I'm assuming this is in PSE from a client node to the AF Server? Can you try directly on the AF Server? If you can access the table directly on the AF Server, then Kerberos delegation is not working correctly.
Things to check:
1) If your services (AF and SQL) are using a custom service account, are the SPNs properly configured for both hostname and FQDN?
(For SQL the syntax is the same; just change AFServer to MSSQLSvc: How to Configure an SPN for SQL Server Site Database Servers)
2) Is the delegation tab for the AF Service account properly configured for delegation? If using constrained delegation, is the MSSQL service listed in the list of services to delegate to?
3) Have you confirmed that your user account is not marked as sensitive and cannot be delegated?
Hope this helps,
Hi Sebastien, all,
Yes, this is in PSE from a client node to the AF Server, and it works directly on the AF server.
And all the things you described in your previous message are in place and correct; we checked all delegation and SPNs with the domain administrator.
The strange thing is that sometimes it works and sometimes it doesn't.
Also strange is that a restart of the AF Service on the AF server fixes this issue, and it works for some time, then it breaks again; to fix it we either restart the AF Service or wait until it fixes itself (and then it breaks again after some time).
Also one thing to mention: it's an upgrade from AF Server 2016 to AF Server 2017 SP2.
It doesn't make sense why an AF Service restart fixes the issue; it looks like it cleans something, maybe the Kerberos ticket cache or something else.
(attachment: Login Failed for users ANONYMOUS.jpg, 527.4 KB)
When AF Service starts, it attempts to auto-create the SPN necessary for Kerberos authentication; perhaps this is why it works again after a restart? So maybe somehow the SPNs are getting removed, at which point you start getting the anonymous logons. When the connection is working, have you verified that the SPN is present? And then during the issue time period, is the SPN still there?
When the issue occurs, does it occur for all users across the site at the same time? Do other users from other client machines experience the same issue?
As @Gavin Chen suggested, could you please check the SPN setup for Kerberos? You may try the command below to check the SPNs set for the AF service account and the related server:
setspn -l domain\useraccount
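The checklist in the first reply (SPNs for both host name and FQDN, the delegation tab, and the "sensitive and cannot be delegated" flag) and the setspn suggestion above can be verified in one pass. The following PowerShell script is an added example, not code from this thread or from OSIsoft; it assumes the ActiveDirectory RSAT module is installed, that the AF and SQL services run under user (not computer) accounts, and every account, host and domain name in it is a placeholder. Beyond the checklist it also flags duplicate SPNs, since an SPN registered on two accounts fails Kerberos the same way a missing one does.

```powershell
# Added example, not code from the thread or from OSIsoft. Checks the three
# checklist items (SPNs for host and FQDN, delegation configuration, and the
# "sensitive, cannot be delegated" flag) for custom AF and SQL service
# accounts. Requires the ActiveDirectory RSAT module.
# Every account and host name below is a placeholder for your environment.
param(
    [string]$AfServiceAccount  = 'svc-afserver',      # placeholder (sAMAccountName)
    [string]$SqlServiceAccount = 'svc-sql',           # placeholder (sAMAccountName)
    [string]$AfHost            = 'afserver01',        # placeholder short host name
    [string]$SqlHost           = 'sqlserver01',       # placeholder short host name
    [string]$DnsDomain         = 'corp.example.com',  # placeholder DNS suffix
    [int]   $SqlPort           = 1433,
    [string]$EndUser           = 'jdoe'               # placeholder user who sees ANONYMOUS LOGON
)
Import-Module ActiveDirectory

# The SPNs each service account should carry: short name and FQDN, as the
# checklist says. The SQL SPN also carries the instance port.
$afSpns  = @("AFServer/$AfHost", "AFServer/$AfHost.$DnsDomain")
$sqlSpns = @("MSSQLSvc/${SqlHost}:${SqlPort}", "MSSQLSvc/${SqlHost}.${DnsDomain}:${SqlPort}")

function Test-AccountSpns {
    param([string]$Account, [string[]]$ExpectedSpns)
    $user = Get-ADUser -Identity $Account -Properties ServicePrincipalName
    foreach ($spn in $ExpectedSpns) {
        # A duplicate SPN (same SPN on two objects) breaks Kerberos just as a
        # missing one does, so count every directory object that carries it.
        $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
        [pscustomobject]@{
            Account   = $Account
            SPN       = $spn
            Present   = [bool]($user.ServicePrincipalName -contains $spn)
            Duplicate = ($holders.Count -gt 1)
        }
    }
}

function Get-DelegationState {
    param([string]$Account, [string[]]$TargetSpns)
    $props = 'TrustedForDelegation', 'TrustedToAuthForDelegation', 'msDS-AllowedToDelegateTo'
    $user = Get-ADUser -Identity $Account -Properties $props
    $allowed = @($user.'msDS-AllowedToDelegateTo')
    # For constrained delegation every SQL SPN must appear in the allowed list
    # (the "services to delegate to" box on the Delegation tab).
    $listed = @($TargetSpns | Where-Object { $allowed -contains $_ }).Count -eq $TargetSpns.Count
    [pscustomobject]@{
        Account                = $Account
        Unconstrained          = [bool]$user.TrustedForDelegation
        ConstrainedAnyProtocol = [bool]$user.TrustedToAuthForDelegation
        AllowedToDelegateTo    = $allowed
        SqlTargetsListed       = $listed
    }
}

function Test-UserCanBeDelegated {
    param([string]$User)
    $u = Get-ADUser -Identity $User -Properties AccountNotDelegated
    # "Account is sensitive and cannot be delegated" sets this flag; with it
    # on, the AF service cannot forward the user's identity to SQL.
    [pscustomobject]@{ User = $User; SensitiveCannotBeDelegated = [bool]$u.AccountNotDelegated }
}

Test-AccountSpns -Account $AfServiceAccount  -ExpectedSpns $afSpns  | Format-Table -AutoSize
Test-AccountSpns -Account $SqlServiceAccount -ExpectedSpns $sqlSpns | Format-Table -AutoSize
Get-DelegationState -Account $AfServiceAccount -TargetSpns $sqlSpns | Format-List
Test-UserCanBeDelegated -User $EndUser | Format-Table -AutoSize
```

If either service runs as a computer account (for example Network Service), replace Get-ADUser with Get-ADComputer in that check; the property names are the same. Any row with Present false or Duplicate true, or SqlTargetsListed false when constrained delegation is in use, is the misconfiguration the checklist is looking for.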
The SPN is in place and correct; the AF Service account doesn't have access to create SPNs, it's created at the domain level by the domain admin and it's present, so this shouldn't be the problem. The issue occurs for all users across the site at the same time.
Also there is a Kerberos error message (see attachment); not sure if it could cause the issue.
(attachment: kerberos log in win event.jpg, 36.8 KB)
From what I'm reading online, the error you are showing is a result of invalid pre-authentication information. You can find the information here:
According to the above article (which is not official Microsoft documentation; I couldn't find anything on the Microsoft website), this happens when a TGT is requested and the ticket request fails, the most likely cause being an invalid password. Do you frequently change the password for the service account running the PI AF Application Service? Is it possible that the service is running with an outdated password?
Otherwise, some next steps would be to verify the tickets on the AF Server while the issue is occurring. You can do this by running the command klist: klist | Microsoft Docs
There might be some information in the security logs on your DC as well as to why the ticket request failed. If logon auditing is not enabled, it may be worth it to enable it temporarily to get some additional information.
Hope this helps,
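The two follow-up steps above (inspect the ticket cache on the AF Server with klist, and check the DC's Security log for why the TGT request failed) can be scripted so they are captured at the moment the issue recurs. The script below is an added example, not code from this thread or from OSIsoft. It assumes it is run elevated on the AF Server, that the AF service runs under a domain user account, that the line format printed by `klist sessions` places the logon session LUID before the account name, and that the DC has the Kerberos Authentication Service audit policy enabled; the account and DC names are placeholders.

```powershell
# Added example, not code from the thread or from OSIsoft. Run on the AF
# Server while the ANONYMOUS LOGON failures are happening. It (1) lists the
# Kerberos tickets cached in the AF service account's own logon session and
# flags a missing TGT, and (2) pulls TGT request events (4768 = TGT issued,
# 4771 = pre-authentication failed) for that account from a DC's Security log.
# Run elevated: "klist -li" needs admin rights to read another session's
# cache, and the DC query needs Event Log Readers (or admin) on the DC plus
# the "Audit Kerberos Authentication Service" policy enabled there.
# All names below are placeholders.
param(
    [string]$ServiceAccount   = 'CORP\svc-afserver',      # placeholder DOMAIN\user
    [string]$DomainController = 'dc01.corp.example.com',  # placeholder
    [int]   $LookbackMinutes  = 60
)

function Get-LogonSessionLuid {
    param([string]$Account)
    # "klist sessions" prints one line per logon session. The line shape
    # assumed here is "[n] Session 0 0:0x3e4 CORP\svc-afserver Kerberos:...",
    # so the LUID is the token immediately before the account name.
    foreach ($line in (klist sessions)) {
        if ($line -match '0:(0x[0-9A-Fa-f]+)\s+(\S+)' -and $Matches[2] -ieq $Account) {
            return $Matches[1]
        }
    }
    return $null
}

function Get-CachedTickets {
    param([string]$Luid)
    # Without a LUID klist shows the current session; with -li it shows the
    # given session's cache (this is where the service account's TGT lives).
    $klistArgs = if ($Luid) { @('-li', $Luid) } else { @() }
    $tickets = @(); $cur = $null
    foreach ($line in (& klist.exe @klistArgs)) {
        if ($line -match '^\s*#\d+>\s+Client:\s+(.+)$') {
            $cur = [ordered]@{ Client = $Matches[1].Trim() }
        } elseif ($cur -and $line -match '^\s*Server:\s+(.+)$') {
            $cur.Server = $Matches[1].Trim()
        } elseif ($cur -and $line -match '^\s*End Time:\s+(.+)$') {
            $cur.EndTime = $Matches[1].Trim()
            $tickets += [pscustomobject]$cur; $cur = $null
        }
    }
    return $tickets
}

function Get-TgtEvents {
    param([string]$Dc, [string]$Account, [int]$Minutes)
    $sam = ($Account -split '\\')[-1]
    $filter = @{ LogName = 'Security'; Id = 4768, 4771; StartTime = (Get-Date).AddMinutes(-$Minutes) }
    $events = Get-WinEvent -ComputerName $Dc -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['TargetUserName'] -ieq $sam) {
            [pscustomobject]@{
                Time   = $e.TimeCreated
                Id     = $e.Id            # 4768 = TGT issued, 4771 = pre-auth failed
                Status = $data['Status']  # 0x0 ok; 0x18 wrong password; 0x12 account disabled/locked/expired
                Client = $data['IpAddress']
            }
        }
    }
}

$luid = Get-LogonSessionLuid -Account $ServiceAccount
if (-not $luid) { Write-Warning "No logon session found for $ServiceAccount; showing the current session instead." }
$tickets = Get-CachedTickets -Luid $luid
$tickets | Format-Table Client, Server, EndTime -AutoSize
if (-not ($tickets | Where-Object { $_.Server -like 'krbtgt/*' })) {
    Write-Warning "No TGT cached for this session: the account could not authenticate to the KDC (check the password stored for the service)."
}
Get-TgtEvents -Dc $DomainController -Account $ServiceAccount -Minutes $LookbackMinutes | Format-Table -AutoSize
```

A run of 4771 events with Status 0x18 for the service account, paired with an empty ticket cache that fills again only after the service restarts, would match the outdated-password explanation in the reply above; a cache that still holds a valid TGT while users get ANONYMOUS LOGON points instead at the delegation hop between AF and SQL.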