5 Replies Latest reply on Mar 9, 2018 7:52 PM by vkaufmann

    Kerberos Error

    Ashwin.Kumar

      Hi Community,

      We are continuously getting these logs in AF Server. Could anyone please advise whether we need to take any action on this or whether we can ignore it?

        • Re: Kerberos Error
          Lal_Babu_Shaik

          Hi Ashwin,

           

          Could you please check the service account you configured for AF service and AF message logs for the same?

            • Re: Kerberos Error
              Ashwin.Kumar

              Babu, thanks for your reply.

              The AF service is running using the same service account (service_PI_af) which I highlighted in my earlier email. We are just receiving this error in the Windows system logs.

              If we look closely, I am getting a repetitive error every second.

              For example:

              00:00:01 if I am getting Error Code: 0x44 KDC_ERR_WRONG_REALM

              00:00:01 then immediately I am getting another error log with Error Code:"0x19 KDC_ERR_PREAUTH_REQUIRED"

              After 3 seconds I am again getting 0x44 KDC_ERR_WRONG_REALM.

              So this is what is happening continuously.

              Please advise me here.

              Thank you

              Ashwin

                • Re: Kerberos Error
                  Lal_Babu_Shaik

                  Hi Ashwin,

                   

                  Looks like your service account has an issue with domain authentication. Could you please ask your Windows/Wintel team to check the user ID in the domain and check that the service account is added to the correct domain? If Active Directory authentication has failed, then you have an impact on AF security with Windows logon.

              • Re: Kerberos Error
                gmichaud-verreault

                Actually, this error can be ignored: "0x19 KDC_ERR_PREAUTH_REQUIRED". This error is only logged when Kerberos logging is enabled. These messages are a normal part of the Kerberos authentication process and do not indicate a problem. Per Microsoft's documentation, it is recommended to turn off Kerberos event logging when not troubleshooting Kerberos.

                 

                You can take a look at this post for more info.

                TL;DR

                The KDC (Key Distribution Center) requires all accounts to use pre-authentication. However, pre-authentication can be disabled for individual accounts when necessary for compatibility with other implementations of the protocol.

                How to disable pre-authentication?

                If the box “Do not require Kerberos pre-authentication” was checked on the user account properties then we would never see the error “KDC_ERR_PREAUTH_REQUIRED” message in a trace.

                 

                -----------

                KDC_ERR_WRONG_REALM

                This error may occur when a client requests a TGT from a domain controller for a domain to which the client does not belong. This error refers the client to the correct domain and does not indicate a problem. You can read more about it here.

                4 of 4 people found this helpful
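
The triage described in the last reply, as an added example that is not part of the thread or any poster's code: it parses lines in the "Error Code: 0x.. NAME" shape quoted above, counts the two codes the reply calls normal, and sets everything else aside. The sample lines, the 0x18 entry and the function names are constructed for illustration, and treating any other code as "review" is an assumption.

```python
import re
from collections import Counter

# Codes the thread above describes as a normal part of Kerberos authentication.
EXPECTED = {0x19: "KDC_ERR_PREAUTH_REQUIRED", 0x44: "KDC_ERR_WRONG_REALM"}

# Matches the shape quoted in the thread: Error Code: 0x44 NAME or Error Code:"0x19 NAME"
ERROR_RE = re.compile(r'Error Code:\s*"?(0x[0-9A-Fa-f]+)\s+([A-Z0-9_]+)')

# Constructed sample lines (not real log output). The 0x18 entry is included
# only to show a code that the thread does not cover.
SAMPLE = """\
00:00:01 Error Code: 0x44 KDC_ERR_WRONG_REALM
00:00:01 Error Code:"0x19 KDC_ERR_PREAUTH_REQUIRED"
00:00:04 Error Code: 0x44 KDC_ERR_WRONG_REALM
00:00:04 Error Code: 0x19 KDC_ERR_PREAUTH_REQUIRED
00:00:05 Error Code: 0x18 KDC_ERR_PREAUTH_FAILED
00:00:06 service started
"""

def triage(text):
    """Return (expected, review, unparsed): two Counters keyed by (code, name) and a list of raw lines."""
    expected, review, unparsed = Counter(), Counter(), []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ERROR_RE.search(line)
        if m is None:
            unparsed.append(line)
            continue
        code, name = int(m.group(1), 16), m.group(2)
        # Require both the number and the name to match, so a mislabelled
        # line is not silently filed as noise.
        if EXPECTED.get(code) == name:
            expected[(code, name)] += 1
        else:
            review[(code, name)] += 1
    return expected, review, unparsed

def report(text):
    """Format the triage result as one line per (code, name) pair."""
    expected, review, unparsed = triage(text)
    lines = [f"expected 0x{c:02x} {n}: {k}" for (c, n), k in sorted(expected.items())]
    lines += [f"REVIEW   0x{c:02x} {n}: {k}" for (c, n), k in sorted(review.items())]
    lines.append(f"unparsed lines: {len(unparsed)}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(SAMPLE))
```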