Event ID 3 Kerberos KDC_ERR_S_PRINCICAL_UNKNOWN

**Delil** · 05-03-2007

We are running a Windows 2003 server since long time with several users connected. Since past few days users started complaining for slow logon. When we started troubleshooting I found a load of error messages in my Event Viewer along with KDC_ERR_BADOPTION messages also. Event Viewer log is as follows:

05/03/2007 12:33:36 Kerberos Error None 3 N/A DCAADC001 "A Kerberos Error
Message was received:
on logon session
Client Time:
Server Time: 12:33:36.0000 3/5/2007 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm: domain.com
Server Name: host/dc1.domain.com
Target Name: host/dc1.domain.com@domain.com
Error Text:
File: 9
Line: ae0
Error Data is in record data."

05/03/2007 12:29:00 Kerberos Error None 3 N/A DCAADC001 "A Kerberos Error
Message was received:
on logon session
Client Time:
Server Time: 12:29:0.0000 3/5/2007 Z
Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
Extended Error:
Client Realm:
Client Name:
Server Realm: domain.com
Server Name: cifs/127.0.0.1
Target Name: cifs/127.0.0.1@domain.com
Error Text:
File: 9
Line: ae0
Error Data is in record data."

**Manik** · 05-03-2007

As per the log, I guess any of your user is making a request for a ticket for a service that Kerberos is not aware at all. So I think enabling the tracing on Kerberos will help you get the cause what is the actually problem. You can enable the same with the following steps:

Start Registry Editor.Add the following registry value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Registry Value:
LogLevel

Value Type:
REG_DWORD

Value D

ata:
0x1

If the Parameters subkey does not exist, create it.

**Delil** · 05-03-2007

I appreciate your help Manik. As you suggested I have enabled loggin. Since then I getting the following message: (0xd and 0x7) on the only 2 DCs. Still I’m not able to understand why there is the cifs/127.0.0.1 setup as the Server Name and Target Name.

Running Kerbtray, I see that when I am logged in I have connections to:
cifs/SAN1 (not 127.0.0.1)
host/DC1
krbtgt/domain.loc

When I look at the Encryption types, the Ticket Encryption Type and Key Encryption Type are the same for cifs and host but the Key Encryption Type is different (etype 0) for the krbtgt.

**Wooody** · 06-03-2007

Still i'm not able t understand the situation properly. I mean, there should be a copy function, just paste it in to the news reader. Or better post the actual message shown from the event log.