MX2007 mailbox server not getting Kerberos Ticket
I am getting an event ID 7 system error on my MX2007 server: "The digitally signed Privilege Attribute Certificate (PAC) that contains the authorization information for client PREPMAIL$ in realm CP.LOCAL could not be validated. This error is usually caused by domain trust failures." There is only 1 domain here, so there is no trust issue between multiple domains. What is happening on the server is the Information store is not starting and I'm wondering if this has something to do with it.
July 7th, 2010 5:52pm
Hi,

Reset the secure channel between trusts

A secure channel helps secure session communication across a trust relationship. Kerberos uses a secure channel to authenticate users and computers. The secure channel must be available for Kerberos authentication to operate correctly. When a trust is verified, the secure channel is reset.

Note: The name of the domain is identified in the event log message.

To perform this procedure, you must have membership in the Domain Admins group or the Enterprise Admins group, or you must have been delegated the appropriate authority.

To reset the secure channel between trusts:
1. Log on to a domain controller in the forest.
2. Click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts.
3. Right-click the domain that contains the trust for which you want to reset the secure channel, and then click Properties.
4. Click the Trusts tab.
5. Click the trust to be verified, and then click Properties.
6. Click Validate.
7. Click Yes, validate the incoming trust.
8. Provide administrative credentials for the reciprocal domain, and then click OK.

Verify

To verify that the Kerberos Privilege Attribute Certificate (PAC) is present and functioning correctly, you should ensure that a Kerberos ticket was received from the Key Distribution Center (KDC) and cached on the local computer. You can view cached Kerberos tickets on the local computer by using the Klist command-line tool.

Note: Klist.exe is not included with Windows Vista, Windows Server 2003, Windows XP, or Windows 2000. You must download and install the Windows Server Resource Kit before you can use Klist.exe.

To view cached Kerberos tickets by using Klist:
1. Log on to a Kerberos client computer within your domain.
2. Click Start, point to All Programs, click Accessories, and then click Command Prompt.
3. Type klist tickets, and then press ENTER.
4. Verify that a cached Kerberos ticket is available. Ensure that the Client field displays the client on which you are running Klist. Ensure that the Server field displays the domain in which you are connecting.
5. Close the command prompt.

I hope you will get done.

Regards.
Shafaquat Ali.M.C.I.T.P Exchange 2007/2010, M.C.I.T.P Windows Server 2008, M.C.T.S OCS Server 2007 R2
July 7th, 2010 8:12pm
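The Klist verification step in the reply above can be scripted. This is an added example, not part of the original post: it parses saved klist output and checks the Client and Server fields. The sample output and the host name dc01.cp.local are constructed, the Client:/Server: line layout is an assumption that may differ between klist versions, and a krbtgt/<realm> entry is assumed to be the evidence that the Server field names the domain.

```python
import re

# Constructed sample in the Client:/Server: layout that klist prints;
# the exact layout differs between klist versions (assumption).
SAMPLE = """\
Cached Tickets: (2)

#0>     Client: PREPMAIL$ @ CP.LOCAL
        Server: krbtgt/CP.LOCAL @ CP.LOCAL

#1>     Client: PREPMAIL$ @ CP.LOCAL
        Server: ldap/dc01.cp.local @ CP.LOCAL
"""

FIELD = re.compile(r"^\s*(?:#\d+>\s*)?(Client|Server):\s*(.+?)\s*$")

def split_principal(text):
    """Split 'name @ REALM' into (name, realm); realm is '' if absent."""
    name, sep, realm = text.rpartition("@")
    return (name.strip(), realm.strip()) if sep else (text.strip(), "")

def parse_tickets(output):
    """Return one dict per cached ticket: {'client': (n, r), 'server': (n, r)}."""
    tickets = []
    for line in output.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key = m.group(1).lower()
        if not tickets or key in tickets[-1]:   # repeated field: next ticket
            tickets.append({})
        tickets[-1][key] = split_principal(m.group(2))
    return tickets

def check_cache(output, client, realm):
    """Return a list of problems; an empty list means both checks passed."""
    tickets = parse_tickets(output)
    if not tickets:
        return ["no cached Kerberos tickets"]
    problems = []
    want = (client.lower(), realm.lower())
    for i, t in enumerate(tickets):
        got = tuple(p.lower() for p in t.get("client", ("", "")))
        if got != want:
            problems.append(f"ticket #{i}: unexpected client {got[0]}@{got[1]}")
    tgt = f"krbtgt/{realm}".lower()   # assumed evidence the Server field names the domain
    if not any(t.get("server", ("", ""))[0].lower() == tgt for t in tickets):
        problems.append(f"no ticket-granting ticket for {realm}")
    return problems

if __name__ == "__main__":
    print(check_cache(SAMPLE, "PREPMAIL$", "CP.LOCAL") or "ticket cache OK")
```

An empty ticket list or a missing krbtgt entry for the machine account is worth correlating with the event ID 7 timestamps in the System log.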
When did this start? Did someone demote a DC or make any other changes to the AD domain?
July 7th, 2010 11:07pm
No. New install of the mailbox 2007 server, transitioning from MX2000
July 8th, 2010 9:41pm
Hi, Please try to troubleshoot it based on the below article: http://technet.microsoft.com/en-us/library/cc786325(WS.10).aspx Thanks Allen
July 12th, 2010 11:40am