Jump to content

Kerberos SharePoint / K2 Error: 0xd KDC_ERR_BADOPTION


Der letzte Beitrag zu diesem Thema ist mehr als 180 Tage alt. Bitte erstelle einen neuen Beitrag zu Deiner Anfrage!

Recommended Posts

Hello Community,

 

I am at a customer which has some Kerberos problems in his SharePoint/K2 environment.

 

Topology:

The Customer has a one SharePoint server with all roles and K2 2003 for Workflows on it and one SQL Server 2005. Windows Server 2003, SQL Server 2005 and SharePoint 2007 are up to date.

 

Problem:

The customer wants to have Kerberos as auth. protocol and therefore we have done the following steps to enable it:

 

1. Enable Kerberos for SQL Server

setspn -A MSSQLSvc/sql01.devdemo.de:1433 devdemo\_svc_sql

Restartet SQL Server

Test it with: select auth_scheme, * from sys.dm_exec_connections

Works! 

2. Added the URL as a SPN

setspn -A HTTP/intranet.devdemo.de devdemo\_svc_app_intranet

setspn -A HTTP/intranet devdemo\_svc_app_intranet

3. Created a SPN for the Application pool Account

setspn –A….

4. Enable Kerberos in the SharePoint Web Application auth provider

5. Set Service Accounts “Account is trusted for delegation”

 

I tested with Fiddler if the User now uses Kerberos when he entered the SharePoint Site and he does so…

 

But we have still these Errors in the Event Log:

 

Event Type: Error

Event Source: Kerberos

Event Category: None

Event ID: 3

Date: 25.09.2008

Time: 09:24:34

User: N/A

Computer: W01ABBP01

Description:

A Kerberos Error Message was received:

on logon session eu\user

Client Time:

Server Time: 7:24:34.0000 9/25/2008 Z

Error Code: 0x18 KDC_ERR_PREAUTH_FAILED

Extended Error:

Client Realm:

Client Name:

Server Realm: eu

Server Name: krbtgt/eu

Target Name: krbtgt/eu@eu

Error Text:

File: e

Line: 6c0

Error Data is in record data.

 

For more information, see Help and Support Center at Events and Errors Message Center: Basic Search.

Data:

0000: 30 75 30 73 a1 03 02 01 0u0s¡...

0008: 0b a2 6c 04 6a 30 68 30 .¢l.j0h0

0010: 09 a0 03 02 01 17 a1 02 . ....¡.

0018: 04 00 30 0a a0 04 02 02 ..0. ...

0020: ff 7b a1 02 04 00 30 09 ÿ{¡...0.

0028: a0 03 02 01 80 a1 02 04 ...¡..

0030: 00 30 21 a0 03 02 01 03 .0! ....

0038: a1 1a 04 18 45 55 2e 54 ¡...EU.T

0040: 41 4b 41 54 41 43 4f 52 AKATACOR

0048: 50 2e 43 4f 4d 6d 61 6c P.COMmal

0050: 73 61 6d 61 30 21 a0 03 sama0! .

0058: 02 01 01 a1 1a 04 18 45 ...¡...E

0060: 55 2e 54 41 4b 41 54 41 U.CUSTOMER

0068: 43 4f 52 50 2e 43 4f 4d CORP.COM

0070: 6d 61 6c 73 61 6d 61 user

 

Event Type: Error

Event Source: Kerberos

Event Category: None

Event ID: 3

Date: 25.09.2008

Time: 09:22:52

User: N/A

Computer: W01ABBP01

Description:

A Kerberos Error Message was received:

on logon session

Client Time:

Server Time: 7:22:52.0000 9/25/2008 Z

Error Code: 0xd KDC_ERR_BADOPTION

Extended Error: 0xc00000bb KLIN(0)

Client Realm:

Client Name:

Server Realm: EU.TAKATACORP.COM

Server Name: host/w01abbp01.eu.customer.com

Target Name: host/w01abbp01.eu.customer.com@EU.CUSTOMER.COM

Error Text:

File: 9

Line: ae0

Error Data is in record data.

 

For more information, see Help and Support Center at Events and Errors Message Center: Basic Search.

Data:

0000: 30 15 a1 03 02 01 03 a2 0.¡....¢

0008: 0e 04 0c bb 00 00 c0 00 ...»..À.

0010: 00 00 00 03 00 00 00 .......

 

I already searched for a resolution and some Forum entry’s pointed, that this could be a problem with Cross Forest trust or some that the Client has two SPN’s. Hope that helps a little bit… Attached I have the Netdiag /v file from that server, that shows that everything is fine!?!

 

Questions:

• Does anyone have seen these errors before?

• Is there any further configuration for K2 or the Server necessary?

• How can I check if the Server does not have two SPN’s?

 

Hope someone solved this problem before…

 

Please contact me directly: andreas.haist@avanade.com

 

Thanks,

Andreas

Link to comment

Hi Andreas, welcome to the board,

 

I am not a SharePoint expert, but I think you should take a network trace to have a look on the Kerberos messages between client and SharePoint respectively SharePoint and DC. A network trace mostly gives you some hints regarding the underlaying issue.

 

Since we can see the error

Error Code: 0x18 KDC_ERR_PREAUTH_FAILED
maybe this is an authentication problem. Are you sure that the credentials you provided for the testuser are correct?

If yes, check the time on the IIS / SharePoint and the DC. Is there a time difference?

 

How can I check if the Server does not have two SPN’s?

 

See http://support.microsoft.com/kb/321044/en-US:

ldifde -f check_SPN.txt -t 3268 -d "" -l servicePrincipalName -r  (servicePrincipalName=HOST/mycomputer*)" -p subtree

 

Please contact me directly: andreas.haist@avanade.com

 

You know this is a forum and not a newsgroup, right? Or is this thread just a joke? ;)

 

Regards,

olc

Link to comment
Der letzte Beitrag zu diesem Thema ist mehr als 180 Tage alt. Bitte erstelle einen neuen Beitrag zu Deiner Anfrage!

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...