Event ID 3 Kerberos

Discussion:

Event ID 3 Kerberos

(too old to reply)

TomJerzey

2008-06-04 19:16:00 UTC

I get this error on one of my dc's. I get an error every 5 to 10 minutes in
the system log. Can not seem to find any additional information. Thanks for
your help.

Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 3
Date: 6/2/2008
Time: 5:17:26 AM
User: N/A
Computer: Domain Controller
Description:
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 9:17:26.0000 6/2/2008 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm: Domain Name
Server Name: host/domain controller.domain name
Target Name: host/domaincontroller.comain ***@domain name
Error Text:
File: 9
Line: ae0
Error Data is in record data.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 30 15 a1 03 02 01 03 a2 0.??....c
0008: 0e 04 0c bb 00 00 c0 00 ...??..??.
0010: 00 00 00 03 00 00 00 .......

Meinolf Weber

2008-06-04 19:28:25 UTC

Permalink

Hello TomJerzey,

See if this helps:
http://www.eventid.net/display.asp?eventid=3&eventno=3536&source=Kerberos&phase=1

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

Post by TomJerzey
I get this error on one of my dc's. I get an error every 5 to 10
minutes in the system log. Can not seem to find any additional
information. Thanks for your help.
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 3
Date: 6/2/2008
Time: 5:17:26 AM
User: N/A
Computer: Domain Controller
on logon session
Server Time: 9:17:26.0000 6/2/2008 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Server Realm: Domain Name
Server Name: host/domain controller.domain name
File: 9
Line: ae0
Error Data is in record data.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
0000: 30 15 a1 03 02 01 03 a2 0.??....c
0008: 0e 04 0c bb 00 00 c0 00 ...??..??.
0010: 00 00 00 03 00 00 00 .......

TomJerzey

2008-06-04 20:15:01 UTC

Permalink

Thanks, but I checked that out, and none of their posts seems to apply to me.
Is there other queswtions you would ask of me?

Post by Meinolf Weber
Hello TomJerzey,
http://www.eventid.net/display.asp?eventid=3&eventno=3536&source=Kerberos&phase=1
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

Ruchi Manuja

2008-06-05 08:03:01 UTC

Permalink

Hello

Possible Causes and Resolutions:
• Impending expiration of a TGT.

Resolution

Confirm the cause by verifying the expiration time on the TGT. To do this,
use the Kerberos List parameter tgt. If you confirm that this is the cause,
you need do nothing more, because the TGT will be automatically renewed or a
new one will be requested if needed. For example, Windows XP and Windows
Server 2003 will recover from this automatically.

• The SPN to which the client is attempting to delegate credentials is not
in its Allowed-to-delegate-to list.

Resolution

1.
Use Network Monitor to determine the SPN to which the client is attempting
to delegate credentials. You will need this information in a later step.

2.
Click Start, click Run, and then open Active Directory Users and Computers
by typing the following:

dsa.msc

3.
Right-click the user or service account that has problems authenticating,
and then click Properties.

4.
Click the Delegation tab.

5.
The Allowed-to-delegate-to list is the list of servers shown under the
heading, Services to which this account can present delegated credentials.

6.
Add the SPN the client is attempting to delegate to (information from the
captured data you obtained in Step 1) to the Allowed-to-delegate-to list for
that client. This will tell the KDC that this client is indeed allowed to
authenticate to this service. The KDC will then grant the client the
appropriate ticket.

For information about setting up service accounts for delegation, see “HOW
TO: Configure Computer Accounts and User Accounts So That They Are Trusted
for Delegation in Windows Server 2003 Enterprise Edition” in the Microsoft
Knowledge Base at http://go.microsoft.com/fwlink/?LinkId=23067.

• The server does not support constrained delegation or protocol transition.
(Windows 2000 does not support constrained delegation or protocol transition.)

Reference:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx#EIB

I hope the above helps.
Thanks

Post by TomJerzey
I get this error on one of my dc's. I get an error every 5 to 10 minutes in
the system log. Can not seem to find any additional information. Thanks for
your help.
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 3
Date: 6/2/2008
Time: 5:17:26 AM
User: N/A
Computer: Domain Controller
on logon session
Server Time: 9:17:26.0000 6/2/2008 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Server Realm: Domain Name
Server Name: host/domain controller.domain name
File: 9
Line: ae0
Error Data is in record data.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
0000: 30 15 a1 03 02 01 03 a2 0.??....c
0008: 0e 04 0c bb 00 00 c0 00 ...??..??.
0010: 00 00 00 03 00 00 00 .......