BO XI 3.0 Kerberos Authentication error

Similar Messages

• Authentication errors in Magic Triangle set up

  Hi All,
  I have recently integrated a SL server into AD to provide MCXs to Mac workstations as well as network homes, time machine server etc.
  Everything is working fine and there aren't any major problems - clients can log into AFP homes and the majority of MCXs are working well.  One thing I have noticed though is that exactly every 2 hours I get an error in Windows event viewer complaining of a Kerberos authentication error (Event ID 4768).  The account name specified in the event log is the computer record for the OD master.
  I did a bit of digging through the logs and can see the successful logging in of the Mac server computer account to the Password server.  In the password server service log, I get this:
  RSAVALIDATE: success.
  Apr  8 2012 14:10:12    USER: {0x4f7e1ea56b8b4567000000040000000, server.domain.com$} is the current user.
  Apr  8 2012 14:10:12    AUTH2: {0x4f7e1ea56b8b4567000000040000000, server.domain.com$} CRAM-MD5 authentication succeeded.
  The computer account 'server.domain.com$' is listed when you go into WGM and go to 'show system records' and is the computer account for the mac server that is the OD master.
  I believe that the server is trying to authenticate to the Windows DC, receiving an error (and generating the 4768 error code) and then successfully authenticating to OD. 
  I have changed the search policy on the server to authenticate against OD first and then AD, but I am still getting this error.  I don't know whether Directory Utility is buggy and incorrectly shows LDAP before AD as I cannot find the dscl command to list search policies anywhere, only to add, delete and amend search policies.
  Questions:
  1) Why is the server authenticating to itself every 2 hours?
  2) Does anyone know how to list the search policy order in dscl, so I can verify that the server is actually authing against OD first?
  3) If the search policy is OK, and I suspect it is, why is the server trying to auth against AD?
  4) Has anyone else seen this error and, if so, how did you resolve?
  Coincidently, I also get this error when I log into WGM using the directory admin username/password.
  TIA

  Hi James,
  Received wisdom for Magic Triangle is to bind the Mac server to AD and ensure that Kerberos is disabled on the Mac server. It sounds like you may not have done it that way?
  This reference may help:
  http://www.afp548.com/netboot/mactips/activedir.html
  Just a guess - but perhaps the re-authentication every 2 hours is due to Kerberos ticket expiration?
  Best

• WinRM cannot process the request. The following error occured while using Kerberos authentication: The network path was not found.

  I have two forests with a transitive on-way trust between them: PROD -> TEST (test trusts PROD). I had previously had kerberos authentication working with winrm from PROD to machines in TEST. I have verified the trust is healthy, I also verified users
  in TEST can use WINRM with kerberos just fine. Users from PROD cannot connect via kerberos to machines in TEST with winrm.
  I have verified the service has registered the appropriate SPNs. I ran dcdiag against all my PROD and TEST domain controllers and didn't find anything that would prevent kerberos from happening. I even tried disabling the firewall entirely on my TEST dcs
  but that didn't gain me anything.
  I've enabled kerberos logging but only see the expected errors such as it couldn't find a PROD SPN for the machine, which it shouldn't from what I understand, it should go to the TEST domain and find the SPN from there.
  I'm really out of next steps before I call PSS and hope someone here has run into this and could provide me some next steps.
  PowerShell Error:
  Connecting to remote server failed with the following error message : WinRM cannot process the request. The following error occured while using Kerberos authentication: The network path was not found.  
   Possible causes are:
    -The user name or password specified are invalid.
    -Kerberos is used when no authentication method and no user name are specified.
    -Kerberos accepts domain user names, but not local user names.
    -The Service Principal Name (SPN) for the remote computer name and port does not exist.
    -The client and remote computers are in different domains and there is no trust between the two domains.
   After checking for the above issues, try the following:
    -Check the Event Viewer for events related to authentication.
    -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
   Note that computers in the TrustedHosts list might not be authenticated.
     -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
      + CategoryInfo          : OpenError: (:) [], PSRemotingTransportException
      + FullyQualifiedErrorId : PSSessionStateBroken
  winrs Error:
  Winrs error:
  WinRM cannot process the request. The following error occured while using Kerberos authentication: The network path was not found.  
   Possible causes are:
    -The user name or password specified are invalid.
    -Kerberos is used when no authentication method and no user name are specified.
    -Kerberos accepts domain user names, but not local user names.
    -The Service Principal Name (SPN) for the remote computer name and port does not exist.
    -The client and remote computers are in different domains and there is no trust between the two domains.
   After checking for the above issues, try the following:
    -Check the Event Viewer for events related to authentication.
    -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
   Note that computers in the TrustedHosts list might not be authenticated.
     -For more information about WinRM configuration, run the following command: winrm help config.

  Hi Adam,
  I'm a little unclear about which SPNs you were looking for, in which case could you confirm you were checking that on the computer object belonging to the actual destination host it has the following SPNs registered?
  WSMAN/<NetBIOS name>
  WSMAN/<FQDN>
  If you were actually trying to use WinRM to connect to the remote forest's domain controllers, then what you said makes sense, but I was caught between assuming this was the case or you meant another member server in that remote forest.
  Also, from the client trying to connect to this remote server, are you able to telnet to port 5985? (If you've used something other than the default, try that port)
  If you can't, then you've got something else like a firewall (be that the Windows firewall on the destination or a hardware firewall somewhere in between) blocking you at the port level, or the listener on the remote box just isn't working as expected. I
  just replied to your other winrm post with steps for checking the latter, so I won't repeat myself here.
  If you can telnet to it and the SPNs exist, then you might be up against something called selective authentication which has to do with how the trust was defined. You can have a read of
  this to learn a bit more about selective trusts and whether or not it's affecting you.
  Cheers,
  Lain

• Error Event ID 11 The KDC encountered duplicate names while processing a Kerberos authentication request.

  I've been noticing The Error with event ID 11 popping up a lot on our domain controllers:
  The KDC encountered duplicate names while processing a Kerberos authentication request.
  When running setspn -X it says that it found 111 groups of duplicate SPNs. However, when going through the list, it references domain service accounts that are used to run our SQL Server services. We have about 50 remote locations and each of them has 3
  machines participating in a SQL mirror (principal, mirror, witness) and they all run the SQL Server service on the same account (1 account per location).
  We haven't experienced any issues at all but I was wondering if this could cause problems or if we are straying from best practice. Any advice is welcome. Thanks!

  I believe what you should do to follow best practice is to provide unique SPNs for each SQL server, which will also provide increased security, and to do that you must create individual service account for each SQL server so it can associate that
  account with that server's SPN.
  Here's more on it to help guide you. Read Paul's comments, as well as other suggestions in the following thread:
  event ID 11 There are multiple accounts with name MSSQLSvc/xxxxxx
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/8df35316-23ba-48ba-aa3e-2249fcbfecbc/event-id-11-there-are-multiple-accounts-with-name-mssqlsvcxxxxxx?forum=winserverDS
  Ace Fekay
  MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
  Microsoft Certified Trainer
  Microsoft MVP - Directory Services
  Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
  This posting is provided AS-IS with no warranties or guarantees and confers no rights.

• Exchange 2010 sp2 emc initialization error using "kerberos" authentication failed

  We use exchange 2010 SP2.
  We have 2 management stations, both w2k8 R2 SP1.
  I have one mangement station on which the emc and ems works ok.
  On the other management staiton (which is also in another ad site) the emc and ems don't work.
  I get the following error message : The attempt to connect to
  http://fqdnCasServer/PowerShell using "Kerberos" authentication failed: Connecting to remote server failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
  I have checked the time on the management station and on the exchange server and this is ok.
  It is not a permissions issue because the user functions ok on the other management station.
  On the bad management station I can open the emc once and after a minute I get an error message and the message access denied. From then on I can't connect any more.
  What am I doing wrong?
  Anyone any tips?
  Thanks,
  JB 

  This is what I get in the eventlog of the bad management station.
  Log Name:      MSExchange Management
  Source:        MSExchange CmdletLogs
  Date:          1/10/2012 11:39:27
  Event ID:      6
  Task Category: (1)
  Level:         Error
  Keywords:      Classic
  User:          N/A
  Computer:      Server.domain.com
  Description:
  The description for Event ID 6 from source MSExchange CmdletLogs cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
  If the event originated on another computer, the display information had to be saved with the event.
  The following information was included with the event:
  Get-ExchangeServer
  {Identity=Servername}
  Domain/ou/ou/ou/ou/username
  Exchange Management Console-Local
  3080
  22
  00:00:00.3593888
  View Entire Forest: 'True', Configuration Domain Controller: 'FQDN DC', Preferred Global Catalog: 'FQDN DC', Preferred Domain Controllers: '{ FQDN DN }'
  Microsoft.Exchange.Configuration.Tasks.ManagementObjectNotFoundException: The operation couldn't be performed because object 'FQDN MGMTSTATION' couldn't be found on 'FQDN DC'.
  Context
  the message resource is present but the message is not found in the string/message table
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="MSExchange CmdletLogs" />
      <EventID Qualifiers="49152">6</EventID>
      <Level>2</Level>
      <Task>1</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2012-10-01T09:39:27.000000000Z" />
      <EventRecordID>11</EventRecordID>
      <Channel>MSExchange Management</Channel>
      <Computer>FQDN MGMT STATION</Computer>
      <Security />
    </System>
    <EventData>
      <Data>Get-ExchangeServer</Data>
      <Data>{Identity=MGMT STATION}</Data>
      <Data>domain/ou/ou/ou/ou/username</Data>
      <Data>
      </Data>
      <Data>
      </Data>
      <Data>Exchange Management Console-Local</Data>
      <Data>3080</Data>
      <Data>
      </Data>
      <Data>22</Data>
      <Data>00:00:00.3593888</Data>
      <Data>View Entire Forest: 'True', Configuration Domain Controller: 'FQDN DC', Preferred Global Catalog: 'FQDN DC', Preferred Domain Controllers: '{ FQDN DC }'</Data>
      <Data>Microsoft.Exchange.Configuration.Tasks.ManagementObjectNotFoundException: The operation couldn't be performed because object 'FQDN MGMT STATION' couldn't be found on 'FQDN DC'.</Data>
      <Data>Context</Data>
      <Data>
      </Data>
    </EventData>
  </Event>

• Error=49 from the LDAP server for GSSAPI Kerberos authentication

  I am trying to find solution for ldapsearch failure with GSSAPI Kerberos authentication . I am running Sun Directory Server 5.2 P4 on a Solaris-9 sparc machine..
  Steps :
  bash-2.05# kinit tester1
  Password for [email protected]:
  bash-2.05#
  When I do ldapsearch , I am getting following logs on the server :
  tail -f /var/Sun/mps/slapd-bf1r-dsun-1/logs/access
  [22/Feb/2007:01:44:16 -0700] conn=32 op=-1 msgId=-1 - fd=26 slot=26 LDAP connection from 10.7.30.185 to 10.7.30.16
  [22/Feb/2007:01:44:16 -0700] conn=32 op=0 msgId=1 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
  [22/Feb/2007:01:44:16 -0700] conn=32 op=0 msgId=1 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
  [22/Feb/2007:01:44:16 -0700] conn=32 op=1 msgId=2 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
  [22/Feb/2007:01:44:16 -0700] conn=32 op=1 msgId=2 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
  [22/Feb/2007:01:44:16 -0700] conn=32 op=2 msgId=3 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
  [22/Feb/2007:01:44:16 -0700] conn=32 op=2 msgId=3 - RESULT err=49 tag=97 nentries=0 etime=0
  [22/Feb/2007:01:44:16 -0700] conn=32 op=3 msgId=4 - UNBIND
  [22/Feb/2007:01:44:16 -0700] conn=32 op=3 msgId=-1 - closing - U1
  [22/Feb/2007:01:44:17 -0700] conn=32 op=-1 msgId=-1 - closed.
  [22/Feb/2007:01:45:50 -0700] conn=33 op=-1 msgId=-1 - fd=26 slot=26 LDAP connection from 10.7.30.185 to 10.7.30.16
  [22/Feb/2007:01:45:50 -0700] conn=33 op=0 msgId=1 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
  [22/Feb/2007:01:45:50 -0700] conn=33 op=0 msgId=1 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
  [22/Feb/2007:01:45:50 -0700] conn=33 op=1 msgId=2 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
  [22/Feb/2007:01:45:50 -0700] conn=33 op=1 msgId=2 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
  [22/Feb/2007:01:45:50 -0700] conn=33 op=2 msgId=3 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
  [22/Feb/2007:01:45:50 -0700] conn=33 op=2 msgId=3 - RESULT err=49 tag=97 nentries=0 etime=0
  [22/Feb/2007:01:45:50 -0700] conn=33 op=3 msgId=4 - UNBIND
  [22/Feb/2007:01:45:50 -0700] conn=33 op=3 msgId=-1 - closing - U1
  [22/Feb/2007:01:45:51 -0700] conn=33 op=-1 msgId=-1 - closed.
  I am using default Identiy Mapping and the ldif file looks like this :
  dn: cn=default,cn=GSSAPI,cn=identity mapping,cn=config
  objectClass: dsIdentityMapping
  objectClass: nsContainer
  objectClass: dsPatternMatching
  objectClass: top
  cn: default
  dsMatching-pattern: ${Principal}
  creatorsName: cn=directory manager
  createTimestamp: 20070220045812Z
  dsMatching-regexp: uid=(.*)
  dsSearchBaseDN: ou=people,dc=test1,dc=com
  dsMappedDN: uid=${Principal},ou=people,dc=test1,dc=com
  modifiersName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoo
  t
  modifyTimestamp: 20070221082740Z
  Following is the snoop for LDAP on the server :
  bash-2.05# !snoop
  snoop -v port 389 | grep LDAP
  Using device /dev/eri (promiscuous mode)
  TCP: Destination port = 389 (LDAP)
  LDAP: ----- LDAP: -----
  LDAP:
  LDAP: ""
  LDAP:
  LDAP: ----- LDAP: -----
  LDAP:
  LDAP: ""
  LDAP:
  TCP: Destination port = 389 (LDAP)
  LDAP: ----- LDAP: -----
  LDAP:
  LDAP: ""
  LDAP:
  TCP: Destination port = 389 (LDAP)
  LDAP: ----- Lightweight Directory Access Protocol Header -----
  LDAP: *[LDAPMessage]
  LDAP: [Message ID]
  LDAP: Operation *[APPL 0: Bind Request]
  LDAP: [Version]
  LDAP: [Object Name]
  LDAP: uid=tester1,ou=people,dc=test1,d
  LDAP: c=com
  LDAP: Authentication: SASL *[3]
  LDAP: [OctetString]
  LDAP: GSSAPI
  LDAP: [OctetString]
  LDAP: *** NOT PRINTED - Too long value ***
  LDAP:
  LDAP: ----- LDAP: -----
  LDAP:
  LDAP: ""
  LDAP:
  LDAP: ----- Lightweight Directory Access Protocol Header -----
  LDAP: *[LDAPMessage]
  LDAP: [Message ID]
  LDAP: Operation *[APPL 1: Bind Response]
  LDAP: [Result Code]
  LDAP: SASL Bind In Progress
  LDAP: [Matched DN]
  LDAP: [Error Message]
  LDAP: SASL Credentials [7]
  LDAP:
  TCP: Destination port = 389 (LDAP)
  LDAP: ----- LDAP: -----
  LDAP:
  LDAP: ""
  LDAP:
  TCP: Destination port = 389 (LDAP)
  LDAP: ----- Lightweight Directory Access Protocol Header -----
  LDAP: *[LDAPMessage]
  LDAP: [Message ID]
  LDAP: Operation *[APPL 0: Bind Request]
  LDAP: [Version]
  LDAP: [Object Name]
  LDAP: uid=tester1,ou=people,dc=test1,d
  LDAP: c=com
  LDAP: Authentication: SASL *[3]
  LDAP: [OctetString]
  LDAP: GSSAPI
  LDAP:
  LDAP: ----- LDAP: -----
  LDAP:
  LDAP: ""
  LDAP:
  LDAP: ----- Lightweight Directory Access Protocol Header -----
  LDAP: *[LDAPMessage]
  LDAP: [Message ID]
  LDAP: Operation *[APPL 1: Bind Response]
  LDAP: [Result Code]
  LDAP: SASL Bind In Progress
  LDAP: [Matched DN]
  LDAP: [Error Message]
  LDAP: SASL Credentials [7]
  LDAP:
  TCP: Destination port = 389 (LDAP)
  LDAP: ----- LDAP: -----
  LDAP:
  LDAP: ""
  LDAP:
  TCP: Destination port = 389 (LDAP)
  LDAP: ----- Lightweight Directory Access Protocol Header -----
  LDAP: *[LDAPMessage]
  LDAP: [Message ID]
  LDAP: Operation *[APPL 0: Bind Request]
  LDAP: [Version]
  LDAP: [Object Name]
  LDAP: uid=tester1,ou=people,dc=test1,d
  LDAP: c=com
  LDAP: Authentication: SASL *[3]
  LDAP: [OctetString]
  LDAP: GSSAPI
  LDAP: [OctetString]
  LDAP:
  LDAP: ----- Lightweight Directory Access Protocol Header -----
  LDAP: *[LDAPMessage]
  LDAP: [Message ID]
  LDAP: Operation *[APPL 1: Bind Response]
  LDAP: [Result Code]
  LDAP: 1
  LDAP: Invalid Credentials
  LDAP: [Matched DN]
  LDAP: [Error Message]
  LDAP: SASL(-1): generic failure:
  LDAP:
  TCP: Destination port = 389 (LDAP)
  LDAP: ----- LDAP: -----
  LDAP:
  LDAP: ""
  LDAP:
  TCP: Destination port = 389 (LDAP)
  LDAP: ----- Lightweight Directory Access Protocol Header -----
  LDAP: *[LDAPMessage]
  LDAP: [Message ID]
  LDAP: Operation [APPL 2: Unbind Request]
  LDAP:
  TCP: Destination port = 389 (LDAP)
  LDAP: ----- LDAP: -----
  LDAP:
  LDAP: ""
  LDAP:
  LDAP: ----- LDAP: -----
  LDAP:
  LDAP: ""
  LDAP:
  LDAP: ----- LDAP: -----
  LDAP:
  LDAP: ""
  LDAP:
  TCP: Destination port = 389 (LDAP)
  LDAP: ----- LDAP: -----
  LDAP:
  LDAP: ""
  LDAP:
  Please help me on how to fix this issue.
  Thanks,
  Radhakrishnan

  I did reply on the other thread of yours...
  Ludovic

• Kerberos Authentication between Sharepoint 2013 Foundation - SSRS 2012 - Oracle 11g failing with ORA-12638: Credential retrieval failed

  I have set up SharePoint 2013 Foundation, SharePoint Reporting Services and SQL Server 2012 in a single server. I then created a Data Connection to Oracle 11g. Upon testing the connection, it throws the error “ORA-12638: Credential retrieval failed”.
  Given below are the steps of installation and configuration.
  Installation till basic authentication:
  The installation has been done in a
  single server.
  Installed SQL Server 2012 (Developer version).
  Selected only the following features:
  Database Engine Services
  Analysis Services
  Reporting Services – SharePoint
  Reporting Services Add-in for SharePoint Products
  Management Tools – Basic
  - Management Tools - Complete
    2. Installed SQL Server 2012 SP1.
    3. Installed SQL Server 2012 SP2.
    4. Installed SharePoint Foundation 2013.
    5. Created web application (without Kerberos; we did not even create the SPNs).
        The application pool has been configured to use Reporting Services account since it is a single server installation. This account has been registered as a managed
  account.
    6. Created Site Collection.
    7. Verified that Reporting Services is not installed.
    8. Installed SharePoint Reporting Services from SharePoint 2013 Management Shell.
    9. Verified that Reporting Services is installed.
   10. Created a new SQL Server Reporting Services Service Application and associated the Web Application to the new SQL server Reporting Services Service Application.
    11. Verified that SQL Server Reporting Services Service Application and its proxy have started. Reset IIS.
    12. Created a Site.
    13. Created a Data Connection library with “Report Data Source” content type.
    14. Created a Report Model library with “Report Builder Model” content type.
    15. Created a Report library with “Report Builder Report” content type.
    16. Uploaded an SMDL to the Report Model library.
    17. Added the top level site to Local Intranet instead of as a Trusted Site in the browser settings.
    18. Able to create and save a report using Report Builder.
  Hence, basic authentication is working and SSRS is able to connect to Oracle database.
  Next we have to configure Kerberos settings between SharePoint and SQL Server.
  Implementation of Kerberos authentication
  In the Report Server machine, opened the file C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\WebServices\Reporting\rsreportserver.config  and added the Authentication Types of RSWindowsNegotiate
  and RSWindowsKerberos.
   2.  Set up the following SPNs.
                 a) SQL Server Database Engine service (sqlDbSrv2):
                  setspn -S MSSQLSvc/CER1110:1433 CERDEMO\sqlDbSrv2
                  setspn -S MSSQLSvc/CER1110.cer.demo.com:1433 CERDEMO\sqlDbSrv2
               In the Delegation tab of the account, selected "Trust this user for delegation to any service (Kerberos only)".
  b) Account: SharePoint Setup Admin account (spAdmin2)
       setspn -S HTTP/CER1110:9999 CERDEMO\spAdmin2
                  setspn -S HTTP/CER1110.cer.demo.com:9999 CERDEMO\spAdmin2
                  In the Delegation tab of the account, selected "Trust this user for delegation to any  service
  (Kerberos only)".
  c) Account: SQL Server Reporting Service account (sqlRepSrv2)
                     setspn -S HTTP/CER1110 CERDEMO\sqlRepSrv2
                     setspn -S HTTP/CER1110.cer.demo.com CERDEMO\sqlRepSrv2
                     In the Delegation tab of the account, selected "Trust this user for delegation to any service
  (Kerberos only)".
    3. Configure the Web Application to use “Negotiate (Kerberos)”.
    4. Logged in as SharePoint Administrator to the SharePoint server and opened the top level site in the IE browser.
       The Event Viewer logged the login process for the SharePoint Administration account as
  Negotiate and not Kerberos.
    5. Implemented Kerberos for Oracle database and client.
       Able to connect to the Oracle database via Kerberos authentication using SQL Plus.
    6. Turn on Windows Firewall.
    7. While testing the site's data connection using Kerberos settings, got the error
  “Can not convert claims identity to windows token. This may be due to user not logging in using windows credentials.”
        Note: The Data Connection for basic authentication still worked.
    8. Created a Claims to Windows Token Service account (spC2WTS2).
    9. Started the Claims to Windows Token Service.
   10. Registered the Claims to Windows Token Service account as a Managed Account.
   11. Changed the Claims To Windows Token Service to use the above managed account.
   12. Verified that the Claims to Windows Token Service account (spC2WTS2) is automatically added to the WSS_WPG local group on the SharePoint box.
        Note: The Reporting Services service account is also a part of the WSS_WPG local group.
   13. Added the Claims to Windows Token Service account (spC2WTS2) to the Local Admin Group on the machine having the SharePoint App Server.
   14. In the SharePoint box, added the Claims to Windows Token Service account (spC2WTS2) in the Act as part of the operating system policy right.
   15. The Claims to Windows Token Service account (spC2WTS2) has the WSS_WPG group configured.
        When the C2WTS service was configured to use the managed account Claims to Windows Token Service account (spC2WTS2) earlier, the spC2WTS2 account was automatically
  added to the WSS_WPG local group on the SharePoint box. The WSS_WPG group in turn is configured in c2wtshost.exe.config file.
   16. Verified that the Reporting Services account is a managed account and part of the WSS_WPG group.
   17. Earlier Service Application Pool - SQL Server Reporting Services App Pool service was associated with the SharePoint Admin account.
        Changed this to associate the Reporting Service account with the Service Application Pool - SQL Server Reporting Services App Pool service.
   18. Changed the delegation of the Reporting Service account to constrained delegation with Protocol Transitioning. This is because we are transitioning from one authentication scheme (Claims) to another (Windows Token).
        For this, the delegation has been changed to "Trust this user for delegation to specified services only". Also, selected the sub radio button "Use
  any authentication protocol". Selected the Oracle Kerberos service as the service to which this account can present delegated credentials.
        Note: The Reporting Service account already had an HTTP SPN.
   19. Next, the goal was to make the Claims To Windows Token Service account match the Reporting Service account.
         For this, we created a fake SPN for the Claims To Windows Token Service account since the delegation tab was missing.
         The delegation has been changed to "Trust this user for delegation to specified services only". Also, selected the sub radio button "Use any
  authentication protocol". Selected the Oracle Kerberos service as the service to which this account can present delegated credentials.
   20. Restarted the SharePoint server.
   21. Tested the data connection with the Kerberos settings again.
         Got the error
  “ORA-12638: Credential retrieval failed”.
  Can anyone tell me what is wrong with this setup?

  http://www.freeoraclehelp.com/2011/10/kerberos-authentication-for-oracle.html
  Problem4: ORA-12638: Credential retrieval failed
  Solution:  Make sure that SQLNET.KERBEROS5_CC_NAME is set in sqlnet.ora and okinit has been run before attempting to connect to the database.
  Do check 
  http://webcache.googleusercontent.com/search?q=cache:5a2Pf3FH7vkJ:externaltable.blogspot.com/2012/06/kerberos-authentication-and-proxy-users.html+&cd=5&hl=en&ct=clnk&gl=in
  If this helped you resolve your issue, please mark it Answered. You can reach me through http://itfreesupport.com/

• Updating hybrid configuration failed - Kerberos authentication: The network path was not found

  I'm configuring Exchange 2010 SP3 as a Hybrid server with Exchange Online. This is a single server running Exchange roles Mailbox, Client Access, Unified Messaging and Hub Transport.
  When I run the Manage Hybrid Configuration, I receive the following error:
  Updating hybrid configuration failed with error
  'System.Management.Automation.Remoting.PSRemotingTransportException: Connecting to remote server failed with the following error message : WinRM cannot process the request. The following error occurred while using Kerberos authentication: The network
  path was not found.
  The full text from the Hybrid Configuration log file (C:\Program Files\Microsoft\Exchange Server\V14\Logging\Update-HybridConfiguration)
  [1/5/2014 21:21:1] INFO:Opening runspace to
  http://[servername]/powershell?serializationLevel=Full
  [1/5/2014 21:21:1] INFO:Disconnected from On-Premises session
  [1/5/2014 21:21:1] ERROR:Updating hybrid configuration failed with error 'System.Management.Automation.Remoting.PSRemotingTransportException: Connecting to remote server failed with the following error message : WinRM cannot process the request. The following
  error occured while using Kerberos authentication: The network path was not found. 
   Possible causes are:
    -The user name or password specified are invalid.
    -Kerberos is used when no authentication method and no user name are specified.
    -Kerberos accepts domain user names, but not local user names.
    -The Service Principal Name (SPN) for the remote computer name and port does not exist.
    -The client and remote computers are in different domains and there is no trust between the two domains.
   After checking for the above issues, try the following:
    -Check the Event Viewer for events related to authentication.
    -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
   Note that computers in the TrustedHosts list might not be authenticated.
     -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
     at System.Management.Automation.Runspaces.AsyncResult.EndInvoke()
     at System.Management.Automation.Runspaces.Internal.RunspacePoolInternal.EndOpen(IAsyncResult asyncResult)
     at System.Management.Automation.Runspaces.RunspacePool.Open()
     at System.Management.Automation.RemoteRunspace.Open()
     at Microsoft.Exchange.Management.Hybrid.RemotePowershellSession.Connect(PSCredential credentials, CultureInfo sessionUiCulture)
     at Microsoft.Exchange.Management.Hybrid.Engine.Execute(ILogger logger, String onPremPowershellHost, PSCredential onPremCredentials, PSCredential tenantCredentials, HybridConfiguration hybridConfiguration)
     at Microsoft.Exchange.Management.SystemConfigurationTasks.UpdateHybridConfiguration.InternalProcessRecord()'.
  I have sought help, posting on the forum at community.office365.com -
  http://community.office365.com/en-us/forums/158/t/212265.aspx. But I've got to a point where I believe the problem is more to do with how PowerShell is operating on the on-prem Exchange server.
  Has anyone else come across this problem running the Hybrid Configuration Wizard?

  Hello Darrell,
  Have you verified the settings of Powershell virtual directories for the on-premises Exchange Servers? The following article has a list of some common issues with that virtual directory and how to correct them:
  http://technet.microsoft.com/en-us/library/ff607221(v=exchg.80).aspxI would take a look at the one titled "Configure Kerberos Authentication" specifically to ensure everything
  looks good.
  As the article states you can run the Exchange BPA and it will check if any of these exist as well.

• The KDC encountered duplicate names while processing a Kerberos authentication request in a Domain controller server

  HI
  we have a sharepoint farm and in domain controller server, this error is in event viewer
  Log Name:      System
  Source:        Microsoft-Windows-Kerberos-Key-Distribution-Center
  Date:          9/15/2014 10:44:15 PM
  Event ID:      11
  Task Category: None
  Level:         Error
  Keywords:      Classic
  User:          N/A
  Computer:      XXXAPP01.xxxportal.com
  Description:
  The KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is HTTP/XXXWFE01.xxxportal.com (of type DS_SERVICE_PRINCIPAL_NAME). This may result in authentication failures or downgrades to NTLM. In order to prevent
  this from occuring remove the duplicate entries for HTTP/XXXWFE01.xxxportal.com in Active Directory.
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Microsoft-Windows-Kerberos-Key-Distribution-Center" Guid="{3FD9DA1A-5A54-46C5-9A26-9BD7C0685056}" EventSourceName="KDC" />
      <EventID Qualifiers="49152">11</EventID>
      <Version>0</Version>
      <Level>2</Level>
      <Task>0</Task>
      <Opcode>0</Opcode>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2014-09-15T19:44:15.000000000Z" />
      <EventRecordID>131824</EventRecordID>
      <Correlation />
      <Execution ProcessID="0" ThreadID="0" />
      <Channel>System</Channel>
      <Computer>XXXAPP01.xxxportal.com</Computer>
      <Security />
    </System>
    <EventData>
      <Data Name="Name">HTTP/XXXWFE01.xxxportal.com</Data>
      <Data Name="Type">DS_SERVICE_PRINCIPAL_NAME</Data>
      <Binary>
      </Binary>
    </EventData>
  </Event>
  adil

  Hi adil,
  Service principal names (SPNs) are stored as a property of the associated account object in Active Directory
  Domain Services (AD DS). I noticed that you have used setpn –X to identify the duplicate SPN. Please refer to following articles and check if help you to solve this issue.
  Event ID 11 — Service Principal
  Name Configuration
  Event ID 11 in the System log of domain controllers
  Please also refer to following article and check if can help you.
  The problem with duplicate SPNs
  Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft
  does not guarantee the accuracy of this information.
  If any update, please feel free to let me know.
  Hope this helps.
  Best regards,
  Justin Gu

• Issue in confuguration of Kerberos authentication

  Hi all
  We are trying to configure Kerberos authentication for single sign-on on a SAP WAS 6.40 Java System. We configured the Kerberos using SPNEGO wizard. After configuring when we tried to login to UME, but it prompted for Username and Password which confirms that single sign on is not working.
  In default trace file we got the following info
  i. Key for the principal [email protected] not available in default key     tab
  ii. [Krb5LoginModule] authentication failed
       Unable to obtain password from user
  iii. Login module com.sun.security.auth.module.Krb5LoginModule from authentication stack com.sun.security.jgss.accept does not authenticate the caller.
  iv. LOGIN.FAILED
      Unable to obtain password from user
  1. Why password cannot be obtained from user?
  2. Is there a default keytab other than the one created by the spnego wizard?
  3. If there is one, then can we add the key for [email protected]  in         that file and how?
  4. How can this be resolved?
  Regards
  Deepu

  Your log files are recording an authentication error, so that usually means your login information is incorrect, or just corrupted. Try reseting your Kerberos password, and if that doesn't work, double-check your Kerberos connectivity and configuration settings.

• Kerberos authentication prompting for credentials in Sharepoint 2013

  Hello all,
  I think I’m a bit confused on what I should expect out of Kerberos and sharepoint.
  Following the steps located in
  http://blog.blksthl.com/2012/09/26/the-first-kerberos-guide-for-sharepoint-2013-technicians/ , I’ve setup Kerberos in my Sharepoint 2013 environment. My hope was that configuring kerberos authentication would solve the issue of users being prompted for
  credentials when they access sharepoint. I know that one way to address this problem is to tweak the IE settings by adding the site to the local intranet or trusted zones, but am I wrong in thinking that Kerberos should also authenticate the user on to the
  site? Here’s my situation:
  Previously, I had our sharepoint URL in the trusted zone and had IE set to pass my credentials through, and that worked. After configuring Kerberos, I can see the tickets on my system using klist and the security log on our web front-end shows that I authenticated
  using Kerberos.
  However, if I then remove the sharepoint URL from the trusted zone in IE, I still get prompted for credentials. If I cancel the credential prompt, I get a 401 error and the security log on the server shows a NTLM login attempt.
  As soon as I put the URL back in the trusted zone, I can access the site and the server log shows a Kerberos authentication.
  I’m I wrong in thinking that if Kerberos was working properly then I shouldn't need to have the URL in the trusted zone?
  Thanks
  Bill

  Thanks for the quick reply, Alex. At least it’s good to know it appears to be working as designed.
  Thanks again,
  Bill

• Kerberos Authentication: "Integrity check on decrypted field failed"

  Hi,
  I have configured a portal (NW 7.0 SP13) for Kerberos Authentication. I have another portal with exactly the same configuration (same MS-ADS etc, just a different user) which is working fine. But this one is giving me the error "Integrity check on decrypted field failed" (and Kerberos Auth fails).
  Any ideas?? I get the same error whether I use the keytab from the SPNEGO wizard, or the keytab from "ktpass -princ host/%HOST%@%DOMAIN% -pass %PASSWORD% -out keytab -mapUser %USER% +DesOnly /crypto DES-CBC-MD5 /ptype KRB5_NT_PRINCIPAL"
  The only difference I can see between the ldifde outputs of the two users (the one that works and the one that doesn't) is the one that doesn't has an extra SPN "HTTP/" - would that cause this error??
  Has anyone else had this error & what causes it?
  Many thanks in advance.
  Regards
  Jane
  Full error text:
  JGSS_DBG_CTX Creating context, initiator = no, input cred = not null
  JGSS_DBG_CRED getCred: only one cred, returning it
  JGSS_DBG_CRED getName found name: host/[email protected], mech=1.2.840.113554.1.2.2
  JGSS_DBG_CRED Krb5 name type = 0
  JGSS_DBG_CTX Creating context, cred usage = 2
  GSS Context created
  JGSS_DBG_UNMARSH Real token len 1641
  JGSS_DBG_UNMARSH Token oid 1.2.840.113554.1.2.2
  JGSS_DBG_UNMARSH inner token len 1630
  JGSS_DBG_PROV getFactory: index = 0 found factory
  JGSS_DBG_PROV getMechs: Mechanism(s) supported by provider IBMJGSSProvider
  JGSS_DBG_PROV 1.2.840.113554.1.2.2
  JGSS_DBG_PROV getMechs: 1 unique mechanism(s) found
  JGSS_DBG_PROV [0]: 1.2.840.113554.1.2.2
  JGSS_DBG_CTX Default list of negotiable mechs:
  1.2.840.113554.1.2.2
  JGSS_DBG_CTX ticket enc type = des-cbc-md5
  com.ibm.security.krb5.internal.KrbException, status code: 31
  message: Integrity check on decrypted field failed
  at com.ibm.security.krb5.internal.crypto.n.decrypt(n.java:31)
  at com.ibm.security.krb5.internal.crypto.n.decrypt(n.java:15)
  at com.ibm.security.krb5.internal.crypto.n.decrypt(n.java:32)
  at com.ibm.security.krb5.EncryptedData.decrypt(EncryptedData.java:106)
  at com.ibm.security.jgss.mech.krb5.k.a(k.java:248)
  at com.ibm.security.jgss.mech.krb5.k.b(k.java:188)
  at com.ibm.security.jgss.mech.krb5.k.acceptSecContext(k.java:533)
  at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:155)
  at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:153)
  at com.sap.security.core.server.jaas.SPNegoLoginModule.doHandshake(SPNegoLoginModule.java:738)
  at com.sap.security.core.server.jaas.SPNegoLoginModule.login(SPNegoLoginModule.java:362)
  at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:185)
  at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:70)
  at java.security.AccessController.doPrivileged(AccessController.java:242)
  at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
  at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:85)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:58)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:60)
  at java.lang.reflect.Method.invoke(Method.java:391)
  at javax.security.auth.login.LoginContext.invoke(LoginContext.java:699)
  at javax.security.auth.login.LoginContext.access$000(LoginContext.java:151)
  at javax.security.auth.login.LoginContext$4.run(LoginContext.java:634)
  at java.security.AccessController.doPrivileged(AccessController.java:242)
  at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:631)
  at javax.security.auth.login.LoginContext.login(LoginContext.java:557)
  at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:146)
  at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.getLoggedInUser(AuthenticationService.java:303)
  at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:96)
  at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:186)
  at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:524)
  at java.security.AccessController.doPrivileged(AccessController.java:242)
  at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:407)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
  at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
  at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
  at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
  at com.sap.portal.navigation.Gateway.service(Gateway.java:126)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
  at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
  at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
  at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:387)
  at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:365)
  at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:944)
  at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:266)
  at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
  at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
  at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
  at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
  at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
  at java.security.AccessController.doPrivileged(AccessController.java:215)
  at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
  com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
  JGSS_DBG_CTX Error authenticating request. Reporting to client
  Major code = 11, Minor code = 31
  org.ietf.jgss.GSSException, major code: 11, minor code: 31
  major string: General failure, unspecified at GSSAPI level
  minor string: Kerberos error while decoding and verifying token: com.ibm.security.krb5.internal.KrbException, status code: 31
  message: Integrity check on decrypted field failed

  Hi Désirée,
  Yes the service user has "Use DES encryption" set.
  In the end, it was resolved by changing the password and running the SPNEGO wizard again to generate a new keytab with the new password.
  Regards
  Jane

• Kerberos Authentication Setup for MSCRM in cross forest oneway trust environment.

  Dear All,
  Kindly help related to implement Kerberos authentication on CRM application with multiple Forest environment. My environment details are as below:
  Number of forests: 2
  1. First is with name of domain1.local
  2. Second is with name of domain2.local
  Trust Level: One Way trust from domain1 and domain2.
  CRM Farm Details:
  1.  1 CRM(APP + WEB)Server (CRMAPP-01.domain1.local)
  2.  1 SQL Server (CRMSQL-01.domain1.local)
  3. 1 CRM SSRS Server (CRMSSRS-01.domain.local)
  4. CRM site url: http://mscrminternal.domain.local/MSORG1
  *I have successfuly configured Kerberos authentication and everything is working fine once try to access for Users of domain1.
  But once I tried to access for users of domain2. I am getting following error.
  HTTP Error 401 - Unathorized: Access denied.
  *If i switch to NTLM, I can access CRM site for domain2 and domain1 users without any issue.
  I read MS article, Kerberos delegation can be established if one way FOrest trust is present.
  Please help me to understand if Kerberos is possible to setup cross forest oneway trust.
  Regards
  Gyan
  GYAN SHUKLA

  Hi Gyan,
  I assume that you have solved this issue by synchronizing time between Domain Controllers, right?
  Then your last reply should be marked as answer.
  If this issue still persists, pelase feel free to let us know.
  Best Regards,
  Amy 

• IChat - Host does not support Kerberos authentication

  Hi all,
  I have been trying but with no success to set up an iChat server on 10.6. Our OS X server is bound to AD and will hopefully be using AD to authenticate the iChat clients. I have followed Apple's guide on commenting out the <!-- <cram-md5/> --> section of the c2s.xml file which hasn't solved our problems. Open Directory isn't running as a master it is connected to another directory (our AD directory), and as a test I set up a Wiki server on the same box and this does allow us to authenticate against AD.
  The error message we are receiving in iChat is "The host example.com does not support Kerberos authentication. The client is set to use Kerberos, the username format is [email protected] all I think the correct settings.
  Under iChat General Settings on the server the Host Domain is example.com, SSL Certificate: No Certificate, Authentication: Any Method, and Enable XMPP server-to-server federation is enable for all domains.
  This is our jabber fullstatus:
  jabber:state = "RUNNING"
  jabber:readWriteSettingsVersion = 1
  jabber:logPaths:PROXY_LOG = "/private/var/jabberd/log/proxy65.log"
  jabber:logPaths:MUCSTDLOG = "/var/jabberd/log/mu-conference.log"
  jabber:logPaths:JABBER_LOG = "/var/log/system.log"
  jabber:proxyState = "RUNNING"
  jabber:currentConnections = "0"
  jabber:currentConnectionsPort1 = "0"
  jabber:currentConnectionsPort2 = "0"
  jabber:pluginVersion = "10.6.100"
  jabber:serviceMode = "CHATSERVER"
  jabber:domainName = "example.com"
  jabber:mucState = "RUNNING"
  jabber:servicePortsAreRestricted = "NO"
  jabber:servicePortsRestrictionInfo = emptyarray
  jabber:hosts:arrayindex:0 = "example.com"
  jabber:setStateVersion = 1
  jabber:startedTime = "2010-10-07 16:12:01 +0100"
  jabber:jabberdState = "RUNNING"
  This is our changeip -checkhostname:
  Primary address = 192.168.1.20
  Current HostName = ichat.example.com
  DNS HostName = ichat.example.com
  The names match. There is nothing to change.
  dirserv:success = "success"
  Any help with this would be much appreciated, and I can supply further logs details if needed. I have used example.com to protect our domain name but i kept the format identical.
  Cheers,
  Chris

  From the console:
  08/10/2010 13:00:52 com.apple.launchd.peruser.2027651558[416] ([0x0-0x16a16a].com.apple.iChat[2873]) The USER environmental variable changed out from under us!
  08/10/2010 13:00:52 com.apple.launchd.peruser.2027651558[416] ([0x0-0x16a16a].com.apple.iChat[2873]) In a future build of the OS, this error will be fatal.
  08/10/2010 13:00:52 com.apple.launchd.peruser.2027651558[416] ([0x0-0x16b16b].com.apple.iChatAgent[2875]) The USER environmental variable changed out from under us!
  08/10/2010 13:00:52 com.apple.launchd.peruser.2027651558[416] ([0x0-0x16b16b].com.apple.iChatAgent[2875]) In a future build of the OS, this error will be fatal.
  08/10/2010 13:00:52 iChatAgent[2875] [Warning] JConnection: Error: Error Domain=XMPPErrorDomain Code=122 UserInfo=0x10020b680 "The host corepublishing.co.uk does not support Kerberos authentication."
  The iChat server log shows this at the same time:
  Oct 8 13:00:52 ichat jabberd/c2s[1051]: [7] [::ffff:192.168.2.170, port=50624] connect
  Oct 8 13:00:52 ichat jabberd/c2s[1051]: [7] [::ffff:192.168.2.170, port=50624] disconnect jid=unbound, packets: 0

• DAG Kerberos Authentication Issue Exchange 2010 on 2008R2 Servers

  I have 2 Exchange 2010 servers in a DAG. The witness server is in site A along with one the Exchange servers. The second Exchange server is in a DR site. The DAG has been functioning fine for 1.5 yrs. Last weekend after a scheduled reboot of all 3 servers
  involved (2 e-mail servers and the witness server), the e-mail server in the DR site cannot gain access to the witness share directory per the failover cluster manager. It says to check to see if the witness directory is on-line, etc... Using pings and
  explorer, there is no problem for the DR site e-mail server to contact the witness server and directory. Even restablished the Quorem to the same directory, no issues. Upon doing a network trace though, I am receiving KERBEROS pre-authentication errors when
  you start the Cluster service on the DR site e-mail server when it tries to contact the witness server:
  (1.4 is the Witness server; 6.5 is the e-mail server in the DR site)
  Source              Destination
  192.168.1.4","192.168.6.5","KRB5","319","KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED"
  192.168.6.5","192.168.1.4","TCP","54","26049 > kerberos [FIN, ACK] Seq=235 Ack=266 Win=65792 Len=0"
  192.168.6.5","192.168.1.4","TCP","66","26050 > kerberos [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1"
  192.168.1.4","192.168.6.5","TCP","60","kerberos > 26049 [ACK] Seq=266 Ack=236 Win=66048 Len=0"
  192.168.1.4","192.168.6.5","TCP","60","kerberos > 26049 [RST, ACK] Seq=266 Ack=236 Win=0 Len=0"
  192.168.1.4","192.168.6.5","TCP","66","kerberos > 26050 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1406 WS=256 SACK_PERM=1"
  192.168.6.5","192.168.1.4","TCP","54","26050 > kerberos [ACK] Seq=1 Ack=1 Win=66048 Len=0"
  192.168.6.5","192.168.1.4","KRB5","368","AS-REQ"
  192.168.1.4","192.168.6.5","KRB5","282","KRB Error: KRB5KDC_ERR_PREAUTH_FAILED"
  192.168.6.5","192.168.1.4","TCP","54","26050 > kerberos [FIN, ACK] Seq=315 Ack=229 Win=65792 Len=0"
  192.168.1.4","192.168.6.5","TCP","60","kerberos > 26050 [ACK] Seq=229 Ack=316 Win=66048 Len=0"
  192.168.1.4","192.168.6.5","TCP","60","kerberos > 26050 [RST, ACK] Seq=229 Ack=316 Win=0 Len=0"
  Thoughts anyone?

  Hi,
  Unfortunately, the available information is not enough to have a clear view of the occurred behavior, it is not an efficient way to work in this community since we may need more resources, for example exchange log, detail cluster log (an application)
  dump or ETL trace, which is not appropriate to handle in the community. I‘d like to suggest that you submit a service request to MS Professional tech support service so that a dedicated Support Professional can further assist with this request.
  Please visit the below link to see the various paid support options that are available to better meet your needs.
  http://support.microsoft.com/default.aspx?id=fh;en-us;offerprophone
  Best regards,
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.