We had Kerberos with delegation all working, but it suddenly stopped and we need some help to diagnose it, please.
We have sites running on a Web Server communicating to an App Server and App Pools running under a service account 'MYCOMPANY\svc_uat'.
SPNs are registered for the account, Constrained Delegation configured and there are no duplicate SPNs.
Calls to the Web Server succeed, but the Web Server Event log shows the following error:
A Kerberos error message was received:
on logon session
Client Time:
Server Time: 12:2:10.0000 8/8/2018 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc0000272 KLIN(0)
Client Realm:
Client Name:
Server Realm: MYCOMPANY.CO.UK
Server Name: HTTP/appserver.mycompany.co.uk
Target Name: HTTP/appserver.mycompany.co.uk@MYCOMPANY.CO.UK
Error Text:
File: 9
Line: 1396
Error Data is in record data.
I cannot find any information about the Extended Error 0xc0000272 KLIN(0), which I hoped could provide more insight.
Previously KDC_ERR_BADOPTION was due to a missing SPN for HTTP/appserver.mycompany.co.uk, but it is registered:
setspn -l MYCOMPANY\svc_uat
Registered ServicePrincipalNames for CN=svc_uat,OU=Users New Service Accounts,DC=internal,DC=mycompany,DC=co,DC=uk:
HTTP/webserver
HTTP/webserver.mycompany.co.uk
HTTP/appserver.mycompany.co.uk
HTTP/appserver
Constrained Delegation for MYCOMPANY\svc_uat includes:
HTTP\appserver
HTTP\appserver.mycompany.co.uk
Any help would be greatly appreciated.