
Kerberos requesting services using wrong user....

Anonymous
November 10, 2004 5:17:04 PM

Archived from groups: microsoft.public.win2000.security (More info?)

I logged onto my workstation (XP Pro on Win2k AD domain) earlier this week
using a different username. Now when I log into my PC with MY username, the
DC's security event log is showing that the Kerberos service tickets are
being requested by the other user.

The problem is that the other user is simply a domain user, but I am a
Domain Admin. I only have the rights of a normal user now using MMC to
administer the domain. Also, when I do a net use to an $admin drive share on
another pc, I get the login dialog box with the OTHER user already in the
username field - instead of just letting me in like it always did.

How can I re-set the user that my Kerberos client is using to request
tickets and services from my PC?!?!
I have already done the following:

1. Removed the other user's profile from my PC - and did a search of the
registry, and the user name is nowhere to be found except in the old
\documents and settings\profile path
2. Disabled the other user in AD - but then I get all kinds of Kerberos
failures and errors on my PC and the DC's security log - MMC doesn't work at
all at that point.
3. Tried to run setspn.exe - errors finding object
4. Spent the last 6 hours searching other forums and KBs to no avail
5. Removed and re-joined my PC to the domain.

Shouldn't Kerberos ONLY request tickets and services using the currently
logged on user?

Whoever knows the answer to this one is a TRUE MASTER! HELP!!

Thanks,
Mike
Anonymous
November 15, 2004 5:11:10 PM


Hi Mike-

What happens if you log on as a separate account with local Administrative
privileges, rename your current problem profile and then log on as your user
account for the domain? Does the issue still occur?

This should prompt creation of a new profile for your account, which is the
initial suspect from your description below.

--

Tim Springston
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.
"Mike V" <Mike V@discussions.microsoft.com> wrote in message
news:0F991627-936E-4421-A2ED-CF6942035D91@microsoft.com...
> I logged onto my workstation (XP Pro on Win2k AD domain) earlier this week
> using a different username. Now when I log into my PC with MY username,
> the DC's security event log is showing that the Kerberos service tickets are
> being requested by the other user.
>
> The problem is that the other user is simply a domain user, but I am a
> Domain Admin. I only have the rights of a normal user now using MMC to
> administer the domain. Also, when I do a net use to an $admin drive share
> on another pc, I get the login dialog box with the OTHER user already in the
> username field - instead of just letting me in like it always did.
>
> How can I re-set the user that my Kerberos client is using to request
> tickets and services from my PC?!?!
> I have already done the following:
>
> 1. Removed the other user's profile from my PC - and did a search of the
> registry, and the user name is nowhere to be found except in the old
> \documents and settings\profile path
> 2. Disabled the other user in AD - but then I get all kinds of Kerberos
> failures and errors on my PC and the DC's security log - MMC doesn't work
> at all at that point.
> 3. Tried to run setspn.exe - errors finding object
> 4. Spent the last 6 hours searching other forums and KBs to no avail
> 5. Removed and re-joined my PC to the domain.
>
> Shouldn't Kerberos ONLY request tickets and services using the currently
> logged on user?
>
> Whoever knows the answer to this one is a TRUE MASTER! HELP!!
>
> Thanks,
> Mike