Our Kerberos authentication is broken at the domain level. There are a lot of Kerberos errors everywhere, and all applications on IIS that were using Integrated Windows Authentication will not accept any username and instead return HTTP Error 401.1. I'm thinking this has something to do with Service Principal Names, but I really know nothing about this. After a bit of research I think it is one of 3 problems, but still have no idea how to identify and correct this:
1) No Service Principal Name defined
2) The Service Principal Name is not unique in the forest
3) The Service Principal Name is NOT added to the correct account
Errors are listed below for the domain controller, intranet server and client (Kerberos logging enabled). Because there are so many errors I have just given you the code in most cases; if you want more information on an error then that can easily be arranged.
Domain Controller (Windows Server 2003 R2 Enterprise Edition SP2, 2003 AD schema)
KDC_ERR_BADOPTION
KDC_ERR_PREAUTH_FAILED
KDC_ERR_BADOPTION
KDC_ERR_S_PRINCIPAL_UNKNOWN
KRB_AP_ERR_MODIFIED
Client (when trying to access our intranet server) (Windows XP Professional SP3)
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/aqweb.aq.ComapnyNameRemoved.co.uk. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (AQ.COMAPNYNAMEREMOVED.CO.UK), and the client realm. Please contact your system administrator.
Intranet Server (Windows Server 2003 Standard Edition SP1)
KRB_ERR_RESPONSE_TOO_BIG (for krbtgt, cifs & ldap)
Authentication & Access Control Diagnostics 1.0 (Kerberos Configuration)
AQ-AD (domain server)
Wrong credentials for AppPoolIdentity
Service principal name (SPN) for user 'AQ\Admin' not found in Active Directory
Service principal name (SPN) for user 'aq\administrator' not found in Active Directory
AQWEB (intranet server)
Wrong credentials for AppPoolIdentity
Service principal name (SPN) for user 'AQ\Administrator' not found in Active Directory
Any help would be much appreciated as this has turned into a very urgent issue.
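Added example (not part of the original post): a PowerShell script that queries the forest-wide Global Catalog for the SPNs the web clients will ask for and sorts each one into the three cases listed in the question (no SPN, duplicate SPN, SPN on the wrong account). It assumes the site is reached as http://aqweb.aq.ComapnyNameRemoved.co.uk, so Internet Explorer requests HTTP/aqweb.aq.ComapnyNameRemoved.co.uk, and that the application pool runs as a domain account with the hypothetical sAMAccountName svc_aqweb; if the pool runs as NetworkService or LocalSystem, the expected holder is the computer account AQWEB$ instead. The host/ SPN is checked as well because Windows maps the HTTP service class onto host/ (via the sPNMappings attribute) when no explicit HTTP/ SPN exists, which is why the client log above names host/aqweb rather than HTTP/aqweb. The setspn switches used (-A, -D) exist in the Windows Server 2003 Support Tools version.

```powershell
# Added example, not code from the original post.
# Assumptions: site FQDN aqweb.aq.ComapnyNameRemoved.co.uk; app pool identity is the
# hypothetical domain account AQ\svc_aqweb. Run on a domain member with the
# System.DirectoryServices assembly (any Windows box with PowerShell 2.0+).
param(
    [string]$HostName        = 'aqweb.aq.ComapnyNameRemoved.co.uk',
    [string]$ExpectedAccount = 'svc_aqweb'   # sAMAccountName of the app pool identity
)

# Return every account in the forest that holds $Spn. The Global Catalog is used
# rather than the local domain because case 2 is about uniqueness across the
# whole forest, and servicePrincipalName is in the GC partial attribute set.
function Get-SpnHolder {
    param([string]$Spn)

    $rootDse  = [ADSI]'LDAP://RootDSE'
    $forestGc = [ADSI]"GC://$($rootDse.rootDomainNamingContext)"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($forestGc)
    $searcher.PageSize = 1000
    # Escape LDAP filter metacharacters (RFC 4515). SPNs normally contain none,
    # but a stray '*' or '(' would otherwise turn the lookup into a wildcard.
    $escaped = $Spn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $searcher.Filter = "(servicePrincipalName=$escaped)"
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')

    foreach ($result in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            Account = [string]$result.Properties['samaccountname'][0]
            DN      = [string]$result.Properties['distinguishedname'][0]
        }
    }
}

# Map the number of holders of one SPN onto the three cases from the question
# and print the setspn command that repairs it.
function Test-Spn {
    param([string]$Spn, [string]$Expected)

    $holders = @(Get-SpnHolder -Spn $Spn)
    switch ($holders.Count) {
        0 {
            "$Spn : case 1, no account holds this SPN (KDC replies KDC_ERR_S_PRINCIPAL_UNKNOWN)."
            "    fix: setspn -A $Spn $Expected"
        }
        1 {
            $holder = $holders[0].Account
            if ($holder -ieq $Expected) {
                "$Spn : OK, held only by $holder"
            } else {
                # The KDC encrypts the service ticket with the key of whichever account
                # holds the SPN; if that is not the account the web server runs as, the
                # server cannot decrypt it and the client sees KRB_AP_ERR_MODIFIED.
                "$Spn : case 3, held by $holder instead of $Expected (KRB_AP_ERR_MODIFIED)."
                "    fix: setspn -D $Spn $holder ; setspn -A $Spn $Expected"
            }
        }
        default {
            # With duplicates the KDC cannot pick a key, logs KDC Event ID 11 and
            # fails the TGS request.
            "$Spn : case 2, duplicate SPN held by " + (($holders | ForEach-Object { $_.DN }) -join '; ')
            "    fix: setspn -D $Spn <account> on every holder except $Expected, then re-run"
        }
    }
}

# IE asks for HTTP/<fqdn>, or HTTP/<short name> when the site is typed without
# the DNS suffix; host/<fqdn> belongs to the computer account AQWEB$ and is the
# fallback the KDC uses for HTTP when no HTTP/ SPN exists.
$shortName = $HostName.Split('.')[0]
Test-Spn -Spn "HTTP/$HostName"  -Expected $ExpectedAccount
Test-Spn -Spn "HTTP/$shortName" -Expected $ExpectedAccount
Test-Spn -Spn "host/$HostName"  -Expected ($shortName.ToUpper() + '$')
```

Run it as any domain user; reading servicePrincipalName from the GC needs no special rights, only the setspn fixes do. If every line reports OK, the SPN theory is wrong for this server and the next thing to check is whether the AQWEB$ computer account password has drifted from the one the KDC holds (the other common cause of KRB_AP_ERR_MODIFIED), which is fixed by resetting the machine account.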