ITsVISTA
Information that makes life easier when it comes to installing, managing, and using Windows Vista.
Start About FAQ Blogroll Shop

ITsVISTA KB-Link: KB961302

Vista and Windows Server 2008 clients are unable to access cluster names with AES-encrypted Kerberos tickets

Consider the following scenario, with all machines in the same domain:

  • Windows Server 2008 domain controller
  • Windows Vista or Windows Server 2008 client
  • Windows Server 2008 failover cluster

Client tries to access the cluster name via NetBIOS or DNS name and gets an error:

“\\{cluster name} is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions.

Logon Failure: The target account name is incorrect.”

When looking at the network traffic it can be seen that the cluster returns KRB5KRB_AP_ERR_MODIFIED to the client. Microsoft-Windows-Security-Kerberos event ID 4 is also be recorded. Services relying on Kerberos communication with a cluster name will also fail with various symptoms (possibly pointing towards “access denied”). This occurs when the NetBIOS or DNS name of the cluster computer object is used. If the cluster is accessed using the IP address then there is no error displayed (as NTLM is used instead of Kerberos). If a Windows client prior to Vista is used then the problem does not occur. If any dedicated node name is entered then the problem does not occur.

For more information on this issue, including potential causes, workarounds, and resolutions, see: Microsoft KB Article KB961302.

Get notified of new posts for FREE via RSS or E-mail

Subscribe to ITsVISTA!

Related Posts