
Troubleshooting Kerberos Delegation: Apr 7

Q: Troubleshooting Kerberos Delegation: Apr 7

Hiya

This white paper explains how to troubleshoot delegation issues that can arise in Kerberos authentication scenarios. The paper summarizes required infrastructure and describes Windows authentication scenarios. The central discussion is organized around four troubleshooting checklists: one each for Active Directory, client application, middle tier, and back-end. The appendices detail diagnostic tools and give examples of how to resolve problems in typical IIS to SQL delegation scenarios.

System Requirements
Supported Operating Systems: Windows Server 2003

Microsoft Word or Word Viewer

http://www.microsoft.com/downloads/...4f-e28a-4726-bffe-2f64ae2f59a2&DisplayLang=en

Regards

eddie

Read other answers
RELEVANCY SCORE 87.6

Hiya

Source code for Kerberos Protocol Transition and Constrained Delegation whitepaper sample scenarios

System Requirements
Supported Operating Systems: Windows Server 2003

All editions of Windows Server 2003 for code samples on Microsoft IIS servers;
All editions of Windows Server 2003, Windows 2000 Professional and all editions of Windows 2000 Server for code samples on Microsoft SQL server;
All but Web edition of Windows Server 2003 for running Active Directory

http://www.microsoft.com/downloads/...10-7c48-453a-a1af-d6a8b1944ce2&DisplayLang=en

Regards

eddie
 

A:Kerberos Protocol Transition and Constrained Delegation Whitepaper Samples: Feb 20

Originally posted by eddie5659:
Source code for Kerberos Protocol Transition and Constrained Delegation whitepaper sample scenarios

Whachutalkinbout Willis?
 

Read other 2 answers
RELEVANCY SCORE 47.6

Dear all,

One of my users encountered an Outlook delegation error. It says that the delegates were not saved correctly. Cannot modify access control list.

The troubleshooting steps I did: the user tested on another machine which is running Outlook 2007, with no issue. But when changed to Outlook 2010, the delegation error takes place. I re-created the profile but still have the same issue. I have also added the DWORD IgnoreSOBError and set its value to 1 under HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\x.0\Outlook\Preferences

Re-install and un-install Outlook 2010

Unfortunately, I still encounter the same problem. But when I try to delegate on my site using Outlook client version 2010, I have no problem at all.

Can anyone advise me on this?

I kindly appreciate your help.

Thank you.

A:outlook 2010 delegation error

If you meant 2010 Exchange see this: http://support.microsoft.com/kb/2545238
If not, choose the correct fix it here: http://support.microsoft.com/kb/2593557 or do it manually as instructed.

Read other 2 answers
RELEVANCY SCORE 47.6

How to Delegate User Account Unlocking capability to Team Leader and Managers via Active Directory? 
1, I need clear cut steps which I can perform in AD
2, Also how Manager or Team lead will access that for user account unlocking?

ST

Read other answers
RELEVANCY SCORE 47.6

HI,

I am trying to fix an issue in which I am not able to do remote desktop. I have come across the solution which says we need to set "Encryption Oracle Remediation" as "vulnerable". But when I am trying to fix this, I am not able to find the "Credentials Delegation" option in my group policy.
Any help and suggestion will be appreciated.


Thanks,
RG

Read other answers
RELEVANCY SCORE 47.6


Greetings!

Stats: Outlook 2002, Exchange 2000, Delegated Mailboxes

Here are the issues we're having:

Person A gave rights to Person B to manage their mailbox (delegation). The delegation is set up correctly, but it's hindering some functionality (which may not even exist).

1) Can Person B (the controller of A's box) utilize A's contacts via the Address Book? At this point, we cannot. We tried to add it via the Address Book 'Tools --> Options' menu, but it's not even listed. We also verified the properties of the delegated contact list and it's checked to generate Exchange Views.

* Basic problem: Person B cannot utilize the contact list from anything except for manually clicking on the 'Contacts' folder in the delegated mailbox. (So, using the To... doesn't work)
2) Can Person B set 'reminders' in Person A's calendar? If so, we have something set up incorrectly. Presently, reminders in the delegated mailbox do not pop up for the controller. Ideas?

* Basic Problem: Events come and go in the delegated calendar without reminding the controller (Person B).
 

A:Outlook Delegation: Bane of my existence

1. As far as I know, "no". But did you double-check that the Person A's address book is an "Outlook address book"?

2. Unsure

Check www.slipstick.com (the ultimate Outlook resource, IMHO)
 

Read other 1 answers
RELEVANCY SCORE 46.8

Hello,

My machine has been experiencing intermittent BSODing over the last few weeks and I wonder if you could give me a hand troubleshooting it? I'll summarise what i've done so far. It's not given me anything today, as I say, it's intermittent.

System Info:
Processor Name: Intel(R) Core(TM) i7-4770K CPU @ 3.50GHz
Processor Information: Intel64 Family 6 Model 60 Stepping 3
Graphics Information: NVIDIA GeForce GTX 780 Ti
Mobo: Z87I-PRO
System BIOS: 0903
Installed System Memory: 16 GB
Operating System: Microsoft Windows 7 Home Premium 64-bit (originally installed on system)
Age of system: 1 year, 1 month
OS Reinstalls: None
This is a desktop PC
System Manufacturer: Purchased from ChillBlast
Troubleshooting so far:
* Checked EventViewer for after the crashes. The only useful thing showing is that the Kernel service is shutting down - which I suppose it would if power to it was interrupted.
* Opened up case to check components. Everything seated well. Extremely tidy cabling (if I may say so myself; nothing getting in any fan's way).
* Ran GPU stress test - all fine.
* Ran Processor stress test - all fine
* Ran driver verifier (ran for about 20 minutes) and nothing crashed.

Attached Files:
* PerfmonReport
* Your app collection dump
* IPDT Processor Test results

Appreciate your support :)

A:Intermittent BSOD (full troubleshooting included) - need troubleshooting advice

Bump please :)

Read other 5 answers
RELEVANCY SCORE 46.8

I recently purchased a new laptop running Windows 7. On setup, I was pleased to find that it connected to my home network without much complaint. However, I soon noticed a misstep -- after putting my laptop to sleep, upon waking, it would consistently fail to connect to network.
I've tried disabling IP Helper, as well as the wireless adapter's IPv6 protocol à la advice on other forums. I've also ensured that the driver settings do not allow for disabling to save power. Seeing that none of these worked, I decided to uninstall and delete the driver and install a newer version (in a related issue, the driver update feature failed to detect the existence of a newer version -- why?).
This appears to have fixed the connection issue. However, still, after sleeping the laptop and waking, although it connects to the router, I still need to reset the IP command-line via ipconfig /release + /renew.
I was running Vista on my previous machine, and I know that its Network Diagnostic tool would, when presenting solutions, frequently suggest that my computer had the wrong IP and that I should reset it. I was hoping throughout this process that the Network Diagnostic troubleshooter would present a similar option. Instead, however, no matter what I do with my wireless, the troubleshooter only ever returns the message "Troubleshooter couldn't identify any problems." Whether or not I check the box for auto-repair or run ... Read more

A:Troubleshooting the Network Troubleshooting Utility / After-Sleep Connection Problems

Hi,
To avoid confusion, let us focus on the first issue within this thread first.
Can you access the internet when connecting the laptop directly via cable?
Where did you download the newer version of the network card driver? Usually, the "driver update" feature from Device Manager will go to the Microsoft Update Catalog website for the corresponding driver instead of the manufacturer's website. At this point, I would suggest installing the latest driver here. Please note: Microsoft doesn't write drivers; for any driver-related issue, the OEM is always the best resource to turn to. Your understanding is appreciated.
As a workaround, you can prevent the network card from sleeping by the following method:
Open Device Manager -> expand Network adapters -> right click on the wireless adapter -> Properties -> under the Power Management tab, uncheck the box before "Allow the computer to turn off this device to save power".
If anything is unclear, please feel free to post back.
Regards,
Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Read other 3 answers
RELEVANCY SCORE 45.6

I'm running AGPM 4 SP3 using a least privileged access service account, and whenever I deploy a GPO to production, all of the users from Change Control's Production Delegation tab (Domain Admins / Enterprise Admins / Enterprise Domain Controllers / SYSTEM / as well as my personal account I'm logged in with) get added to the security filtering of the deployed GPO. Not only is this for all current production GPOs, but also if I create a new GPO within AGPM the same groups get added to the security filter. Any ideas what could be causing this?

Read other answers
RELEVANCY SCORE 44

Appreciate if anyone can advise if the RPTester tool is a publicly available tool; glimpsed in forum question

Delegation Authorization Rules / ActAs removed in ADFS 4.0? (Windows Server 2016)

Read other answers
RELEVANCY SCORE 43.6

Hi all,

I am using Windows 2000 Professional. I wish to configure the Kerberos Policy in the system but do not know where to find policy and configure the settings.

Thanks all for ur help.....
 

A:Kerberos Policy

See if the MS article below helps. Let us know what happens.
http://support.microsoft.com/defaul...port/kb/articles/Q232/1/79.ASP&NoWebContent=1
 

Read other 2 answers
RELEVANCY SCORE 43.6

I had this on my HP which I returned for MCE's and now I see it here on my new Dell XP430 as well.

The ERROR is an HTTP Event 15016 and under General it says "Unable to initialize the security package Kerberos for server side authentication. The data field contains the error number."

And under Details it says:
[ Name] Microsoft-Windows-HttpEvent
[ Guid] {7b6bc78c-898b-4170-bbf8-1a469ea43fc5}
[ EventSourceName] HTTP
- EventID 15016
[ Qualifiers] 49152
Version 0
Level 2
Task 0
Opcode 0
Keywords 0x80000000000000
- TimeCreated
[ SystemTime] 2009-04-12T21:13:07.363Z
EventRecordID 24054
Correlation
- Execution
[ ProcessID] 4
[ ThreadID] 52
Channel System
Computer DellXPS430
Security
- EventData
DeviceObject \Device\Http\ReqQueue
SecurityPackage Kerberos
----------------... Read more

A:Anyone else having Kerberos errors?

Kerberos is a computer network authentication protocol, which allows individuals communicating over a non-secure network to prove their identity to one another in a secure manner. It is also a suite of free software published by Massachusetts Institute of Technology (MIT) that implements this protocol. Its designers aimed primarily at a client-server model, and it provides mutual authentication — both the user and the server verify each other's identity. Kerberos protocol messages are protected against eavesdropping and replay attacks.
Kerberos builds on symmetric key cryptography and requires a trusted third party. Extensions to Kerberos can provide for the use of public-key cryptography during certain phases of authentication.
source:http://en.wikipedia.org/wiki/Kerberos_(protocol)

Read other 11 answers
RELEVANCY SCORE 43.6

Hi Expert! 
May I know what's the maximum days of Kerberos token per machine? Somebody's idea?

Homer Sibayan

Read other answers
RELEVANCY SCORE 43.6

Can someone please explain me the basics of the kerberos protocol. I cannot understand anything.
 

A:kerberos protocol

http://en.wikipedia.org/wiki/Kerberos_(protocol)
 

Read other 1 answers
RELEVANCY SCORE 43.6

Hi, I am getting a blue screen then reboot after physical memory dump. This happens whenever I watch a .avi file or if I'm watching a streaming site like YouTube; it even happened when I was on a MySpace page yesterday. It plays the video, but whenever I close the media player or website down I get the blue screen.

The Blue screen says Bad Pool Header and the main number at the bottom is 0x00000019 (0x00000021 0xD18BE000 0x00070808 0xFFFE0176)

In the event viewer under errors it says "Unable to initialize the security package kerberos for server side authentication. the data field contains the error number " It is an httpevent and has an ID of 15016.

There are also some updates that I cannot install, KB951698. Not sure if this has anything to do with the Kerberos thing.

I just installed vista 3 days ago from a dell upgrade dvd and put SP1 in yesterday. I have no idea what to do. There was another problem with sonic before but I found a patch for that, that problem gave me the same blue screen (I think, both had 0x00000019 though unsure if the drvmcdb.sys problem had same bracketed numbers).

Here the log from the debugger WINDBG

BugCheck 19, {21, 8608b000, 70808, ffff}
*** WARNING: Unable to verify timestamp for sthda.sys
*** ERROR: Module load completed but symbols could not be loaded for sthda.sys
Probably caused by : sthda.sys ( sthda+148ec )
Followup: MachineOwner
---------
1: kd> !analyze -v
********************************************************... Read more

Read other answers
RELEVANCY SCORE 43.2

We have loaded the DOD AGM image on a laptop.  IT is joined to the domain and configured using the local administrator log in.
THEN we attempt to log in with the required DOD CAC and we get:
The Kerberos protocol encountered an error while validating the KDC certificate during logon through smart card

The event log shows Event ID 9

"The client has failed to validate the Domain Controller certificate for X.army.mil. 
The following error was returned from the certificate validation process: 
A certificate chain could not be built to a trusted root authority."

We do not control the Domain Controller. That is controlled by another DOD group. (just an FYI)

 
 
 
Event ID 9

A:Windows 7 CAC and Kerberos error

Hi,


The issue may be more related to the third party programs. Please understand that Microsoft has the limited resources about the third party programs. You may contact to their support team directly.

Kim Zhou

TechNet Community Support

Read other 4 answers
RELEVANCY SCORE 43.2

Can i create an application based on kerberos within 10 days using .net technologies?
And it would be very fine if anyone can provide it to me or any kind of links.....
plz its urgent......
 

A:kerberos application required

ramveer91 said:
Can i create an application based on kerberos within 10 days using .net technologies?

Depends on your experience and the scope of your project.

ramveer91 said:
And it would be very fine if anyone can provide it to me or any kind of links.....
plz its urgent......

Google google google. For instance, when I google "kerberos .net application" I get a ton of hits, i.e.

http://software.intel.com/sites/man...dDocuments/kerberosauthenticationusingnet.htm
 

Read other 1 answers
RELEVANCY SCORE 43.2

Hi all,
I really do not know what is happening. We have 1 secure VLAN that by default blocks all ports IN/OUT. We had set up the firewall to open the ports which are required to allow Windows 7 Enterprise to work. The system is in a domain, west.ads.cc.com for example.
We have 3 issues that came up for all systems located in this secure VLAN, as described below:

IT systems in a different VLAN cannot offer Remote Assistance. There is no issue with the IT systems machines, since they can still offer Remote Assistance to other VLANs fine.
Users in this secure VLAN cannot access a shared drive from a different domain that is still in the same forest. For example, our forest is ads.cc.com and the different domain is east.ads.cc.com. There is no issue with the shared drive in east.ads.cc.com, since other users in a different VLAN located in domain west.ads.cc.com are still able to access it without any issue.
Users in this secure VLAN cannot connect to 1 SQL Server in west.ads.cc.com if using Windows Authentication. They are still able to connect to this SQL Server if using a SQL Authentication ID, since we opened port 1433 as designed. We used the procmon tool to analyze and found out there are a total of 13 send/receive packets that need to be communicated to allow a full transaction to be established successfully. But when we use Windows Authentication, the first 7 packets were communicated and the connection was dropped after about 10 seconds at the 7th sent packet. This looks like it is due to a timeout. We got the error related to SSPI handshake failed.... Read more

Read other answers
RELEVANCY SCORE 43.2

Didn't know what forum to place this in. Having issues with Kerberos Errors and my SCCM server. I have another issue, but I think this is related. I get the following event in my PC.

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server aas-vm-sccm$. The target name used was HTTP/aas-vm-sccm.aas.global.amphenol-sensors.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (AAS.GLOBAL.AMPHENOL-SENSORS.COM) is different from the client domain (AAS.GLOBAL.AMPHENOL-SENSORS.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
Now when I run the setspn -Q http/tnwd07190.aas.global.amphenol-sensors.com I get
Checking domain DC=aas,DC=global,DC=amphenol-sensors,DC=com
CN=AAS-SvcAdmin,OU=Svc&Floor Accounts,OU=Users,OU=Taunto... Read more

Read other answers
RELEVANCY SCORE 43.2

Hello, I'm really lost .. well: My professor has asked me to work on a project called KERBEROS, and as you know the KERBEROS authentication protocol is a network protocol based on a mechanism of secret keys (symmetric encryption) and the use of tickets ... My problem is that she asked me to show her how it works on Windows Server 2003 with Active Directory! I think it's hyper difficult to show it, no? Even using a sniffer, is it difficult or not? Please, how can I show her that there is an authentication and a ticket exchange .... I want to know the shortest path and simplest guide in order to have a very great mark, thankie.
 

A:Kerberos I HATE YOUUUU ><

Read other 9 answers
RELEVANCY SCORE 43.2

I have a java application which uses Kerberos authentication for login. Through IE 10 Kerberos authentication is successful only if the user has local admin privilege and the IE 10 should be run as administrator. Anyone in forums can help me to resolve this issue as we cannot give a domain user local admin privilege.

Read other answers
RELEVANCY SCORE 43.2

We have a mixed environment using MAC OSX and NoMAD to connect to AD resources. The user is logged on locally. Our file server is a Synology NAS using Windows integration. ATA does not detect the Kerberos sign-in and also does not detect the Kerberos SMB connection to the Synology. Am I missing something? Our setup is completely virtual. All DCs are lightweight. ATA Center is a new install on Server 2019.

Read other answers
RELEVANCY SCORE 42.8

Hello,

I meet a strange problem with IE to access from the web a public URL with Kerberos SSO enabled for LAN access (of course, SSO can't work for external access).
A single URL is wanted for internal (LAN) and external(web) access.

# Client:
O/S: Windows 7
Browsers: IE11 + Firefox 44

# Server
O/S: Windows Server 2012 R2
Web server: Tomcat 7

# Authentication
Windows AD : 2012
Kerberos + SSO

# URL to access web portal with HTTPS/TLSv1.2: 2 existing FQDN
Public FQDN: xyz.corp.fr (reachable from web)
Internal FQDN: a-b-xyz.corp.fr and a-b-xyz.corp.local (reachable from LAN)

Aim

Notebooks have to access web portal from LAN or web (roaming users).
For both LAN and web access, only one public URL is wanted to access web portal: https://xyz.corp.fr .

Symptoms

From LAN, to get SSO with IE11, I just have to add https://xyz.corp.fr in "Local intranet" security zone.
But if the notebook is connected from the web, the URL https://xyz.corp.fr does not work ("This page can't be displayed") !

To solve this problem, I have to move https://xyz.corp.fr to "Trusted sites" security zone of IE or at least delete the URL from "Local Intranet" zone.
Then, if the notebook have to connect from LAN, SSO does not work anymore since https://xyz.corp.fr is no more in "Local Intranet" security zone.

NB: - no problem with Firefox 44 that does not use "security zones" concept
- problem got on 4 different PC under W7
- no problem... Read more

Read other answers
RELEVANCY SCORE 42.8

Hi,

I have a Windows 7 Home Premium x64 installation (i.e. one that does not attach to a domain) that needs to talk to a Samba share in a Kerberized (not AD) environment.

I have setup "Kerberos for Windows 4.0.1" and "Network Identity Manager 2.0.102.907" and they are successfully able to obtain a Kerberos ticket from the KDC used by the Samba share.

How do I now get Windows Explorer to use that ticket when accessing the share?

Regards,
Rob.

A:How do I integrate Kerberos with Windows Explorer?

After consulting with some network admin friends, the only way we see that working properly is to upgrade to win 7 pro and adding the system to the domain. LDAP/Kerberos is a tricky beast

Read other 2 answers
RELEVANCY SCORE 42.8

We have a situation where users are getting locked out after 2 logon attempts with bad passwords. Our policy is three bad passwords produces a lockout, but we've confirmed that it locks after only 2. In troubleshooting this, we found that every time a user sends logon credentials, two Kerberos tickets are generated. To AD, after the second attempt, four "bad" tickets have been sent. How in the world do we begin tracing this down?

A:Kerberos Ticket Generated at Logon Sent Twice

I am reviving an old thread strictly for the sake of posting our fix. This happened again on a single machine in our environment and I remembered that I posted something here. I failed to return to relate the solution.
Turns out that a year or two before I started at my current job, a Group Policy Preference was created to force a particular encryption type (RC4-HMAC) to allow machines to connect to our Windows 2003 Server DCs. The GPP maintained a setting in the registry: HKLM\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters. The value is called DefaultEncryptionType and was set to 17 (hex). Removing the value corrected the issue for us.

Read other 5 answers
RELEVANCY SCORE 42.8

I have the GA installed and working, and would like to add a few more ATA administrators.
Problem is they don't have passwords, just smartcards. Can I set up the ATA Console for Windows authentication, Smartcard auth or Kerberos Constrained instead of the (albeit very pretty) username/password only configuration that's default?

Read other answers
RELEVANCY SCORE 42.8

Hi, I am testing Windows 7 OS in our domain and found that Kerberos authentication to UNIX domain from Windows 7 is not working. It is prompting for a password every time I connect to a unix host and not going through pass-through authentication. This works perfectly fine on Windows XP OS in our environment.

Is there any setting that needs to be done to make this working from Windows 7 client?

Thanks

A:Kerberos Authentication to UNIX from Windows 7 OS

Hi there could you try disabling User Account Control in Windows 7?
Control Panel\User Accounts and Family Safety\User Accounts\Change User Account Control Settings. Bring it all the way to the bottom.

Read other 2 answers
RELEVANCY SCORE 42.8

I've got a fairly new 2003 Active Directory and recently I have had two independent reports of users not being able to get into a file server that they were able to one week before. After a log off and log on they have been ok.

I believe this is due to the fact the users haven't logged off in a week and their Kerberos credentials expired. So I've checked domain policy and it seems that the policies are as follows:

Code:
Maximum lifetime for service ticket 600 minutes
Maximum lifetime for user ticket 10 hours
Maximum lifetime for user ticket renewal 7 days
The last one was of interest here so I just changed it to 60 days.

Code:
Maximum lifetime for user ticket renewal 60 days
I would like to ask what people's opinions are on this, especially if there are any other veteran MCSEs out there, regarding the security implications of this change.
 

Read other answers
RELEVANCY SCORE 42.4

We have recently changed our SharePoint on-premise authentication method from NTLM only to Kerberos/NTLM. Since then, when we try to log in from the Internet (no Kerberos), IE causes trouble, getting a 401 (Unauthorized) due to the fact that it does not fall back to NTLM, but wants to use Kerberos instead. This behaviour only applies to IE and Edge; other browsers like Chrome or Firefox do proper NTLM. The response header I see in IE is correct (WWW-Authenticate: Negotiate, NTLM), though. Just that both IE and Edge always only try Kerberos, which fails from outside our corporate network or VPN. It doesn't look to me like it would be a firewall or IIS server issue, since other browsers (non-Microsoft) do properly work with NTLM within the same scenario. BTW, there is a similar situation with Dynamics CRM on-premise. I am not an expert here, but with this, when trying to browse the internal URL from WAN (which might not be the right approach, but firewall-wise it is allowed), we get the same issue with IE/Edge. Using the internet-facing deployment URL for CRM via ADFS, this works with IE/Edge too from outside the corporate network. This seems to be the same cause: these browsers do not fall back to NTLM if Kerberos isn't available.
After I got my Kerberos ticket once, until it expires or I purge it, I can work with these browsers from outside the LAN too.
IE security settings are set to Enable Integrated Windows Authentication, and the servers in charge are members of the Local Intranet security zone
... Read more

Read other answers
RELEVANCY SCORE 42.4

Team,
We had an alert on Win SERVER for Kerberos golden ticket activity, which says ticket usage was over a period of 13 hours which exceeded allowed maximum of 10 hours.
Need help to evaluate this alert.

Checked with AD team they confirmed no change in Group Policy has been made.
Now next where else we need to check for investigation for this alert.

Read other answers
RELEVANCY SCORE 42.4

Has anyone used or is it technically possible to use ATA to look at Kerberos interactions with domain controllers ahead of a forest functional upgrade from 2003?
Our AD has been in-place since around ~2004, although the DCs are now running Windows 2008 R2 the FFL for Forest and Domain is 2003. We want to upgrade but are aware that upgrade from 2003 resets the krbtgt password and shifts from HMAC-RC4 to AES-256.
Whilst Windows clients should deal with this, non-Windows servers and apps will need to be tested and a plan put together. The first issue is identifying non-Windows clients that are using Kerberos, aggregating and reporting. Whilst trawling for Kerberos activity it makes sense to also look at who is still using NTLM as well as LDAP.
I'm aware that this isn't really the purpose of ATA, but based on the information it captures, is the requirement outlined above something that ATA could be used to fulfil?
Paul Bendall

Read other answers
RELEVANCY SCORE 42.4

Hello everyone, after looking for ages to fix this trouble I finally end up seeking for help on this forum!

First of all, excuse my poor english!

So, I just bought a brand new Acer Aspire 6920G notebook... pretty happy with it so far, a very good machine... The thing is: I'm having a pretty annoying problem, and this has been occurring since the very first day... Once in a while, my Firefox freezes and I can't even shut it down or just reboot the laptop; I have to do it manually, which is very annoying and not quite good for the hardware I guess...

I checked the event viewer and ended up finding that the only single error occurring is this one:

HttpEvent ID 15016 "unable to initialize the security package kerberos for server side authentication. the error continues in Event viewer.

That's the only error showing up there (besides the manual reboot) SO ... I have been trying to fix this and can't find a solution. I would be grateful to anyone who could help me... thanks in advance!

Here's my HijackThis log :


A:Trouble with error 15016 (Kerberos) Win Vista!!

Error just happened again with Google Chrome, so Firefox isn't the problem...help me please!
 

Read other 2 answers
RELEVANCY SCORE 42

Hi, each user workstation--about a half dozen Win 7 SP1 64-bit and Win 10 64-bit LTSB 2016 PCs--I check logs an error to the System Event Log every 1-2 hours. The event / error reads:



The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server MY-SERVER'S-NAME$. The target name used was HTTP/MY-SERVER'S-NAME.MY-DOMAIN-NAME.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (MY-DOMAIN-NAME.COM) is different from the client domain (MY-DOMAIN-NAME.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.



I've gone through the steps at this link:
https://technet.microsoft.com/en-us/library/cc733987(WS.10).aspx (Check for duplicate or unused computer accounts [also queried LDAP from a DC to make sur... Read more

Read other answers
RELEVANCY SCORE 42

Got an alert from the Microsoft Advanced Threat Analytics that I think has to be legit. It is in my SharePoint 2013 environment and it says the following.

Suspicious account enumeration activity using Kerberos protocol, originating from SERVER, was detected. The attacker performed a total of 346 guess attempts for account names, 296 guess attempts matched existing account names in Active Dir
Sounds like a real attack to me but does anyone know if this is SharePoint doing something, highly unlikely since SharePoint wouldn't be guessing accounts like this.

thanks,

Jason VanCise

Read other answers
RELEVANCY SCORE 42

I received the following alert many, many times on 2 of my Exchange CAS servers and don't know whether it's a real attack or a false positive, as I checked my security and scanned the servers and didn't find anything.
Suspicious account enumeration activity using Kerberos protocol, originating from (EXCAS01), was detected. The attacker performed a total of 188 guess attempts for account names, 11 guess attempts matched existing account names in Active Directory.
Kindly advise!!

Read other answers
RELEVANCY SCORE 41.6

Hiya

The attached samples demonstrate how to locate domain controllers, change user passwords, list accounts, and create new user and computer accounts in Microsoft® Windows® 2000 from UNIX.

Each sample includes an executable that is built for the desired UNIX platform and a UNIX-style man page that documents the command usage.

System Requirements
Supported Operating Systems: Windows 2000

http://www.microsoft.com/downloads/...9a-0815-40eb-a957-e7c698225622&DisplayLang=en

Regards

eddie
 

A:Windows 2000 Active Directory and Kerberos Services: June 22

How does Kerberos affect XP Home clients' accessibility to domain resources, or does it?
 

Read other 1 answers
RELEVANCY SCORE 41.2

I have a Windows 7 Home system that is connected by IKEv2 VPN to another network served by strongSwan. The VPN also uses the smartcard to authenticate. So I do have the server's root CA in my local machine's trusted root CA store, and it is capable of using the card in general. Once connected, the kinit that comes with Oracle Java can also be used to get a ticket for my username. So time sync must be good.
The problem comes with Remote Desktop. Attempting to connect to an inside system with RD using the smartcard causes the message "The Kerberos protocol encountered an error while attempting to utilize the smartcard subsystem."
Tracing the packets seen by Windows Server 2016, I see that the client sends an as-req to the KDC, and it is asking for the correct principal name, but the request contains no preauth information (ie the certificate). The server correctly responds with "preauth required" and includes PKINIT as an auth choice. No further communication with the KDC is attempted.
Attempts to make this work have included using ksetup on the client system to define the default realm and set a KDC.
What is needed to make the client send a properly formed ticket request?

Read other answers
RELEVANCY SCORE 39.2

Hi,
I am running Windows 7 Professional 64 bit on a quad-core Xeon machine.
My company IT policy requires that we change our account passwords every 2 months. After the last password change, my computer is locking me out of the network by trying to log in with an invalid password stored somewhere in the credential manager.
I have tried clearing the credential manager many times, no use. We checked all my machines, virtual machines, network drives, printers; none of them seem to solve the problem.
Our IT specialist has checked our machines multiple times and found nothing.
So far we know of two machines with the same configuration causing this problem. The only way to avoid being locked out is to turn off my machine at night. The login attempts occur at 5:00 am in the morning every day.
The event viewer reports the following event.
Log Name:      System
Source:        Microsoft-Windows-Security-Kerberos
Date:          10/22/2010 5:00:31 AM
Event ID:      14
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      computername.network.com
Description:
The password stored in Credential Manager is invalid. This might be caused by the user changing the... Read more

A:Security-kerberos Event ID 14 . credential manager causes system to login to network with invalid password and lock the account.

Microsoft Support found the problem for us.  Our domain accounts were locking when a Windows 7 computer was started.  The Windows 7 computer had a hidden old password from that domain account.
There are passwords that can be stored in the SYSTEM context that can't be seen in the normal Credential Manager view.
Download PsExec.exe from http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx and copy it to C:\Windows\System32 .
From a command prompt run:    psexec -i -s -d cmd.exe
From the new DOS window run:  rundll32 keymgr.dll,KRShowKeyMgr
Remove any items that appear in the list of Stored User Names and Passwords.  Restart the computer.
 

Read other 22 answers
RELEVANCY SCORE 37.6

Hello,
I came across an unusual pass-the-ticket ATA alert. Please take a look below:
Time (UTC)                Source Ip Address  Source Computer  Source Computer Resolution Method  Destination Ip Address
06.10.2017 20:01:58,538   10.***.**.**1      LT******1        Netbios, RpcNtlm, Hint, Cached     10.***.***.*3
06.10.2017 20:05:29,289   10.***.**.**1      LT******1        Netbios, RpcNtlm, Hint, Cached     10.***.***.*3
06.10.2017 20:45:52,151   10.***.**.**2      LT******2        Dns, Cached                        10.***.***.*3
06.10.2017 20:45:52,615   10.***.**.**2      LT******2        Dns, Cached                        ... Read more

Read other answers
RELEVANCY SCORE 32.4

A computer reports "non-system disk or disk error" at boot. What is the logical troubleshooting process?
 

A:troubleshooting?

Check for a floppy disk
 

Read other 2 answers
RELEVANCY SCORE 32.4

Hi, I'm using the new AIM 6.5 and I'm having problems every time now. It tends to freeze my whole computer when I use it, especially when I IM. I've tried uninstalling and reinstalling but that didn't work. Any ideas?

Thanks for your time.
 

A:AIM Troubleshooting

HestiaCerridwen said:



Hi, I'm using the new AIM 6.5 and I'm having problems every time now. It tends to freeze my whole computer when I use it, especially when I IM. I've tried uninstalling and reinstalling but that didn't work. Any ideas?

Thanks for your time.

Best to use another way.. I use GAIM or PIDGIN instead, both can open the AIM, Yahoo IM and etc.. Don't hose the system like AOL IM. Give those a try instead. Free 100%, no ads and etc..
 

Read other 1 answers
RELEVANCY SCORE 32.4

Epox 8RDA3+ w/ AMD XP2800
Crucial 512mb DDR 3200 (took the other one out b/c of the W98 issue)
MSI GeForce FX5200
500W psu

Problem 1: System resource issue

Everything is recognized in the BIOS, but when it gets to the start up screen, it sits there for over a minute before it finally decides to finish booting up. Start to finish, it takes about 2 1/2 minutes. Even at the very start, system resources are at 69%. Now, with only the modem and netscape running, system resources are at 43%. This is ridiculous. Even before I started to add programs, it would take forever to boot up. I've used the Epox book and double-checked all the settings in the BIOS.

Problem 2: Windows installer issue

After the Fdisk and reformat of the hard drive, I thought I'd licked the problem of windows installing things over and over again, but apparently it's back again. In normal mode, device manager shows 3 motherboard resources, 5 NVIDIA nforce2 memory controller, 2 PCI-to-PCI bridge. (I'm almost afraid to view it in safe mode). If I remove anything, windows puts them right back when I restart. If I do it manually, I still get multiple entries.

Problem 3: Video issue

After I've been online awhile, I'll open up a new tab and the video freaks out. It starts with a black outline around the open tab, then seems to spread to the rest of the browser window. Sometimes I can close the browser, other times, I have to do C-A-D to close it.

I have uninstalled, reinstalled... Read more

A:Need troubleshooting help

Read other 16 answers
RELEVANCY SCORE 32.4

Hi .. Might be of some interest to others, I just noticed this in the Microsoft newsrooms from Carey Frisch

Please follow this WGA troubleshooting procedure:

1. Download and install the WGA Diagnostic Tool:
http://go.microsoft.com/fwlink/?linkid=52012

2. After running the WGA Diagnostic Tool, click
on "Copy to Clipboard".

3. Visit the following website and create a post in the
"WGA Validation Problems" forum and paste the
results of the WGA Diagnostic Data in your post.
http://forums.microsoft.com/Genuine/default.aspx?SiteID=25
4. A WGA troubleshooting specialist will analyze the data and
recommend an appropriate solution.
 

Read other answers
RELEVANCY SCORE 32.4

Troubleshooting used to work but now it doesn't. How can I fix the error message that says an error occurred while troubleshooting.

A:troubleshooting

Check that your Intel Rapid Storage driver is up to date, then look in services to see if the Diagnostic Service Host is running.

Read other 8 answers
RELEVANCY SCORE 32.4

I recently signed up for DSL (3m/768) from Cincinnati Bell's zoomtown.

I have had trouble maintaining a constant connection at any speed around 8pm to 2am in the morning.

I've only had it a few days but during that time span I would have problems at 3m speed, 2m, 1m, or even 768 settings from the provider.

Today the connection has been stable since about 7am.

Here is a list of my speeds (when the provider set me at 3m) from dslreports.com
down/up

Friday-sat:

1094/577
568/580
1011/645
1026/645
919/645
868/645
1374/647
276/645
868/645
521/645
1014/644
722/643
1113/616
815/646
992/645
1051/645
1193/644
1208/645
886/646
970/611
1076/625
1229/627

Today (sun):
341/541
332/576
374/547
424/648
453/645
471/645

As you can see my download speed is all over the place (and nothing near 2-3m). My upload speed is more consistent around 640 (probably 768 including overhead)

I called tech support many times. zoomtown has sent out a tech already and he couldn't find anything wrong with the line meter reader with regards the connection dropping. When he came he called to set the speed to 3m (was 768 down) and said with 3000/768 I had 16dB s/n. Is that good?

I called zoomtown again and they are going to send out another tech when the problem time is (most likely evening around 8pm). The soonest they can come out is friday.

Has anyone seen this happen before? any ideas what is wrong? Again the speeds listed above are for when they set my connection to 3M. When it was at 7... Read more

A:New guy here needs some help troubleshooting

As some of you know my DSL service has been cutting off on me. For the past 4 days (3 of which I have proof) my connection would drop like clockwork around 8:20PM at night and not come on until morning. Last night I was using xbox live and right at 8:20 or so my connection was lost. I looked out the window and the street lights were just powering on. I called my provider and they said it is likely that could be the cause since they have seen it before.

The only odd thing is that on Sat & Sun night the connection went out around 8:20pm and didn't come back until around 7am. But last night it cut out at 8:20PM and came back on at 9PM or so.

Below is a history of my connection. The green is the ping delay and the blue is packet loss (they have 3 locations pinging my IP):

They are sending a tech out Friday evening to try to fix the problem. Hopefully it is as simple as the lights causing the problem (interfering with poorly shielded cabling). Any other ideas what it might be?
 

Read other 2 answers