Kerberos Related EventID 3 and EventID 4 after Implementing SSO

I have Openfire 3.3.3 on a server named Phantom.ad.mcbrideandson.com with about 100 Spark clients on version 2.5.7. SSO is implemented and working properly. However, on the Openfire server I have noticed that my Event Viewer's System log is completely full of event IDs 3 & 4.

Event ID 3: This is the most frequent, and is occurring on computers from the mcbridehomes.pvt and on the ad.mcbrideandson.com domain; frequent errors from both domains, but it seems mcbridehomes.pvt has the most.

Mcbridehomes.pvt: The mcbridehomes.pvt is another domain with whom we have a trust. These computers do NOT have Spark installed at all, nor any Jabber client.

Ad.mcbrideandson.com: ad.mcbrideandson.com is our domain with the computers using Spark. Interestingly, these computer names do not have the .ad.mcbrideandson.com appended to them (though maybe the $ is representative of that?).

Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 3
Date: 10/26/2007
Time: 3:20:34 AM
User: N/A
Computer: PHANTOM
Description:
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 8:20:35.0000 10/26/2007 Z
Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
Extended Error:
Client Realm:
Client Name:
Server Realm: AD.MCBRIDEANDSON.COM
Server Name: cifs/MBH-RG.mcbridehomes.pvt
Target Name: cifs/MBH-RG.mcbridehomes.pvt@AD.MCBRIDEANDSON.COM
Error Text:
File: 9
Line: ae0
Error Data is in record data.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event ID 4: This is another error we are getting only on computers from the ad.mcbrideandson.com domain. It almost looks like it might be occurring most on specific computers, as I often see the same computer names in the logs.

Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date: 10/26/2007
Time: 3:20:32 AM
User: N/A
Computer: PHANTOM
Description:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server MB-77$. The target name used was cifs/MB-TRAINING2.ad.mcbrideandson.com. This indicates that the password used to encrypt the Kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (AD.MCBRIDEANDSON.COM), and the client realm. Please contact your system administrator.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Are the computers bound to your domain? Do they have a krb5.ini file?

I have the KDC set in the spark.properties file on all the clients:

ssoKDC=contract_srv.ad.mcbrideandson.com

ssoRealm=AD.MCBRIDEANDSON.COM

I have not modified the krb5.ini files on any of the clients, or on any of the computers in the other domain.

The computers in mcbridehomes.pvt are not part of my domain; it is a separate domain entirely. The only users as part of my domain are those from ad.mcbrideandson.com.

What is the OS of the client machines?

Are the user accounts from both domains on the AD server you are using for LDAP lookup?

What is the current content of your krb5.ini?

The errors reported have nothing to do with Openfire. It is a CIFS (Windows file sharing) issue. It appears that PHANTOM is trying to obtain a service ticket for cifs/MBH-RG.mcbridehomes.pvt@AD.MCBRIDEANDSON.COM (presumably to do file sharing of some sort), and Event ID 3 is telling you that the particular principal being requested doesn't exist. Event ID 4 gives some good clues too: it says the error is common when you have multiple domains with client names that are the same. So perhaps PHANTOM is confused as to which MBH-RG host it is talking to? In any case, it is doubtful these are related to Openfire at all.
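As an added example (not part of this thread or of Openfire), the following Python script applies the reasoning in this reply to exported System-log text like the two entries quoted above: for Event ID 3 it checks whether the host in the requested SPN belongs to a different DNS domain than the realm the ticket was requested from, and for Event ID 4 whether the server account that rejected the ticket differs from the host named in the SPN. The sample log text is constructed from the thread's entries, and the finding messages are the example's own wording.

```python
import re
# Constructed sample modelled on the two events quoted in the thread (IDs 3 and 4).
SAMPLE_LOG = """Event Source: Kerberos
Event ID: 3
Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
Server Realm: AD.MCBRIDEANDSON.COM
Target Name: cifs/MBH-RG.mcbridehomes.pvt@AD.MCBRIDEANDSON.COM

Event Source: Kerberos
Event ID: 4
Description: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server MB-77$. The target name used was cifs/MB-TRAINING2.ad.mcbrideandson.com. This indicates that the password used to encrypt the Kerberos service ticket is different than that on the target server.
"""

FIELD_RE = re.compile(r"^([A-Za-z ]+): ?(.*)$")
ID4_RE = re.compile(r"error from the server (\S+)\. The target name used was (\S+)\.")

def parse_events(text):
    """Split exported log text into events; each event maps 'Field' -> value."""
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1)] = m.group(2).strip()
        if fields.get("Event Source") == "Kerberos":
            events.append(fields)
    return events

def triage(ev):
    """Return a one-line finding for Kerberos Event ID 3/4, else None."""
    if ev.get("Event ID") == "3":
        spn, _, realm = ev["Target Name"].rpartition("@")
        host = spn.split("/", 1)[1]                   # e.g. MBH-RG.mcbridehomes.pvt
        host_domain = host.partition(".")[2].upper()  # e.g. MCBRIDEHOMES.PVT
        if host_domain and host_domain != realm:
            return (f"ID3 {ev['Error Code']}: SPN {spn} requested in realm {realm} "
                    f"but host is in {host_domain}; check trust referral / SPN registration")
        return f"ID3 {ev['Error Code']}: SPN {spn} is not registered in {realm}"
    if ev.get("Event ID") == "4":
        server, target = ID4_RE.search(ev["Description"]).groups()
        target_host = target.split("/", 1)[1].partition(".")[0]  # e.g. MB-TRAINING2
        if server.rstrip("$").upper() != target_host.upper():
            return (f"ID4 KRB_AP_ERR_MODIFIED: ticket for {target} was presented to {server}, "
                    f"which could not decrypt it; look for a duplicate SPN or a DNS alias for {target_host}")
        return f"ID4 KRB_AP_ERR_MODIFIED: {server} cannot decrypt its own ticket; check its password/keytab"

def summarize(text):
    return [f for f in (triage(ev) for ev in parse_events(text)) if f]
```

Run it against the text exported from Event Viewer (one blank line between events) and the two findings name the cross-domain SPN and the MB-77$/MB-TRAINING2 mismatch the reply above points at.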