KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN Windows 2008 R2 / Windows 7
I have a well-working Windows environment running 6 servers and around 50 PCs. 3 PCs cannot access a small Synology disk which is enabled on the network and connected to the AD. No problems pinging the name of the device, and all network settings seem all right. Via the IP address (\\192.168.0.x) I can browse without problems, but via the name I get access denied (\\disk01).
Also, they can access shares, printers etc. shared in the domain.
At last I had some remote support from Synology, who say I have some AD authorization problems. Below is what they are saying. The solution I can find in this is that there is a hotfix for Windows 2008 but nothing about R2.
Any suggestions?
Thanks, Michael Grn
During the checking with WireShark, the error clearly happens as follows:
1. The PC connects to the NAS, and the PC finds it needs to go to the DC to get authorization via Kerberos.
2. The PC goes to the DC to get a valid authorization.
3. The DC responds to the PC with the authorization error via Kerberos, as in the attached image. Error "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN".
4. The access attempt then fails.
From the WireShark capture, solving 3 will solve this issue between PC and DC. To be honest, we don't know why this PC has a problem with DC authorization. But the response is from the DC; the NAS is not involved in this error. From the error "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN", we found this thread:
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/bf15309d-6261-4c7e-821a-42a92cbe844f
Maybe you could give it a try. If still to no avail, we suggest using the IP way to do authorization to skip it, or contacting Windows Support to see if they could solve the "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN" error for you.
Michael Grn
November 7th, 2012 6:39am
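The capture check that Synology support describes in the post above can be repeated on an exported capture to see which principal the DC could not find. This is an added example, not part of the original thread; the tshark export command, sample rows, addresses and account names are assumptions.

```python
from collections import Counter

# Assumed export of KRB-ERROR (msg-type 30) replies from the client's capture:
#   tshark -r capture.pcapng -Y "kerberos.msg_type == 30" -T fields -e ip.src \
#     -e ip.dst -e kerberos.error_code -e kerberos.CNameString -e kerberos.SNameString
# RFC 4120 error codes, written with the MIT-style names the thread uses.
KRB_ERRORS = {
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",   # client principal not in the KDC database
    7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",   # service principal not in the KDC database
    25: "KRB5KDC_ERR_PREAUTH_REQUIRED",     # routine first AS-REQ reply, not a fault
}

def parse_krb_errors(lines):
    """Turn tab-separated tshark rows into dicts; rows without a code are skipped."""
    rows = []
    for line in lines:
        parts = line.rstrip("\r\n").split("\t")
        parts += [""] * (5 - len(parts))      # absent optional fields come out empty
        kdc, client, code, cname, sname = parts[:5]
        if not code.isdigit():
            continue
        rows.append({
            "kdc": kdc, "client": client, "code": int(code),
            "name": KRB_ERRORS.get(int(code), "code " + code),
            # tshark joins multi-part names with ","; principals are written with "/"
            "cname": cname.replace(",", "/"), "sname": sname.replace(",", "/"),
        })
    return rows

def unknown_principals(rows):
    """Count (client IP, error, principal the KDC could not find) for codes 6 and 7."""
    hits = Counter()
    for r in rows:
        if r["code"] == 6:
            hits[(r["client"], r["name"], r["cname"] or "<cname not in reply>")] += 1
        elif r["code"] == 7:
            hits[(r["client"], r["name"], r["sname"])] += 1
    return hits

# Constructed sample rows (addresses, account names and realm are made up).
SAMPLE = [
    "192.168.0.10\t192.168.0.51\t25\tmichael\tkrbtgt,EXAMPLE.LOCAL",
    "192.168.0.10\t192.168.0.51\t6\tPC-17$\tkrbtgt,EXAMPLE.LOCAL",
    "192.168.0.10\t192.168.0.51\t6\tPC-17$\tkrbtgt,EXAMPLE.LOCAL",
    "192.168.0.10\t192.168.0.52\t7\t\tcifs,disk01",
]
if __name__ == "__main__":
    for (client, err, principal), n in unknown_principals(parse_krb_errors(SAMPLE)).items():
        print(f"{client}  {err}  {principal}  x{n}")
```

Code 6 points at the account named in the request (user or computer account), while code 7 points at the service name being requested, so the two call for different checks on the DC.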
Hi Michael,
The error can mean many possibilities: it can come from the Kerberos token not having your IPrincipal populated before sending its token to the SMB,
or your certificate doesn't have a UPN in the SubjectAltName.
Here is a good article on how to troubleshoot Kerberos:
http://blogs.technet.com/b/askds/archive/2012/07/27/kerberos-errors-in-network-captures.aspx
Your PC is part of the domain and can reach the DC via port 389 or 636; does your PC have a machine certificate?
If you run the cmd on your DC:
dcdiag -dcinfo verify do you have some error or does the test pass without error?
Another possibility is that you set up authentication settings via GPO or in local policy that were not compatible with your scenario.
Ex: disabling the sending of unencrypted authentication for SMB is one of the most common mistakes people make, or trying to do strong Kerberos authentication without the right settings and configuration.
Hope this helps you too.
Stef71
November 7th, 2012 2:43pm
Hi Michael,
As this thread has been quiet for a while, we will mark it as Answered as the information provided should be helpful. If you need further help, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.
BTW, we'd love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts.
Best Regards
Kevin
TechNet Subscriber Support
November 11th, 2012 9:19pm