Detect KERBEROS failure with error message

Hi Folks,

This blog targets essential Kerberos troubleshooting. I have come across many situations where finding the exact error message becomes very challenging and leaves you clueless, so here I am not going to cover any specific error; instead this blog will help you get the error details for a Kerberos failure.

Using the Fiddler and Network Monitor tools one can find the error details very easily. Certainly, reading and understanding a Fiddler or Network Monitor trace is not easy. I have tried to illustrate the traces using actual screenshots, so I hope it will help you conclude the issue from the data collected through the tools, even without hands-on experience. I am sure that once you have the exact error message you will be able to find the solution :)

Kerberos Failure Behavior: 3 prompts although a valid username and password are entered, then it fails with 401 (401.1)

Progressive Steps:

1. Detect whether NTLM is failing or working.

2. Confirm that Kerberos is failing using Fiddler and NetMon.

3. Enable Kerberos logging, reproduce the issue and check the System event log (https://support.microsoft.com/kb/262177).

Important Points:

1. Never troubleshoot Kerberos from the server. Make sure you browse the site from a client machine.

2. Internet Explorer Settings:

   #1. Make sure you add the URL to the “Local Intranet Zone”.

   #2. Enable Windows Integrated Authentication.

   #3. Automatic logon with current username and password, or Automatic logon only in Intranet Zone.

Download the Fiddler tool and install it on the client machine.

1. Clear the browser cache, start Fiddler and browse to the URL from Internet Explorer, e.g. https://rajkumar/time.asp

Now observe the request and response cycle:

If it is NTLM, you will see 2 consecutive 401s and then a 200 (Status Code or Result), and the Authorization ticket will not start with YII… but with anything other than YII… (generally it starts with TlRM…).

If it is Kerberos, you will see only one 401 and then a 200 (Status Code or Result), and the Authorization ticket will always start with YII…
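As an added example (not from the original post), the following Python script applies the check described above to the captured Authorization headers: it decodes the base64 token and looks for the NTLMSSP signature or a Kerberos OID instead of relying on the YII/TlRM prefix alone, then classifies a Fiddler-style 401/200 sequence. The sample headers are constructed inside the script, not captured from a real session.

```python
import base64
import binascii

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"                 # starts every raw NTLM message
KRB5_OID = bytes.fromhex("2a864886f712010202")     # 1.2.840.113554.1.2.2 (Kerberos V5)
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")  # 1.2.840.48018.1.2.2 (MS Kerberos)


def classify_authorization(header_value):
    """Return 'ntlm', 'kerberos' or 'unknown' for a value such as 'Negotiate <base64>'.
    Inspects the decoded bytes, so short SPNEGO tokens ('YIG...') are handled too."""
    _scheme, _, token = header_value.strip().partition(" ")
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "unknown"
    # NTLM stands alone ('TlRM...') or sits inside a SPNEGO mechToken; either way
    # the NTLMSSP signature is present in the decoded bytes.
    if NTLMSSP_SIGNATURE in raw:
        return "ntlm"
    # 0x60 = GSS-API InitialContextToken; a Kerberos OID means an AP-REQ was sent.
    if raw[:1] == b"\x60" and (KRB5_OID in raw or MS_KRB5_OID in raw):
        return "kerberos"
    return "unknown"


def describe_exchange(exchange):
    """Classify a Fiddler-style list of (status_code, Authorization header or None)."""
    statuses = [status for status, _ in exchange]
    mechs = {classify_authorization(hdr) for _, hdr in exchange if hdr}
    if statuses == [401, 200] and mechs == {"kerberos"}:
        return "kerberos-ok"        # one 401, then 200 carrying a Kerberos ticket
    if statuses == [401, 401, 200] and mechs == {"ntlm"}:
        return "ntlm-ok"            # two 401s (type 1, type 3), then 200
    if statuses and all(status == 401 for status in statuses):
        return "auth-failed"        # the repeated-prompt pattern from the post
    return "unrecognised"


def sample_ntlm_header():
    # Constructed NTLM NEGOTIATE (type 1) message: signature, type, flags, empty fields.
    msg = NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + b"\x07\x82\x08\xa2" + b"\x00" * 16
    return "Negotiate " + base64.b64encode(msg).decode()  # begins 'TlRMTVNTUAAB'

def sample_kerberos_header():
    # Constructed GSS-API token: [APPLICATION 0] { OID krb5, AP-REQ id, dummy body }.
    body = b"\x06\x09" + KRB5_OID + b"\x01\x00" + b"\x00" * 300
    token = b"\x60\x82" + len(body).to_bytes(2, "big") + body
    return "Negotiate " + base64.b64encode(token).decode()  # begins 'YII'
```

Feed it the status codes and Authorization headers copied from the Fiddler session list; a run of 401s with a Kerberos token is the case to take to the NetMon trace below.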

Slide1

2. If Kerberos is failing, get the error details: download Network Monitor and capture a trace (always open the Network Monitor tool as an administrator).

     Step 1: Close all the IE windows and clear all the browser cache.

     Step 2: Purge the ticket

          On IIS 7

               Open a command prompt and type Klist purge

               C:\>KLIST purge

                   Current LogonId is 0:0x70a16
                   Deleting all tickets:
                   Ticket(s) purged!

          On IIS 6

               Download KerbTray, go to the task manager, choose the icon, right-click and hit “Purge Ticket”.

     Step 3: Capture the Network Monitor trace (NetMon trace).

          Start NetMon, browse to the URL e.g. https://rajkumar/time.asp, enter the username/password 3 times and let it fail with 401.

          Apply the filter as highlighted and add the extra columns, e.g. Krb Principal Name String and Kerberos Summary.

If Kerberos is failing, it will list the reason and error code. In my case it is pointing to the SPN (Service Principal Name) with error code KRB_ERROR – KDC_ERR_S_PRINCIPAL_UNKNOWN (7), so I am sure now that there is something wrong with the SPN names and I can continue troubleshooting from the SPN perspective.

Netmon