According to T734135, a user account's password or personal identification number (PIN) can be stored on the local computer, which allows the user to log on to the computer without entering a password or PIN. In certain conditions, this password may end up being incorrect, causing this event. The article provides some suggestions on how to verify if the stored password is configured correctly.
Error code: 0xd = KDC_ERR_BADOPTION - See the "KDC_ERR_BADOPTION when attempting constrained delegation" link for one example of a situation in which this may be recorded.
Error code: 0x20 = KRB_AP_ERR_TKT_EXPIRED
for a hotfix applicable to Microsoft Windows Server 2003.
for additional information about this event.
According to Microsoft, this issue may occur if the service principal name (SPN) of the service is not authenticated. The SPN is not authenticated if the SPN is not registered to a service account. The SPN is the server name found in the event's description. See ME887993 to register the SPN with the account that the service runs under.
for a description of common Kerberos-related errors in Windows 2000.
See the links to T738673 ("Kerberos Authentication Tools and Settings"), T786325 ("Troubleshooting Kerberos Problems") and EV100538 ("Troubleshooting Kerberos Errors") for Kerberos-related troubleshooting information.
This issue is inherent in Windows 2003 Domain Controllers when Kerberos TCP logging has been turned on. This should only be used for troubleshooting purposes as per Microsoft due to excessive event IDs. To turn off logging, refer to KB262177 and do the opposite. If you have a GPO enabled and enforced, change the 1 in “Computer Configuration -> Administrative Templates -> Kerberos Parameters -> Kerberos Event Logging” to a 0. This will effectively turn off all Kerberos logging, but it will not prevent critical system Kerberos event logs. In some instances, you may need to contact Microsoft tech support for a hotfix (KB824905) to fix this issue.