Server 2016 - (MIM2016) Kerberos Error


Darren_Reed_in_ZA

Good day

I get the following message on my MIM01 dashboard under manageability, for my MIM02 server:



“<MIM02 SERVER> - Kerberos security error <date and time>”


The following message is recorded in the Event Viewer on MIM01:


"The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server <MY MIM 02 SERVER>$. The target name used was HTTP/MY MIM 02 SERVER FQDN. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (DOMAIN 1) is different from the client domain (DOMAIN 1), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server."


I ran the following command to check the SPN on my MIM 01 server and got the following output:


PS C:\Windows\system32> setspn -q HTTP/<MY MIM 02 SERVER FQDN>

Checking domain DC=<X>,DC=<X>,DC=<X>

CN=<MIM SharePoint service account>,OU=<X>,OU=<X>,OU=<X>,OU=<X>,DC=<X>,DC=<X>,DC=<X>

HTTP/<MY MIM 02 SERVER>

HTTP/<MY MIM 02 SERVER FQDN>



Existing SPN found!


Would this be interfering with user registration on the registration portal and by extension the password reset portal?

I am unsure how to proceed further to clear that Kerberos error on the dashboard.


Kindest regards

Darren



EDIT

I also ran the setspn -x command on both the MIM 01 and MIM 02 servers, and both show zero duplicate SPNs.


EDIT V2.0

I have also just used the adfind tool, and ran two commands as per this article (adapted), output as follows:

Query 1:

PS C:\Users\<USER ACCOUNT>\Downloads> .\adfind -f "servicePrincipalName=http/<MIM 02 FQDN>" -gcb

AdFind V01.51.00cpp Joe Richards (support@joeware.net) October 2017

Using server: <CURRENT DC RUNNING QUERY OFF FQDN>:3268
Directory: Windows Server 2016

dn:CN=<MIM SharePoint service account>,OU=<X>,OU=<X>,OU=<X>,OU=<X>,DC=<X>,DC=<X>,DC=<X>
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user
>cn: <MIM SharePoint service account>
>description: Microsoft Identity Manager SharePoint Farm Account
>distinguishedName: CN=<MIM SharePoint service account>,OU=<X>,OU=<X>,OU=<X>,OU=<X>,DC=<X>,DC=<X>,DC=<X>
>instanceType: 4
>whenCreated: <X>
>whenChanged: <X>
>displayName: Microsoft Identity Manager SharePoint Farm Account
>uSNCreated: <X>
>uSNChanged: <X>
>name: <MIM SharePoint service account>
>objectGUID: <X>
>userAccountControl: <X>
>primaryGroupID: <X>
>objectSid: <X>
>sAMAccountName: <MIM SharePoint service account>
>sAMAccountType: <X>
>userPrincipalName: <MIM SharePoint service account>@<X>
>servicePrincipalName: HTTP/<MIM 02>
>servicePrincipalName: HTTP/<MIM 02 FQDN>
>objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=<X>,DC=<X>,DC=<X>
>dSCorePropagationData: <X>
>dSCorePropagationData: <X>
>dSCorePropagationData: <X>
>dSCorePropagationData: <X>
>dSCorePropagationData: <X>
>lastLogonTimestamp: <X>


1 Objects returned


Query 2:

PS C:\Users\<USER ACCOUNT>\Downloads> .\adfind -f "servicePrincipalName=host/<MIM 02 FQDN>" -gcb

AdFind V01.51.00cpp Joe Richards (support@joeware.net) October 2017

Using server: <CURRENT DC RUNNING QUERY OFF FQDN>:3268
Directory: Windows Server 2016

dn:CN=<MIM 02>,OU=<X>,OU=<X>,OU=<X>,DC=<X>,DC=<X>,DC=<X>
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user
>objectClass: computer
>cn: <MIM 02>
>distinguishedName: CN=<MIM 02>,OU=<X>,OU=<X>,OU=<X>,DC=<X>,DC=<X>,DC=<X>
>instanceType: 4
>whenCreated: <X>
>whenChanged: <X>
>displayName: <MIM 02>$
>uSNCreated: <X>
>memberOf: CN=<X>,CN=<X>,DC=<X>,DC=<X>,DC=<X>
>uSNChanged: <X>
>name: <MIM 02>
>objectGUID: <X>
>userAccountControl: <X>
>primaryGroupID: <X>
>objectSid: <X>
>sAMAccountName: <MIM 02>$
>sAMAccountType: <X>
>dNSHostName: <MIM 02 FQDN>
>servicePrincipalName: tapinego/<MIM 02>
>servicePrincipalName: tapinego/<MIM 02 FQDN>
>servicePrincipalName: WSMAN/<MIM 02 FQDN>
>servicePrincipalName: CmRcService/<MIM 02 FQDN>
>servicePrincipalName: TERMSRV/<MIM 02 FQDN>
>servicePrincipalName: RestrictedKrbHost/<MIM 02 FQDN>
>servicePrincipalName: HOST/<MIM 02 FQDN>
>servicePrincipalName: WSMAN/<MIM 02>
>servicePrincipalName: CmRcService/<MIM 02>
>servicePrincipalName: TERMSRV/<MIM 02>
>servicePrincipalName: RestrictedKrbHost/<MIM 02>
>servicePrincipalName: HOST/<MIM 02>
>objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=<X>,DC=<X>,DC=<X>
>dSCorePropagationData: <X>
>dSCorePropagationData: <X>
>dSCorePropagationData: <X>
>dSCorePropagationData: <X>
>dSCorePropagationData: <X>
>lastLogonTimestamp: <X>


1 Objects returned


I don't know what to make of the data - it looks like everything is saying that there are no duplicates? I can't see where an SPN issue and, subsequently, a Kerberos issue comes in.
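The event text names two causes: the SPN held by an account other than the one the service runs as, or a stale password for that account. The script below is an added diagnostic example (not from the post or from Microsoft) that checks both from MIM01: it repeats the forest-wide SPN lookup against a Global Catalog, then reads the identity each IIS application pool on MIM02 actually runs as and flags any pool whose account does not hold the SPN. The server name and SPN are placeholders; it assumes the ActiveDirectory module locally and WebAdministration on the remote host.

```powershell
# Added diagnostic example, not code from the original post.
# Placeholders: replace $Server / $Spn with the real <MIM 02 FQDN> values.
param(
    [string]$Server = 'mim02.contoso.local',       # placeholder for <MIM 02 FQDN>
    [string]$Spn    = 'HTTP/mim02.contoso.local'   # placeholder SPN from the event
)
Import-Module ActiveDirectory

# 1. Ask a Global Catalog (port 3268) which accounts hold the SPN, forest-wide.
#    This is the same question the "adfind ... -gcb" query answers.
$gc = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName | Select-Object -First 1
$holders = Get-ADObject -Server "$($gc):3268" -SearchBase '' -SearchScope Subtree `
    -LDAPFilter "(servicePrincipalName=$Spn)" `
    -Properties sAMAccountName, pwdLastSet, servicePrincipalName

if ($holders.Count -ne 1) {
    Write-Warning "Expected exactly one holder of $Spn, found $($holders.Count)."
}
# pwdLastSet helps with the second cause in the event: a recent password change
# on the holder, with the service still running under the old credentials.
$holders | Select-Object sAMAccountName, DistinguishedName,
    @{ n = 'PasswordLastSet'; e = { [DateTime]::FromFileTime($_.pwdLastSet) } }

# 2. Read the identity each IIS application pool on MIM02 runs as. For a
#    domain account the SPN must be on that account; for a built-in identity
#    (ApplicationPoolIdentity, NetworkService) it must be on the computer account.
$pools = Invoke-Command -ComputerName $Server -ScriptBlock {
    Import-Module WebAdministration
    Get-ChildItem IIS:\AppPools | ForEach-Object {
        [pscustomobject]@{
            Pool     = $_.Name
            Identity = if ($_.processModel.identityType -eq 'SpecificUser') {
                           $_.processModel.userName
                       } else { "$env:COMPUTERNAME`$" }   # built-in -> computer account
        }
    }
}
$pools

# 3. Flag every pool whose running identity is not one of the SPN holders.
$holderNames = $holders.sAMAccountName | ForEach-Object { $_.ToLower() }
foreach ($p in $pools) {
    $acct = ($p.Identity -split '\\')[-1].ToLower()
    if ($holderNames -notcontains $acct) {
        Write-Warning "Pool '$($p.Pool)' runs as '$($p.Identity)', which does not hold $Spn."
    }
}
```

After any SPN or password correction, run `klist purge` followed by `klist get HTTP/<MIM 02 FQDN>` on MIM01 to confirm a fresh service ticket is issued before rechecking the dashboard.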
