"Jag" <Jag@discussions.microsoft.com> wrote in message
news:C71C8A46-B0D2-4DE6-9561-01E879127644@microsoft.com...
> We have the following configuration...
> several 2000 ADS servers
> several NT4 BDC domain servers
> several IIS 6 on a 2003 member server
> several IIS 5 on a 2000 member server
>
> The problem is that intermittantly we will fail to authenticate via
Kerberos
> to a web site that pulls up a list of options in IE based upon NT group
> membership.
> The end user with IE receives an access denied permission error and the
web
> server logs the following event.
> A Kerberos Error Message was received: on logon session
> Client Time:
> Server Time: 18:47:1.0000 9/17/2004 Z
> Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
> Extended Error:
> Client Realm:
> Client Name:
> Server Realm: USXPRESS.COM
> Server Name: krbtgt/USXPRESS.COM
> Target Name: host/xgsthlweb.usxpress.com@USXPRESS.COM
> Error Text:
> File: 9
> Line: ab8
> Error Data is in record data.
> For more information, .....
>
> The problem will go away for about a week then come back. When we get the
> error it happens to all users even admins regardless of what computer they
> are using or what version of IE they are useing. In the past I was able
to
> set the application pool identity from predefined "network service" to
"local
> service" and it would work for a few days no problems then when it fails
> again I can switch the application pool identity from predefined "local
> service" to "network service" and it will work for a while then fail
again.
> I never have any problems with the web site on the 2000 server with IIS 5,
> only with the 2003 server with IIS 6. I have gone through all the docs on
> troubleshooting Kerberos issues and everything looks good.
> The fact that it works for a while and then fails has me confused... I
could
> understand it not working but to work and then stop when no changes were
made
> is beyond me. Anyone have any idea what might be causing this?
>
> Thanks
>