5.6 Kerberos and authentication troubleshooting


In the next two sections, we will explore some basic Kerberos and Windows Server 2003 authentication troubleshooting tools. An indispensable tool for every administrator is the Event Viewer. The next section will list some common Kerberos error messages as they appear in the Event Viewer. The following side note explains how to enable advanced Kerberos event logging.

5.6.1 Kerberos error messages

In Windows Server 2003, Microsoft included some Kerberos-specific event IDs. They are listed in Table 5.11. If you want to go even more in detail, Table 5.12 shows the Kerberos-related error messages as they appear in the Windows Event Viewer. Both can give interesting hints when troubleshooting Kerberos authentication problems.

Table 5.11: Kerberos-Specific Event IDs

| Event ID | Meaning |
| --- | --- |
| 672 | An authentication service (AS) ticket was successfully issued and validated. |
| 673 | A ticket granting service (TGS) ticket was granted. |
| 674 | A security principal renewed an AS ticket or TGS ticket. |
| 675 | Kerberos preauthentication failed. This event is generated on a key distribution center (KDC) when a user types in an incorrect password. |

Table 5.12: Kerberos Error Messages and Meaning

| Code | Short Meaning | Error Explanation |
| --- | --- | --- |
| 0x6 | Client principal unknown | The KDC could not translate the client principal name from the KDC request into an account in the Active Directory. To troubleshoot this error, check whether the client account exists in AD, whether it has not expired, and whether AD replication is functioning correctly. |
| 0x7 | Server principal unknown | The KDC could not translate the server principal name from the KDC request into an account in the Active Directory. To troubleshoot this error, check whether the client account exists in AD, whether it has not expired, and whether AD replication is functioning correctly. |
| 0x9 | Null key error | Keys should never be null (blank). Even null passwords generate keys, because the password is concatenated with other elements to form the key. |
| 0xE | Encryption type not supported | The client tried to use an encryption type that the KDC does not support, for any of the following reasons: the client's account does not have a key of the appropriate encryption type; the KDC account does not have a key of the appropriate encryption type; the requested server account does not have a key of the appropriate encryption type. The type may not be recognized at all, for example if a new type is introduced. This happens most frequently with MIT compatibility, where an account may not yet have an MIT-compatible key. Generally, a password change must occur for the MIT-compatible key to become available. |
| 0x17 | Password has expired | This error can be caused by conflicting credentials. Let the user log off and then log on again to resolve the issue. |
| 0x18 | Preauthentication failed | This indicates a failure to obtain a ticket, possibly because the client provided the wrong password. |
| 0x1A | Requested server and ticket do not match | This error occurs when a server receives a ticket destined for another server. It can be caused by DNS problems. |
| 0x1F | Integrity check on decrypted field failed | This error indicates that there is a problem with the hash included in a Kerberos message. This could be caused by a hacker attack. |
| 0x20 | Ticket has expired | This is not a real error; it just indicates that a ticket's lifetime has ended and that the Kerberos client should obtain a new ticket. |
| 0x22 | Session request is a replay | This error indicates that the same authenticator was used twice. This can be caused by a hacker attack. |
| 0x19 | Preauthentication error | The client did not send preauthentication, or did not send the appropriate type of preauthentication, to receive a ticket. The client will retry with the appropriate kind of preauthentication (the KDC returns the required preauthentication type in the error). |
| 0x25 | Clock skew too great | There is a time discrepancy between client and server, or between client and KDC. To resolve this issue, synchronize time between the client and the server. |
| 0x26 | Bad address in Kerberos session tickets | Session tickets include the addresses from which they are valid. This error can occur if the address sending the ticket is different from the valid address in the ticket. A possible cause is an Internet Protocol (IP) address change. In Windows 2000, this change is dynamic and existing cached tickets could be invalidated. Another possible cause is a ticket passed through a proxy server. The client is unaware of the address scheme used by the proxy server, so unless the program caused the client to request a proxy server ticket with the proxy server's source address, the ticket could be invalid. |
| 0x3C | Generic error | A generic error that may be a memory allocation failure. The event logs may be useful if this error occurs. |
| 0x29 | Kerberos AP exchange error | This indicates that the server was unable to decrypt the ticket sent by a client, meaning that the server does not know its own secret key, or that the client received the ticket from a KDC that did not know the server's key. This can be tested by determining whether the server can obtain a ticket to itself, or whether anybody else can locate the server. The secure channel used by NTLM is also an indicator of the validity of the password on local machine accounts. |
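The two tables above are most useful when read together: event 675 tells you that preauthentication failed, and the error code tells you why. The following added example (not from the book) parses a few constructed audit records, maps each one to a triage category using the Table 5.12 codes, and flags accounts that accumulate several wrong-password failures in a short window, while leaving clock-skew and expired-password failures out of that count. The record format and the `CODE_CATEGORY` labels are assumptions made for the example.

```python
# Added example (not from the book): triage event 675 by its Table 5.12 code and flag bursts.
from collections import defaultdict
from datetime import datetime, timedelta

# Troubleshooting category for Table 5.12 codes commonly reported with event 675.
CODE_CATEGORY = {0x6: "account lookup", 0x7: "account lookup", 0x17: "expired password",
                 0x18: "wrong password", 0x20: "ticket expired", 0x25: "time sync"}
# Constructed sample records (not real Event Viewer output), one per line, as
# timestamp|event id (Table 5.11)|account|client address|failure code (hex or empty)
SAMPLE_LOG = """\
2003-11-04 08:00:01|672|alice|10.0.0.5|
2003-11-04 08:00:05|675|bob|10.0.0.9|0x18
2003-11-04 08:00:06|675|bob|10.0.0.9|0x18
2003-11-04 08:00:07|675|bob|10.0.0.9|0x18
2003-11-04 08:01:00|675|carol|10.0.0.7|0x25
2003-11-04 08:30:00|675|dave|10.0.0.8|0x18
"""

def parse_log(text):
    """Turn each record line into a dict; the failure code is decoded from hex."""
    records = []
    for line in text.splitlines():
        ts, event_id, account, address, code = line.split("|")
        records.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                        "event_id": int(event_id), "account": account,
                        "address": address, "code": int(code, 16) if code else None})
    return records

def categorize(record):
    """Triage category: successes by event ID, event 675 by its Table 5.12 code."""
    if record["event_id"] in (672, 673, 674):
        return "success"
    if record["event_id"] == 675:
        return CODE_CATEGORY.get(record["code"], "other failure (see Table 5.12)")
    return "unknown event"

def repeated_wrong_passwords(records, threshold=3, window=timedelta(minutes=5)):
    """Accounts with `threshold` or more 'wrong password' failures inside `window`;
    clock skew (0x25) and expired passwords are excluded so they do not inflate it."""
    times_by_account = defaultdict(list)
    for r in records:
        if categorize(r) == "wrong password":
            times_by_account[r["account"]].append(r["time"])
    flagged = []
    for account, times in times_by_account.items():
        times.sort()  # sliding window: any run of `threshold` failures within `window`
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            flagged.append(account)
    return sorted(flagged)
```

On a real KDC the records would come from the Security log after the audit policy for logon events is enabled; the parsing here is tied to the constructed format only.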

Enabling Advanced Kerberos Event Logging

Advanced Kerberos event logging can be enabled using the following Windows registry hack. Set the LogLevel value (REG_DWORD) to 1 under the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters.

5.6.2 Troubleshooting tools

Microsoft delivers several tools to troubleshoot Kerberos (see Table 5.13). They are spread across the resource kit, the support tools, and the platform SDK. Most of them are command prompt tools.

Table 5.13: Kerberos Troubleshooting Tools

| Tool | Comments |
| --- | --- |
| mytoken.exe (Platform SDK) | Command prompt tool to display the content of a user's access token, including the user's rights and group memberships. |
| whoami.exe (Default Windows installation) | Command line tool to look at the content of the user's access token (use the /all switch). |
| klist (Resource Kit) | Command prompt tool to look at the local Kerberos ticket cache. Klist can also be used to purge tickets. Klist is a very simple but very important tool that you can use to find out how far the authentication got. |
| Kerbtray (Resource Kit) | GUI tool that displays the content of the local Kerberos ticket cache. |
| Netdiag (Support tools) | Netdiag helps isolate networking and connectivity problems by providing a series of tests to determine the state of your network client. One of the NETDIAG tests is the Kerberos test. To run it, type "netdiag /test:Kerberos" at the command prompt. |
| Replication monitor (replmon) (Support tools) | Using Replication monitor, an administrator can check not only the replication traffic but also the number of AS and TGS requests and the FSMO roles. |
| Network monitor (Server CD) | Network monitor does not come out of the box with a parser for the Kerberos protocol. However, a special Kerberos parser DLL is available from Microsoft. |
| Setspn (Support Tools) | Tool allowing you to manage (view, reset, delete, add) service principal names (SPNs). |




Windows Server 2003 Security Infrastructures: Core Security Features of Windows .NET (HP Technologies)
ISBN: 1555582834
Year: 2003
Pages: 137
Authors: Jan De Clercq
