
Kerberos Authentication to VMWare...

 
 
Praveen Kumar D
03-05-2009
Hello All,

We are running into authentication issues when we use Kerberos-based
authentication from a MOSS webpart (installed on a physical machine) when it
communicates with web services installed on Windows Server 2003 on VMWare.

Both MOSS and VMWare server are part of the same domain and use same domain
admin credentials.

Scenario: When we try to access the MOSS website which contains our webpart
from anywhere (on a new system or from the VMWare system where web services
are installed) we run into authentication issues. But when we access the
MOSS website from the MOSS system, authentication to web services installed on
VMWare goes through and everything works fine.

Environment:
MOSS system: Windows Server 2003 R2, MOSS 2007
VMWare system: Windows Server 2003 R2, .NET Framework 2.0

Any help or inputs would be greatly appreciated.

Thanks in advance.
 
Praveen Kumar D
03-05-2009
When we enabled Kerberos debugging, we found the following warnings in the
LSASS.log file:

456.580> Kerb-Warn: SPN not found HTTP <systemname>.domain.local
456.580> Kerb-Warn: SpInitLsaModeContext failed to get outbound ticket,
KerbGetServiceTicket failed with 0xc000018b

Sometimes we see the following errors in the Windows Event Log:

A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 15:41:50.0000 3/4/2009 Z
Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
Extended Error: 0xc0000035 KLIN(0)
Client Realm:
Client Name:
Server Realm: <domain>
Server Name: HTTP/<domain>
Target Name: HTTP/<domain>
Error Text:
File: 9
Line: ae0
Error Data is in record data.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

A Kerberos Error Message was received:
on logon session <domain>\<user>
Client Time:
Server Time: 14:11:24.0000 3/4/2009 Z
Error Code: 0x12 KDC_ERR_CLIENT_REVOKED
Extended Error: 0xc0000072 KLIN(0)
Client Realm:
Client Name:
Server Realm: DOMAIN
Server Name: krbtgt/<domain>
Target Name: krbtgt/<domain>
Error Text:
File: e
Line: 6c0
Error Data is in record data.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

We have checked the SPN using SetSPN with -L option and see that both MOSS
and VMWare are part of the same domain.


 
Praveen Kumar D
03-07-2009
Thanks, DaveMo.

We figured out by looking at the event log on the domain controller server that
there were multiple SPNs defined. Once we removed one of the SPNs, Kerberos
authentication started working fine from the VMWare system.

We ran into other issues, but they are related to deleted SPS being used
by the client intranet and our web services application pool configured using
Network Services.

"DaveMo" wrote:

> On Mar 4, 8:24 pm, Praveen Kumar D
> <PraveenKum...@discussions.microsoft.com> wrote:
> > When we enabled Kerberos debugging, we found the following warnings in the
> > LSASS.log file:
> >
> > 456.580> Kerb-Warn: SPN not found HTTP <systemname>.domain.local
> > 456.580> Kerb-Warn: SpInitLsaModeContext failed to get outbound ticket,
> > KerbGetServiceTicket failed with 0xc000018b
> >
> > Sometimes we see the following errors in the Windows Event Log:
> >
> > A Kerberos Error Message was received:
> > on logon session
> > Client Time:
> > Server Time: 15:41:50.0000 3/4/2009 Z
> > Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
> > Extended Error: 0xc0000035 KLIN(0)
> > Client Realm:
> > Client Name:
> > Server Realm: <domain>
> > Server Name: HTTP/<domain>
> > Target Name: HTTP/<domain>
> > Error Text:
> > File: 9
> > Line: ae0
> > Error Data is in record data.
> >
> > For more information, see Help and Support Center at
> > http://go.microsoft.com/fwlink/events.asp.
> >
> > A Kerberos Error Message was received:
> > on logon session <domain>\<user>
> > Client Time:
> > Server Time: 14:11:24.0000 3/4/2009 Z
> > Error Code: 0x12 KDC_ERR_CLIENT_REVOKED
> > Extended Error: 0xc0000072 KLIN(0)
> > Client Realm:
> > Client Name:
> > Server Realm: DOMAIN
> > Server Name: krbtgt/<domain>
> > Target Name: krbtgt/<domain>
> > Error Text:
> > File: e
> > Line: 6c0
> > Error Data is in record data.
> >
> > For more information, see Help and Support Center at
> > http://go.microsoft.com/fwlink/events.asp.
> >
> > We have checked the SPN using SetSPN with -L option and see that both MOSS
> > and VMWare are part of the same domain.
> >
>
> Where are you configuring Kerberos authentication to be used MOSS ->
> VMWare? What you might be configuring is Negotiate and when it works
> you are actually using NTLM. This would likely be the case if you
> start from a session on the MOSS machine.
>
> When you are remote, the system will try Kerberos and start that
> process by trying to find an SPN. This looks to be failing, so there
> is something going wrong. If you want to have additional tools to
> troubleshoot this issue try the updated klist from my website
> www.securitay.com/support. You can try to get a ticket directly
> without going through the app layer which might help. You can also use
> it to clear the SPN lookup cache which can cause problems in testing.
>
> KDC_ERR_CLIENT_REVOKED is more puzzling because this typically
> indicates that the client account has been locked out in AD. Can you
> use the account to log on? Are you sure that the service account for
> the VMWare "service" is really running as who you think it is?
>
> HTH,
> Dave
>
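
The fix reported in this thread was removing an SPN that was defined more than once. The following is an added example, not code from any poster: it finds SPNs registered on more than one account in an LDIF export of the `servicePrincipalName` attribute (for instance one written by `ldifde -f spn.ldf -r "(servicePrincipalName=*)" -l servicePrincipalName`). The host names, account names and sample export are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in the layout ldifde writes: one record per account,
# a blank line between records, long lines folded with a leading space.
SAMPLE_LDIF = """\
dn: CN=MOSS01,OU=Servers,DC=domain,DC=local
changetype: add
servicePrincipalName: HOST/moss01.domain.local
servicePrincipalName: HTTP/moss01.domain.local

dn: CN=VMWEB01,OU=Servers,DC=domain,DC=local
changetype: add
servicePrincipalName: HOST/vmweb01.domain.local
servicePrincipalName: HTTP/vmweb01.domain.local

dn: CN=svc-webpool,OU=Service Accounts,DC=domain,DC=local
changetype: add
servicePrincipalName: http/VMWEB01.domain.
 local
"""

def unfold(text):
    """Join LDIF continuation lines (a line that starts with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def duplicate_spns(ldif_text):
    """Return {spn: sorted DNs} for each SPN held by more than one account.
    SPNs are lower-cased first because the directory matches them
    case-insensitively. Base64-encoded ("dn::") values are not decoded."""
    owners = defaultdict(set)
    dn = None
    for line in unfold(ldif_text):
        key, _, value = line.partition(":")
        key, value = key.lower(), value.strip()
        if key == "dn":
            dn = value
        elif key == "serviceprincipalname" and dn:
            owners[value.lower()].add(dn)
        elif not line.strip():
            dn = None  # blank line ends the current record
    return {s: sorted(d) for s, d in owners.items() if len(d) > 1}

if __name__ == "__main__":
    for spn, dns in duplicate_spns(SAMPLE_LDIF).items():
        print(spn, "->", " | ".join(dns))
```

In the constructed export, the HTTP SPN for the web services host sits on both the computer account and a service account, differing only in letter case, which a per-account `setspn -L` listing does not make obvious.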

 