The kerberos client received a KRB_AP_ERR_TKT_NYV error from the server <server>. This indicates that the ticket used against that server is not yet valid (in relationship to that server time). Contact your system administrator to make sure the client and server times are in sync and that the KDC in realm <domain> is in sync with the KDC in the client realm.
In our case, this event was occurring on the server the users were accessing when they manually changed their computer's time in order to post-date transactions on a different application.
Check the time on the workstation. Try setting it to sync to an internet source or to sync with the local server.
This error can also be caused by a wrong date or time on some DC of your network. Check the system date and time on every DC to find the wrong one. Use net time to synchronize time between DCs, run gpupdate and everything will be alright.
As per Microsoft: "Kerberos cannot authenticate the Web program user because the time period for this service ticket has not started yet. The time on the server does not match the time on the Key Distribution Center (KDC) that issued the ticket, so the server does not recognize this as a valid ticket". See MSW2KDB for additional information about this event.
I started to receive this error after adding a new domain controller with the correct time, but the wrong time zone.
From a newsgroup post: "I understand that in your SBS 2003 server, you get event ID 5 with a KRB_AP_ERR_TKT_NYV error. I would like to provide the following action plan:
1. Open the service console; check if the W32Time service is running.
2. On client computers, check the TIME Zone settings to make sure that all the client workstations and SBS server 2003 have the same time zone configuration.
3. Go to command prompt, type net time /setsntp: <SBS server name>. For detailed steps, please refer to ME258059. The article applies to Windows Server 2003 also.
Note: If there are any third party time sync programs running on the server, please go to Add/Remove programs and uninstall them.
4. Restart the computer and check if the problem is resolved. If the issue still exists, refer to ME325850 to reset the computer account password. Then restart computer and check again.
If the issue still occurs, please manually synchronize the time from the client PCs. To do so, please refer to ME314090".
See "Troubleshooting Kerberos Errors" for a white paper that can help you troubleshoot Kerberos authentication problems that might occur in a Microsoft Windows Server 2003 operating system environment.
In my case, the cause of this error was my own forgetfulness: I forgot to run newsid.exe on the cloned system. After running newsid.exe, the error disappeared.
Kerberos cannot authenticate the Web program user because the time period for this service ticket has not started yet. The time on the server does not match the time on the Key Distribution Center (KDC) that issued the ticket, so the server does not recognize this as a valid ticket.
Ensure that the time on the server matches the time on the KDC of its domain.
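The following Python sketch is an added example, not code from Microsoft or from any of the commenters above. It models the server-side validity-window check that produces KRB_AP_ERR_TKT_NYV (RFC 4120, section 3.2.3) and shows why a KDC whose displayed time is correct but whose time zone is wrong still triggers the error. The 5-minute tolerance and 10-hour ticket lifetime are the Windows defaults and are assumptions here, as are all function names and the sample clock values, which are constructed.

```python
from datetime import datetime, timedelta, timezone

# Assumption: Windows default for "Maximum tolerance for computer clock synchronization".
MAX_SKEW = timedelta(minutes=5)
# Assumption: Windows default maximum ticket lifetime.
TICKET_LIFETIME = timedelta(hours=10)

def utc_from_wall_clock(wall, utc_offset_hours):
    """UTC instant a host derives from its displayed local time and configured zone."""
    zone = timezone(timedelta(hours=utc_offset_hours))
    return wall.replace(tzinfo=zone).astimezone(timezone.utc)

def issue_ticket(kdc_now_utc):
    """Simplified KDC: the ticket is valid from the KDC's idea of 'now'."""
    return kdc_now_utc, kdc_now_utc + TICKET_LIFETIME

def validate_ticket(starttime, endtime, server_now_utc, skew=MAX_SKEW):
    """Validity-window check the server applies to a presented ticket."""
    if starttime - server_now_utc > skew:
        return "KRB_AP_ERR_TKT_NYV"       # ticket not yet valid
    if server_now_utc - endtime > skew:
        return "KRB_AP_ERR_TKT_EXPIRED"   # ticket lifetime is over
    return "OK"

def scenario(kdc_wall, kdc_offset, server_wall, server_offset):
    """Issue a ticket on the KDC's clock and validate it on the server's clock."""
    start, end = issue_ticket(utc_from_wall_clock(kdc_wall, kdc_offset))
    return validate_ticket(start, end, utc_from_wall_clock(server_wall, server_offset))

# Constructed sample: both hosts are really in UTC-5 and the true local time is 07:00.
WALL = datetime(2024, 3, 1, 7, 0)

RESULTS = {
    # Clocks and zones agree.
    "in sync": scenario(WALL, -5, WALL, -5),
    # Server clock 3 minutes slow: inside the tolerance.
    "server 3 min slow": scenario(WALL, -5, WALL - timedelta(minutes=3), -5),
    # Server clock 10 minutes slow: the ticket start lies in the server's future.
    "server 10 min slow": scenario(WALL, -5, WALL - timedelta(minutes=10), -5),
    # KDC shows the right wall time but is configured as UTC-8,
    # so its UTC clock runs 3 hours ahead of the server's.
    "KDC wrong time zone": scenario(WALL, -8, WALL, -5),
}

if __name__ == "__main__":
    for name, outcome in RESULTS.items():
        print(f"{name:22} -> {outcome}")
```

Kerberos timestamps are compared in UTC, so checking only the displayed local time on each machine can miss the time zone case.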
|Links: Troubleshooting Kerberos Errors|