Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 3 Source: Kerberos

Source
Level
Description
A Kerberos Error Message was received:
on logon session InitializeSecurityContext
Client Time:
Server Time: 17:15:47.0000 11/18/2003 Z
Error Code: <error code> <error symbolic name>
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm: <domain>
Server Name: host/<domain>
Target Name: host/<name>@<domain>
Error Text:
File: 9
Line: ab8
Error Data is in record data.
Comments
 
According to T734135, a user account's password or personal identification number (PIN) can be stored on the local computer, which allows the user to log on to the computer without entering a password or PIN. In certain conditions, this password may end up being incorrect, causing this event. The article provides some suggestions on how to verify if the stored password is configured correctly.
Error code: 0xd = KDC_ERR_BADOPTION - See the "KDC_ERR_BADOPTION when attempting constrained delegation" link for one example of situation when this may be recorded
Error code: 0x20 = KRB_AP_ERR_TKT_EXPIRED
See ME918442 for a hotfix applicable to Microsoft Windows Server 2003.

See ME938702 for additional information about this event.
According to Microsoft, this issue may occur if the service principal name (SPN) of the service is not authenticated. The SPN is not authenticated if the SPN is not registered to a service account. The SPN is the server name found in the event's description. See ME887993 to register the SPN with the account that the service runs under.
See ME230746 for a description of common Kerberos-related errors in Windows 2000.


See the links to T738673 ("Kerberos Authentication Tools and Settings"), T786325 (Troubleshooting Kerberos Problems) and EV100538 (Troubleshooting Kerberos Errors) for Kerberos related troubleshooting information.
This issue is inherent in Windows 2003 Domain Controllers when Kerberos TCP logging has been turned on. This should only be used for troubleshooting purposes as per Microsoft due to excessive event IDs. To turn off logging, refer to KB262177 and do the opposite. If you have a GPO enabled and enforced, change the 1 in “Computer Configuration -> Administrative Templates -> Kerberos Parameters -> Kerberos Event Logging” to a 0. This will effectively turn off all Kerberos logging, but it will not prevent critical system Kerberos event logs. In some instances, you may need to contact Microsoft tech support for a hotfix (KB824905) to fix this issue.

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net.

Read more...

 

Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.

Read more...