Archived from groups: microsoft.public.win2000.security (
More info?)
Michiko,
Thanks for the information. I will check out the resources you indicated.
We are not trying to do constrained delegation, we are using win 2003 server.
"Michiko Short [MSFT]" wrote:
> Robert,
>
> Event 673 is the Service Ticket Request event (for more info see the event
> resource below or Kerb Authn Tech Ref Tools & Settings). Looks like you have
> a failure code 0xD - KDC_ERR_BADOPTION: KDC cannot accommodate requested
> option (See TS Kerb Err WP for details). This is an error that typically
> does not cause you any problems since if the TGT is about to expire your
> system will request a new one. However, if you are trying to use constrained
> delegation in Windows 2000 then you should rethink your scenario since
> Windows 2000 does not support constrained delegation. If you want
> constrained delegation then you need to use Windows Server 2003 Active
> Directory (domain).
>
> Does that answer your question?
>
> Resources:
>
> Kerberos Authentication in Windows Server 2003 web page has lots of Kerberos
> Authentication resources:
>
http://www.microsoft.com/kerberos
>
> Troubleshooting Kerberos Errors whitepaper:
>
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx
>
> Our resource Windows Server 2003 Events and Errors is off the TechNet Menu
> under Troubleshooting & Support as the Events and Errors Message Center. It
> has the following URL:
>
http://www.microsoft.com/technet/support/ee/search.aspx?DisplayName=Windows%20Server%202003&ProdName=Windows%20Operating%20System&MajorMinor=5.2&LCID=1033
>
> Below is the entry for your error:
>
http://www.microsoft.com/technet/support/ee/result.aspx?EvtSrc=Security&EvtID=673&ProdName=Windows+Operating+System&LCID=1033&ProdVer=5.2
>
> --
> Michiko Short [MSFT]
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
> Please do not send e-mail directly to this alias. This alias is for
> newsgroup purposes only.
>
> "Robert J" <RobertJ@discussions.microsoft.com> wrote in message
> news:3A2A7DEF-0438-46B7-8795-5721CB7A336F@microsoft.com...
> > We have 2 2003 domain controllers, both are recording a logon failure, id
> > 673
> > with the following data
> >
> > User: NT Authority/system
> > service name: host/myserver.domain name
> > Ticket options 0X40830000
> > Client address 127.0.0.1
> > Failure code 0XD
> >
> > I haven't found any help in the knowledge base. Any help would be
> > appreciated.
> >
> > Thanks, Robert
>
>
>