6 Replies Latest reply on Mar 19, 2018 9:17 PM by sraposo

    login failed when open af linked table

    Saken

      Hi,

      Getting the following error message (attachment) when trying to open an AF linked table from System Explorer.

      The table is linked to a SQL Server DB; there is Kerberos delegation from the SQL service account (SQL Server DB) to the AF service account,

      and the user trying to open the linked table also has read access to the SQL Server DB.

      AF server principal name is also created.

      What else should we look at? Any possible reasons for this issue?

       

      thanks,

      S

        • Re: login failed when open af linked table
          sraposo

          Hi Saken,

           

          I'm assuming this is in PSE from a client node to the AF Server? Can you try directly on the AF Server? If you can access the table directly on the AF Server then Kerberos delegation is not working correctly.

           

          Things to check:

           

          1) If your services (AF and SQL) are using a custom service account, are the SPNs properly configured for both hostname and FQDN?

           


           

          (For SQL the syntax is the same, just change AFServer for MSSQLSvc: How to Configure an SPN for SQL Server Site Database Servers)

           

          2) Is the delegation tab for the AF Service account properly configured for delegation? If using constrained delegation, is the MSSQL service listed in the list of services to delegate to?

           


           

          3) Have you confirmed that your user account is not marked as sensitive and cannot be delegated?

           

           

          Hope this helps,

          Seb

          2 of 2 people found this helpful
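
The three checks listed in the reply above, as an added read-only PowerShell example (not part of the original post or any vendor tooling). It assumes the ActiveDirectory RSAT module and custom service accounts that are user objects; every account and host name below is a placeholder.

```powershell
# Added example: read-only checks for SPNs, delegation and the "sensitive" flag.
# Requires the ActiveDirectory module (RSAT). Every name below is a placeholder.
Import-Module ActiveDirectory

$AfAccount  = 'svc-af'                              # account running the AF service
$SqlAccount = 'svc-sql'                             # account running SQL Server
$AfHosts    = 'afsrv01',  'afsrv01.example.com'     # short hostname and FQDN
$SqlHosts   = 'sqlsrv01', 'sqlsrv01.example.com'
$EndUser    = 'jdoe'                                # user opening the linked table

function Test-SpnPair {
    param([string]$Account, [string]$ServiceClass, [string[]]$HostNames)
    $spns = @((Get-ADUser $Account -Properties ServicePrincipalName).ServicePrincipalName)
    foreach ($h in $HostNames) {
        # Exact host match, optionally followed by :port or :instance (SQL Server).
        $pattern = '^{0}/{1}(:.+)?$' -f [regex]::Escape($ServiceClass), [regex]::Escape($h)
        [pscustomobject]@{
            Account  = $Account
            Expected = "$ServiceClass/$h"
            Present  = [bool]($spns -match $pattern)
        }
    }
}

# 1) SPNs registered for both hostname and FQDN on each service account
@(Test-SpnPair $AfAccount  'AFServer' $AfHosts) +
@(Test-SpnPair $SqlAccount 'MSSQLSvc' $SqlHosts) | Format-Table -AutoSize

# 2) Delegation settings on the AF service account
$af = Get-ADUser $AfAccount -Properties TrustedForDelegation,
        TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
[pscustomobject]@{
    Account            = $af.SamAccountName
    Unconstrained      = $af.TrustedForDelegation
    ProtocolTransition = $af.TrustedToAuthForDelegation
    DelegatesToSql     = [bool]($af.'msDS-AllowedToDelegateTo' -match '^MSSQLSvc/')
    AllowedTargets     = $af.'msDS-AllowedToDelegateTo' -join '; '
} | Format-List

# 3) "Account is sensitive and cannot be delegated" on the end user
Get-ADUser $EndUser -Properties AccountNotDelegated |
    Select-Object SamAccountName, AccountNotDelegated | Format-List
```

With constrained delegation, `DelegatesToSql` should be True and `AllowedTargets` should list the same MSSQLSvc SPNs that check 1 reports as present; `AccountNotDelegated` must be False for the user's identity to be passed on to SQL Server.
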
          • Re: login failed when open af linked table
            Saken

            Hi Sebastien, All

            Yes, this is in PSE from a client node to the AF Server and it works directly on the AF server.

            And all the things you described in the previous message are in place and correct; we checked all delegation and SPNs with the domain administrator.

            The strange thing is that sometimes it works and sometimes it doesn't.

            Another strange thing is that a restart of the AF Service on the AF server fixes this issue and it works for some time, then it breaks again, and to fix it we either restart the AF Service or wait until it fixes itself (and then it breaks again after some time).

            Also one thing to mention: it's an upgrade from AF Server 2016 to AF Server 2017 SP2.

             

            It doesn't make sense why an AF Service restart fixes the issue; it looks like it cleans something, maybe the Kerberos ticket cache or something else.

             

             

            thanks,

            S

              • Re: login failed when open af linked table
                gachen

                When AF Service starts, it attempts to auto-create the SPN necessary for Kerberos authentication; perhaps this is why it works again after a restart? So maybe somehow the SPNs are getting removed, at which point you start getting the anonymous logons. When the connection is working, have you verified that the SPN is present? And then during the issue time period, is the SPN still there?

                 

                When the issue occurs, does it occur for all users across the site at the same time? Do other users from other client machines experience the same issue?

                1 of 1 people found this helpful
                • Re: login failed when open af linked table
                  LalBabuShaik

                  Hi Saken

                   

                  As @Gavin Chen suggested, could you please check the SPN setup for Kerberos? You may try the command below to check the SPNs set for the AF service and related server:

                   

                  setspn -l domain\useraccount

                    • Re: login failed when open af linked table
                      Saken

                      Hi All,

                      SPN is in place and correct. The AF Service account doesn't have access to create SPNs; it's created on the domain level by a domain admin and it's present, so this shouldn't be a problem. The issue occurs for all users across the site at the same time.

                      Also there is some Kerberos error message (see attachment), not sure if it could cause the issue.

                       

                       

                      thanks,

                      S

                        • Re: login failed when open af linked table
                          sraposo

                          Hi Saken,

                           

                          From what I'm reading online, the error you are showing is a result of invalid pre-authentication information. You can find the information here:

                           

                          Windows Security Log Event ID 4771 - Kerberos pre-authentication failed

                           

                          According to the above article (which is not official Microsoft documentation; I couldn't find anything on the Microsoft website), this happens when a TGT is requested and the ticket request fails. The most likely possibility being an invalid password. Do you frequently change the password for the service account running the PI AF Application Service? Is it possible that the service is running with an outdated password?


                          Otherwise, some next steps would be to verify the tickets on the AF Server while the issue is occurring. You can do this by running the command klist: klist | Microsoft Docs

                           

                          There might be some information in the security logs on your DC as well as to why the ticket request failed. If logon auditing is not enabled, it may be worth it to enable it temporarily to get some additional information.

                           

                          Hope this helps,
                          Seb
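
One way to follow up on the Event ID 4771 suggestion above, as an added PowerShell example (not part of the original post). It assumes it is run from an elevated prompt on a domain controller with Kerberos authentication auditing enabled; the account name is a placeholder.

```powershell
# Added example: summarise Kerberos pre-authentication failures (Event ID 4771)
# for one service account. Run elevated on a domain controller.
$Account = 'svc-af'                      # placeholder: account running the AF service
$Since   = (Get-Date).AddHours(-24)

# Result codes commonly recorded in 4771 (Kerberos error numbers from RFC 4120).
$Meaning = @{
    '0x10' = 'Pre-authentication type not supported'
    '0x17' = 'Password has expired'
    '0x18' = 'Pre-authentication failed (usually a wrong or outdated password)'
    '0x25' = 'Clock skew too great between client and DC'
}

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4771; StartTime = $Since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Flatten <EventData><Data Name="...">value</Data> into a hashtable.
    $d = @{}
    ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    if ($d.TargetUserName -ne $Account) { continue }

    $text = $Meaning[[string]$d.Status]
    if (-not $text) { $text = 'Other; see RFC 4120 error codes' }

    [pscustomobject]@{
        Time    = $e.TimeCreated
        Account = $d.TargetUserName
        Client  = $d.IpAddress           # host that sent the failing AS request
        Status  = $d.Status
        Meaning = $text
    }
}

# Which client keeps failing, and with which code?
$rows | Group-Object Client, Status |
    Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Most recent failures in detail
$rows | Sort-Object Time -Descending | Select-Object -First 10 | Format-Table -AutoSize
```

A steady run of `0x18` from a single client address points at a host still using an outdated password for that account, which matches the question raised in the reply.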