Troubleshooting Kerberos Problems

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Any authentication problem with console logon, network logon, access to network resources, or remote access might be a Kerberos error, because the Kerberos protocol is the default authentication protocol in an Active Directory domain.

To determine whether a problem is occurring with Kerberos authentication, check the System event log for errors from the event sources that take part in authentication, such as Kerberos, KDC, LsaSrv, or Netlogon. If any such errors exist, they might be accompanied by errors from the Kerberos protocol itself. In addition, failure audits in the Security event log (Kerberos pre-authentication and ticket request failures) can show that the Kerberos protocol was in use when a logon failed, and they carry the Kerberos error code that the KDC returned.
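The following script is an added example, not part of the original page, that performs the event log checks just described. It assumes PowerShell 2.0 or later (Get-EventLog reads the classic logs on Windows Server 2003 and later), an elevated prompt so that the Security log is readable, and the event IDs listed in its comments (675 to 677 on Windows Server 2003; 4768, 4769 and 4771 to 4773 on Windows Server 2008 and later). The 24-hour window and the computer name are parameters, not values from the page.

```powershell
# Added example (not from the original page): collect the authentication-related
# events the text tells you to check. Assumes PowerShell 2.0 or later; Get-EventLog
# reads the classic logs on Windows Server 2003 and later. Run from an elevated
# prompt so the Security log is readable.
param(
    [int]$Hours = 24,
    [string]$ComputerName = $env:COMPUTERNAME
)

$since = (Get-Date).AddHours(-$Hours)

# Event sources that provide authentication and log Kerberos-related failures
# ("Security-Kerberos" is the source name used on Windows Vista/Server 2008 and later).
$authSources = 'Kerberos', 'Security-Kerberos', 'KDC', 'LsaSrv', 'NETLOGON'

# Kerberos-related Security log events. Only failure audits are read, so 4768/4769
# count only when the ticket request failed.
#   Windows Server 2003: 675 pre-authentication failed, 676 AS request failed,
#                        677 TGS request failed
#   Windows Server 2008 and later: 4768 TGT requested, 4769 service ticket requested,
#                        4771 pre-authentication failed, 4772 AS request failed,
#                        4773 TGS request failed
$kerberosAuditIds = 675, 676, 677, 4768, 4769, 4771, 4772, 4773

# 1. System log: errors and warnings from the authentication sources.
$systemEvents = @(Get-EventLog -ComputerName $ComputerName -LogName System -After $since -EntryType Error, Warning |
    Where-Object { $authSources -contains $_.Source })

# 2. Security log: Kerberos failure audits.
$securityEvents = @(Get-EventLog -ComputerName $ComputerName -LogName Security -After $since -EntryType FailureAudit |
    Where-Object { $kerberosAuditIds -contains $_.EventID })

"System log on {0}: {1} error/warning entries from authentication sources since {2}" -f $ComputerName, $systemEvents.Count, $since
$systemEvents | Sort-Object TimeGenerated | Format-Table TimeGenerated, Source, EventID, Message -AutoSize -Wrap

"Security log on {0}: {1} Kerberos failure audits since {2}" -f $ComputerName, $securityEvents.Count, $since
$securityEvents | Sort-Object TimeGenerated | Format-Table TimeGenerated, EventID, Message -AutoSize -Wrap

# 3. The audit message carries the Kerberos error code ("Failure Code:" or "Result Code:").
#    Summarize them: 0x18 KDC_ERR_PREAUTH_FAILED (wrong password), 0x25 KRB_AP_ERR_SKEW
#    (clock skew), 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN (SPN not registered),
#    0x12 KDC_ERR_CLIENT_REVOKED (account disabled or locked out).
$codes = $securityEvents | ForEach-Object {
    if ($_.Message -match '(?:Failure|Result) Code:\s*(0x[0-9A-Fa-f]+)') { $matches[1].ToLower() }
}
"Kerberos error codes seen:"
$codes | Group-Object | Sort-Object Count -Descending | Format-Table Name, Count -AutoSize
```

The code summary at the end is the part worth reading first: a run of 0x25 points at clock skew, 0x7 at a missing or duplicate SPN, and 0x18 at bad credentials, which maps directly onto the sections listed at the end of this topic.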

Where to start

In most cases, a Kerberos-related error is a symptom of another service failing. The Kerberos protocol relies on many services that must be available and functioning properly in order for any authentication to take place. The following is a list of the services or conditions that you will want to make sure are functioning properly before you scrutinize the Kerberos protocol.

  • Make sure that the network infrastructure is functioning properly and that all computers and services can communicate, in particular that TCP and UDP port 88 to the domain controllers is not blocked.

  • Make sure that a domain controller is accessible.

  • Make sure that DNS is configured properly and resolves both host names and the service locator (SRV) records that clients use to find a domain controller, such as _kerberos._tcp.dc._msdcs.<domain>.

  • Make sure that the clocks are synchronized across the domain. By default, Kerberos rejects tickets when the client's clock and the domain controller's clock differ by more than 5 minutes (the Maximum tolerance for computer clock synchronization policy setting).

To synchronize the computer's time with the current time on the domain

  1. Click Start, and then click Run.

  2. Type net time /domain /set, and then click OK.

Warning

Do not use the Net time command to configure or set the time on a computer where the Windows Time service (W32Time) is running; on such a computer, run w32tm /resync to force it to synchronize with its configured time source. Also, Net time /querysntp displays the name of an NTP server with which the computer is configured to synchronize, but that NTP server is used only when the computer's time client type is NTP or AllSync. Most domain member computers have a time client type of NT5DS, which means they synchronize time from the domain hierarchy. The only typical exception is the domain controller that holds the primary domain controller (PDC) emulator operations master role in the forest root domain, which is typically configured to synchronize time with an external time source.

To view the time client configuration of a computer, run the W32tm /query /configuration command (from an elevated Command Prompt in Windows Vista and Windows Server 2008) and read the Type line in the command output. For more information, see How Windows Time Service Works (https://go.microsoft.com/fwlink/?LinkId=117753) and Windows Time Service Tools and Settings (https://go.microsoft.com/fwlink/?LinkID=42984).
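The following script is an added example, not part of the original page, that checks the four preconditions listed above in one pass before you scrutinize Kerberos itself. It assumes PowerShell 2.0 or later on a domain member; the DNS, TCP and registry checks use .NET and the built-in nslookup and w32tm tools so that they also run on Windows Server 2003. The SRV record name, the 3-second connect timeout and the 300-second skew limit (the Kerberos default of 5 minutes) are the script's own assumptions.

```powershell
# Added example (not from the original page): check the preconditions listed above in
# one pass, before looking at Kerberos itself. Assumes PowerShell 2.0 or later on a
# domain member; DNS, TCP and registry checks use .NET and built-in tools so they also
# run on Windows Server 2003.
param(
    [string]$Domain = $env:USERDNSDOMAIN,
    [int]$MaxSkewSeconds = 300   # Kerberos default: 5 minutes of tolerated clock skew
)

$results = @()
function Add-Result($check, $ok, $detail) {
    $script:results += New-Object PSObject -Property @{ Check = $check; OK = $ok; Detail = $detail }
}

# 1. DNS: clients locate a KDC through this SRV record; if it does not resolve, no
#    Kerberos authentication can start. (System.Net.Dns cannot query SRV, so use nslookup.)
$srvName = "_kerberos._tcp.dc._msdcs.$Domain"
$kdcs = @(nslookup -type=SRV $srvName 2>$null |
    Select-String 'svr hostname\s*=\s*(\S+)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value.TrimEnd('.') })
Add-Result "DNS SRV $srvName" ($kdcs.Count -gt 0) ($kdcs -join ', ')

# 2. Network and domain controller: each KDC name must resolve and accept a TCP
#    connection on the Kerberos port (88).
foreach ($kdc in $kdcs) {
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($kdc) | ForEach-Object { $_.IPAddressToString }
        Add-Result "DNS host $kdc" $true ($addrs -join ', ')
    } catch {
        Add-Result "DNS host $kdc" $false $_.Exception.Message
        continue
    }
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $tcp.BeginConnect($kdc, 88, $null, $null)
        $connected = $ar.AsyncWaitHandle.WaitOne(3000, $false)
        if ($connected) { $tcp.EndConnect($ar) }
        Add-Result "TCP 88 to $kdc" $connected $(if ($connected) { 'connected' } else { 'timeout after 3 s' })
    } catch {
        Add-Result "TCP 88 to $kdc" $false $_.Exception.Message
    } finally {
        $tcp.Close()
    }
}

# 3. Clocks: compare this computer's clock with each KDC. w32tm /stripchart prints one
#    offset per sample, e.g. "12:00:00, +00.0012345s"; a ticket is rejected when the
#    difference exceeds the domain's "Maximum tolerance for computer clock synchronization".
foreach ($kdc in $kdcs) {
    $lines = w32tm /stripchart "/computer:$kdc" /samples:3 /dataonly 2>$null
    $offsets = @($lines | ForEach-Object {
        if ($_ -match '([+-]\d+\.\d+)s\s*$') { [math]::Abs([double]$matches[1]) }
    })
    if ($offsets.Count -eq 0) {
        Add-Result "Clock skew vs $kdc" $false 'no samples (UDP 123 blocked or w32tm failed)'
        continue
    }
    $worst = ($offsets | Measure-Object -Maximum).Maximum
    Add-Result "Clock skew vs $kdc" ($worst -lt $MaxSkewSeconds) ("{0:N3} s (limit {1} s)" -f $worst, $MaxSkewSeconds)
}

# 4. Time client type, as the warning above describes: NT5DS means the domain hierarchy
#    is the source, which is what a domain member should show. Read from the registry so
#    it works where "w32tm /query" is not available (Windows Server 2003).
$type = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters').Type
Add-Result 'W32Time client type' ($type -eq 'NT5DS') $type

$results | Format-Table Check, OK, Detail -AutoSize -Wrap
if ($results | Where-Object { -not $_.OK }) { exit 1 }
```

A failing SRV lookup stops the remaining checks from having anything to test, which is the intended order: DNS must work before a domain controller can be found, and a domain controller must be reachable before its clock can be compared. On a domain controller itself, or on the PDC emulator of the forest root, the W32Time type check is expected to report something other than NT5DS, as the warning above explains.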

If you have examined all these conditions and still have authentication problems or Kerberos errors, you need to look further. Problems can be caused by the way the Kerberos protocol itself is configured, or by the way other technologies that work with the Kerberos protocol are configured; the sections that follow cover the common cases.

In this section

Service Logons Fail Due to Incorrectly Set SPNs

Authentication Uses NTLM instead of Kerberos

Authentication Fails in a Mixed Windows and UNIX Environment

Authentication Fails Due to User PAC

Authentication Using UDP Causes Errors

Authentication Errors are Caused by Unsynchronized Clocks