystic_69
> >
> >
> >>-----Original Message-----
> >>Hi,
> >>
> >>Hi Have a windows 2000 domain controllor. This server
> > doesn't perform and
> >>Operations master roles. I have turned on Kerberos
> > logging as I have been
> >>having some time sycronisation problem with some clients
> > on the network.
> >>
> >>I'm receiveing a kerberos error every few hours (The
> > doesn't seem to be any
> >>pattern as to when these errors occur). I have looked at
> > eventID (EventID
> >>talks about domain trusts but this is a single domain
> > with no trusts) and
> >>searched on google but I can't find anything about this
> > specific error (Note
> >>in the error code: 0x20). The error is as follows:
> >>
> >>Event Type: Error
> >>Event Source: Kerberos
> >>Event Category: None
> >>Event ID: 594
> >>Date: 10/09/2004
> >>Time: 02:26:05
> >>User: N/A
> >>Computer: DCServer1
> >>Description:
> >>A Kerberos Error Message was received:
> >> on logon session InitializeSecurityContext
> >> Client Time:
> >> Server Time:
> >> Error Code: 1:26:5.0000 9/10/2004 (null) 0x20
> >> Extended Error: KRB_AP_ERR_TKT_EXPIRED
> >> Client Realm:
> >> Client Name:
> >> Server Realm: MyDomainName
> >> Server Name: krbtgt/MyDomainName
> >> Target Name: krbtgt/MyDomainName@MyDomainName
> >> Error Text:
> >> File:
> >> Line:
> >> Error Data is in record data.
> >>
> >>For more information, see Help and Support Center at
> >>http://go.microsoft.com/fwlink/events.asp.
> >>
> >>
> >>Does anybody know why I'm receiving this error or where I
> > can find more
> >>information about it.
> >>
> >>Thanks
> >>
> >>
> >>Paul
> >>
> >>
> >>.
> >>
>
>
Anonymous
September 13, 2004 4:09:17 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Here ya go...we sync with the USNO and it works good.


Troubleshooting Windows Time Service Problems
http://tinyurl.com/5mqal

Provides troubleshooting information about Windows Time
service
http://tinyurl.com/669p6

Microsoft - Windows Time service
http://tinyurl.com/5lyvq

>-----Original Message-----
>Thanks for the replies.
>
>I think you are correct with regards to the time issue
but I'm not sure how
>to resolve this. Opti_Mystic_69 mention about what
appears to be a
>discrepency between the clinet and server times in my
original post. It
>would appear from my post that there is a discrepency but
when I check the
>servers there is no apparent discrepancies. All servers
report the correct
>time and date.
>
>To back track, I have an on going problem where some
clients receive an
>error when logging on that there is a time discrepancy.
This occurs although
>I know for certain there is no time difference between
client and server. I
>order to enable authentication I have to restart the KDC
on one of my DC
>(This is one of 2 DC's but it doesn't host any fsmo
roles.) Immediatly I
>restart the KDC on this DC the user can logon.
>
>This happens on only a few machines but nothing seems to
work to fix it. I
>have tried removing and rejoining the clients. Net diag
tests on kerberos
>and DNS seem fine.
>
>Is there someway I could find out why I'm getting time
discrepancy errors
>and Time related Kerberos errors when there doesn't seem
to be any
>difference in time on the network?
>
>Again thanks for your help
>
>Paul
>
>
>
>"Tim Springston [MS]" <tspring@online.microsoft.com>
wrote in message
>news:o aCvPMTmEHA.416@TK2MSFTNGP10.phx.gbl...
>> Opti_Mystic_69 is correct, sounds like a time
difference.
>>
>> A good resource for troubleshooting Kerberos errors is
the relatively new
>> whitepaper below:
>>
>> Troubleshooting Kerberos Errors
>>
>http://www.microsoft.com/technet/prodtechnol/windowsser...
2003/technologies/security/tkerberr.mspx
>>
>> --
>> Tim Springston
>> Microsoft Corporation
>> This posting is provided "AS IS" with no warranties,
and confers no
>rights.
>>
>>
>> "opti_mystic_69" <anonymous@discussions.microsoft.com>
wrote in message
>> news:030901c4979c$a808d520$a501280a@phx.gbl...
>> > Paulm,
>> >
>> > The error you are receiving (0x20) indicated that the
>> > Ticket Granting Ticket has been revoked. This is
usually
>> > related to a date / time problem, as TGT's are time
>> > sensitive. I noticed that in the text of the error you
>> > posted that your server date indicates as 10/9/2004
and
>> > your client date indicates as 9/9/2004. Also, there
>> > appears to be a difference of an hour between the two
>> > clocks. Perhaps you should verify that the date and
time
>> > on both server and clients are synchronized...? I
believe
>> > that this is the root of the issue.
>> >
>> > Hope this helps. Please post back with any more
questions.
>> >
>> > Opti_mystic_69
>> >
>> >
>> >>-----Original Message-----
>> >>Hi,
>> >>
>> >>Hi Have a windows 2000 domain controllor. This server
>> > doesn't perform and
>> >>Operations master roles. I have turned on Kerberos
>> > logging as I have been
>> >>having some time sycronisation problem with some
clients
>> > on the network.
>> >>
>> >>I'm receiveing a kerberos error every few hours (The
>> > doesn't seem to be any
>> >>pattern as to when these errors occur). I have looked
at
>> > eventID (EventID
>> >>talks about domain trusts but this is a single domain
>> > with no trusts) and
>> >>searched on google but I can't find anything about
this
>> > specific error (Note
>> >>in the error code: 0x20). The error is as follows:
>> >>
>> >>Event Type: Error
>> >>Event Source: Kerberos
>> >>Event Category: None
>> >>Event ID: 594
>> >>Date: 10/09/2004
>> >>Time: 02:26:05
>> >>User: N/A
>> >>Computer: DCServer1
>> >>Description:
>> >>A Kerberos Error Message was received:
>> >> on logon session InitializeSecurityContext
>> >> Client Time:
>> >> Server Time:
>> >> Error Code: 1:26:5.0000 9/10/2004 (null) 0x20
>> >> Extended Error: KRB_AP_ERR_TKT_EXPIRED
>> >> Client Realm:
>> >> Client Name:
>> >> Server Realm: MyDomainName
>> >> Server Name: krbtgt/MyDomainName
>> >> Target Name: krbtgt/MyDomainName@MyDomainName
>> >> Error Text:
>> >> File:
>> >> Line:
>> >> Error Data is in record data.
>> >>
>> >>For more information, see Help and Support Center at
>> >>http://go.microsoft.com/fwlink/events.asp.
>> >>
>> >>
>> >>Does anybody know why I'm receiving this error or
where I
>> > can find more
>> >>information about it.
>> >>
>> >>Thanks
>> >>
>> >>
>> >>Paul
>> >>
>> >>
>> >>.
>> >>
>>
>>
>
>
>.
>
Anonymous
September 13, 2004 4:09:17 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Is the Windows Time Service (a.k.a W32Time) started and set to automatic on
the domain controller which you reboot to alleviate the problem?

--
Tim Springston
Microsoft Corporation
This posting is provided "AS IS" with no warranties, and confers no rights.


"PC" <paulm DOT c at iol DOT ie> wrote in message
news:eD41dIYmEHA.3452@TK2MSFTNGP15.phx.gbl...
> Thanks for the replies.
>
> I think you are correct with regards to the time issue but I'm not sure
> how
> to resolve this. Opti_Mystic_69 mention about what appears to be a
> discrepency between the clinet and server times in my original post. It
> would appear from my post that there is a discrepency but when I check the
> servers there is no apparent discrepancies. All servers report the correct
> time and date.
>
> To back track, I have an on going problem where some clients receive an
> error when logging on that there is a time discrepancy. This occurs
> although
> I know for certain there is no time difference between client and server.
> I
> order to enable authentication I have to restart the KDC on one of my DC
> (This is one of 2 DC's but it doesn't host any fsmo roles.) Immediatly I
> restart the KDC on this DC the user can logon.
>
> This happens on only a few machines but nothing seems to work to fix it. I
> have tried removing and rejoining the clients. Net diag tests on kerberos
> and DNS seem fine.
>
> Is there someway I could find out why I'm getting time discrepancy errors
> and Time related Kerberos errors when there doesn't seem to be any
> difference in time on the network?
>
> Again thanks for your help
>
> Paul
>
>
>
> "Tim Springston [MS]" <tspring@online.microsoft.com> wrote in message
> news:o aCvPMTmEHA.416@TK2MSFTNGP10.phx.gbl...
>> Opti_Mystic_69 is correct, sounds like a time difference.
>>
>> A good resource for troubleshooting Kerberos errors is the relatively new
>> whitepaper below:
>>
>> Troubleshooting Kerberos Errors
>>
> http://www.microsoft.com/technet/prodtechnol/windowsser...
>>
>> --
>> Tim Springston
>> Microsoft Corporation
>> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>>
>>
>> "opti_mystic_69" <anonymous@discussions.microsoft.com> wrote in message
>> news:030901c4979c$a808d520$a501280a@phx.gbl...
>> > Paulm,
>> >
>> > The error you are receiving (0x20) indicated that the
>> > Ticket Granting Ticket has been revoked. This is usually
>> > related to a date / time problem, as TGT's are time
>> > sensitive. I noticed that in the text of the error you
>> > posted that your server date indicates as 10/9/2004 and
>> > your client date indicates as 9/9/2004. Also, there
>> > appears to be a difference of an hour between the two
>> > clocks. Perhaps you should verify that the date and time
>> > on both server and clients are synchronized...? I believe
>> > that this is the root of the issue.
>> >
>> > Hope this helps. Please post back with any more questions.
>> >
>> > Opti_mystic_69
>> >
>> >
>> >>-----Original Message-----
>> >>Hi,
>> >>
>> >>Hi Have a windows 2000 domain controllor. This server
>> > doesn't perform and
>> >>Operations master roles. I have turned on Kerberos
>> > logging as I have been
>> >>having some time sycronisation problem with some clients
>> > on the network.
>> >>
>> >>I'm receiveing a kerberos error every few hours (The
>> > doesn't seem to be any
>> >>pattern as to when these errors occur). I have looked at
>> > eventID (EventID
>> >>talks about domain trusts but this is a single domain
>> > with no trusts) and
>> >>searched on google but I can't find anything about this
>> > specific error (Note
>> >>in the error code: 0x20). The error is as follows:
>> >>
>> >>Event Type: Error
>> >>Event Source: Kerberos
>> >>Event Category: None
>> >>Event ID: 594
>> >>Date: 10/09/2004
>> >>Time: 02:26:05
>> >>User: N/A
>> >>Computer: DCServer1
>> >>Description:
>> >>A Kerberos Error Message was received:
>> >> on logon session InitializeSecurityContext
>> >> Client Time:
>> >> Server Time:
>> >> Error Code: 1:26:5.0000 9/10/2004 (null) 0x20
>> >> Extended Error: KRB_AP_ERR_TKT_EXPIRED
>> >> Client Realm:
>> >> Client Name:
>> >> Server Realm: MyDomainName
>> >> Server Name: krbtgt/MyDomainName
>> >> Target Name: krbtgt/MyDomainName@MyDomainName
>> >> Error Text:
>> >> File:
>> >> Line:
>> >> Error Data is in record data.
>> >>
>> >>For more information, see Help and Support Center at
>> >>http://go.microsoft.com/fwlink/events.asp.
>> >>
>> >>
>> >>Does anybody know why I'm receiving this error or where I
>> > can find more
>> >>information about it.
>> >>
>> >>Thanks
>> >>
>> >>
>> >>Paul
>> >>
>> >>
>> >>.
>> >>
>>
>>
>
>
!