A Kerberos Error Message was received:
on logon session InitializeSecurityContext
Server Time: 17:15:47.0000 11/18/2003 Z
Error Code: <error code> <error symbolic name>
Extended Error: 0xc00000bb KLIN(0)
Server Realm: <domain>
Server Name: host/<domain>
Target Name: host/<name>@<domain>
Error Data is in record data.
Concepts to understand:
What is the role of the KDC?
What is Kerberos?
According to T734135, a user account's password or personal identification number (PIN) can be stored on the local computer, which allows the user to log on to the computer without entering a password or PIN. In certain conditions, this password may end up being incorrect, causing this event. The article provides some suggestions on how to verify if the stored password is configured correctly.
Error code: 0xd = KDC_ERR_BADOPTION - See the "KDC_ERR_BADOPTION when attempting constrained delegation" link for one example of a situation in which this may be recorded.
Error code: 0x20 = KRB_AP_ERR_TKT_EXPIRED
See ME918442 for a hotfix applicable to Microsoft Windows Server 2003.
See ME938702 for additional information about this event.
According to Microsoft, this issue may occur if the service principal name (SPN) of the service is not authenticated. The SPN is not authenticated if the SPN is not registered to a service account. The SPN is the server name found in the event's description. See ME887993 to register the SPN with the account that the service runs under.
See ME230746 for a description of common Kerberos-related errors in Windows 2000.
See the links to T738673 ("Kerberos Authentication Tools and Settings"), T786325 ("Troubleshooting Kerberos Problems") and EV100538 ("Troubleshooting Kerberos Errors") for Kerberos-related troubleshooting information.
This issue is inherent in Windows 2003 Domain Controllers when Kerberos TCP logging has been turned on. This should only be used for troubleshooting purposes as per Microsoft due to excessive event IDs. To turn off logging, refer to KB262177 and do the opposite. If you have a GPO enabled and enforced, change the 1 in “Computer Configuration -> Administrative Templates -> Kerberos Parameters -> Kerberos Event Logging” to a 0. This will effectively turn off all Kerberos logging, but it will not prevent critical system Kerberos event logs. In some instances, you may need to contact Microsoft tech support for a hotfix (KB824905) to fix this issue.
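As an added example (not from EventID.Net or from any of the comments above), this Python code parses event descriptions in the format shown at the top of this page and collapses repeated events by error name and Server Name, the field the comments identify as the SPN to check. The sample events, the EXAMPLE.LOCAL realm, the host names and the function names are constructed for illustration; the 0x7 event stands in for a code this page does not list.

```python
import re
from collections import Counter

# Codes and notes taken from this page; any other code is reported as unlisted.
PAGE_CODES = {
    0x0D: ("KDC_ERR_BADOPTION", "review constrained delegation"),
    0x20: ("KRB_AP_ERR_TKT_EXPIRED", "ticket expired"),
}
FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(\S.*)$")  # "Name: value" lines only
CODE = re.compile(r"(0x[0-9a-fA-F]+)\s*(\S*)")       # hex code, optional symbolic name

def parse_event(text):
    """Return the 'Name: value' fields of one event description as a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def classify(text):
    """Map one event to (code, symbolic name, SPN to check, note)."""
    f = parse_event(text)
    m = CODE.match(f.get("Error Code", ""))
    if not m:
        return (None, "UNPARSED", f.get("Server Name"), "no error code found")
    code = int(m.group(1), 16)
    name, note = PAGE_CODES.get(code, (m.group(2) or "UNKNOWN", "unlisted on this page"))
    return (code, name, f.get("Server Name"), note)

def summarize(events):
    """Count events per (symbolic name, SPN) so repeats collapse to one row."""
    return Counter((name, spn) for _, name, spn, _ in map(classify, events))

# Constructed sample events that follow the description template on this page.
TEMPLATE = """A Kerberos Error Message was received:
 on logon session InitializeSecurityContext
 Server Time: 17:15:47.0000 11/18/2003 Z
 Error Code: {code}
 Extended Error: 0xc00000bb KLIN(0)
 Server Realm: EXAMPLE.LOCAL
 Server Name: {spn}
 Target Name: {spn}@EXAMPLE.LOCAL
 Error Data is in record data."""
SAMPLE = [TEMPLATE.format(code=c, spn=s) for c, s in [
    ("0x20 KRB_AP_ERR_TKT_EXPIRED", "host/web01"), ("0x20 KRB_AP_ERR_TKT_EXPIRED", "host/web01"),
    ("0xd KDC_ERR_BADOPTION", "http/app01"), ("0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN", "host/db01")]]

if __name__ == "__main__":
    for (name, spn), n in summarize(SAMPLE).most_common():
        print(f"{n:3d}  {name:32s} {spn}")
```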