Discussion:
User kerberos problems over VPN
Scott Moseman
2011-01-24 23:00:13 UTC
I'm working in a Windows 2003 domain with an odd authentication
problem. Randomly, or so it seems, users will get "Access Denied"
messages when mapping to network resources after connecting over VPN.
I have not heard of anyone having this problem locally on the LAN. On
the Active Directory servers, the Security event log is showing a
Kerberos authentication error.

Authentication Ticket Request
Result Code: 0x6 ("Client not found in Kerberos database")

What could cause a remotely connected user to randomly have this
problem?

Thanks!
Peter Foldes
2011-01-25 04:38:57 UTC
Scott Moseman
2011-01-25 20:06:50 UTC
This is an Event ID 672 "Failure Audit"; so the 0x6 result code is a
Kerberos error code.

Kerberos Error Number: 0x6
Kerberos Error Code: KDC_ERR_C_PRINCIPAL_UNKNOWN
Description: Client not found in Kerberos database.

However, I do not understand why this shows up over a VPN connection,
but not on the LAN.
DaveMo
2011-02-20 17:01:51 UTC
Post by Scott Moseman
> This is an Event ID 672 "Failure Audit"; so the 0x6 result code is a
> Kerberos error code.
>
> Kerberos Error Number: 0x6
> Kerberos Error Code: KDC_ERR_C_PRINCIPAL_UNKNOWN
> Description: Client not found in Kerberos database.
>
> However, I do not understand why this shows up over a VPN connection,
> but not on the LAN.

I can't give you an answer, but I can suggest a few additional
troubleshooting steps:

- Is the condition intermittent when it does occur? If the user sees
this message, does it always happen for the duration of their VPN
session?
- Do certain users see this more frequently than others? If so, is
there a difference in their accounts or in the way they connect
through VPN?
- Is it only certain resources that exhibit the problem, or is it any
resource that the user tries to access during the session?
- If you can do additional troubleshooting in one of the user
sessions that is having the problem, I would suggest doing some tests
with KLIST and/or kerbtray. Does the user have a TGT? Can a ticket be
requested for the server that is causing a problem?

For Kerberos issues, you want to figure out whether the problem is
user, workstation or resource based. All three parties are involved
and each can cause the problem. There is an updated version of KLIST
at http://www.securitay.com/support/freeutils.aspx that has additional
capabilities handy for troubleshooting.

HTH
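
One way to work through the questions above against an export of the domain controllers' Security log, as an added example that is not part of the original thread: it tallies Event ID 672 failures with result code 0x6 by user, client address, service and origin. The one-event-per-line export layout, the sample records and the `VPN_POOL` range are constructed assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

VPN_POOL = ip_network("10.8.0.0/24")  # assumption: address pool handed to VPN clients
FIELD = re.compile(r"(User Name|Service Name|Result Code|Client Address):\s*(\S+)")

# Constructed sample: one Event ID 672 description per line (flattened export).
SAMPLE = """\
User Name: jsmith  Service Name: krbtgt/EXAMPLE  Result Code: 0x6  Client Address: 10.8.0.23
User Name: jsmith  Service Name: krbtgt/EXAMPLE  Result Code: 0x6  Client Address: 10.8.0.23
User Name: mlee  Service Name: krbtgt/EXAMPLE  Result Code: 0x6  Client Address: 10.8.0.41
User Name: mlee  Service Name: krbtgt/EXAMPLE  Result Code: 0x18  Client Address: 192.168.1.50
User Name: akhan  Service Name: krbtgt/EXAMPLE  Result Code: 0x6  Client Address: 192.168.1.77
"""

def parse(text):
    """Return one {field: value} dict per non-empty line."""
    return [dict(FIELD.findall(line)) for line in text.splitlines() if line.strip()]

def origin_of(addr):
    """Classify a client address as 'vpn', 'other' or 'unknown' (unparseable)."""
    try:
        return "vpn" if ip_address(addr) in VPN_POOL else "other"
    except ValueError:
        return "unknown"

def triage(events, code="0x6"):
    """Tally failures with the given result code by user, address, service and origin."""
    tally = {k: Counter() for k in ("user", "address", "service", "origin")}
    for ev in events:
        if ev.get("Result Code", "").lower() != code:
            continue  # only the result code under investigation
        addr = ev.get("Client Address", "")
        tally["user"][ev.get("User Name", "?")] += 1
        tally["address"][addr] += 1
        tally["service"][ev.get("Service Name", "?")] += 1
        tally["origin"][origin_of(addr)] += 1
    return tally

if __name__ == "__main__":
    for key, counts in triage(parse(SAMPLE)).items():
        print(key, counts.most_common())
```

A tally dominated by a few users or a few client addresses points at the account or the workstation, while an even spread across the VPN pool points at the connection path.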
