Kerberos Errors - KRB5KDC_ERR_BADOPTION

Giganews Newsgroups
Subject: Kerberos Errors - KRB5KDC_ERR_BADOPTION
Posted by:  Reeves (Reev…@discussions.microsoft.com)
Date: Tue, 21 Jul 2009

I have configured the environment with Kerberos constrained delagation and it
is working fine. I was running packet captures as I was getting intermittent
authenication errors. My environment is using a service account on the IIS
application pool and I have not configured server001 to delegate because the
service account is set to delegate.

I'm getting two errors that I would like to get more information on.

All of the SPNs have been set and there is an spn set for host by default,
but I am not able to figure out what service is trying to make the call with
host/server001.test.com.

Status Not Supported
------------------------------------------------------------------------
Kerberos KRB-ERROR
    Record Mark: 150 bytes
        0... .... .... .... .... .... .... .... = Reserved: Not Set
        .000 0000 0000 0000 0000 0000 1001 0110 = Record Length: 150
    Pvno: 5
    MSG Type: KRB-ERROR (30)
    stime: 2009-07-14 18:37:49 (UTC)
    susec: 624858
    error_code: KRB5KDC_ERR_BADOPTION (13)
    Realm: TEST.COM
    Server Name (Service and Host): host/server001.test.com
        Name-type: Service and Host (3)
        Name: host
        Name: server001.test.com
    e-data PA-PW-SALT
        Type: PA-PW-SALT (3)
            Value: BB0000C00000000003000000
                NT Status: STATUS_NOT_SUPPORTED (0xc00000bb)
                Unknown: 0x00000000
                Unknown: 0x00000003

Status No Match
------------------------------------------------------------------------
Kerberos KRB-ERROR
    Record Mark: 150 bytes
        0... .... .... .... .... .... .... .... = Reserved: Not Set
        .000 0000 0000 0000 0000 0000 1001 0110 = Record Length: 150
    Pvno: 5
    MSG Type: KRB-ERROR (30)
    stime: 2009-07-14 18:43:24 (UTC)
    susec: 435209
    error_code: KRB5KDC_ERR_BADOPTION (13)
    Realm: TEST.COM
    Server Name (Service and Host): host/server001.test.com
        Name-type: Service and Host (3)
        Name: host
        Name: server001.test.com
    e-data PA-PW-SALT
        Type: PA-PW-SALT (3)
            Value: 720200C00000000003000000
                NT Status: STATUS_NO_MATCH (0xc0000272)
                Unknown: 0x00000000
                Unknown: 0x00000003

Replies