Hi:
In our Active Directory environment, any new AD user who has "user must change password at next logon" set cannot log in to the domain. The strange thing is that when the AD user attempts to log in, the KDC returns KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN to our application, while we are pretty sure that the AD user exists on the server.
In the AD environment, there are 2 DCs in the domain; the issue only exists when our application attempts to log in to a particular DC. The issue does not exist on the other DC. And we are pretty sure that it is not due to a replication issue.
Just wondering why the KDC would return the KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN error code after we check "user must change password at next logon"? Is it due to a configuration issue?
Note: The "passwords remembered" GP was set to 0 on the domain.
This is what we did:
1. Join the machine to the AD domain.
2. On the DC, create a new AD user using ADUC.
3. Log in as the new AD user on the client machine; login OK.
4. In ADUC, check "User must change password at next logon" for the newly created AD user.
5. Log in again using the same AD user on the client machine. Login failed immediately; from the network trace, the KDC (the same DC where we just created the AD user) returned "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN" in response to our AS_REQ.
The following network trace shows that we are able to modify this user on the DC, to prove that the user actually exists.
Then later, attempting to log in as the same user, the KDC said the user is unknown.
Why would the KDC return principal unknown after forcing the user to change password at next login?
Any help is appreciated.
Thank you!
Yen
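A diagnostic for the situation described in the post, added here and not part of the original thread: it asks each DC directly how it currently sees the account (the "must change password" state is pwdLastSet = 0) and pulls the matching Kerberos AS failures from each DC's Security log, so a difference between the two DCs shows up without reading a trace. It assumes the RSAT ActiveDirectory module, "Audit Kerberos Authentication Service" enabled on the DCs, and placeholder user and DC names.

```powershell
# Added example, not the poster's code. Compare the account as seen by each DC,
# then list recent event 4768 failures for it. User and DC names are placeholders.
param(
    [string]$SamAccountName     = 'PLACEHOLDER_USER',
    [string[]]$DomainControllers = @('DC1.example.local', 'DC2.example.local')
)
Import-Module ActiveDirectory

foreach ($dc in $DomainControllers) {
    Write-Host "=== $dc ==="
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc -Properties `
            'pwdLastSet', 'userAccountControl', 'userPrincipalName',
            'servicePrincipalName', 'msDS-SupportedEncryptionTypes'
    } catch {
        # A failed lookup on one DC but not the other points at that DC's copy of the object.
        Write-Host "  lookup failed: $($_.Exception.Message)"
        continue
    }
    # pwdLastSet = 0 is exactly what "User must change password at next logon" writes.
    [PSCustomObject]@{
        DC                 = $dc
        SamAccountName     = $u.SamAccountName
        UserPrincipalName  = $u.UserPrincipalName
        PwdLastSet         = $u.pwdLastSet
        MustChangePassword = ($u.pwdLastSet -eq 0)
        UserAccountControl = ('0x{0:X}' -f $u.userAccountControl)
        Disabled           = (($u.userAccountControl -band 0x2) -ne 0)
        SupportedEncTypes  = $u.'msDS-SupportedEncryptionTypes'
        SPNs               = ($u.servicePrincipalName -join ';')
    } | Format-List

    # Event 4768 (Kerberos authentication ticket request) on the DC records the same
    # failure the client saw; result code 0x6 is KDC_ERR_C_PRINCIPAL_UNKNOWN.
    Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Security'; Id = 4768 } `
        -MaxEvents 500 -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Message -match 'Result Code:\s+0x6\b' -and
            $_.Message -match [regex]::Escape($SamAccountName)
        } |
        Select-Object TimeCreated, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
        Format-Table -AutoSize
}
```

If the object, its UPN/SPNs and pwdLastSet match on both DCs but only one DC logs the 0x6 failures, the difference is on that DC rather than in the account itself.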