Windows Server 2003 Security Infrastructures: Core Security Features (HP Technologies)
In the next two sections, we will explore some basic Kerberos and Windows Server 2003 authentication troubleshooting tools. An indispensable tool for every administrator is the Event Viewer. The next section will list some common Kerberos error messages as they appear in the Event Viewer. The following side note explains how to enable advanced Kerberos event logging.
5.6.1 Kerberos error messages
In Windows Server 2003, Microsoft included some Kerberos-specific event IDs. They are listed in Table 5.11. If you want to go even more in detail, Table 5.12 shows the Kerberos-related error messages as they appear in the Windows Event Viewer. Both can give interesting hints when troubleshooting Kerberos authentication problems.
Event ID | Meaning |
---|---|
672 | An authentication service (AS) ticket was successfully issued and validated. |
673 | A ticket granting service (TGS) ticket was granted. |
674 | A security principal renewed an AS ticket or TGS ticket. |
675 | Kerberos preauthentication failed. This event is generated on a key distribution center (KDC) when a user types in an incorrect password. |
Code | Short Meaning | Error Explanation |
---|---|---|
0x6 | Client Principal unknown | The KDC could not translate the client principal name from the KDC request into an account in the Active Directory. To troubleshoot this error, check whether the client account exists in AD, whether it has not expired, and whether AD replication is functioning correctly. |
0x7 | Server Principal unknown | The KDC could not translate the server principal name from the KDC request into an account in the Active Directory. To troubleshoot this error, check whether the client account exists in AD, whether it has not expired, and whether AD replication is functioning correctly. |
0x9 | Null key error | Keys should never be null (blank). Even null passwords generate keys because the password is concatenated with other elements to form the key. |
0xE | Encryption type not supported | The client tried to use an encryption type that the KDC does not support, for any of the following reasons: The client’s account does not have a key of the appropriate encryption type; the KDC account does not have a key of the appropriate encryption type; the requested server account does not have a key of the appropriate encryption type. The type may not be recognized at all, for example, if a new type is introduced. This happens most frequently with MIT compatibility, where an account may not yet have an MIT-compatible key. Generally, a password change must occur for the MIT-compatible key to be available. |
0x17 | Password has expired | This error can be caused by conflicting credentials. Let the user log off and then log on again to resolve the issue. |
0x18 | Preauthentication failed | This indicates failure to obtain ticket, possibly due to the client providing the wrong password. |
0x1A | Requested server and ticket do not match | This error will occur when a server receives a ticket destined for another server. This problem can be caused by DNS problems. |
0x1F | Integrity check on decrypted field failed | This error indicates that there is a problem with the hash included in a Kerberos message. This could be caused by a hacker attack |
0x20 | Ticket has expired | This is not a real error; it just indicates that a ticket’s lifetime has ended and that the Kerberos client should obtain a new ticket. |
0x22 | Session request is a replay | This error indicates that the same authenticator is used twice. This can be caused by a hacker attack. |
0x19 | Preauthentication error | The client did not send preauthentication, or did not send the appropriate type of preauthentication, to receive a ticket. The client will retry with the appropriate kind of preauthorization (the KDC returns the preauthentication type in the error). |
0x25 | Clock skew too great | There is time discrepancy between client and server or client and KDC. To resolve this issue, synchronize time between the client and the server. |
0x26 | Bad address in Kerberos session tickets | Session tickets include the addresses from which they are valid. This error can occur if the address sending the ticket is different from the valid address in the ticket. A possible cause of this could be an Internet Protocol(IP) address change. In Windows 2000, this change is dynamic and existing cached tickets could be invalidated. Another possible cause is when a ticket is passed through a proxy server. The client is unaware of the address scheme used by the proxy server, so unless the program caused the client to request a proxy server ticket with the proxy server’s source address, the ticket could be invalid. |
0x3C | Generic error | A generic error that may be a memory allocation failure. The event logs may be useful if this error occurs. |
0x29 | Kerberos AP exchange error | This indicates that the server was unable to decrypt the ticket sent by a client, meaning that the server does not know its own secret key, or the client received the ticket from a KDC that did not know the server’s key. This can be tested by determining if the server can obtain a ticket to itself, or if anybody else can locate the server. The secure channel used by NTLM is also an indicator of the validity of the password on local machine accounts. |
Enabling Advanced Kerberos Event Logging Advanced Kerberos event logging can be enabled using the following Windows registry hack. Set the Loglevel registry key (REG_DWORD) to value 1. Loglevel is located in the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters.
5.6.2 Troubleshooting tools
Microsoft delivers several tools to troubleshoot Kerberos (see Table 5.13). They are spread across the resource kit, the support tools, and the platform SDK. Most of them are command prompt tools.
Tool | Comments |
---|---|
mytoken.exe (Platform SDK) | Command prompt tool to display the content of a user’s access token: This includes the user’s rights and group memberships. |
whoami.exe (Default Windows installation) | Command line tool to look at the content of the user’s access token (use the /all switch). |
klist (Resource Kit) | Command prompt tool to look at the local Kerberos ticket cache. Klist can also be used to purge tickets. Klist is a very simple but very important tool that you can use to find out how far the authentication got. |
Kerbtray (Resource Kit) | GUI tool that displays the content of the local Kerberos ticket cache. |
Netdiag (Support tools) | Netdiag helps isolate networking and connectivity problems by providing a series of tests to determine the state of your network client. One of the “NETDIAG” tests is the Kerberos test. To run the Kerberos test, type “netdiag /test:Kerberos” at the command prompt. |
Replication monitor (replmon) (Support tools) | Using Replication monitor, an administrator can not only check the replication traffic but also the number of AS and TGS requests and the FSMO roles. |
Network monitor (Server CD) | Network monitor does not come out of the box with a parser for the Kerberos protocol. However, a special Kerberos parser dll is available from Microsoft. |
Setspn (Support Tools) | Tool allowing you to manage (view, reset, delete, add) service principal names (SPNs). |
Категории