Once a week kerberos failure between web and db server.

[Guest JimLad]

Hi,

 

Once a week to the second we get a Kerberos failure between our web

server and db server. This is causing us considerable problems.

Everything runs fine the rest of the week. The problem lasts from a

few seconds to a few minutes, apparently dependent on the number of

users on at the time.

 

The website is running IIS6 on Windows 2003 SP2. The db server is

running SQL Server 2000 SP4 on Windows 2003 SP1. The domain controller

is running Windows 2003 SP1.

We are using constrained delegation and protocol transition.

 

The message on the KDC/DC is (where S03 is the dc, S72 with the web

server and S10 is the db server):

 

Event Type: Failure Audit

Event Source: Security

Event Category: Account Logon

Event ID: 673

Date: 06/09/2007

Time: 17:01:56

User: NT AUTHORITY\SYSTEM

Computer: S05010003

Description:

Service Ticket Request:

User Name: S05010072$@CORP.DNSDOM.NET

User Domain: CORP.DNSDOM.NET

Service Name: MSSQLSvc/S05010010.corp.dnsdom.net:1433

Service ID: -

Ticket Options: 0x40830000

Ticket Encryption Type: -

Client Address: 10.1.1.88

Failure Code: 0xB

Logon GUID: -

Transited Services: -

 

0xB is the error code for KDC_ERR_NEVER_VALID, but I've checked the

times and timezones on the servers and there aren't any differences,

certainly not the 5 minutes necessary to cause this message.

 

A second after this message we get a successful ticket issued to the

account that sql server runs under:

 

Event Type: Success Audit

Event Source: Security

Event Category: Account Logon

Event ID: 673

Date: 06/09/2007

Time: 17:01:57

User: NT AUTHORITY\SYSTEM

Computer: S05010003

Description:

Service Ticket Request:

User Name: S05010072$@CORP.DNSDOM.NET

User Domain: CORP.DNSDOM.NET

Service Name: S05010010_SYSTEM

Service ID: CORP\S05010010_SYSTEM

Ticket Options: 0x40830000

Ticket Encryption Type: 0x17

Client Address: 10.1.1.88

Failure Code: -

Logon GUID: {385e5858-a6e2-34c7-fa6a-c495f2edacf3}

Transited Services:

HTTP/<website>.com@CORP.DNSDOM.NET

 

SPNs shown below:

 

C:\Documents and Settings\helpdesk>setspn -L s05010010_system

Registered ServicePrincipalNames for CN=XYZSystems,OU=Users\

\Groups,OU=ServiceAd

mins,DC=corp,DC=dnsdom,DC=net:

MSSQLSvc/S05010010.corp.dnsdom.net:1433

MSSQLSvc/S05010010:1433

 

C:\Documents and Settings\helpdesk>setspn -L s05010072

Registered ServicePrincipalNames for CN=S05010072,OU=Server2003,OU=PSG

Servers,D

C=corp,DC=dnsdom,DC=net:

http/<website>.com

http/demo.<website>.com

http/copy.<website>.com

HOST/S05010072.corp.dnsdom.net

HOST/S05010072

 

These are the commands that were used to create the SPNs on the db

server:

 

setspn -a MSSQLSvc/S05010010.corp.dnsdom.net:1433 S05010010_system

setspn -a MSSQLSvc/S05010010:1433 S05010010_system

 

Anyone have any idea what is wrong?

 

Cheers,

 

James