Kerberos authentication error

Russell Ang 66 Reputation points
2021-09-30T06:15:45.843+00:00

Hi,

I can log in to any server with authentication successfully. But when it comes to launching or running cmd or PowerShell with admin privileges, it throws an access denied error. Even though I'm an enterprise admin or domain admin, I don't seem to have access. I only need to try authenticating as a different user using the same account and it is successful.

Below is the screenshot without authenticating, but I already have enterprise admin and seem not able to manage the remote server. 136469-1.jpg

Has anyone encountered a Kerberos authentication error?


6 answers

  1. Gary Reynolds 9,391 Reputation points
    2021-10-26T07:43:06.88+00:00

    Hi @Russell Ang

    I thought I would jump in and give a few pointers to check that Kerberos is working as expected. These tests use NetTools; some of the functionality is available in other MS tools, but NetTools makes it easier to jump between tests.

    Go to Authentication -> Sessions - confirm that the active session is Kerberos or Negotiate in the Auth column

    In the Quick Search bar enter the name of the server logged onto and click search

    In the search view, double-click on the server. In the Properties dialog, select the Delegation tab, right-click on one of the Service Principal Names and select Request SPN.

    This will select the Kerberos Tickets option and display all the Kerberos tickets that have been cached. Confirm that the selected SPN is in the list and also check the bottom area of the screen for any error messages.

    Select Authentication -> User Rights and click refresh. Check the Administrators group to see if the Attributes are set to D; this means that you have a restricted token and UAC is enabled for privileged users.
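The answer above notes that some of these checks are available in Microsoft's own tools. As an added example (not part of the thread and not posted by any participant), the PowerShell below runs comparable checks with the built-in `klist`, `setspn` and `whoami` commands. The server name `SERVER01` and the function name `Get-AdminTokenState` are placeholders, and the parsing assumes an English-language Windows installation.

```powershell
# Added example, not from the thread. Replace the placeholder with the
# name of the server you are logged on to.
$Server = 'SERVER01'

# 1. Cached Kerberos tickets for the current logon session.
#    No tickets at all suggests the session fell back to NTLM.
klist

# 2. SPNs registered on the server's computer account, then request a
#    service ticket for one of them. An error from "klist get" points at
#    an SPN or KDC problem rather than at local group membership.
setspn -L $Server
klist get "HOST/$Server"

# 3. Inspect the current access token. A BUILTIN\Administrators entry
#    marked "Group used for deny only" means the token is filtered by UAC,
#    which matches the "D" attribute described in the answer above.
function Get-AdminTokenState {
    # Column names below are the English headers of "whoami /groups /fo csv".
    $groups = whoami /groups /fo csv | ConvertFrom-Csv

    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }

    # S-1-16-* entries are mandatory integrity labels (Medium, High, ...).
    $label = $groups | Where-Object { $_.SID -like 'S-1-16-*' }

    [pscustomobject]@{
        InAdministrators = [bool]$admins
        DenyOnly         = [bool]($admins.Attributes -match 'deny only')
        IntegrityLevel   = $label.'Group Name'
    }
}

Get-AdminTokenState
```

If `DenyOnly` is true and the integrity level is Medium, the session is running with the UAC-filtered token, so group membership is present but not active until the process is elevated.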

  2. Russell Ang 66 Reputation points
    2021-10-01T01:05:33.667+00:00

    Hello @Limitless Technology

    The issue is I'm getting a Kerberos authentication error to any domain server.

  3. Limitless Technology 39,356 Reputation points
    2021-09-30T13:03:57.953+00:00

    Hello @Russell Ang

    I agree that besides checking if Enterprise Admin or Domain Admin is a member of the local Administrators group, you may be using an account added to the "Protected Users" group.

    Since local Admin security is a concern nowadays, I would recommend that you implement LAPS as a solution for centralized Local Administrator management of your environment without exposing your domain Admins groups.

    LAPS:
    https://www.microsoft.com/en-us/download/details.aspx?id=46899
    LAPS Guide:
    https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/local-administrator-password-solution-laps-implementation-hints/ba-p/258296

    Hope this helps with your query,

  4. Thameur-BOURBITA 32,586 Reputation points
    2021-09-30T12:16:42.477+00:00

    Did you check the SPN configuration?


  5. Russell Ang 66 Reputation points
    2021-09-30T11:31:52.03+00:00

    @Thameur-BOURBITA

    I've checked; the security groups do not include Protected Users.