Guest JimLad
Posted September 7, 2007

Hi,

Once a week, to the second, we get a Kerberos failure between our web server and db server. This is causing us considerable problems. Everything runs fine the rest of the week. The problem lasts from a few seconds to a few minutes, apparently dependent on the number of users on at the time.

The website is running IIS6 on Windows 2003 SP2. The db server is running SQL Server 2000 SP4 on Windows 2003 SP1. The domain controller is running Windows 2003 SP1. We are using constrained delegation and protocol transition.

The message on the KDC/DC is (where S03 is the DC, S72 is the web server and S10 is the db server):

    Event Type:     Failure Audit
    Event Source:   Security
    Event Category: Account Logon
    Event ID:       673
    Date:           06/09/2007
    Time:           17:01:56
    User:           NT AUTHORITY\SYSTEM
    Computer:       S05010003
    Description:
    Service Ticket Request:
        User Name:               S05010072$@CORP.DNSDOM.NET
        User Domain:             CORP.DNSDOM.NET
        Service Name:            MSSQLSvc/S05010010.corp.dnsdom.net:1433
        Service ID:              -
        Ticket Options:          0x40830000
        Ticket Encryption Type:  -
        Client Address:          10.1.1.88
        Failure Code:            0xB
        Logon GUID:              -
        Transited Services:      -

0xB is the error code for KDC_ERR_NEVER_VALID, but I've checked the times and timezones on the servers and there aren't any differences, certainly not the 5 minutes necessary to cause this message.

A second after this message we get a successful ticket issued to the account that SQL Server runs under:

    Event Type:     Success Audit
    Event Source:   Security
    Event Category: Account Logon
    Event ID:       673
    Date:           06/09/2007
    Time:           17:01:57
    User:           NT AUTHORITY\SYSTEM
    Computer:       S05010003
    Description:
    Service Ticket Request:
        User Name:               S05010072$@CORP.DNSDOM.NET
        User Domain:             CORP.DNSDOM.NET
        Service Name:            S05010010_SYSTEM
        Service ID:              CORP\S05010010_SYSTEM
        Ticket Options:          0x40830000
        Ticket Encryption Type:  0x17
        Client Address:          10.1.1.88
        Failure Code:            -
        Logon GUID:              {385e5858-a6e2-34c7-fa6a-c495f2edacf3}
        Transited Services:      HTTP/<website>.com@CORP.DNSDOM.NET

SPNs shown below:

    C:\Documents and Settings\helpdesk>setspn -L s05010010_system
    Registered ServicePrincipalNames for CN=XYZSystems,OU=Users\ \Groups,OU=ServiceAdmins,DC=corp,DC=dnsdom,DC=net:
        MSSQLSvc/S05010010.corp.dnsdom.net:1433
        MSSQLSvc/S05010010:1433

    C:\Documents and Settings\helpdesk>setspn -L s05010072
    Registered ServicePrincipalNames for CN=S05010072,OU=Server2003,OU=PSG Servers,DC=corp,DC=dnsdom,DC=net:
        http/<website>.com
        http/demo.<website>.com
        http/copy.<website>.com
        HOST/S05010072.corp.dnsdom.net
        HOST/S05010072

These are the commands that were used to create the SPNs on the db server:

    setspn -a MSSQLSvc/S05010010.corp.dnsdom.net:1433 S05010010_system
    setspn -a MSSQLSvc/S05010010:1433 S05010010_system

Anyone have any idea what is wrong?

Cheers,
James
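When chasing an intermittent Kerberos service-ticket failure like the one in this post, the first thing a defender usually wants is to turn the Event ID 673 records into structured data, decode the Failure Code into its RFC 4120 name, and pair each failed TGS request with the successful one that follows it for the same client. The Python below is an added example written for this thread, not code from the original poster or from Microsoft; the two sample events are constructed to match the field layout quoted above, the error-code table is a subset of RFC 4120 section 7.5.9, and the 5-second pairing window is an assumption.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Subset of the Kerberos error codes from RFC 4120 section 7.5.9, keyed by the
# value Windows 2003 writes in the "Failure Code" field of Event ID 673.
# Note that clock problems normally surface as 0x25 (KRB_AP_ERR_SKEW); 0xB
# means the requested ticket start time is later than its end time.
KDC_ERRORS = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    0x07: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    0x0B: "KDC_ERR_NEVER_VALID",
    0x0D: "KDC_ERR_BADOPTION",
    0x0E: "KDC_ERR_ETYPE_NOSUPP",
    0x12: "KDC_ERR_CLIENT_REVOKED",
    0x17: "KDC_ERR_KEY_EXPIRED",
    0x18: "KDC_ERR_PREAUTH_FAILED",
    0x19: "KDC_ERR_PREAUTH_REQUIRED",
    0x20: "KRB_AP_ERR_TKT_EXPIRED",
    0x25: "KRB_AP_ERR_SKEW",
}


@dataclass
class TgsEvent:
    when: datetime
    user: str          # requesting principal (User Name field)
    service: str       # requested SPN or account (Service Name field)
    client: str        # Client Address field
    failure: Optional[int]   # Failure Code as an int, None for a success audit


# Field names we care about; \S+ takes the value up to the next whitespace, so
# this works on both the one-field-per-line export and the flattened copy-paste form.
_FIELD = re.compile(
    r"(Event Type|Date|Time|User Name|Service Name|Client Address|Failure Code):\s*(\S+)"
)


def parse_event(text: str) -> TgsEvent:
    """Extract the relevant fields from one Event ID 673 record."""
    fields = dict(_FIELD.findall(text))
    # The post's DC writes dates as dd/mm/yyyy (06/09/2007 is 6 September 2007).
    when = datetime.strptime(fields["Date"] + " " + fields["Time"], "%d/%m/%Y %H:%M:%S")
    code = fields.get("Failure Code", "-")
    failure = int(code, 16) if fields["Event Type"] == "Failure" and code != "-" else None
    return TgsEvent(when, fields["User Name"], fields["Service Name"],
                    fields["Client Address"], failure)


def describe(code: Optional[int]) -> str:
    """Human-readable name for a Failure Code value."""
    if code is None:
        return "success"
    return KDC_ERRORS.get(code, f"unknown Kerberos error 0x{code:X}")


def failures_followed_by_success(events: List[TgsEvent],
                                 window: timedelta = timedelta(seconds=5)
                                 ) -> List[Tuple[TgsEvent, TgsEvent]]:
    """Pair each failed TGS request with the next success from the same
    principal and client address inside `window`. A failure immediately
    followed by a success for a different service name points at the first
    request's SPN or ticket validity rather than at the client's credentials."""
    ordered = sorted(events, key=lambda e: e.when)
    pairs = []
    for i, fail in enumerate(ordered):
        if fail.failure is None:
            continue
        for later in ordered[i + 1:]:
            if later.when - fail.when > window:
                break
            if later.failure is None and later.user == fail.user and later.client == fail.client:
                pairs.append((fail, later))
                break
    return pairs


# Constructed sample records, laid out like the two events quoted in the post.
SAMPLE_FAILURE = """Event Type: Failure Audit
Event ID: 673
Date: 06/09/2007
Time: 17:01:56
User: NT AUTHORITY\\SYSTEM
Service Ticket Request:
User Name: S05010072$@CORP.DNSDOM.NET
User Domain: CORP.DNSDOM.NET
Service Name: MSSQLSvc/S05010010.corp.dnsdom.net:1433
Client Address: 10.1.1.88
Failure Code: 0xB
"""

SAMPLE_SUCCESS = """Event Type: Success Audit
Event ID: 673
Date: 06/09/2007
Time: 17:01:57
User: NT AUTHORITY\\SYSTEM
Service Ticket Request:
User Name: S05010072$@CORP.DNSDOM.NET
User Domain: CORP.DNSDOM.NET
Service Name: S05010010_SYSTEM
Client Address: 10.1.1.88
Failure Code: -
Transited Services: HTTP/<website>.com@CORP.DNSDOM.NET
"""

if __name__ == "__main__":
    events = [parse_event(SAMPLE_FAILURE), parse_event(SAMPLE_SUCCESS)]
    for fail, ok in failures_followed_by_success(events):
        print(f"{fail.when} {fail.user} -> {fail.service}: {describe(fail.failure)}; "
              f"then {ok.service} succeeded {ok.when - fail.when} later")
```

Feeding a week of exported 673 records through `failures_followed_by_success` makes the weekly spike easy to isolate, and grouping the failures by `service` shows whether they are confined to the MSSQLSvc SPN or also hit other services the web server delegates to.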