Authentication and KDC Problems

Thread starter: K (Guest)
I have a 2k3 native domain with 2 DCs.

DC 1 has all FSMO roles and DNS installed
DC 2 also has DNS installed

DC 2 did have the windows CA installed, although it was never used to issue
certificates. When rationalising our services the CA was uninstalled and
reinstalled on a member server on the domain.

The last week or so users have been experiencing problems with their home
drive mapping. Randomly, some users will get the map, while others will get
it but will get access denied if they try to open it. If they log off, wait
2 mins and log back on, they can access the home drive. Home drives are a
share on DC 1.

Whilst trawling through the event logs yesterday I noticed the following
error:

KDC - Event ID 20

The currently selected KDC certificate was once valid, but now is invalid
and no suitable replacement was found. Smartcard logon may not function
correctly if this problem is not remedied. Have the system administrator
check on the state of the domain's public key infrastructure. The chain
status is in the error data.

I did a bit of research and found a suggestion that this was due to
uninstalling the CA from the server and that deleting any certificates
relating to that CA would solve the issue. I deleted all certificates
issued by DC 2 and restarted the KDC and have not received this error since.

This morning I rebooted the entire server farm for a clean start and checked
the event logs. DC 2 is now logging LsaSrv Event 40960 (SPNEGO Negotiator)
several times (all relating in one way or another to DC 2).

In the hope of trying to resolve this I reinstalled the CA onto DC 2 (so I
now have an enterprise root CA on both DC 2 (where there was originally one)
and a member server), as I don't know if uninstalling this will cause further
problems.

I rebooted DC 2 and the member server the other CA is on and there were no
errors logged on either.

However, I am still experiencing some odd authentication problems.

It has not been long enough in the day yet to see if users are having home
drive problems so we will have to see about that, but one application which
I use (installed on the same member server as the CA) is giving access
denied messages when trying to run certain parts of it, which the developers
tell me is possibly due to problems with the account the service runs under
authenticating.

Can anyone help with this?

What is the best way of removing the CA from BOTH servers it is on now (the
DC and the member server) - neither has issued any certificates (other than
the ones it does automatically). And will this clear up my authentication
issues or is this something else?
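An added check, not from the thread and not the poster's own steps, for the state the KDC Event ID 20 message points at: run on a DC, it walks the machine's Personal certificate store, builds each certificate's chain, lists its Enhanced Key Usages, and flags anything that no longer validates, so certificates issued by the removed CA can be reviewed before anything is deleted. It assumes PowerShell 3.0 or later and uses a placeholder for the removed CA's common name.

```powershell
# Added example (not from the thread). Assumption: $RemovedCaName is a
# placeholder for the CN of the CA that was uninstalled from DC 2.
param(
    [string]$RemovedCaName = 'PLACEHOLDER-CA-NAME'
)

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)

$results = foreach ($cert in $store.Certificates) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Use the local revocation cache only: a CA that has been removed cannot
    # answer online checks, and that would mask the real chain problem.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Offline
    $valid = $chain.Build($cert)
    # For a good chain ChainStatus is empty; otherwise it carries the reasons
    # (NotTimeValid, UntrustedRoot, PartialChain, RevocationStatusUnknown, ...).
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    # Enhanced Key Usage tells you whether this is a KDC / smart card logon
    # certificate, i.e. one the KDC would try to select.
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $eku = if ($ekuExt) { ($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName }) -join ',' } else { '' }

    [pscustomobject]@{
        Subject           = $cert.Subject
        Issuer            = $cert.Issuer
        NotAfter          = $cert.NotAfter
        ChainValid        = $valid
        ChainStatus       = $status
        EnhancedKeyUsage  = $eku
        IssuedByRemovedCa = ($cert.Issuer -like "*CN=$RemovedCaName*")
    }
}
$store.Close()

# Certificates that both fail chain building and were issued by the removed CA
# are the ones the KDC can no longer use; review this list before removing any.
$results | Where-Object { -not $_.ChainValid } | Format-Table -AutoSize
```

Running the same script on the member server that now hosts the CA shows whether its service account's certificates chain to a root the DCs still trust.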
 
Anyone?

 
Anyone at all?

 