Channel: Directory Services forum

Kerberos: Server 2008R2 requests same TGT every 60 seconds


Hi all,

on a Server 2008R2 SP1 with IIS installed, in a Netmon trace I see that a new TGT for the IIS web pool account is requested about every 60 seconds. Sometimes also in the range of 100 ms. The web application is working fine.

Usually the flow is as follows:

  1. Server --> DC: AS-REQ
  2. DC --> Server: KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
  3. Server --> DC: AS-REQ
  4. DC --> Server: AS-REP
  5. Server --> DC: TGS-REQ
  6. DC --> Server: TGS-REP

The first AS-REQ fails due to the missing time stamp in the request. In the AS-REP I can see in padata that PA-ENC-TIMESTAMP, PA-DAS and PA-PK-AS-REP are missing. In the second AS-REQ PA-ENC-TIMESTAMP is inserted in padata.

The client name in the AS-REQ is the name of the account the web service is running as. The Kerberos request server (service) name is krbtgt/domain-name.

I wonder why a TGT is requested at least every minute, as the Kerberos ticket TTL is 10 hours per default in the domain and can't even be set below one hour.

Probably as a side effect we notice "RPC Server unavailable" in the event log with clients failing to connect to IIS twice a week.

Around the time of the "RPC failure" I see a TGS-REP "KRB5KDC_ERR_BADOPTION" for a TGS-REQ with Kerberos server (service) name "server-name$@domain-name" and KDC option "constrained-delegation".

Questions are:

Can the "KRB5KDC_ERR_BADOPTION" invalidate the server's TGT and shut down the RPC service for ever (until reboot)?

Where to start troubleshooting this (I know the IIS server should be configured for delegation)? But for days the server and web service run without problems, and I wonder whether just a "KRB5KDC_ERR_BADOPTION" can shut down the RPC service and the server at all.

(Also, is it possible to start kerbtray in the context of IIS and the server?)

Thank You

Jochen
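As an added illustration (not part of the original post), the following script shows how one might triage a trace like the one described above: it walks a constructed list of Kerberos messages in time order, flags every AS-REP that issues a fresh TGT to the same client sooner than a configurable interval (the "TGT every 60 seconds" symptom), and records any TGS-REQ answered with KRB5KDC_ERR_BADOPTION together with the service that was requested. The principal names, timestamps and trace rows are all constructed for the example.

```python
from datetime import datetime

# Constructed sample trace rows: (timestamp, message type, client principal,
# requested service principal, error code or None). Not from the original post.
SAMPLE_TRACE = [
    ("08:00:00.000", "AS-REQ",    "webpool", "krbtgt/CORP.EXAMPLE", None),
    ("08:00:00.010", "KRB-ERROR", "webpool", "krbtgt/CORP.EXAMPLE", "KRB5KDC_ERR_PREAUTH_REQUIRED"),
    ("08:00:00.020", "AS-REQ",    "webpool", "krbtgt/CORP.EXAMPLE", None),
    ("08:00:00.030", "AS-REP",    "webpool", "krbtgt/CORP.EXAMPLE", None),
    ("08:00:00.040", "TGS-REQ",   "webpool", "HTTP/web01.corp.example", None),
    ("08:00:00.050", "TGS-REP",   "webpool", "HTTP/web01.corp.example", None),
    ("08:01:00.000", "AS-REQ",    "webpool", "krbtgt/CORP.EXAMPLE", None),   # new TGT 60 s later
    ("08:01:00.030", "AS-REP",    "webpool", "krbtgt/CORP.EXAMPLE", None),
    ("08:01:00.100", "AS-REQ",    "webpool", "krbtgt/CORP.EXAMPLE", None),   # and again 100 ms later
    ("08:01:00.130", "AS-REP",    "webpool", "krbtgt/CORP.EXAMPLE", None),
    ("08:02:00.000", "TGS-REQ",   "webpool", "web01$@CORP.EXAMPLE", None),   # constrained-delegation request
    ("08:02:00.010", "KRB-ERROR", "webpool", "web01$@CORP.EXAMPLE", "KRB5KDC_ERR_BADOPTION"),
]

def _ts(s):
    return datetime.strptime(s, "%H:%M:%S.%f")

def analyze_trace(rows, min_tgt_interval_s=3600.0):
    """Return tgt_churn: (client, seconds since that client's previous AS-REP) for
    every TGT issued sooner than min_tgt_interval_s (a healthy client reuses its TGT
    until near expiry), and delegation_errors: (time, client, requested service) for
    each KRB5KDC_ERR_BADOPTION. The preauth-required round trip is not counted."""
    last_tgt = {}          # client -> time of last AS-REP
    pending_tgs = {}       # client -> service named in its most recent TGS-REQ
    tgt_churn, delegation_errors = [], []
    for ts, mtype, client, service, err in rows:
        t = _ts(ts)
        if mtype == "AS-REP":
            prev = last_tgt.get(client)
            if prev is not None and (t - prev).total_seconds() < min_tgt_interval_s:
                tgt_churn.append((client, round((t - prev).total_seconds(), 3)))
            last_tgt[client] = t
        elif mtype == "TGS-REQ":
            pending_tgs[client] = service
        elif mtype == "KRB-ERROR" and err == "KRB5KDC_ERR_BADOPTION":
            delegation_errors.append((ts, client, pending_tgs.get(client, service)))
    return {"tgt_churn": tgt_churn, "delegation_errors": delegation_errors}
```

Run against the sample, `analyze_trace(SAMPLE_TRACE)` reports two churn events for `webpool` (60 s and 0.1 s apart) and one BADOPTION against `web01$@CORP.EXAMPLE`; pointing it at a real export means mapping the trace columns onto the same five-tuple.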

