1. Welcome Guest! In order to create a new topic or reply to an existing one, you must register first. It is easy and free. Click here to sign up now!.
    Dismiss Notice

Kerberos Errors - KRB5KDC_ERR_BADOPTION

Discussion in 'Windows Security' started by Reeves, Jul 21, 2009.

  1. Reeves

    Reeves Guest

    I have configured the environment with Kerberos constrained delagation and it
    is working fine. I was running packet captures as I was getting intermittent
    authenication errors. My environment is using a service account on the IIS
    application pool and I have not configured server001 to delegate because the
    service account is set to delegate.

    I'm getting two errors that I would like to get more information on.

    All of the SPNs have been set and there is an spn set for host by default,
    but I am not able to figure out what service is trying to make the call with
    host/server001.test.com.

    Status Not Supported
    ------------------------------------------------------------------------
    Kerberos KRB-ERROR
    Record Mark: 150 bytes
    0... .... .... .... .... .... .... .... = Reserved: Not Set
    .000 0000 0000 0000 0000 0000 1001 0110 = Record Length: 150
    Pvno: 5
    MSG Type: KRB-ERROR (30)
    stime: 2009-07-14 18:37:49 (UTC)
    susec: 624858
    error_code: KRB5KDC_ERR_BADOPTION (13)
    Realm: TEST.COM
    Server Name (Service and Host): host/server001.test.com
    Name-type: Service and Host (3)
    Name: host
    Name: server001.test.com
    e-data PA-PW-SALT
    Type: PA-PW-SALT (3)
    Value: BB0000C00000000003000000
    NT Status: STATUS_NOT_SUPPORTED (0xc00000bb)
    Unknown: 0x00000000
    Unknown: 0x00000003


    Status No Match
    ------------------------------------------------------------------------
    Kerberos KRB-ERROR
    Record Mark: 150 bytes
    0... .... .... .... .... .... .... .... = Reserved: Not Set
    .000 0000 0000 0000 0000 0000 1001 0110 = Record Length: 150
    Pvno: 5
    MSG Type: KRB-ERROR (30)
    stime: 2009-07-14 18:43:24 (UTC)
    susec: 435209
    error_code: KRB5KDC_ERR_BADOPTION (13)
    Realm: TEST.COM
    Server Name (Service and Host): host/server001.test.com
    Name-type: Service and Host (3)
    Name: host
    Name: server001.test.com
    e-data PA-PW-SALT
    Type: PA-PW-SALT (3)
    Value: 720200C00000000003000000
    NT Status: STATUS_NO_MATCH (0xc0000272)
    Unknown: 0x00000000
    Unknown: 0x00000003
     
    Reeves, Jul 21, 2009
    #1
  3. PA Bear [MS MVP]

    PA Bear [MS MVP] Guest

    Please post such questions in a Windows Server-specific newsgroup, Reeves.
    Thanks.

    Reeves wrote:<!--coloro:blue--><span style="color:blue <!--/coloro-->
    > I have configured the environment with Kerberos constrained delagation and
    > it is working fine. I was running packet captures as I was getting
    > intermittent authenication errors. My environment is using a service
    > account on the IIS application pool and I have not configured server001 to
    > delegate because the service account is set to delegate.
    >
    > I'm getting two errors that I would like to get more information on.
    >
    > All of the SPNs have been set and there is an spn set for host by default,
    > but I am not able to figure out what service is trying to make the call
    > with
    > host/server001.test.com.
    >
    > Status Not Supported
    > ------------------------------------------------------------------------
    > Kerberos KRB-ERROR
    > Record Mark: 150 bytes
    > 0... .... .... .... .... .... .... .... = Reserved: Not Set
    > .000 0000 0000 0000 0000 0000 1001 0110 = Record Length: 150
    > Pvno: 5
    > MSG Type: KRB-ERROR (30)
    > stime: 2009-07-14 18:37:49 (UTC)
    > susec: 624858
    > error_code: KRB5KDC_ERR_BADOPTION (13)
    > Realm: TEST.COM
    > Server Name (Service and Host): host/server001.test.com
    > Name-type: Service and Host (3)
    > Name: host
    > Name: server001.test.com
    > e-data PA-PW-SALT
    > Type: PA-PW-SALT (3)
    > Value: BB0000C00000000003000000
    > NT Status: STATUS_NOT_SUPPORTED (0xc00000bb)
    > Unknown: 0x00000000
    > Unknown: 0x00000003
    >
    >
    > Status No Match
    > ------------------------------------------------------------------------
    > Kerberos KRB-ERROR
    > Record Mark: 150 bytes
    > 0... .... .... .... .... .... .... .... = Reserved: Not Set
    > .000 0000 0000 0000 0000 0000 1001 0110 = Record Length: 150
    > Pvno: 5
    > MSG Type: KRB-ERROR (30)
    > stime: 2009-07-14 18:43:24 (UTC)
    > susec: 435209
    > error_code: KRB5KDC_ERR_BADOPTION (13)
    > Realm: TEST.COM
    > Server Name (Service and Host): host/server001.test.com
    > Name-type: Service and Host (3)
    > Name: host
    > Name: server001.test.com
    > e-data PA-PW-SALT
    > Type: PA-PW-SALT (3)
    > Value: 720200C00000000003000000
    > NT Status: STATUS_NO_MATCH (0xc0000272)
    > Unknown: 0x00000000
    > Unknown: 0x00000003 <!--colorc--><!--/colorc-->
     
    PA Bear [MS MVP], Jul 21, 2009
    #2

Share This Page