1. Forum
  2. Usenet
  3. MICROSOFT.PUBLIC.WINDOWS.

  • Kerberos suddenly stopped working

    From Ricardo da Silva@21:1/5 to All on Wed Aug 8 05:47:42 2018
    We had Kerberos with delegation all working but it suddenly stopped and need some help to diagnose please.

    We have sites running on a Web Server communicating to an App Server and App Pools running under a service account 'MYCOMPANY\svc_uat'.
    SPNs are registered for the account, Constrained Delegation configured and there are no duplicate SPNs.

    Calls to Web Server succeed but Web Server Event log show the following error

    A Kerberos error message was received:
    on logon session
    Client Time:
    Server Time: 12:2:10.0000 8/8/2018 Z
    Error Code: 0xd KDC_ERR_BADOPTION
    Extended Error: 0xc0000272 KLIN(0)
    Client Realm:
    Client Name:
    Server Realm: MYCOMPANY.CO.UK
    Server Name: HTTP/appserver.mycompany.co.uk
    Target Name: HTTP/appserver.mycompany.co.uk@MYCOMPANY.CO.UK
    Error Text:
    File: 9
    Line: 1396
    Error Data is in record data.

    I cannot find any information about the Extended Error 0xc0000272 KLIN(0), which I hoped could provide more insight.

    Previously KDC_ERR_BADOPTION was due to missing SPN for HTTP/appserver.mycompany.co.uk, but it is registered

    setspn -l MYCOMPANY\svc_uat
    Registered ServicePrincipalNames for CN=svc_uat,OU=Users New Service Accou
    nts,DC=internal,DC=mycompany,DC=co,DC=uk:
    HTTP/webserver
    HTTP/webserver.mycompany.co.uk
    HTTP/appserver.mycompany.co.uk
    HTTP/appserver

    Contranstrained Delegation for MYCOMPANY\svc_uat includes
    HTTP\appserver
    HTTP\appserver.mycompany.co.uk


    Any help would be greatly appreciated.
    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)