Microsoft KB Archive/311060

= Cannot Connect to a Domain When You Manually Configure a Windows-Based Computer to Interoperate with a Kerberos Realm =

PSS ID Number: 311060

Article Last Modified on 6/6/2003


The information in this article applies to:


 * Microsoft Windows 2000 Server SP1
 * Microsoft Windows 2000 Server SP2
 * Microsoft Windows 2000 Advanced Server SP1
 * Microsoft Windows 2000 Advanced Server SP2
 * Microsoft Windows 2000 Professional SP1
 * Microsoft Windows 2000 Professional SP2
 * Microsoft Windows XP Professional
 * Microsoft Windows Server 2003, Enterprise Edition
 * Microsoft Windows Server 2003, Standard Edition




This article was previously published under Q311060



IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry



SYMPTOMS
If you use the Kerberos Setup tool (Ksetup.exe) to manually configure a Windows Server-based or a Windows XP-based computer to interoperate with a Kerberos realm, you may not be able to connect to your Windows Server-based domain. When you perform a network trace of the Kerberos protocol, the following error message may be logged:

0x6 (KRB_ERR_C_PRINCIPAL_UNKNOWN) "Client not found in Kerberos database"



CAUSE
This problem can occur when you use Ksetup.exe, which is included in Windows Server Support Tools. If you use the /setrealm switch to create a Kerberos realm, a non-Windows realm is added to the registry. The Kerberos Security Provider in Windows Server uses this data to locate the non-Windows Kerberos Key Distribution Center (KDC) and interoperate with the Kerberos realm. When you use Ksetup.exe with the /mapuser switch, the Kerberos principal is mapped to a local account. If you then join the computer to a domain without removing these mappings, the computer cannot authenticate to the Windows KDC because the computer account cannot obtain a ticket-granting ticket (TGT) from its domain KDC.



RESOLUTION
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To resolve this problem:

 1. Remove the computer from the non-Windows Kerberos realm (if it still exists). To do so, use Ksetup.exe with both the /removerealm switch and the name of the non-Windows Kerberos realm.
 2. Remove the user mappings for the Kerberos realm from the registry. To do so:
    a. Start Registry Editor (Regedt32.exe).
    b. Locate and click the following registry key:

       HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\Kerberos

    c. Double-click the UserList value, remove all of the entries from it, and then click OK.
    d. Quit Registry Editor.
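The registry part of the resolution (step 2) can also be scripted. The following PowerShell sketch is an added example, not part of the original article: it reports any leftover UserList mappings and, only when run with -Clear, backs up the key and empties them. It assumes PowerShell is installed on the computer and the session is elevated, that UserList may be stored either as a value (as the article words it) or as a subkey, and the backup file name is hypothetical.

```powershell
# Added example (not from the KB article). Assumes PowerShell is installed and the
# session is elevated. Reports UserList mappings; clears them only with -Clear.
param(
    [switch]$Clear,
    # Hypothetical backup location; the script refuses to overwrite an existing file.
    [string]$BackupFile = "$env:TEMP\lsa-kerberos-$(Get-Date -Format yyyyMMddHHmmss).reg"
)
$sub = 'SYSTEM\CurrentControlSet\Control\Lsa\Kerberos'
# Open read-only unless -Clear was given.
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($sub, [bool]$Clear)
if (-not $key) { Write-Output "Key HKLM\$sub not found; nothing to do."; return }

# Assumption: UserList may be a value under the key (as the article words it)
# or a subkey whose values are the individual mappings. Both are checked.
$found = @()
$hasValue = $key.GetValueNames() -contains 'UserList'
if ($hasValue) {
    foreach ($e in @($key.GetValue('UserList'))) { if ($e) { $found += "value entry: $e" } }
}
$list = $key.OpenSubKey('UserList', [bool]$Clear)
if ($list) {
    foreach ($n in $list.GetValueNames()) { $found += "subkey entry: $n -> $($list.GetValue($n))" }
}

if ($found.Count -eq 0) { Write-Output 'No UserList mappings found.'; return }
Write-Output "Found $($found.Count) mapping(s) left over from the Kerberos realm setup:"
$found | ForEach-Object { Write-Output "  $_" }
if (-not $Clear) { Write-Output 'Run again with -Clear to back up the key and remove them.'; return }

# Back up the key before changing it, as the article's registry warning advises.
if (Test-Path $BackupFile) { throw "Backup file $BackupFile already exists." }
& reg.exe export "HKLM\$sub" $BackupFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Backup failed; the registry was not changed.' }

if ($hasValue) {
    # Keep the value itself but remove all of its entries, preserving its type.
    $kind = $key.GetValueKind('UserList')
    if ($kind -eq 'MultiString') { $key.SetValue('UserList', [string[]]@(), $kind) }
    elseif ($kind -eq 'String') { $key.SetValue('UserList', '', $kind) }
    else { throw "Unexpected UserList type $kind; edit it manually in Registry Editor." }
}
if ($list) { foreach ($n in $list.GetValueNames()) { $list.DeleteValue($n) } }
Write-Output "Cleared UserList. Backup saved to $BackupFile."
```

Step 1 (Ksetup.exe with the /removerealm switch) is not performed by this script and still has to be run separately.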


STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.


MORE INFORMATION
For more information about Ksetup.exe, refer to Tools Help in Windows Server Support Tools. You can also type ksetup /? from a command prompt to view the Ksetup.exe command line help.

For more information about Kerberos interoperability features, refer to the following Microsoft Web site:

Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability


© 2004 Microsoft Corporation. All rights reserved.