ITsVISTA
Information that makes life easier when it comes to installing, managing, and using Windows Vista.

ITsVISTA KB-Link: KB2008039

Interactive user logon over external trust fails or encounters delays

  1. Interactive logons on Windows Vista or Windows Server 2008 computers by users in trusted domains fail with the on-screen error:

    The security database on the server does not have a computer account for this workstation trust relationship.

  2. RDP logons from Windows Vista or Windows Server 2008 computers by trusted domain user accounts fail with the on-screen error:

    The security database on the server does not have a computer account for this workstation trust relationship.

  3. Network traces of scenario 2 above taken from the Windows Vista or Windows Server 2008 computer show KDC_ERR_S_PRINCIPAL_UNKNOWN in the Kerberos TGS Response:

    1457  15:56:35.4908750  22.9218750  192.168.1.10  192.168.1.99  KerberosV5  KerberosV5:TGS Request {TCP:189, IPv4:184}

    1460  15:56:35.4908750  22.9218750  192.168.1.99  192.168.1.10  KerberosV5  KerberosV5:KRB_ERROR  - KDC_ERR_S_PRINCIPAL_UNKNOWN (7)  {TCP:189, IPv4:184}

  4. Logons from computers running versions of Windows earlier than Windows Vista using trusted domain user accounts will succeed. A network trace of this logon shows the same Kerberos failure. However, NTLM fallback authentication allows the user to log on.

    1750  16:40:29.2526250  21.2656250  192.168.1.11  192.168.1.78  KerberosV5  KerberosV5:KRB_ERROR  - KDC_ERR_S_PRINCIPAL_UNKNOWN (7)  {UDP:216, IPv4:201}

    1785  16:40:29.2838750  21.2968750  192.168.1.78  192.168.1.11  SMB  SMB:C; Session Setup Andx, NTLM AUTHENTICATE MESSAGE, Domain: CONTOSO, User: admin, Workstation: TEST  {SMBOverTCP:223, TCP:220, IPv4:84}

  5. The traces may also show no response from the remote domain controllers to LDAP pings (over UDP port 389) or to Kerberos ticket requests over UDP port 88. You may also see no response to TCP SYN requests on port 88.
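
Symptoms 3 and 4 differ only in whether an NTLM fallback follows the Kerberos error. The following added example (not from the original post or the KB article) parses frame summaries in the column layout shown above and reports, for each KDC_ERR_S_PRINCIPAL_UNKNOWN, whether the same client then sent an NTLM AUTHENTICATE message. The function names, the 2-second window and the sample text (assembled from the frames quoted on this page) are assumptions.

```python
import re

# Constructed sample: the four frame summaries quoted on this page, whitespace normalized.
SAMPLE_TRACE = """\
1457  15:56:35.4908750  22.9218750  192.168.1.10  192.168.1.99  KerberosV5  KerberosV5:TGS Request {TCP:189, IPv4:184}
1460  15:56:35.4908750  22.9218750  192.168.1.99  192.168.1.10  KerberosV5  KerberosV5:KRB_ERROR  - KDC_ERR_S_PRINCIPAL_UNKNOWN (7)  {TCP:189, IPv4:184}
1750  16:40:29.2526250  21.2656250  192.168.1.11  192.168.1.78  KerberosV5  KerberosV5:KRB_ERROR  - KDC_ERR_S_PRINCIPAL_UNKNOWN (7)  {UDP:216, IPv4:201}
1785  16:40:29.2838750  21.2968750  192.168.1.78  192.168.1.11  SMB  SMB:C; Session Setup Andx, NTLM AUTHENTICATE MESSAGE, Domain: CONTOSO, User: admin, Workstation: TEST  {SMBOverTCP:223, TCP:220, IPv4:84}
"""

# Columns: frame no, time of day, offset, source, destination, protocol, description
FRAME = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<h>\d+):(?P<m>\d+):(?P<s>[\d.]+)\s+[\d.]+\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+\S+\s+(?P<desc>.*)$")


def parse_frames(text):
    frames = []
    for line in text.splitlines():
        m = FRAME.match(line)
        if not m:
            continue  # blank or non-frame line
        # Use time of day, not the offset column: offsets restart in each capture.
        t = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
        frames.append({"no": int(m["no"]), "t": t, "src": m["src"],
                       "dst": m["dst"], "desc": m["desc"]})
    return frames


def classify_spn_failures(text, window=2.0):
    """For each KDC_ERR_S_PRINCIPAL_UNKNOWN, report whether the client then used NTLM."""
    frames = parse_frames(text)
    results = []
    for i, f in enumerate(frames):
        if "KDC_ERR_S_PRINCIPAL_UNKNOWN" not in f["desc"]:
            continue
        client, kdc = f["dst"], f["src"]  # the error travels from KDC to client
        fallback = next((g for g in frames[i + 1:]
                         if g["src"] == client and "NTLM AUTHENTICATE" in g["desc"]
                         and 0 <= g["t"] - f["t"] <= window), None)
        user = re.search(r"User:\s*([^,\s]+)", fallback["desc"]) if fallback else None
        results.append({"frame": f["no"], "client": client, "kdc": kdc,
                        "ntlm_fallback": fallback is not None,
                        "user": user.group(1) if user else None})
    return results


if __name__ == "__main__":
    for r in classify_spn_failures(SAMPLE_TRACE):
        print(r)
```

A result with `ntlm_fallback` set to False matches the Windows Vista and Windows Server 2008 behavior in symptoms 1 to 3; True matches the earlier-Windows behavior in symptom 4.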

For more information on this issue, including potential causes, workarounds, and resolutions, see: Microsoft KB Article KB2008039.
