Kerberos pre-authentication failed

Similar Messages

• Kerberos pre-authentication issues - why now?

  Hi all,
  We recently put up a new Windows 2003 Active Directory domain controller to replace a de-commissioned Windows 2000 DC.  When my VPN users try to authenticate to it using Kerberos, they are getting rejected with a pre-authentication failed error.  I know that this is a common issue with the ASA, and TAC has confirmed that there's no solution for it yet.  However, we have another W2K3 DC that has never had this issue.  So why now?  Why this new DC?  What's the difference between my DCs where one can authenticate a user with pre-authentication enabled and one can't?
  Any help or information that I can get would be helpful.
  Thanks,
  - Steve

  Hi JK,
  Thanks for the reply.
  Right, I understand that, and TAC directed me to the same document.  But we have an existing domain controller that we are currently using the authenicate against; pre-authentication is enabled, and it works fine.  It's only the NEW domain controller that has this problem.  So I'm trying to figure out what the difference is!
  I would rather NOT disable pre-authentication for all VPN users if possible - there are a lot of them and it lessens the security of Active Directory.
  Thanks,
  - Steve

• Pre-authentication failed in krb

  Hi All,
  Wee also facing the same issue, but in a different way.
  our java application accepts first 100(around) krb auth requests and the rest of the requests are droped out, during the droping it simply show the message like pre-authentication failed
  What is doubt is, do we have any constraint on number of concurrent access in krb?
  im using tomcat and casified sakai with apache2

  Hi All,
  Wee also facing the same issue, but in a different way.
  our java application accepts first 100(around) krb auth requests and the rest of the requests are droped out, during the droping it simply show the message like pre-authentication failed
  What is doubt is, do we have any constraint on number of concurrent access in krb?
  im using tomcat and casified sakai with apache2

• Kerberos Pre-Authentication - Security Vulnerabilities

  I have an issue with some Java applets locking out AD accounts, or prompting for a password.
  The solutions I have, and work, is to check the "Do not require Kerberos preauthentication" located in the user account of Active Directory Users and Computers, or to create a registry DWORD key called allowtgtsessionkey with a value of 1. 
  This key is located in
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters.
  Can you advise by enabling this option or creating the reg key, does this open any security vulnerabilities?  I have read on another forum that creating the key on a PC where a users has local admin rights, will be an issue, but was very vague.
  Many thanks
  Larry

  Hi,
  If the issue persists, please:
  Find out from which machine/device bad password attempts are generated.
  Locate any services/scheduled tasks/disconnected remote desktop connections/scripts/mapped drives which could be storing credentials, then clear stored credentials.
  More information for you:
  Troubleshooting Account Lockout
  https://technet.microsoft.com/en-us/library/cc773155%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
  Account getting locked out
  https://social.technet.microsoft.com/Forums/en-US/92454597-b414-4840-82fd-16dd92a1706d/account-getting-locked-out
  Account Locked - Event 4771 Failure Code 0x18
  https://social.technet.microsoft.com/Forums/windowsserver/en-US/6187d7e2-d38a-4ecd-bf80-12ce3589c8e1/account-locked-event-4771-failure-code-0x18?forum=winserversecurity
  Error for Active Directory
  https://social.technet.microsoft.com/Forums/windowsserver/en-US/4923356c-1820-4626-83f2-8a57a7c48ccc/error-for-active-directory?forum=winserverDS
  Best Regards,
  Amy
  Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
  [email protected]

• Server log having multiple Kerberos Authentication failed events

  I my windows server log i  can see so many Kerberos Authentication failure Events, Could you please explain why this is happening and how to resolve this?

  Hello Friend,
  here is the log
  Time of Day
  Name
  Source Country
  Destination IP
  Destination Country
  Destination Port
  Event Count
  2014-12-10 09
  4624: An Account Was Successfully Logged On
  N/A
  0.0.0.0
  N/A
  Not Reported
  2
  2014-12-10 08
  4624: An Account Was Successfully Logged On
  N/A
  0.0.0.0
  N/A
  Not Reported
  6
  2014-12-10 08
  4768: A Kerberos Authentication Ticket (tgt) Was Requested
  N/A
  Not Reported
  N/A
  Not Reported
  2
  2014-12-10 08
  4771: Kerberos Pre-authentication Failed
  N/A
  Not Reported
  N/A
  Not Reported
  2
  2014-12-10 07
  4624: An Account Was Successfully Logged On
  N/A
  0.0.0.0
  N/A
  Not Reported
  14
  2014-12-10 07
  4768: A Kerberos Authentication Ticket (tgt) Was Requested
  N/A
  Not Reported
  N/A
  Not Reported
  1
  2014-12-10 06
  4624: An Account Was Successfully Logged On
  N/A
  0.0.0.0
  N/A
  Not Reported
  12
  2014-12-10 06
  4768: A Kerberos Authentication Ticket (tgt) Was Requested
  N/A
  Not Reported
  N/A
  Not Reported
  2
  2014-12-10 05
  4624: An Account Was Successfully Logged On
  N/A
  0.0.0.0
  N/A
  Not Reported
  16
  2014-12-10 05
  4768: A Kerberos Authentication Ticket (tgt) Was Requested
  N/A
  Not Reported
  N/A
  Not Reported
  1
  2014-12-10 04
  4624: An Account Was Successfully Logged On
  N/A
  0.0.0.0
  N/A
  Not Reported
  22
  2014-12-10 03
  4624: An Account Was Successfully Logged On
  N/A
  0.0.0.0
  N/A
  Not Reported
  8
  2014-12-10 03
  4768: A Kerberos Authentication Ticket (tgt) Was Requested
  N/A
  Not Reported
  N/A
  Not Reported
  1
  2014-12-10 02
  4624: An Account Was Successfully Logged On
  N/A
  0.0.0.0
  N/A
  Not Reported
  11
  2014-12-10 02
  4768: A Kerberos Authentication Ticket (tgt) Was Requested
  N/A
  Not Reported
  N/A
  Not Reported
  4

• Kerberos Authentication fails two hours before TGT expires

  Hi,
  We have implemented a Sinlge Sign On solution based on Kerberos and the Java GSS-API. The implementation pretty much follows the
  examples given in the JAAS Tutorials. It is now running
  in my company and it works fine except until there are less than two hours until your TGT expires. Then an exception is thrown
  in the call to InitSecContext with the error "No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE
  credentials failed! (null))". Here is a transcript of the debug output:
  Debug is  true storeKey false useTicketCache true useKeyTab false doNotPrompt true ticketCache is null KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
  Acquire TGT from Cache
  KinitOptions cache name is C:\Documents and Settings\PWL\krb5cc_pwlAcquire default native Credentials
  Obtained TGT from LSA: Credentials:
  [email protected]
  server=krbtgt/[email protected]
  authTime=20061024024852Z
  startTime=20061024024852Z
  endTime=20061024124852Z
  renewTill=20061031024852Z
  flags: FORWARDABLE;RENEWABLE;INITIAL;PRE-AUTHENT
  EType (int): 23
  Using builtin default etypes for default_tgs_enctypes
  default etypes for default_tgs_enctypes: 3 1 23 16 17.
  CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
  EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
  KrbKdcReq send: kdc=dc2 UDP:88, timeout=30000, number of retries =3, #bytes=1307
  KDCCommunication: kdc=dc2 UDP:88, timeout=30000,Attempt =1, #bytes=1307
  KrbKdcReq send: #bytes read=1292
  KrbKdcReq send: #bytes read=1292
  EType: sun.security.krb5.internal.crypto.ArcFourHmacETypeTicket could not be renewed : Message stream modified (41)
  Principal is null
  null credentials from Ticket Cache
            [Krb5LoginModule] authentication failed
  Unable to obtain Princpal Name for authentication
  GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))
       at sun.security.jgss.krb5.Krb5InitCredential.getTgtFromSubject(Unknown Source)
       at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Unknown Source)
       at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Unknown Source)
       at sun.security.jgss.GSSManagerImpl.getCredentialElement(Unknown Source)
       at sun.security.jgss.GSSCredentialImpl.add(Unknown Source)
       at sun.security.jgss.GSSCredentialImpl.<init>(Unknown Source)
       at sun.security.jgss.GSSCredentialImpl.<init>(Unknown Source)
       at sun.security.jgss.GSSManagerImpl.createCredential(Unknown Source)
       at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
       at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
       at com.maconomy.gss.MKerberosSingleLoginCredentials.getTicket(MKerberosSingleLoginCredentials.java:102)
       at com.maconomy.gss.MKerberosSingleLoginCredentials.getTicket(MKerberosSingleLoginCredentials.java:30)
       at com.maconomy.client.portal.SingleLoginApplet$SingleLoginThread.run(SingleLoginApplet.java:97)
  Caused by: javax.security.auth.login.LoginException: Unable to obtain Princpal Name for authentication
       at com.sun.security.auth.module.Krb5LoginModule.promptForName(Unknown Source)
       at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
       at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
       at java.lang.reflect.Method.invoke(Unknown Source)
       at javax.security.auth.login.LoginContext.invoke(Unknown Source)
       at javax.security.auth.login.LoginContext.access$000(Unknown Source)
       at javax.security.auth.login.LoginContext$4.run(Unknown Source)
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
       at javax.security.auth.login.LoginContext.login(Unknown Source)
       at sun.security.jgss.LoginUtility.login(Unknown Source)
       at sun.security.jgss.krb5.Krb5Util.getTicketFromSubject(Unknown Source)
       at sun.security.jgss.krb5.Krb5InitCredential$1.run(Unknown Source)
       at java.security.AccessController.doPrivileged(Native Method)
       ... 13 moreI've also used the Klist (Microsoft) tool to get information about the tickets and the information about the TGT looks like this:
  Cached TGT:
  ServiceName: krbtgt
  TargetName: krbtgt
  FullServiceName: pwl
  DomainName: MACONOMY.COM
  TargetDomainName: MACONOMY.COM
  AltTargetDomainName: MACONOMY.COM
  TicketFlags: 0x40e00000
  KeyExpirationTime: 1/1/1601 2:00:00
  StartTime: 10/24/2006 5:48:52
  EndTime: 10/24/2006 15:48:52
  RenewUntil: 10/31/2006 5:48:52
  TimeSkew: 1/1/1601 2:00:00          Now we also have a C implemtation we use for our native Windows client, which uses the Microsoft version of GSS (SSPI),
  and it works fine, so the problem must be connected to the Java implementation. I've used Ethereal to find out what happens
  when login fails and I can see that two requests are send to the KDC and that the last one is a request for the renewal of the TGT.
  The replies from the KDC looks fine and doesn't contain any error messages.
  If anyone has an idea as to what is causing this problem I would be very grateful. I should mention that the KDC is Active Directory
  running on a Windows 2003 server, and that we use JRE version 1.5_08. We haven't changed the default parameters in AD, so the default life time for a TGT is 10 hours.
  Message was edited by:
  peter_waern
  Message was edited by:
  peter_waern stack traces updated
  peter_waern

  Hi again,
  In connection with changing from daylight saving time I found out some more about this problem.
  It seems like the Java interpretation of the TGT expiration time is dependent on the time zone of the client computer.
  I set up my Active Directory to have a service ticket lifetime of 4 hours and then tried to change the
  time zone on my client computer with the following results:
  GMT+01:00
  TGT information from klist.exe:
  ServiceName: krbtgt
  TargetName: krbtgt
  FullServiceName: pwaern
  DomainName: EXAMPLE.MAC
  TargetDomainName: EXAMPLE.MAC
  AltTargetDomainName: EXAMPLE.MAC
  TicketFlags: 0xe00000
  KeyExpirationTime: 1/1/1601 1:00:00
  StartTime: 11/1/2006 10:20:22
  EndTime: 11/1/2006 14:20:22
  RenewUntil: 11/8/2006 10:20:22
  TimeSkew: 1/1/1601 1:00:00
  Java debug output:
  Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt true ticketCache is null KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
  Acquire TGT from Cache
  KinitOptions cache name is C:\Documents and Settings\pwaern\krb5cc_pwaernAcquire default native Credentials
  Obtained TGT from LSA: Credentials:
  [email protected]
  server=krbtgt/[email protected]
  authTime=20061101082022Z
  startTime=20061101082022Z
  endTime=20061101122022Z
  renewTill=20061108082022Z
  flags: RENEWABLE;INITIAL;PRE-AUTHENT
  EType (int): 3
  Principal is [email protected]
  Commit Succeeded
  Found ticket for [email protected] to go to krbtgt/[email protected] expiring on Wed Nov 01 13:20:22 CET 2006
  GMT+03:30
  TGT information from klist.exe:
  ServiceName: krbtgt
  TargetName: krbtgt
  FullServiceName: pwaern
  DomainName: EXAMPLE.MAC
  TargetDomainName: EXAMPLE.MAC
  AltTargetDomainName: EXAMPLE.MAC
  TicketFlags: 0xe00000
  KeyExpirationTime: 1/1/1601 3:30:00
  StartTime: 11/1/2006 12:41:02
  EndTime: 11/1/2006 16:41:02
  RenewUntil: 11/8/2006 12:41:02
  TimeSkew: 1/1/1601 3:30:00
  Java debug output:
  Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt true ticketCache is null KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
  Acquire TGT from Cache
  KinitOptions cache name is C:\Documents and Settings\pwaern\krb5cc_pwaernAcquire default native Credentials
  Obtained TGT from LSA: Credentials:
  [email protected]
  server=krbtgt/[email protected]
  authTime=20061101054102Z
  startTime=20061101054102Z
  endTime=20061101094102Z
  renewTill=20061108054102Z
  flags: RENEWABLE;INITIAL;PRE-AUTHENT
  EType (int): 3
  Principal is [email protected]
  Commit Succeeded
  Found ticket for [email protected] to go to krbtgt/[email protected] expiring on Wed Nov 01 13:11:02 IRST 2006
  GMT-08:00
  TGT information from klist.exe:
  ServiceName: krbtgt
  TargetName: krbtgt
  FullServiceName: pwaern
  DomainName: EXAMPLE.MAC
  TargetDomainName: EXAMPLE.MAC
  AltTargetDomainName: EXAMPLE.MAC
  TicketFlags: 0xe00000
  KeyExpirationTime: 0/41/4 0:00:10776
  StartTime: 11/1/2006 1:16:56
  EndTime: 11/1/2006 5:16:56
  RenewUntil: 11/8/2006 1:16:56
  TimeSkew: 11/8/2006 1:16:56
  Java debug output:
  Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt true ticketCache is null KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
  Acquire TGT from Cache
  KinitOptions cache name is C:\Documents and Settings\pwaern\krb5cc_pwaernAcquire default native Credentials
  Obtained TGT from LSA: Credentials:
  [email protected]
  server=krbtgt/[email protected]
  authTime=20061101171759Z
  startTime=20061101171759Z
  endTime=20061101181759Z
  renewTill=20061108171656Z
  flags: RENEWABLE;PRE-AUTHENT
  EType (int): 3
  Principal is [email protected]
  Commit Succeeded
  Found ticket for [email protected] to go to krbtgt/[email protected] expiring on Wed Nov 01 10:17:59 PST 2006
  As you can see the exiration time found by the Java application is highly dependent on the time zone.
  I should add that if you are at GMT the Java expiration time matches the one from klist.exe.
  So clearly there is a problem somewhere.
  The question is whether it is something in my setup or it is a bug in either Active Directory or Java. Can anyone help?
  Thanks,

• Kerberos authentication fail on ASA 5505 -Decrypt integrity-

  Hi,
  I'm trying to configure Kerberos authentication on ipsec-l2tp vpn tunnel. However, when I use my domain user to establish a connection I get this error:
  ASA-Oslo# kerberos mkreq: 0x176
  kip_lookup_by_sessID: kip with id 374 not found
  alloc_kip 0xd9b9bdf0
      new request 0x176 --> 11 (0xd9b9bdf0)
  add_req 0xd9b9bdf0 session 0x176 id 11
  In kerberos_build_request
  In kerberos_open_connection
  In kerberos_send_request
  ********** START: KERBEROS PACKET DECODE ************
  Kerberos: Message type KRB_AS_REQ
  Kerberos: Option forwardable
  Kerberos: Option renewable
  Kerberos: Option renewable accepted
  Kerberos: Client Name antonio.torres
  Kerberos: Client Realm IBISTIC.LOCAL
  Kerberos: Server Name krbtgt
  Kerberos: Start time 0
  Kerberos: End time -643858960
  Kerberos: Renew until time -653409600
  Kerberos: Nonce 0x5242a360
  Kerberos: Encryption type rc4-hmac-md5
  Kerberos: Encryption type des-cbc-md5
  Kerberos: Encryption type des-cbc-crc
  Kerberos: Encryption type des-cbc-md4
  Kerberos: Encryption type des3-cbc-sha1
  Kerberos: Address 10.40.49.1
  ********** END: KERBEROS PACKET DECODE ************
  In kerberos_recv_msg
  In kerberos_process_response
  ********** START: KERBEROS PACKET DECODE ************
  Kerberos: Message type KRB_AS_REP
  Kerberos: Client Name antonio.torres
  Kerberos: Client Realm IBISTIC.LOCAL
  ********** END: KERBEROS PACKET DECODE ************
  Kerberos library reports: "Decrypt integrity check failed"
  In kerberos_close_connection
  remove_req 0xd9b9bdf0 session 0x176 id 11
  free_kip 0xd9b9bdf0
  kerberos: work queue empty
  I've been looking for documentation about this error but I was not able to figure out what's wrong. I've already also turned off 'Do not require pre-authentication' on account option.
  Some one get also this error?
  Any help will be more than welcome,
  Thanks in advance,
  Antonio

  Hi,
  I'm trying to configure Kerberos authentication on ipsec-l2tp vpn tunnel. However, when I use my domain user to establish a connection I get this error:
  ASA-Oslo# kerberos mkreq: 0x176
  kip_lookup_by_sessID: kip with id 374 not found
  alloc_kip 0xd9b9bdf0
      new request 0x176 --> 11 (0xd9b9bdf0)
  add_req 0xd9b9bdf0 session 0x176 id 11
  In kerberos_build_request
  In kerberos_open_connection
  In kerberos_send_request
  ********** START: KERBEROS PACKET DECODE ************
  Kerberos: Message type KRB_AS_REQ
  Kerberos: Option forwardable
  Kerberos: Option renewable
  Kerberos: Option renewable accepted
  Kerberos: Client Name antonio.torres
  Kerberos: Client Realm IBISTIC.LOCAL
  Kerberos: Server Name krbtgt
  Kerberos: Start time 0
  Kerberos: End time -643858960
  Kerberos: Renew until time -653409600
  Kerberos: Nonce 0x5242a360
  Kerberos: Encryption type rc4-hmac-md5
  Kerberos: Encryption type des-cbc-md5
  Kerberos: Encryption type des-cbc-crc
  Kerberos: Encryption type des-cbc-md4
  Kerberos: Encryption type des3-cbc-sha1
  Kerberos: Address 10.40.49.1
  ********** END: KERBEROS PACKET DECODE ************
  In kerberos_recv_msg
  In kerberos_process_response
  ********** START: KERBEROS PACKET DECODE ************
  Kerberos: Message type KRB_AS_REP
  Kerberos: Client Name antonio.torres
  Kerberos: Client Realm IBISTIC.LOCAL
  ********** END: KERBEROS PACKET DECODE ************
  Kerberos library reports: "Decrypt integrity check failed"
  In kerberos_close_connection
  remove_req 0xd9b9bdf0 session 0x176 id 11
  free_kip 0xd9b9bdf0
  kerberos: work queue empty
  I've been looking for documentation about this error but I was not able to figure out what's wrong. I've already also turned off 'Do not require pre-authentication' on account option.
  Some one get also this error?
  Any help will be more than welcome,
  Thanks in advance,
  Antonio

• Exchange 2010 sp2 emc initialization error using "kerberos" authentication failed

  We use exchange 2010 SP2.
  We have 2 management stations, both w2k8 R2 SP1.
  I have one mangement station on which the emc and ems works ok.
  On the other management staiton (which is also in another ad site) the emc and ems don't work.
  I get the following error message : The attempt to connect to
  http://fqdnCasServer/PowerShell using "Kerberos" authentication failed: Connecting to remote server failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
  I have checked the time on the management station and on the exchange server and this is ok.
  It is not a permissions issue because the user functions ok on the other management station.
  On the bad management station I can open the emc once and after a minute I get an error message and the message access denied. From then on I can't connect any more.
  What am I doing wrong?
  Anyone any tips?
  Thanks,
  JB 

  This is what I get in the eventlog of the bad management station.
  Log Name:      MSExchange Management
  Source:        MSExchange CmdletLogs
  Date:          1/10/2012 11:39:27
  Event ID:      6
  Task Category: (1)
  Level:         Error
  Keywords:      Classic
  User:          N/A
  Computer:      Server.domain.com
  Description:
  The description for Event ID 6 from source MSExchange CmdletLogs cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
  If the event originated on another computer, the display information had to be saved with the event.
  The following information was included with the event:
  Get-ExchangeServer
  {Identity=Servername}
  Domain/ou/ou/ou/ou/username
  Exchange Management Console-Local
  3080
  22
  00:00:00.3593888
  View Entire Forest: 'True', Configuration Domain Controller: 'FQDN DC', Preferred Global Catalog: 'FQDN DC', Preferred Domain Controllers: '{ FQDN DN }'
  Microsoft.Exchange.Configuration.Tasks.ManagementObjectNotFoundException: The operation couldn't be performed because object 'FQDN MGMTSTATION' couldn't be found on 'FQDN DC'.
  Context
  the message resource is present but the message is not found in the string/message table
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="MSExchange CmdletLogs" />
      <EventID Qualifiers="49152">6</EventID>
      <Level>2</Level>
      <Task>1</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2012-10-01T09:39:27.000000000Z" />
      <EventRecordID>11</EventRecordID>
      <Channel>MSExchange Management</Channel>
      <Computer>FQDN MGMT STATION</Computer>
      <Security />
    </System>
    <EventData>
      <Data>Get-ExchangeServer</Data>
      <Data>{Identity=MGMT STATION}</Data>
      <Data>domain/ou/ou/ou/ou/username</Data>
      <Data>
      </Data>
      <Data>
      </Data>
      <Data>Exchange Management Console-Local</Data>
      <Data>3080</Data>
      <Data>
      </Data>
      <Data>22</Data>
      <Data>00:00:00.3593888</Data>
      <Data>View Entire Forest: 'True', Configuration Domain Controller: 'FQDN DC', Preferred Global Catalog: 'FQDN DC', Preferred Domain Controllers: '{ FQDN DC }'</Data>
      <Data>Microsoft.Exchange.Configuration.Tasks.ManagementObjectNotFoundException: The operation couldn't be performed because object 'FQDN MGMT STATION' couldn't be found on 'FQDN DC'.</Data>
      <Data>Context</Data>
      <Data>
      </Data>
    </EventData>
  </Event>

• Remote PowerShell Connection to Lync Server With Kerberos authentication Fails

  Hi everyone ,
  Remote PowerShell to Lync Server With Kerberos authentication Fails .. Is there any reason for not being able to connect when authentication specified as Kerberos . But exactly same code works when Authentication is specified as "Negotiate"
  E.g :
  Error -
  $session=New-PSSession -ConfigurationName Microsoft.Powershell -ConnectionUri https://serverName.lync.com/ocspowershell/ -Credential $cred -Authentication Kerberos
  [serverName.lync.com] Connecting to remote server failed with the following error message : The WinRM client cannot process the request. The authentication mechanism requested by the client is not supported by the server or unencrypted traffic is disabled in
  the service configuration. Verify the unencrypted traffic setting in the service configuration or specify one of the authentication mechanisms supported by the server.  To use Kerberos, specify the computer name as the remote destination. Also verify
  that the client computer and the destination computer are joined to a domain.To use Basic, specify the computer name as the remote destination, specify Basic authentication and provide user name and password. Possible authentication mechanisms reported by
  server:   Digest Negotiate For more information, see the about_Remote_Troubleshooting Help topic.
      + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportExc
     eption
      + FullyQualifiedErrorId : PSSessionOpenFailed
  Works  -
  $session=New-PSSession -ConfigurationName Microsoft.Powershell -ConnectionUri https://serverName.lync.com/ocspowershell/ -Credential $cred -Authentication Negotiate

  Hi,
  Please double check if Windows Update is the latest version, if not, please update and then test again.
  Please also ensure that the workstation you are using has network access to the Certificate Authority that signed the certificate.
  Best Regards,
  Eason Huang
  Eason Huang
  TechNet Community Support

• Exchange Management Console couldn't start with Kerberos authentication failed

  When I was making changes to Client Access\owa settings, chaning from Basic authentication to Form authentication (upn name) then changed to Basic again. It was ok after changing to Form authentication but moment after changing back to Basic, I couldn't
  no longer access owa (blank page when one vertical line) and in Exchange Management Console, I got "Initialization failed" - The following error occured while attempting to connect to the specified Exchange server 'sgp-ex1.mydomain.com':
  The attempt to connect to http://sgp-ex1.mydomain.com/powershell using "Kerberos" authentication failed: Connecting to the remote server failed with the following error message: The WinRM client cannto process
  the request. It cannot determine the content type of the HTTP response from the destination computer. The content type is absent or invalid. For more information, see the about_Remote_Troubleshooting Help topic.
  I tried the troubleshooting tool from Exchange team blog:
  http://blogs.technet.com/b/exchange/archive/2010/12/07/3411644.aspx. It give 3 possible causes for this error: 1. WSMan module entry is missing from global module section of c:\Windows\System32\InetSrv\Config\ApplicationHost.config; 2. Kerbauth module shows
  up as Managed module or has been loaded in the Default Web Site Level; 3. The Path of the Powershell virtual directory has been modified.
  I checked carefully, all the 3 causes do not apply to my situation as WSman entry is in order, the Kerbauth is native and local and the path of Powershell virtual directory is correct.
  I find that in Application log, there are Event 2297 and 2307 dumped at the time of failure:
  The worker process for application pool 'MSExchangeSyncAppPool' encountered an error 'Confiugration file in not well-formed XML' trying to read configuration data from file '\\?\C:\inetpubl\temp\apppools\MSExchangeSyncAppPool\MSExchangeSyncAppPool.config',
  line number '2'. The data field contains the error code.
  Help is very much appreciated.
  Valuable skills are not learned, learned skills aren't valuable.

  Unfortunately, all the links you provided didn't help.
  The first link contains 3 methods:1 Removing WinRM feature and reinstalling. 2 Rename the web.config file in location C:\inetpub\wwwroot 3 Have you installed Microsoft Dynamics CRM 4. I?
  As my server is Windows 2008 R2, the first method does not apply. I couldn't find any web.config in c:\Inetpub\wwwroot. The web.config however is found in many times in .netframework and winsxs directories. The 3rd method doesn't apply as I don't have CRM.
  The 2nd link contains 3 possible causes. The first 2 are the same as the ones I mentioned in my initial post. I couldn't verify the last cause because when open Exchange Management Shell, I got this error: [sgp.ex1.mydomain.com] connecting to remote server
  failed with the following server failed with the following error message: The WinRM client cannot process the request, it cannot determine the content type of the HTTP response from the destination computer. The content type is absent or invalide. For more
  information, see the about_Remote_Troubleshooting Help topic.
  I do not think the user is not remote powershell enabled because the problem happened suddenly, while I was making changes to Authentication settings of OWA(default) in Client Access in Exchange Management Console. If the user account is not remote powershell
  enabled, then I couldn't event connect to EMC in the first place.
  The last link didn't help because I could open up modules under PowerShell virtual directory in IIS.
  I think since the event log is saying MSExchangeSyncAppPool.config and DefaultAppPool.config not well-formed XML, that might be a clue.
  In the event id 2307 this is the message:
  The worker process for application pool 'DefaultAppPool' encountered an error 'Configuration file is not well-formed XML
  ' trying to read configuration data from file '\\?\C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config', line number '2'.  The data field contains the error code.
  Valuable skills are not learned, learned skills aren't valuable.

• "Kerberos" authentication failed while trying to access EMC or EMS

  Salam,
  I have successfully installed Exchange 2010 SP1 on a transitional environment, the installation went smooth without any problem and I've done most of the trasitioning configuration from Exchange Server 2003 to Exchange Server 2010.
  Currently we're in the process of moving the mailboxes, but I've come across a problem recently which stopped all my work and I can no longer commence with this transition unless its solved.
  Sometimes when I try to access EMC or EMS I get the hereunder error:
  The following error occurred while attempting to connect to the specified Exchange server 'afhmail.arabfinancehouse.com.lb':
  The attempt to connect to http://afhmail.arabfinancehouse.com.lb/PowerShell using "Kerberos" authentication failed: Connecting to remote server failed
  with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
  I've read most of the articles found on the internet including
  http://msexchangeteam.com/archive/2010/02/04/453946.aspx to try to troubleshoot this problem but nothing has worked so far, I tried removing Win RM IIS extensions as well then adding them again with a restart and nothing. I tried the Kerbauth dll removal
  also nothing and the problem keeps to occur and the situation is not stable.
  Also I read in a KB article somewhere that if we have multiple domain controllers a single domain controller should be assigned on the Exchange Server (Organization Configuration, Server Configuration, Recipient Configuration) so I assigned the PDC to be selected
  by those configurations at startup, yet I am still facing the same problem.
  Again I emphasis that the problem comes and goes, at a time I can access EMS and at another is just gives me the Kerberos error.
  Thank you very much in advance,
  Kindest Regards.
  Abdullah Abdullah

  Hi Abdullah,
  Can you open the EMS?
  If yes, please run the WinRM QC and post the results here.
  If possible, please use another admin's account to log on to Exchange to try to open EMC.
  Frank Wang
  TechNet Subscriber Support
  in forum
  If you have any feedback on our support, please contact
  [email protected]
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

• Error with Pre-Authentication for Windows Desktop SSO

  When I try to use the windows desktop sso module created in the Access Manager I get an error in the amAuthWindowsDesktopSSO file, but I don't know what I'm doing erroneous. It's not an access manager problem, I can't get kinit to work either. I think I'm following the directions correctly from the manual.
  Are these ktpass commands setup right?
  The Windows AD administrator created the accounts:
  C:\>ktpass -princ HOST/[email protected] -pass amdev -mapuser AD\amdev$ -out amdev.keytab
  Targeting domain controller: dc2.ad.tcpip.com
  Successfully mapped HOST/amdev.tcpip.com to AMDEV$.
  WARNING: Account AMDEV$ is not a user account (uacflags=0x1021).
  WARNING: Resetting AMDEV$'s password may cause authentication problems if AMDEV$ is being used as a server.
  Reset AMDEV$'s password [y/n]?  y
  Key created.
  Output keytab to amdev.keytab:
  Keytab version: 0x502
  keysize 56 HOST/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8 (0x023efe
  3e6846d3cd)
  Account AMDEV$ has been set for DES-only encryption.
  C:\>ktpass -princ HTTP/[email protected] -pass amdev -mapuser AD\amdev$ -out amdev-http.keytab
  Targeting domain controller: dc2.ad.tcpip.com
  Successfully mapped HTTP/amdev.tcpip.com to AMDEV$.
  WARNING: Account AMDEV$ is not a user account (uacflags=0x201021).
  WARNING: Resetting AMDEV$'s password may cause authentication problems if AMDEV$ is being used as a server.
  Reset AMDEV$'s password [y/n]?  y
  Key created.
  Output keytab to amdev-http.keytab:
  Keytab version: 0x502
  keysize 56 HTTP/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 4 etype 0x3 (DES-CBC-MD5) keylength 8 (0x45201c
  f4d3ec43e6)
  Account AMDEV$ has been set for DES-only encryption.
  C:\>I can read the keys with ktutil.
  ktutil:  rkt amdev-http.keytab
  ktutil:  list
  slot KVNO Principal
     1    4            HTTP/[email protected]
  ktutil:  rkt amdev.keytab
  ktutil:  list
  slot KVNO Principal
     1    4            HTTP/[email protected]
     2    3            HOST/[email protected]
  ktutil:  wkt amdev2.keytabI then try to do a kinit with the principal:
  kinit -k -t amdev2.keytab HTTP/[email protected]
  kinit(v5): Preauthentication failed while getting initial credentialsAccess Manager reports similar problem on access:
  01/17/2007 10:23:56:699 AM CST: Thread[service-j2ee-2,5,main]
  Stack trace:
  javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)
          at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:652)
          at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:512)
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
          at java.lang.reflect.Method.invoke(Method.java:585)
  . . .

  Something deep, dark, and inside Kerberos way outside of my knowledge base was the problem.
  I could always get a kinit with the HTTP/amdev.tcpip.com service to work. I never got the keytabs from the output of ktpass to operate. I used ktutil to create keytab entries all in vain, kinit using the keytab always resulted in a PA error, although the time clocks are setup the same.
  The AD administrator created the account, this time as a user account, not a machine account, and the keytabs from the Windows domain controller finally worked.
  If anyone knows the difference between machine and user accounts are in AD, I would be obliged for his/her explanation. The UPN and SPN look the same in the directory. I'm at a loss. However, very glad to finally have this working.

• Pre-authentication information was invalid (24) authoriazation against AD

  Hi all,
  im going to be really desperate from this error message during the authentization to the Win2003 server where the Active Directory is running ... Im using Krb5LoginModule.
  - Our administrator of the AD service has enabled DES encryption at the tested account.
  - Im sure that entered password is correct, because im able to login via this password to our network.
  - Entered Kerberos realm is in upper case...in the form (COMPANY.COM)
  - Kerberos KDC contains IP adress of the Domain controller.
  I really dont know why it doesnt work....:-(( Strange is that if i enable ticketCache to the ability to use the native ticket cache it works fine.....
  My code is:
  import javax.security.sasl.*;
  import java.io.*;
  import java.util.*;
  import javax.security.auth.Subject;
  import com.sun.security.auth.callback.TextCallbackHandler;
  * This JaasAcn application attempts to authenticate a user
  * and reports whether or not the authentication was successful.
  public class JaasSample {
    public static void main(String[] args) {
          LoginContext lc = null;
       java.util.Properties p = new java.util.Properties(System.getProperties());
         try
              lc = new LoginContext("JaasSample", new TextCallbackHandler());
         catch (LoginException le)
              System.err.println("Cannot create LoginContext. "
                   + le.getMessage());
              System.exit(-1);
         catch (SecurityException se)
              System.err.println("Cannot create LoginContext. "
                   + se.getMessage());
              System.exit(-1);
         catch (Exception e)
              System.out.println("Login failer: "+e.getMessage());
        try {
                      lc.login();
                      Subject subject = lc.getSubject();
                  Iterator it = subject.getPrincipals().iterator();
                  while (it.hasNext())
                      System.out.println("Authenticated: " + it.next().toString());
                  it = subject.getPublicCredentials(Properties.class).iterator();
                  while (it.hasNext())
                      ((Properties)it.next()).list(System.out);
                  lc.logout();
        } catch (LoginException le) {
            System.err.println("Authentication failed: ");
            System.err.println("  " + le.getMessage());
            System.exit(-1);
        System.out.println("Authentication succeeded!");
  }start.bat file:
  "c:\Program Files\Java\jdk1.5.0_06\bin\java" -Djava.security.krb5.realm=BERIT.CZ -Djava.security.krb5.kdc=10.1.0.04 -Djava.security.krb5.debug=true -Djava.security.auth.login.config=jaas.conf JaasSample
  jaas.conf file:
  JaasSample {
  com.sun.security.auth.module.Krb5LoginModule required useTicketCache="false" debug="true";
  Output is:
  c:\JAAS>"c:\Program Files\Java\jdk1.5.0_06\bin\java" -Djava.security.krb5.realm=
  BERIT.CZ -Djava.security.krb5.kdc=10.1.0.04 -Djava.security.krb5.debug=true -Dja
  va.security.auth.login.config=jaas.conf JaasSample
  Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt f
  alse ticketCache is null KeyTab is null refreshKrb5Config is false principal is
  null tryFirstPass is false useFirstPass is false storePass is false clearPass is
  false
  Kerberos username [Kloucek]: User3
  Kerberos password for User3: Poiu4566
  [Krb5LoginModule] user entered username: User3
  principal is [email protected]
  Acquire TGT using AS Exchange
  EncryptionKey: keyType=3 keyBytes (hex dump)=0000: 13 A1 F4 86 B6 1C BF 85
  EncryptionKey: keyType=1 keyBytes (hex dump)=0000: 13 A1 F4 86 B6 1C BF 85
  EncryptionKey: keyType=16 keyBytes (hex dump)=0000: 01 58 6E AE EF 25 15 43 F1
  2C 40 46 7A 3D 2A B0 .Xn..%.C.,@Fz=*.
  0010: 1F 16 9E B6 19 8A 46 68
  [Krb5LoginModule] authentication failed
  Pre-authentication information was invalid (24)
  Authentication failed:
  Pre-authentication information was invalid (24)
  I tried all tips i found at this forum and other internet resources without luck...:-(((
  Please heeeeelp!!!!!!!!!!!!!!!!!

  I have solve it....The reason of this problem was this:
  Im accesing our network via this login properties:
  login: My second name
  pass: My password
  Due to this fact i had entered this login properties into the Kerberos database too..., BUT KERBEROS had been expecting my fully qualified network name which is myfirstname.myseconame@KERBEROS-REALM!!!!!!!!!!!!!!!So after i had entered [email protected] instead of [email protected] it started to work!!!!! I hope this will help many other programmers....

• Pre-authentication information was invalid (24)

  Hi all,
  im going to be really desperate from this error message during the authentization to the Win2003 server where the Active Directory is running ... Im using Krb5LoginModule.
  - Our administrator of the AD service has enabled DES encryption at the tested account.
  - Im sure that entered password is correct, because im able to login via this password to our network.
  - Entered Kerberos realm is in upper case...in the form (COMPANY.COM)
  - Kerberos KDC contains IP adress of the Domain controller.
  I really dont know why it doesnt work....:-(( Strange is that if i enable ticketCache to the ability to use the native ticket cache it works fine.....
  My code is:
  import javax.security.sasl.*;
  import java.io.*;
  import java.util.*;
  import javax.security.auth.Subject;
  import com.sun.security.auth.callback.TextCallbackHandler;
  * This JaasAcn application attempts to authenticate a user
  * and reports whether or not the authentication was successful.
  public class JaasSample {
    public static void main(String[] args) {
          LoginContext lc = null;
       java.util.Properties p = new java.util.Properties(System.getProperties());
         try
              lc = new LoginContext("JaasSample", new TextCallbackHandler());
         catch (LoginException le)
              System.err.println("Cannot create LoginContext. "
                   + le.getMessage());
              System.exit(-1);
         catch (SecurityException se)
              System.err.println("Cannot create LoginContext. "
                   + se.getMessage());
              System.exit(-1);
         catch (Exception e)
              System.out.println("Login failer: "+e.getMessage());
        try {
                      lc.login();
                      Subject subject = lc.getSubject();
                  Iterator it = subject.getPrincipals().iterator();
                  while (it.hasNext())
                      System.out.println("Authenticated: " + it.next().toString());
                  it = subject.getPublicCredentials(Properties.class).iterator();
                  while (it.hasNext())
                      ((Properties)it.next()).list(System.out);
                  lc.logout();
        } catch (LoginException le) {
            System.err.println("Authentication failed: ");
            System.err.println("  " + le.getMessage());
            System.exit(-1);
        System.out.println("Authentication succeeded!");
  }start.bat file:
  "c:\Program Files\Java\jdk1.5.0_06\bin\java" -Djava.security.krb5.realm=BERIT.CZ -Djava.security.krb5.kdc=10.1.0.04 -Djava.security.krb5.debug=true -Djava.security.auth.login.config=jaas.conf JaasSample
  jaas.conf file:
  JaasSample {
  com.sun.security.auth.module.Krb5LoginModule required useTicketCache="false" debug="true";
  Output is:
  c:\JAAS>"c:\Program Files\Java\jdk1.5.0_06\bin\java" -Djava.security.krb5.realm=
  BERIT.CZ -Djava.security.krb5.kdc=10.1.0.04 -Djava.security.krb5.debug=true -Dja
  va.security.auth.login.config=jaas.conf JaasSample
  Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt f
  alse ticketCache is null KeyTab is null refreshKrb5Config is false principal is
  null tryFirstPass is false useFirstPass is false storePass is false clearPass is
  false
  Kerberos username [Kloucek]: User3
  Kerberos password for User3: Poiu4566
  [Krb5LoginModule] user entered username: User3
  principal is [email protected]
  Acquire TGT using AS Exchange
  EncryptionKey: keyType=3 keyBytes (hex dump)=0000: 13 A1 F4 86 B6 1C BF 85
  EncryptionKey: keyType=1 keyBytes (hex dump)=0000: 13 A1 F4 86 B6 1C BF 85
  EncryptionKey: keyType=16 keyBytes (hex dump)=0000: 01 58 6E AE EF 25 15 43 F1
  2C 40 46 7A 3D 2A B0 .Xn..%.C.,@Fz=*.
  0010: 1F 16 9E B6 19 8A 46 68
  [Krb5LoginModule] authentication failed
  Pre-authentication information was invalid (24)
  Authentication failed:
  Pre-authentication information was invalid (24)
  I tried all tips i found at this forum and other internet resources without luck...:-(((
  Please heeeeelp!!!!!!!!!!!!!!!!!

  Hi all,
  im going to be really desperate from this error message during the authentization to the Win2003 server where the Active Directory is running ... Im using Krb5LoginModule.
  - Our administrator of the AD service has enabled DES encryption at the tested account.
  - Im sure that entered password is correct, because im able to login via this password to our network.
  - Entered Kerberos realm is in upper case...in the form (COMPANY.COM)
  - Kerberos KDC contains IP adress of the Domain controller.
  I really dont know why it doesnt work....:-(( Strange is that if i enable ticketCache to the ability to use the native ticket cache it works fine.....
  My code is:
  import javax.security.sasl.*;
  import java.io.*;
  import java.util.*;
  import javax.security.auth.Subject;
  import com.sun.security.auth.callback.TextCallbackHandler;
  * This JaasAcn application attempts to authenticate a user
  * and reports whether or not the authentication was successful.
  public class JaasSample {
    public static void main(String[] args) {
          LoginContext lc = null;
       java.util.Properties p = new java.util.Properties(System.getProperties());
         try
              lc = new LoginContext("JaasSample", new TextCallbackHandler());
         catch (LoginException le)
              System.err.println("Cannot create LoginContext. "
                   + le.getMessage());
              System.exit(-1);
         catch (SecurityException se)
              System.err.println("Cannot create LoginContext. "
                   + se.getMessage());
              System.exit(-1);
         catch (Exception e)
              System.out.println("Login failer: "+e.getMessage());
        try {
                      lc.login();
                      Subject subject = lc.getSubject();
                  Iterator it = subject.getPrincipals().iterator();
                  while (it.hasNext())
                      System.out.println("Authenticated: " + it.next().toString());
                  it = subject.getPublicCredentials(Properties.class).iterator();
                  while (it.hasNext())
                      ((Properties)it.next()).list(System.out);
                  lc.logout();
        } catch (LoginException le) {
            System.err.println("Authentication failed: ");
            System.err.println("  " + le.getMessage());
            System.exit(-1);
        System.out.println("Authentication succeeded!");
  start.bat file:
  "c:\Program Files\Java\jdk1.5.0_06\bin\java" -Djava.security.krb5.realm=BERIT.CZ -Djava.security.krb5.kdc=10.1.0.04 -Djava.security.krb5.debug=true -Djava.security.auth.login.config=jaas.conf JaasSample
  jaas.conf file:
  JaasSample {
  com.sun.security.auth.module.Krb5LoginModule required useTicketCache="false" debug="true";
  Output is:
  c:\JAAS>"c:\Program Files\Java\jdk1.5.0_06\bin\java" -Djava.security.krb5.realm=
  BERIT.CZ -Djava.security.krb5.kdc=10.1.0.04 -Djava.security.krb5.debug=true -Dja
  va.security.auth.login.config=jaas.conf JaasSample
  Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt f
  alse ticketCache is null KeyTab is null refreshKrb5Config is false principal is
  null tryFirstPass is false useFirstPass is false storePass is false clearPass is
  false
  Kerberos username [Kloucek]: User3
  Kerberos password for User3: Poiu4566
  [Krb5LoginModule] user entered username: User3
  principal is [email protected]
  Acquire TGT using AS Exchange
  EncryptionKey: keyType=3 keyBytes (hex dump)=0000: 13 A1 F4 86 B6 1C BF 85
  EncryptionKey: keyType=1 keyBytes (hex dump)=0000: 13 A1 F4 86 B6 1C BF 85
  EncryptionKey: keyType=16 keyBytes (hex dump)=0000: 01 58 6E AE EF 25 15 43 F1
  2C 40 46 7A 3D 2A B0 .Xn..%.C.,@Fz=*.
  0010: 1F 16 9E B6 19 8A 46 68
  [Krb5LoginModule] authentication failed
  Pre-authentication information was invalid (24)
  Authentication failed:
  Pre-authentication information was invalid (24)I tried all tips i found at this forum and other internet resources without luck...:-(((
  Please heeeeelp!!!!!!!!!!!!!!!!!

• Authentication Failed!? Can someone help please?

  Hi everyone,
  I'm in need of some real assistance. I have currently purchased and installed ARD 3.0 on my laptop. My girlfriend has just bought her first Mac computer - a new intel iMac. Wanting to help her remotely, I installed the client installer created by my ARD3 version. When I try to connect, it doesn't let me. It says "Authentication Failed". We even tried taking off the password to make it easier, but still nothing. I can connect by "Connect to Server" through the finder, but I just don't understand why it won't connect me through ARD. I've read a few forums about the intel problem, but I understood that problem is having ARD3 installed on the computer as in, "the master host" and not the client installer. Is that right?
  Can someone tell me if I am supposed to install the whole program on the iMac I am trying to connect to or does it just have to be on my computer and everyone else gets the custom "Client Installer" I've created. In her preferences under Sharing, it doesn't show Access Privileges, where as it does on mine as I have it fully installed on mine. I am very confused and feeling like a total newbie. Any assistance would be greatly appreciated. Thank you.

  Same issue here. I have 25 nodes (mix of Pmacs 2x/4x) and am trying to get imaging going as we're replacing some of the 2x with 4x, Using NetRestore and a lot of help from local experts, I've got the imaging working, but even tho the new nodes are imaged from an existing one (and then renamed), I cannot connect to them with ARD 3.0 (Authentication Failed to [node]).
  The nodes are set up to get IPs based on MAC addresses from a MacOSX Server running DHCP and this part works well - they're getting the right IP #s, but not connecting via ARD. They show up in the ARD panel with the correct IP number and ARD version #, but the DNS name is missing (should be 'Q2L1.local' and is blank.)
  What kind of auth is being sought? Is it trying to get kerberos authentication via the Server? That service is on and appears to be working fine, altho I could imagine that since it's running off an imaged disk, there might be some kind of auth invalidation occuring.
  However, in checking the Server Open Directory logs, I see:
  Jul 20 2006 11:59:31 AUTH2: {0x446d07630c6cdd5e0000000f0000000f, hjm} DHX authentication failed, SASL error -13 (password incorrect).
  Jul 20 2006 11:59:31 QUIT: {0x446d07630c6cdd5e0000000f0000000f, hjm} disconnected.
  Jul 20 2006 11:59:32 RSAVALIDATE: success.
  Jul 20 2006 11:59:32 AUTH2: {0x446d07630c6cdd5e0000000f0000000f, hjm} DHX authentication failed, SASL error -13 (password incorrect).
  Jul 20 2006 11:59:32 QUIT: {0x446d07630c6cdd5e0000000f0000000f, hjm} disconnected.
  I'm logged into the server as 'hjm' but I don't have an account on the target machine (nor the image source machine which works just fine).
  The above errors suggest that it's a DHX key problem, but why should it involve 'hjm' and not the user logged in, or the user trying to log in?
  Incidentally, resetting the passwd for the logged in user does not work.
  ***? (Why The Failure?)
  Harry