I have a network of Server 2008R2 servers consisting of Windows 7 x64 SP1 Pro / Enterprise clients. Every once in a while, a huge chunk of computers on my network will all freeze. During this freezing behavior, any programs that are trying to read / write to the file server lock up, such as Word, Explorer, Internet Explorer, etc. This freezing behavior doesn't occur if I use an account that doesn't map drives or use folder redirection.
I have two file servers that use DFS-R to replicate files between them, but do not use DFS namespaces. I have used a DNS alias to refer to them (e.g. fileserver.local), and have registered the SPNs to the server. I have tried changing my group policies for folder redirection and mapping to use the FQDN of the server (server1.local). At one point I had accidentally registered the SPNs on both file servers, but I have corrected this and rebooted all computers. The output of "setspn -l server1" is as follows, with the DFSR, TERMSRV, WSMAN and RestrictedKrbHost omitted:
host/fileserver
host/fileserver.local
host/server1
host/server1.local
I have also applied the "DisableStrictNameChecking" and "DNSOnWire" as directed in this article
http://chenz.azurewebsites.net/?p=101
In the event log on the file server, I periodically see the following error messages:
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 18:37:45.0000 8/5/2014 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm: domain.LOCAL
Server Name: hrlscsv001fp$@domain.LOCAL
Target Name: hrlscsv001fp$@domain.LOCAL@domain.LOCAL
Error Text:
File: 9
Line: f09
Error Data is in record data.
I also see the following problems in a Wireshark capture; it will appear for hundreds of files for a specific client at once:
The client sends an Ioctl request FILE_SYSTEM function:0x006b. Some scripts describe that error as this ("STATUS_ILL_FORMED_PASSWORD", "Unable to update the password. The value provided for the new password contains values that are not allowed in passwords.").
The server sends back Ioctl response, Error: STATUS_NOT_SUPPORTED
http://i.imgur.com/Jf17Vs8.png
I also see tons of failed Kerberos authentication failures where the status is KRB5KRB_AP_ERR_MODIFIED. It seems like computers freeze when this happens and eventually resort back to NTLMv2 authentication. These errors will occur for 5+ min on individual clients. Other clients can authenticate properly when this happens.
http://i.imgur.com/h2WBAUx.png
This allows happens, and after this the client authenticates via NTLM instead of Kerberos:
http://i.imgur.com/vYV4yBz.png
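
An added example, not part of the original post: the post says the alias SPNs were at one point registered on both file servers, a state in which a service ticket for the alias can be encrypted with a key the receiving server does not hold, which that server rejects with KRB_AP_ERR_MODIFIED. This Python sketch checks saved `setspn -L` output for SPNs owned by more than one account; the SERVER2 account, the distinguished names and the sample text are constructed assumptions.

```python
"""Flag SPNs registered on more than one account in saved `setspn -L` output."""
from collections import defaultdict

HEADER = "Registered ServicePrincipalNames for "

# Constructed sample: two `setspn -L` dumps concatenated, recreating the state
# the post describes (alias SPNs registered on both file servers).
SAMPLE = """\
Registered ServicePrincipalNames for CN=SERVER1,OU=Servers,DC=example,DC=local:
\thost/fileserver
\thost/fileserver.local
\thost/server1
\thost/server1.local
Registered ServicePrincipalNames for CN=SERVER2,OU=Servers,DC=example,DC=local:
\tHOST/fileserver
\tHOST/FILESERVER.local
\thost/server2
\thost/server2.local
"""

def parse_setspn(text):
    """Return {account DN: [SPN, ...]} from concatenated `setspn -L` output."""
    accounts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(HEADER):
            current = line[len(HEADER):].rstrip(":")
            accounts[current] = []
        elif line and current is not None:
            accounts[current].append(line)
    return accounts

def duplicate_spns(accounts):
    """Return {lower-cased SPN: sorted account DNs} for SPNs on 2+ accounts."""
    owners = defaultdict(set)
    for dn, spns in accounts.items():
        for spn in spns:
            owners[spn.lower()].add(dn)  # SPN comparison is case-insensitive
    return {spn: sorted(dns) for spn, dns in owners.items() if len(dns) > 1}

if __name__ == "__main__":
    for spn, dns in sorted(duplicate_spns(parse_setspn(SAMPLE)).items()):
        print(f"DUPLICATE {spn}")
        for dn in dns:
            print(f"    {dn}")
```

On a domain-joined machine, `setspn -X` performs the same duplicate search directly against the directory.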