Kerberos error KDC_ERR_BADOPTION

on 05.06.2006 18:21:58 by Tim

We are trying to configure an IIS 6.0 server for Kerberos but are receiving
the error KDC_ERR_BADOPTION. We followed this link
http://msdn.microsoft.com/msdnmag/issues/05/09/SecurityBriefs/ to help with
the initial setup.



Our environment is as such:

- Windows 2000 domain

- Server set up in AD to trust delegation

- App pool ID set up in AD to trust delegation

- Enabled Kerberos logging: http://support.microsoft.com/?id=262177

- Forced Kerberos to use TCP: http://support.microsoft.com/kb/244474

- Forced precedence of Kerberos over NTLM:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/kerbnlb.mspx



Any assistance would be greatly appreciated.



-Tim

RE: Kerberos error KDC_ERR_BADOPTION

on 06.06.2006 13:43:20 by wjzhang

Hi Tim,

Please make sure the client that connects to the server has 'enable integrated
authentication' selected in IE Internet Options -> Advanced. Otherwise the
authentication protocol will be NTLM instead of Kerberos.

Another point is that you should change the site's application pool's
identity to Local System, since you've enabled the computer to be trusted for
delegation in AD.

Best regards,

WenJun Zhang
Microsoft Online Partner Support

This posting is provided "AS IS" with no warranties, and confers no rights.

Re: Kerberos error KDC_ERR_BADOPTION

on 06.06.2006 20:49:58 by Tim

Still no luck. The clients were already configured with integrated
authentication and the site was added to the Local Intranet zone but the
client still looks to be authenticating through NTLM. Both IIS on the web
and SQL 2000 are set to run under local system.

From the web server:
Successful Network Logon:
User Name: userName
Domain: domainName
Logon ID: (0x0,0x1B8804)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: workstationName
Logon GUID: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 10.1.1.105
Source Port: 1327



"WenJun Zhang[msft]" wrote in message
news:qC$ov5ViGHA.5608@TK2MSFTNGXA01.phx.gbl...
> Hi Tim,
>
> Please make sure the client that connects to the server has 'enable integrated
> authentication' selected in IE Internet Options -> Advanced. Otherwise the
> authentication protocol will be NTLM instead of Kerberos.
>
> Another point is that you should change the site's application pool's
> identity to Local System, since you've enabled the computer to be trusted
> for delegation in AD.
>
> Best regards,
>
> WenJun Zhang
> Microsoft Online Partner Support
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
>
>
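The Security log event Tim pasted is the quickest way to tell which package a client actually authenticated with: "Authentication Package: NTLM" on a type 3 (network) logon means the Kerberos path was never taken for that request. The script below is an added example, not from the thread or from Microsoft; it parses the "Field: value" layout of those Windows 2000/2003 logon events, counts network logons per authentication package, and lists the clients that fell back to NTLM, so an admin can see whether the fallback is universal or limited to one workstation. The first sample event is the one from the post; the second, a Kerberos logon from 10.1.1.106, is constructed here for contrast.

```python
from collections import defaultdict

# Constructed sample: the "Successful Network Logon" event from the post above, plus a
# second event made up here to show a Kerberos logon in the same Security-log format.
SAMPLE_EVENTS = [
    """Successful Network Logon:
User Name: userName
Domain: domainName
Logon ID: (0x0,0x1B8804)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: workstationName
Source Network Address: 10.1.1.105
Source Port: 1327""",
    """Successful Network Logon:
User Name: otherUser
Domain: domainName
Logon ID: (0x0,0x1C0000)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Source Network Address: 10.1.1.106
Source Port: 1402""",
]


def parse_event(text):
    """Turn the 'Field: value' lines of a logon event into a dict; the first line is the title."""
    lines = text.strip().splitlines()
    event = {"Title": lines[0].rstrip(":")}
    for line in lines[1:]:
        key, _, value = line.partition(":")   # split on the first colon only: values like (0x0,0x1B8804) stay intact
        event[key.strip()] = value.strip()
    return event


def ntlm_network_logons(events):
    """Return (source address, user) for network logons (type 3) that authenticated with NTLM."""
    fallbacks = []
    for text in events:
        ev = parse_event(text)
        if ev.get("Logon Type") == "3" and ev.get("Authentication Package", "").upper() == "NTLM":
            fallbacks.append((ev.get("Source Network Address"), ev.get("User Name")))
    return fallbacks


def package_summary(events):
    """Count network logons per authentication package: is NTLM universal or per-client?"""
    counts = defaultdict(int)
    for text in events:
        ev = parse_event(text)
        if ev.get("Logon Type") == "3":
            counts[ev.get("Authentication Package", "?")] += 1
    return dict(counts)


if __name__ == "__main__":
    print(package_summary(SAMPLE_EVENTS))
    for addr, user in ntlm_network_logons(SAMPLE_EVENTS):
        print(f"NTLM network logon: {user} from {addr}")
```

Run against a dump of the web server's Security log, the summary separates "Kerberos is broken for everyone" (only NTLM entries) from "one client cannot get a ticket" (a mix), which is the distinction the rest of this thread is trying to make.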

Re: Kerberos error KDC_ERR_BADOPTION

on 08.06.2006 15:57:45 by wjzhang

Hi Tim,

I suggest you use WFetch to perform a test and trace the raw data of the HTTP
request/response. It will ensure the Kerberos token can be properly sent to the
server side.

HOW TO: Use Wfetch.exe to Troubleshoot HTTP Connections
http://support.microsoft.com/default.aspx?scid=kb;en-us;284285

To use, please input:

Host: (Your servername)
Path: (The relative path of your page. e.g: /simple.htm)
Auth: (Select Kerberos and input the proper username/password)

Press Go! to issue an HTTP request to the server and check what response is
returned. You can paste the whole log data here for me to take a look.

Best regards,

WenJun Zhang
Microsoft Online Partner Support

This posting is provided "AS IS" with no warranties, and confers no rights.

Re: Kerberos error KDC_ERR_BADOPTION

on 09.06.2006 16:41:33 by Tim

Here is the output from the log:


started....
WWWConnect::Connect("http://vmdynamics.labtsc.com","80")\n
0x2af9 (No such host is known.): getaddrinfo()
finished.


"WenJun Zhang[msft]" wrote in message
news:$VCTLOwiGHA.4500@TK2MSFTNGXA01.phx.gbl...
> Hi Tim,
>
> I suggest you use WFetch to perform a test and trace the raw data of the HTTP
> request/response. It will ensure the Kerberos token can be properly sent to
> the server side.
>
> HOW TO: Use Wfetch.exe to Troubleshoot HTTP Connections
> http://support.microsoft.com/default.aspx?scid=kb;en-us;284285
>
> To use, please input:
>
> Host: (Your servername)
> Path: (The relative path of your page. e.g: /simple.htm)
> Auth: (Select Kerberos and input the proper username/password)
>
> Press Go! to issue an HTTP request to the server and check what response is
> returned. You can paste the whole log data here for me to take a look.
>
> Best regards,
>
> WenJun Zhang
> Microsoft Online Partner Support
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
>
>

Re: Kerberos error KDC_ERR_BADOPTION

on 09.06.2006 21:14:29 by Tim

Sorry about that, I didn't run the test correctly. I re-ran it and this was
the output:

started....
Reusing existing connection (source port 4210)\n
ISC_REQ_MUTUAL_AUTH | ISC_REQ_DELEGATE set\n
0x80090303 (The specified target is unknown or unreachable): Unable to
InitializeSecurityContext
finished.
WWWConnect::Close("vmdynamics","80")\n
closed source port: 4210\r\n


"WenJun Zhang[msft]" wrote in message
news:$VCTLOwiGHA.4500@TK2MSFTNGXA01.phx.gbl...
> Hi Tim,
>
> I suggest you use WFetch to perform a test and trace the raw data of the HTTP
> request/response. It will ensure the Kerberos token can be properly sent to
> the server side.
>
> HOW TO: Use Wfetch.exe to Troubleshoot HTTP Connections
> http://support.microsoft.com/default.aspx?scid=kb;en-us;284285
>
> To use, please input:
>
> Host: (Your servername)
> Path: (The relative path of your page. e.g: /simple.htm)
> Auth: (Select Kerberos and input the proper username/password)
>
> Press Go! to issue an HTTP request to the server and check what response is
> returned. You can paste the whole log data here for me to take a look.
>
> Best regards,
>
> WenJun Zhang
> Microsoft Online Partner Support
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
>
>

Re: Kerberos error KDC_ERR_BADOPTION

on 09.06.2006 21:40:28 by Tim

Ran the same test again using the IP instead of the host name and got this:

started....
Reusing existing connection (source port 4291)\n
ISC_REQ_MUTUAL_AUTH | ISC_REQ_DELEGATE set\n
SEC_I_CONTINUE_NEEDED\n
REQUEST: **************\n
GET /loader.aspx HTTP/1.1\r\n
Host: 10.1.1.201\r\n
Accept: */*\r\n
Connection: Keep-Alive\r\n
Authorization: Kerberos
YIIKcQYJKoZIhvcSAQICAQBuggpgMIIKXKADAgEFoQMCAQ6iBwMFACAAAACj ggSFYYIEgTCCBH2gAwIBBaEMGwpMQUJUU0MuQ09Noh0wG6ADAgECoRQwEhsE SFRUUBs
KMTAuMS4xLjIwMaOCBEcwggRDoAMCARehAwIBAqKCBDUEggQxt6zAFegMXIn TTftiqMGwWeBjqX7oCPMF667YyohsBpV+rcX2sd25wbZ1dRwl6FlMBBSY/w2 xinvSeBJIaaRpueEab9BKcNiZTPVZnI
OjUnye3/xSi4MvdWtLWJlplz4r7tJuEvKCB2X/pRbVMsxAZT3ou/GILSrR3s KiROXfIzFuasL+5gmfnOD5IbsrAC3fjBnIZ+OOeu4mMgC5s3ikLZ0GeqHlhY WdpcNsd0PmfrD+AuRJuJvH0djB1Xpav
49d0HwQvWZFSnXp2bW1hJOljnHgZdAt5V0fpAqyxCMYyPMAbrk3PmmQTa0GT s+beCk44HrAnG/OheRd72gk/AwVZkkA0YmChmhYHEUQPakRnPRFLUMrJRwb2 BkKZkawzuM8eKmmG1eVNPcAYvKgiWFi
jl+YCi0l1VVk/zTJMj/03K1KNAPgevIfl32ln72ttoaVE+1XktmF9zLRzkax pqAIssHqoTNhkkFsffQbrn7E+22pOf8rakty0rJ8yk3aS3EpXBA5044jN6OQ pYfDwDlDkv82V1owUlDQVZcxp6Snupv
aJ2RCJtpMLYV1F3XFed9M4kT9s220D9RV0JJ6FNzw1mIn4l1oBUr/6wxV4Sk u9H1TOnG9AYRylquvGzrsnPJncyvYoguW2geQe0kJIXuBAU/z4HCAFMAEzXp feyl0TswnZ7cdzkEeOioMe76/1eBFdV
4T56UvF9Rcd/eR1ljXeJp69QZaVhJyDjJqEisCLtXGqO+7V/XHIEmWkzu7wR HcXl/b6sHWNVDaGdPMs/MGcNR7/jzL4sBOM0Wp88AzqtqBmQWO6MiwdPeFWm EaSj6A3oy3ijPz0mJC3vCG4MZN+zKIY
nwiUbgx68qcsllL7sYiEyzZcQmg7npCyt5IvIEzGLVCDB8PdSjv61ktPF5fA JF4EHQg23DrbIRnUbdGtB+C/9lu9zwxQgPsRrHg5QxjYcyrWoURlvtwdX9NG pq6I8sWJ7OlBXI8N52pTXJbKEGxUabl
asgcmk/EfymL9ZidkD1wm8s0ckUK40HEdmkljbA9Ced2ewViwNM8mJKhjmJS wPddO+reE5zcYmKV8vCXX4amSgILLmwcoruVjBEqYHbCGPjFsommkTafLTU4 7ZD8wScZJu5niRUCtBUyVzlF58bgBiP
eJQlPUnJyewp6Lay7XQTHPpEZj6SRUHzwfzpQrwiN9tK3cJrxbIQsnuu94Rm JBT18UdQqxjVKVBe+m1a0dhy34vwMUL75fGnwzK03VPf/HAHaCI5k7oKu0Wd CqbDQGZgaRLAFmPPahQH7A1KZDG2gsY
LOARb2r40MjosUOkvAT1+/RnKThA3/u6zOBJiO2oJSdrCUTwbItmIa785DSF xnUHKvwlJa7KJEk4OxOJHLRG3af6vfutWmnamaDlYV7VsC1K/IrsLRbYpbKs OkggW8MIIFuKADAgEXooIFrwSCBatPL
j5oEXvE1vTTQQw9lxsQDkCIZ6OyXlaK4UrLtQe32kI6yWrAI4NVqweXThOIT BE7gzUQFGTF6og8XW4t8bwXiOq70+d7LNq6Y6UT00234KcKigg/osZEb/hOt TuBeU8GQByQNCw+FPeLduvQ13+UssdO
VEp+vSVWh/Ao6GkcWkq/QTU4G9xwwSh05wR8sjwjMLwuf/JDdDQz4bxNCpHZ 7qpXCiRmh8dSiqjgtf6STtJFmF8r+D1RP1wy3Tl2xC0eAQ48IJiC/IOQLRoi oQlQjkqXqhaXcgEXrtz/+cqYcpxAD3/
MuXC3oq1Tnz0kB1AxXgEYuWiGRVBNcXBpj0PZz9mF0nkDiTNLlIVJQoWxox4 oiqVK9xAftYUiYdK34NAF6AsyybZuf2toWwz47lu2Pm4Bm5NhiP/ZR/z8ogd mQFRH0/2mBjtTxvKZ2pQE/5x1p9tVJC
nxEGTLiTF/Q3Li56tdK0rAhsLzavH3uk3mBbOHgsiUPgCf4DouZMDL3Dr6m9 JauJ2Ux2BygrTlW8HvkeHmtOChrxbt2yosy16v420EeSmJGgI9pdvPJCOEO5 Q1r2gO9Y8Lwq1c1EeKropI9jGS1/0rz
WJH6B/cfu2X+MIkJFV7Pw+hPhEZ8PAIS7IlKN424v3Rl8TSWtKveC9Pu/8wW z6IV1UokUHc3yAzGqIImuaXU6Uvw7Ix0NsIOsxws8EiDE2fIJ2PvXSPLDsyj mnZ3dth6P9xCMkJj5vM/d7kchrDKoOq
NkecJiwOgfpnsw57EYZfiykNlm/gib0aDsYAwD29qjwdAwg5sX84kYzxMFNY e0po5dktueWWXpQYbhHJPsp0XNZrq6Q7vgeQeuU5qJ4w9/ZjLh38V6tqx5Je FT82oZ5ZV185sTHGlPTHk86zDsUC6Qo
sTj49uEe15i/xnL6kSykeElkuyMsab0xaHai/ZLkfrAREH/RS7nOxERTdFG5 QJJVKcJ7O66zLVtKr6lqYilkuzyt5zC/WR1zLTvVOYqLNamjX4rCJ2hTz8dH HQQQxqWqeE7lfncELLnO5UoSA9gaYV1
eD8Zk8DtpA/iy5TNDiuj5OS5t2y/P/liJ6R4C6Cm6Kl0+HhS06ActJe2lxHa BHGHJTyEvkyyhtAzeJqa8cMfvCqJUiRJ60hudevd1ocxISE2SwWNU913Kg6J b3VtSRxiorWpcWFpyzZFq7Dns967DgR
ggDUXOXKHBLm1feEDvt+kfEitvR0LVp48YYcDZziKCNQhwoaMpFF7KVs5lE5 8SJTo+5EzdNzBFT5WSPuTluGVLnlLJeW3D9WPHnbg+C0EvJVMM3an2dKCABr 41MXUecLwgf/Yj+r/xGWfPRKOwqu7rZ
5wNx6Rr2akc0Dv+0gijQJyUwQXCWA/OSBcdXGQA+W6mzoETCq09GRyr5apwK H6qaklfBa9vkJSccW1ugovFb4PaNVjAQ34kjrXCwjiMadgTO2LLM6PQyEnH3 gsoAjWQcQvQzHxM8+A+TiSArD0q5XBw
1m3mPCWYDiaAF6iqbQ51PShc/PNY+KlPEDuXE2IyJ1Y89gJM2uVuPxgqdtZ+ zvmWHJUD+1/9O750RlKBZpMw5ygacQqlWP2+k+l4Ghw6c5U1N6fuUcB82GRe m+GGrpWEZ1ZXOXi0Pzw48PyIpCZT2hN
tx3edc82zap9XjvY82lQQ4oxsUd+frFIC2rVDwHNc8CnyI0J8BRz4M25SWhy GMVf5OsTL73wSFco5PhtSBnPYifDSA2TI37Hq+sbWrOtt32/JtQyRUkEsoLv 1LW15/8WmupSd0b9G9cL8iY4GvCkYMS
C9InnIVyU33ZXLdymkSWa6cGzsAE+vzI0YhvG+zFKpE2+CwlQMS/QBnKXZs9 XSV5dIrPqV4TS8E+xfScwgDGJTPb8H48I3vOrQw5i21fs8brKvf3/tfBf+2h A==\r\n
\r\n
RESPONSE: **************\n
HTTP/1.1 401 Unauthorized\r\n
Content-Length: 1656\r\n
Content-Type: text/html\r\n
Server: Microsoft-IIS/6.0\r\n
WWW-Authenticate: Negotiate\r\n
X-Powered-By: ASP.NET\r\n
Date: Fri, 09 Jun 2006 19:37:58 GMT\r\n
\r\n
(response body: the IIS 401.2 error page, HTML rendered as text)
You are not authorized to view this page
You do not have permission to view this directory or page using the
credentials that you supplied because your Web browser is sending a
WWW-Authenticate header field that the Web server is not configured to accept.

Please try the following:
  • Contact the Web site administrator if you believe you should be able to
    view this directory or page.
  • Click the button to try again with different credentials.

HTTP Error 401.2 - Unauthorized: Access is denied due to server
configuration.
Internet Information Services (IIS)

Technical Information (for support personnel)
  • Go to Microsoft Product Support Services and perform a title search for
    the words HTTP and 401.
  • Open IIS Help, which is accessible in IIS Manager (inetmgr), and search
    for topics titled About Security, Authentication, and About Custom Error
    Messages.
finished.





"WenJun Zhang[msft]" wrote in message
news:$VCTLOwiGHA.4500@TK2MSFTNGXA01.phx.gbl...
> Hi Tim,
>
> I suggest you use WFetch to perform a test and trace the raw data of the HTTP
> request/response. It will ensure the Kerberos token can be properly sent to
> the server side.
>
> HOW TO: Use Wfetch.exe to Troubleshoot HTTP Connections
> http://support.microsoft.com/default.aspx?scid=kb;en-us;284285
>
> To use, please input:
>
> Host: (Your servername)
> Path: (The relative path of your page. e.g: /simple.htm)
> Auth: (Select Kerberos and input the proper username/password)
>
> Press Go! to issue an HTTP request to the server and check what response is
> returned. You can paste the whole log data here for me to take a look.
>
> Best regards,
>
> WenJun Zhang
> Microsoft Online Partner Support
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
>
>
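Two facts are readable straight out of the wfetch trace in this post, and both are worth extracting mechanically rather than by eye: the request carries an "Authorization: Kerberos ..." header while the 401 response advertises only "WWW-Authenticate: Negotiate" (which is what the 401.2 body means by a header "the Web server is not configured to accept"), and the base64 blob is a GSS-API krb5 AP-REQ whose service ticket names the principal the client asked the KDC for. The script below is an added example, not code from the thread or from Microsoft. It parses the trace format wfetch prints (the literal \r\n and \n markers included), compares the scheme the client used with the schemes the server offers, and walks the DER structure of the token far enough to read the ticket's realm and sname. The DER walker is deliberately minimal: it trusts tags, reads lengths, and never requires the whole token to be present, so the sample below, which keeps only the first 142 base64 characters of Tim's token (enough to reach the sname), decodes cleanly. It is not a general ASN.1 parser.

```python
import base64
import re

# Constructed sample, taken from the wfetch trace posted above: only the auth-relevant
# lines are kept, and the AP-REQ token is cut after the ticket's service name (the
# full token in the post is about 2.7 KB). The "\r\n" / "\n" are wfetch's own markers.
SAMPLE_TRACE = r"""started....
REQUEST: **************\n
GET /loader.aspx HTTP/1.1\r\n
Host: 10.1.1.201\r\n
Authorization: Kerberos YIIKcQYJKoZIhvcSAQICAQBuggpgMIIKXKADAgEFoQMCAQ6iBwMFACAAAACjggSFYYIEgTCCBH2gAwIBBaEMGwpMQUJUU0MuQ09Noh0wG6ADAgECoRQwEhsESFRUUBsKMTAuMS4xLjIwMa\r\n
\r\n
RESPONSE: **************\n
HTTP/1.1 401 Unauthorized\r\n
Server: Microsoft-IIS/6.0\r\n
WWW-Authenticate: Negotiate\r\n
\r\n
finished."""

KRB5_MECH_OID = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2


def _tlv(buf, pos):
    """Read one DER tag and length at pos; return (tag, length, start of content)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long form: the next n bytes hold the length
        n = first & 0x7F
        return tag, int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, first, pos


def extract_spn(token_b64):
    """Walk a GSS-API krb5 AP-REQ token to the ticket's realm and sname.

    Lengths are read but never assumed to be fully present, so a truncated token
    that still contains the sname (as in the sample) decodes fine.
    """
    raw = base64.b64decode(token_b64 + "=" * (-len(token_b64) % 4))
    tag, _, pos = _tlv(raw, 0)                       # [APPLICATION 0] InitialContextToken
    if tag != 0x60:
        raise ValueError("not a GSS-API initial context token")
    tag, n, pos = _tlv(raw, pos)                     # OBJECT IDENTIFIER (mechanism)
    if raw[pos:pos + n] != KRB5_MECH_OID:
        raise ValueError("mechanism is not krb5")
    pos += n + 2                                     # skip OID content + 2-byte TOK_ID (01 00 = AP-REQ)
    tag, _, pos = _tlv(raw, pos)                     # [APPLICATION 14] AP-REQ
    tag, _, pos = _tlv(raw, pos)                     #   SEQUENCE
    for _ in range(3):                               #   [0] pvno, [1] msg-type, [2] ap-options: skip
        tag, n, pos = _tlv(raw, pos)
        pos += n
    tag, _, pos = _tlv(raw, pos)                     #   [3] ticket
    tag, _, pos = _tlv(raw, pos)                     #     [APPLICATION 1] Ticket
    tag, _, pos = _tlv(raw, pos)                     #       SEQUENCE
    tag, n, pos = _tlv(raw, pos)                     #       [0] tkt-vno: skip
    pos += n
    tag, _, pos = _tlv(raw, pos)                     #       [1] realm
    tag, n, pos = _tlv(raw, pos)                     #         GeneralString
    realm = raw[pos:pos + n].decode("ascii")
    pos += n
    tag, _, pos = _tlv(raw, pos)                     #       [2] sname PrincipalName
    tag, _, pos = _tlv(raw, pos)                     #         SEQUENCE
    tag, n, pos = _tlv(raw, pos)                     #         [0] name-type: skip
    pos += n
    tag, _, pos = _tlv(raw, pos)                     #         [1] name-string
    tag, n, pos = _tlv(raw, pos)                     #           SEQUENCE OF GeneralString
    end, parts = pos + n, []
    while pos < end:
        tag, m, pos = _tlv(raw, pos)
        parts.append(raw[pos:pos + m].decode("ascii"))
        pos += m
    return realm, "/".join(parts)


def parse_trace(text):
    """Pull the auth scheme, token, status and accepted schemes out of a wfetch trace."""
    info = {"auth_scheme": None, "token": None, "status": None, "accepted": []}
    in_response = False
    for raw_line in text.splitlines():
        line = re.sub(r"(\\r)?\\n$", "", raw_line)   # drop wfetch's literal \r\n markers
        if line.startswith("RESPONSE:"):
            in_response = True
        elif not in_response and line.startswith("Authorization:"):
            parts = line.split(None, 2)
            info["auth_scheme"] = parts[1]
            info["token"] = parts[2] if len(parts) > 2 else None
        elif in_response and line.startswith("HTTP/"):
            info["status"] = int(line.split()[1])
        elif in_response and line.lower().startswith("www-authenticate:"):
            info["accepted"].append(line.split(":", 1)[1].split()[0])
    return info


def diagnose(text):
    """Return the findings a reader would want from the trace, as short strings."""
    info = parse_trace(text)
    findings = []
    if info["status"] == 401 and info["auth_scheme"] and info["auth_scheme"] not in info["accepted"]:
        findings.append(f"request used scheme '{info['auth_scheme']}', server offers {info['accepted']}")
    if info["token"]:
        realm, spn = extract_spn(info["token"])
        findings.append(f"service ticket is for {spn}@{realm}")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", spn.partition("/")[2]):
            findings.append("SPN host part is an IP literal, not the server's name")
    return findings


if __name__ == "__main__":
    for line in diagnose(SAMPLE_TRACE):
        print(line)
```

On the sample this reports the scheme mismatch, the ticket principal HTTP/10.1.1.201@LABTSC.COM, and the fact that the SPN's host part is the IP address Tim typed in, which is what the client asked the KDC for in this run rather than the "vmdynamics" name that failed with 0x80090303 in the previous one.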

Re: Kerberos error KDC_ERR_BADOPTION

on 12.06.2006 16:12:21 by wjzhang

Hi Tim,

This indicates Kerberos auth actually didn't work on your server. Please
make sure your KDC is correctly configured and also check if Integrated
Windows authentication is enabled in IIS.

Also by default, both Kerberos and NTLM are enabled in the
NTAuthenticationProviders metabase entry. You may have to verify this to
see if Kerberos has been removed.

215383 How to configure IIS to support both the Kerberos protocol and the
NTLM protocol for network authentication
http://support.microsoft.com/default.aspx?scid=kb;EN-US;215383

Best regards,

WenJun Zhang
Microsoft Online Partner Support

This posting is provided "AS IS" with no warranties, and confers no rights.

Re: Kerberos error KDC_ERR_BADOPTION

on 12.06.2006 17:41:00 by Tim

I verified that the IIS server is running integrated authentication and that
the metabase is set to Negotiate,NTLM as described in the article. Do you
have any suggestions on what areas we might look into on the KDC?

-Tim


"WenJun Zhang[msft]" wrote in message
news:fQVdCpijGHA.4948@TK2MSFTNGXA01.phx.gbl...
> Hi Tim,
>
> This indicates Kerberos auth actually didn't work on your server. Please
> make sure your KDC is correctly configured and also check if Integrated
> Windows authentication is enabled in IIS.
>
> Also by default, both Kerberos and NTLM are enabled in the
> NTAuthenticationProviders metabase entry. You may have to verify this to
> see if Kerberos has been removed.
>
> 215383 How to configure IIS to support both the Kerberos protocol and the
> NTLM protocol for network authentication
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;215383
>
> Best regards,
>
> WenJun Zhang
> Microsoft Online Partner Support
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
>
>

Re: Kerberos error KDC_ERR_BADOPTION

on 13.06.2006 10:23:20 by wjzhang

Hi Tim,

If so, what's the result in WFetch with Kerberos auth? Could you provide
me with the trace to take a look?

If Kerberos auth actually fails on the server-side, you will have to post a
new thread to our Windows 2003 security or AD newsgroup to troubleshoot the
Kerberos auth part.

Best regards,

WenJun Zhang
Microsoft Online Partner Support

This posting is provided "AS IS" with no warranties, and confers no rights.

Re: Kerberos error KDC_ERR_BADOPTION

on 13.06.2006 18:07:10 by Tim

Here is the result:

started....
WWWConnect::Connect("vmdynamics","80")\n
IP = "10.1.1.201:80"\n
source port: 2022\r\n
ISC_REQ_MUTUAL_AUTH | ISC_REQ_DELEGATE set\n
0x80090303 (The specified target is unknown or unreachable): Unable to
InitializeSecurityContext
finished.
WWWConnect::Close("vmdynamics","80")\n
closed source port: 2022\r\n



"WenJun Zhang[msft]" wrote in message
news:4XuCoKsjGHA.764@TK2MSFTNGXA01.phx.gbl...
> Hi Tim,
>
> If so, what's the result in WFetch with Kerberos auth? Could you provide
> me with the trace to take a look?
>
> If Kerberos auth actually fails on the server-side, you will have to post
> a new thread to our Windows 2003 security or AD newsgroup to troubleshoot
> the Kerberos auth part.
>
> Best regards,
>
> WenJun Zhang
> Microsoft Online Partner Support
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
>
>

Re: Kerberos error KDC_ERR_BADOPTION

on 14.06.2006 14:37:22 by wjzhang

Hi Tim,

I'm not sure why it would fail with the server name but work with the IP
address, but I believe this should be related to the root cause. It looks like
the problem client has some problem communicating with your domain
controller; otherwise there shouldn't be such a name resolution issue. You
may try to remove the client machine from your domain and then add it back
to have a test.

If it's still no success, please post the issue to our Windows AD or
security newsgroup for suggestions. Thanks.

Best regards,

WenJun Zhang
Microsoft Online Partner Support

This posting is provided "AS IS" with no warranties, and confers no rights.

Re: Kerberos error KDC_ERR_BADOPTION

on 14.06.2006 17:36:14 by Tim

No luck there either. I'll try the other NG. Thank you very much for your
help.

-Tim


"WenJun Zhang[msft]" wrote in message
news:SeNzO96jGHA.4528@TK2MSFTNGXA01.phx.gbl...
> Hi Tim,
>
> I'm not sure why it would fail with the server name but work with the IP
> address, but I believe this should be related to the root cause. It looks
> like the problem client has some problem communicating with your domain
> controller; otherwise there shouldn't be such a name resolution issue. You
> may try to remove the client machine from your domain and then add it back
> to have a test.
>
> If it's still no success, please post the issue to our Windows AD or
> security newsgroup for suggestions. Thanks.
>
> Best regards,
>
> WenJun Zhang
> Microsoft Online Partner Support
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
>
>