Willy

Reputation: 146

Multiple Kerberos errors on our domain

Can anybody assist me? We are having thousands of Kerberos errors on our domain and I just can't gather enough info to troubleshoot. It seems to be happening everywhere on the domain. I have some software I wrote which syncs from a database to AD and each time I authenticate it generates these events yet it still succeeds. I really don't know what else to check.

0x6 KDC_ERR_C_PRINCIPAL_UNKNOWN
0x19 KDC_ERR_PREAUTH_REQUIRED


An error event occurred.  EventID: 0x80000003

Time Generated: 12/20/2024   08:30:41

Event String:
        A Kerberos error message was received:

         on logon session <omitted domain name>\dc-ch-2$

         Client Time:
         Server Time: 15:30:41.0000 12/20/2024 Z

         Error Code: 0x6 KDC_ERR_C_PRINCIPAL_UNKNOWN

         Extended Error:

         Client Realm:
         Client Name:
         Server Realm: <omitted domain name>
         Server Name: krbtgt/<omitted domain name>
         Target Name: krbtgt/<omitted domain name>

         Error Text:

         File: onecore\ds\security\protocols\kerberos\client2\logonapi.cxx

         Line: e11

         Error Data is in record data.

Upvotes: 0

Views: 85

Answers (1)

ErkinD39

Reputation: 388

Logon type 3 means network logon.

0xC0000064 - "User logon with misspelled or bad user account".

0x6 KDC_ERR_C_PRINCIPAL_UNKNOWN implies a Service Principal Name (SPN) access problem.

It seems that you log on to the domain over the network from DC-CH-2 and the IP address in the event log, but the Kerberos protocol does not accept the username (in this case the computer$ account).

  • Please check whether you have recently taken DC-CH-2 out of the Active Directory domain or changed the DNS server IP address of this computer.

  • Please check the time sync between the computers involved in the script and the domain controllers. This should be at most 5 minutes (Kerberos requirement). Is it GMT-7 for the computer time-zone settings? I have seen a 7-hour difference in the logs.

  • On DC-CH-2, does the klist command list a TGT (Ticket Granting Ticket) after logging onto the domain? The user should automatically get a TGT after logging on.

  • Check DC-CH-2 computer secure channel with PDC Emulator role: netdom verify /d:.

If there is a problem, the secure channel should be reset, or if this is a Domain Controller, this role may need to be reinstalled.

  • Please also check setspn -L DC-CH-2. The list should be similar to other computers in the domain. SPNs are used by Kerberos to locate service names that are capable and that use the Kerberos protocol.

Upvotes: 0
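A first-pass triage parser for the event text quoted in the question, added here as an example and not code from either poster: it pulls the labelled fields out of one event, works out the difference between the UTC Server Time and the local Time Generated stamp under an assumed UTC offset, and reports which of the checks in the answer the event already fails. The domain name is a placeholder and the GMT-7 offset is an assumption taken from the answer.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the Kerberos event text in the question; the
# domain is a placeholder, the times and error code are the ones quoted there.
SAMPLE_EVENT = """A Kerberos error message was received:
 on logon session EXAMPLE\\dc-ch-2$
 Client Time:
 Server Time: 15:30:41.0000 12/20/2024 Z
 Error Code: 0x6 KDC_ERR_C_PRINCIPAL_UNKNOWN
 Extended Error:
 Client Realm:
 Client Name:
 Server Realm: example.local
 Server Name: krbtgt/example.local
 Target Name: krbtgt/example.local
"""
TIME_GENERATED = "12/20/2024   08:30:41"  # "Time Generated" header: the client's local clock
MAX_SKEW = timedelta(minutes=5)           # default Kerberos clock-skew tolerance

FIELD_RE = re.compile(r"^\s*(on logon session|Client Time|Server Time|Error Code|"
                      r"Client Name|Server Name|Target Name)\s*:?\s*(.*)$")

def parse_event(text):
    """Pull the labelled fields out of the event string; blank fields become ''."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def clock_skew(fields, time_generated, local_utc_offset_hours):
    """Server Time is UTC (trailing Z); Time Generated is local time. Convert the
    local stamp using the assumed UTC offset and return the absolute difference."""
    server = datetime.strptime(fields["Server Time"], "%H:%M:%S.%f %m/%d/%Y Z")
    server = server.replace(tzinfo=timezone.utc)
    local = datetime.strptime(" ".join(time_generated.split()), "%m/%d/%Y %H:%M:%S")
    local = local.replace(tzinfo=timezone(timedelta(hours=local_utc_offset_hours)))
    return abs(server - local)

def triage(fields, skew):
    """Return the checks from the answer that this single event already fails."""
    findings = []
    code = fields.get("Error Code", "")
    if code.startswith("0x6 "):
        findings.append("KDC does not know the client principal; verify the account behind "
                        "'%s' and its SPNs (setspn -L)" % fields.get("on logon session", "?"))
    if code.startswith("0x19 "):
        findings.append("pre-authentication requested; benign if the next AS-REQ succeeds")
    if not fields.get("Client Name"):
        findings.append("Client Name is blank in the event; confirm which account the logon session used")
    if skew > MAX_SKEW:
        findings.append("clock skew %s exceeds the 5 minute Kerberos limit" % skew)
    return findings
```

With the GMT-7 offset the skew comes out as zero, so the 7-hour gap in the logs is a time-zone display difference rather than a real Kerberos clock problem; run the same parser with offset 0 to see how a genuine skew would be flagged.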
