Kerberos ticket authentication error

New configuration (How To)

Situation

We get the following error: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server sbpc128$. The target name used was cifs/sbnb018.scandia.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (SCANDIA.LOCAL) is different from the client domain (SCANDIA.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

Solution

Steps to follow

Kerberos authentication works again after the tickets (the Kerberos cache) are deleted on the server.
A Kerberos ticket is encrypted using the password of a client computer's account. If the password of the client computer's account changes during the authentication process, the ticket cannot be decrypted and authentication will fail.
To resolve this problem, go through the following steps while authenticated with Domain Admin credentials.
1. Log on to a domain controller, or use another computer that has Remote Server Administration Tools installed.
2. Click Start, navigate to Administrative Tools, and click Active Directory Users and Computers.
3. Locate the computer account in Active Directory Domain Services (AD DS).
4. Right-click the computer that is no longer in use, then click Delete.
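
Before locating and deleting an account, the error text itself tells you which two names to compare. The script below is an added example, not part of the original article: `Get-KrbModifiedInfo` is a hypothetical helper name, the sample message is the one quoted in this article, and the final `setspn -Q` lookup runs only where setspn.exe is available.

```powershell
# Added example. $sample is the event text quoted in this article.
$sample = 'The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server sbpc128$. ' +
          'The target name used was cifs/sbnb018.scandia.local. This indicates that the target ' +
          'server failed to decrypt the ticket provided by the client.'

function Get-KrbModifiedInfo {
    # Hypothetical helper: extracts the answering account and the requested SPN
    # from a KRB_AP_ERR_MODIFIED message and compares the two host names.
    param([Parameter(Mandatory)][string]$Message)

    $pattern = 'KRB_AP_ERR_MODIFIED error from the server (?<account>\S+?)\.\s+' +
               'The target name used was (?<spn>[^\s/]+/\S+?)\.(?:\s|$)'
    if (-not ($Message -match $pattern)) { return $null }   # different event or localized text

    $account = $Matches['account']
    $spn     = $Matches['spn']
    $class, $target = $spn -split '/', 2
    $spnHost  = ($target -split '[.:]')[0]    # short host name, without domain or port
    $answered = $account.TrimEnd('$')         # machine account names end in '$'

    [pscustomobject]@{
        AnsweringAccount = $account
        TargetSpn        = $spn
        ServiceClass     = $class
        SpnHost          = $spnHost
        Mismatch         = ($spnHost -ine $answered)
    }
}

$info = Get-KrbModifiedInfo -Message $sample
$info | Format-List

if ($info -and $info.Mismatch) {
    "Ticket was requested for '$($info.SpnHost)' but '$($info.AnsweringAccount)' answered."
    "Check both computer accounts in AD DS before deleting the one that is no longer in use."
}

# On a domain-joined machine, list every account that holds the SPN.
# A holder other than the account the service runs as matches the error text.
if ($info -and (Get-Command setspn.exe -ErrorAction SilentlyContinue)) {
    & setspn.exe -Q $info.TargetSpn
}
```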

To check the cached Kerberos tickets, use Klist:

1. Log on to the Kerberos client computer.

2. Open a Command Prompt.

3. Type "klist tickets" and press ENTER.

4. Check whether valid cached Kerberos tickets are present:

– Make sure the Client field shows the client on which you are running Klist.

– Make sure the Server field shows the domain you are connecting to.

Solution type

Permanent
