Kerberos error in NLB environment
Hi, anyone got this error in context with Moss2007 SP2, NLB, Win2k8r2 64-bit, Kerberos? I get this error only on one server, host2.

Log Name: System
Source: Microsoft-Windows-Security-Kerberos
Date: 17.11.2010 04:37:52
Event ID: 3
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: host2.gtv.grp
Description:
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 3:38:7.0000 11/17/2010 Z
Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
Extended Error: 0xc0000035 KLIN(0)
Client Realm:
Client Name:
Server Realm: domain.GRP
Server Name: HTTP/host1.domain.grp
Target Name: HTTP/host1.domain.grp@domain.GRP
Error Text:
File: 9
Line: efb
Error Data is in record data.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Kerberos" Guid="{98E6CFCB-EE0A-41E0-A57B-622D4E1B30B1}" EventSourceName="Kerberos" />
    <EventID Qualifiers="32768">3</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2010-11-17T03:37:52.000000000Z" />
    <EventRecordID>31906</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>System</Channel>
    <Computer>host2.domain.grp</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="LogonSession"> </Data>
    <Data Name="ClientTime"> </Data>
    <Data Name="ServerTime">3:38:7.0000 11/17/2010 Z</Data>
    <Data Name="ErrorCode">0x7</Data>
    <Data Name="ErrorMessage"> KDC_ERR_S_PRINCIPAL_UNKNOWN</Data>
    <Data Name="ExtendedError">0xc0000035 KLIN(0)</Data>
    <Data Name="ClientRealm"> </Data>
    <Data Name="ClientName"> </Data>
    <Data Name="ServerRealm">DOMAIN.GRP</Data>
    <Data Name="ServerName">HTTP/host1.domain.grp</Data>
    <Data Name="TargetName">HTTP/host1.domain.grp@domain.GRP</Data>
    <Data Name="ErrorText"> </Data>
    <Data Name="File">9</Data>
    <Data Name="Line">efb</Data>
    <Binary>3015A103020103A20E040C350000C00000000001000000</Binary>
  </EventData>
</Event>

best regards, Knut
November 17th, 2010 3:30am
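When this event recurs, the useful triage step is to extract the ServerName and TargetName fields from every Kerberos event 3 and see which SPN the client keeps asking the KDC for, then compare that name against what setspn -L reports for the application pool account. The following PowerShell is an added example, not code from the thread; it parses the event XML format shown in the post (the sample below is a trimmed copy of Knut's event, constructed here for an offline run) and then shows the same parser applied to the live System log. The function name ConvertFrom-KerberosEventXml is an assumption.

```powershell
# Added example (not from the thread): extract the fields of a Kerberos event 3 that
# identify the SPN the KDC could not resolve. The function name is an assumption.
function ConvertFrom-KerberosEventXml {
    param([Parameter(Mandatory)][string]$EventXml)

    $x  = [xml]$EventXml
    $ns = New-Object System.Xml.XmlNamespaceManager($x.NameTable)
    $ns.AddNamespace('ev', 'http://schemas.microsoft.com/win/2004/08/events/event')

    # EventData carries name/value pairs; ErrorMessage in the posted event has a leading space.
    $data = @{}
    foreach ($d in $x.SelectNodes('/ev:Event/ev:EventData/ev:Data', $ns)) {
        $data[$d.GetAttribute('Name')] = $d.InnerText.Trim()
    }

    [pscustomobject]@{
        TimeCreated = $x.SelectSingleNode('/ev:Event/ev:System/ev:TimeCreated', $ns).GetAttribute('SystemTime')
        Computer    = $x.SelectSingleNode('/ev:Event/ev:System/ev:Computer', $ns).InnerText
        ErrorCode   = $data['ErrorCode']
        Error       = $data['ErrorMessage']
        ServerRealm = $data['ServerRealm']
        ServerName  = $data['ServerName']     # the SPN the client requested a ticket for
        TargetName  = $data['TargetName']
    }
}

# Constructed sample: the event body pasted in the thread, reduced to the elements the parser reads.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Kerberos" />
    <EventID Qualifiers="32768">3</EventID>
    <TimeCreated SystemTime="2010-11-17T03:37:52.000000000Z" />
    <Computer>host2.domain.grp</Computer>
  </System>
  <EventData>
    <Data Name="ErrorCode">0x7</Data>
    <Data Name="ErrorMessage"> KDC_ERR_S_PRINCIPAL_UNKNOWN</Data>
    <Data Name="ServerRealm">DOMAIN.GRP</Data>
    <Data Name="ServerName">HTTP/host1.domain.grp</Data>
    <Data Name="TargetName">HTTP/host1.domain.grp@domain.GRP</Data>
  </EventData>
</Event>
'@

ConvertFrom-KerberosEventXml $sample | Format-List

# Live use on a web front end: every Kerberos event 3 in the System log, grouped by the SPN
# that was requested. One name recurring across events is the SPN to check with setspn -L.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Security-Kerberos'; Id = 3 } -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-KerberosEventXml $_.ToXml() } |
    Group-Object ServerName | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

The point of grouping by ServerName rather than by Computer is that in an NLB farm each node may request the same SPN (here HTTP/host1.domain.grp, the load-balanced name), so the name that fails, not the node that logs it, is what has to match an SPN on the pool account.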

The KDC_ERR_S_PRINCIPAL_UNKNOWN is described at http://www.windowsecurity.com/articles/Troubleshooting-Kerberos-SharePoint-environment-Part1.html: "...As the SPN missing the Active Directory will send a KDC_ERR_S_PRINCIPAL_UNKNOWN. This is the message saying that the Active Directory cannot find a matching SPN for this website...." (found by google search, very handy)
Server Name: HTTP/host1.domain.grp
Target Name: HTTP/host1.domain.grp@domain.GRP
/bac
November 17th, 2010 8:11am

Hi Bob, the confusing thing is that the SPNs are in place.
C:\Users\mossadm-p>setspn -l Service_MossAppPoolp
http/host2.domain.grp
http/host2
http/host1.domain.grp
http/host1
Knut
November 17th, 2010 9:50am

Did you provide the full domain\username when you specified the setspn command? /bac
November 17th, 2010 10:17am

Yepp
November 17th, 2010 1:55pm

You should also try the SETSPN -X to search for duplicates. Likewise, use the -S for adds, as it tests for dupes.
/bac
November 17th, 2010 2:49pm

Also, have you researched the delegconfig tool? This may be useful for troubleshooting.
/bac
November 17th, 2010 2:52pm

Hi Bob, I did execute the setspn command.
C:\Users\mossadm-p>setspn -S http/v-st-n002-p v-st-n002-p
Checking domain DC=gtv,DC=grp
CN=Service_MossAppPool-p,OU=ServiceAccounts,OU=Administration,DC=domain,DC=grp
    http/v-st-n002-p.domain.grp
    http/v-st-n002-p
    http/v-st-n001-p.domain.grp
    http/v-st-n001-p
CN=mossadm-p,OU=ServiceAccounts,OU=Administration,DC=domain,DC=grp
    http/v-st-n002-p.domain.grp
    http/v-st-n002-p
    http/v-st-n001-p.domain.grp
    http/v-st-n001-p
Duplicate SPN found, aborting operation!
The mossadm-p account is the serverfarm account for MOSS and Service_MossAppPool-p is the PortalPool account. I still don't get it.
Knut
November 18th, 2010 2:40am

Hi Knut,
1. An Event log 3 about a Kerberos error that has the error code Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN for Server Name will be logged when a share access is made against a server IP address and no server name. If the error is logged, the Windows client automatically tries to fail back to NTLM authentication for the user account. If this operation works, you receive no error. Please disable Kerberos logging to stop throwing these errors.
2. Duplicate SPN found, aborting operation! Means you no longer have to depend upon boggling commands using LDIFDE or your own custom scripts to find out the duplicate SPNs. For detail please see http://blogs.msdn.com/b/saurabh_singh/archive/2009/01/09/new-features-in-setspn-exe-on-windows-server-2008.aspx
Best regards. Emir
November 23rd, 2010 6:16am
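Bob's advice to run setspn -X and Knut's "Duplicate SPN found, aborting operation!" output both come down to the same check: which SPNs are registered on more than one account. The following PowerShell is an added example, not code from the thread or from setspn; it queries the current domain through [adsisearcher] and reports every SPN held by two or more accounts, with the accounts listed side by side so it is clear which one the name must be removed from. The function name Find-DuplicateSpn and the SpnPattern parameter are assumptions.

```powershell
# Added example (not from the thread): report every SPN registered on more than one account in
# the current domain, the condition setspn -X reports and setspn -S refuses to create.
# Run from a domain-joined host as a user allowed to read the directory. Names are assumptions.
function Find-DuplicateSpn {
    param(
        # Optional wildcard such as 'http/*' to limit the report to one service class.
        [string]$SpnPattern = '*'
    )

    $searcher = [adsisearcher]"(servicePrincipalName=$SpnPattern)"
    $searcher.PageSize = 1000                       # paged search so large domains return in full
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    [void]$searcher.PropertiesToLoad.Add('servicePrincipalName')

    $owners = @{}                                   # spn (lower-cased) -> account DNs holding it
    foreach ($result in $searcher.FindAll()) {
        $dn = [string]$result.Properties['distinguishedname'][0]
        foreach ($spn in $result.Properties['serviceprincipalname']) {
            $key = ([string]$spn).ToLowerInvariant() # SPN matching in Kerberos is case-insensitive
            if ($key -notlike $SpnPattern) { continue }  # the LDAP filter matched the account, not this SPN
            if (-not $owners.ContainsKey($key)) { $owners[$key] = @() }
            $owners[$key] += $dn
        }
    }

    foreach ($entry in $owners.GetEnumerator()) {
        if ($entry.Value.Count -gt 1) {
            [pscustomobject]@{
                SPN      = $entry.Key
                Count    = $entry.Value.Count
                Accounts = ($entry.Value -join '; ')
            }
        }
    }
}

# Usage: HTTP SPNs only, which is the class a SharePoint front end needs.
Find-DuplicateSpn -SpnPattern 'http/*' | Sort-Object SPN | Format-Table -AutoSize
```

An HTTP SPN should exist only on the account the IIS application pool runs as, because that is the account whose key the KDC uses to encrypt the service ticket. Once the report shows which second account holds the name, remove it there with setspn -D and re-add it to the pool account with setspn -S, which Bob notes will refuse the add while a duplicate remains.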

Definitely resolve the SPNs, but also, here are more of my notes on verifying the config in IIS using the IIS Admin Pack Configuration Editor. Our IIS7 configuration had two issues which were clarified via the IIS Admin Pack Configuration Editor (IIS Admin Pack: http://www.iis.net/download/administrationpack).

providers: This was suspect during test 3, so we were on the right track, but using the IIS Admin Pack made the process of editing these changes more straightforward.

useAppPoolCredentials: The IIS Admin Pack Config Editor made it clear this was not set as expected, and made editing simple.

After installing the IIS7 Admin Pack:
1. Select the site in question, and under Features view, Management, you will see Configuration Editor. Run it.
2. Select ApplicationHost.config for the From: selector.
3. Navigate to system.webServer/security/authentication/windowsAuthentication. Note the providers and useAppPoolCredentials.
4. Click the ellipsis next to providers to open the collection editor.
5. Update providers. Delete all entries, then re-add Negotiate first, then NTLM (case sensitive), close the collection editor and click Apply to save the changes. Note: You could also use the Generate Script option to make the necessary change scripts for use later.
6. Change useAppPoolCredentials to True. Click Apply to save the change.
7. View the settings using From: www.yoursite.com Web.Config. We don't want the web.config to override and possibly alter these settings. Use the From selector to verify these are not overridden.
/bac
December 2nd, 2010 9:04am
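The same two settings can be applied and verified from PowerShell with the WebAdministration module, which also answers Bob's last step (is web.config overriding applicationHost.config?) without the Configuration Editor. This is an added example, not code from the thread: the site name 'Default Web Site' is an assumption and should be replaced with the IIS site of the SharePoint web application.

```powershell
# Added example (not from the thread): set the windowsAuthentication providers to Negotiate then
# NTLM and enable useAppPoolCredentials in applicationHost.config, then read the effective
# configuration from the site path to detect a web.config override. Site name is an assumption.
Import-Module WebAdministration

$site    = 'Default Web Site'
$filter  = 'system.webServer/security/authentication/windowsAuthentication'
$appHost = 'MACHINE/WEBROOT/APPHOST'   # applicationHost.config, with the site as a location tag

# 1. Rebuild the providers collection in order: Negotiate first, then NTLM (values are case-sensitive).
Clear-WebConfiguration -PSPath $appHost -Location $site -Filter "$filter/providers"
foreach ($provider in 'Negotiate', 'NTLM') {
    Add-WebConfiguration -PSPath $appHost -Location $site -Filter "$filter/providers" -Value @{ value = $provider }
}

# 2. Make kernel-mode authentication decrypt tickets with the application pool identity's key,
#    which is what lets the HTTP/host SPN registered on the pool account be used.
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $filter -Name 'useAppPoolCredentials' -Value $true

# 3. Read the settings back from the site's own path. IIS:\Sites\<site> merges applicationHost.config
#    with the site's web.config, so this is what requests actually see; if it differs from what was
#    just written, a web.config entry is overriding it (the check Bob does with the From: selector).
$effective = Get-WebConfiguration -PSPath "IIS:\Sites\$site" -Filter $filter
$providers = @(Get-WebConfiguration -PSPath "IIS:\Sites\$site" -Filter "$filter/providers/add" | ForEach-Object { $_.value })

[pscustomobject]@{
    Site                  = $site
    Enabled               = $effective.enabled
    UseAppPoolCredentials = $effective.useAppPoolCredentials
    Providers             = ($providers -join ', ')
    MatchesExpected       = (($providers -join ',') -eq 'Negotiate,NTLM') -and ([bool]$effective.useAppPoolCredentials)
}
```

If MatchesExpected is false right after the writes above, the difference is coming from the site's web.config (or a configuration lock), and that file is where the fix belongs; changing applicationHost.config again will not help.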