Error: 'The Directory and Resource Administrator Server cannot identify the client.' (NETIQKB14935)

  • 7714935
  • 02-Feb-2007
  • 03-Dec-2010

Environment

Directory and Resource Administrator 6.x
Directory and Resource Administrator 7.x
Directory and Resource Administrator 8.x

Situation

The following error message occurs when modifying object properties in Directory and Resource Administrator (DRA) or when launching the DRA Microsoft Management Console (MMC) interface:

Error C00444A8: The server cannot identify the client
Error: 'The Directory and Resource Administrator Server cannot identify the client.'

Resolution

Some of the causes listed in the Cause section can be resolved by making changes to the environment configuration.  The solutions provided below correspond to the causes as numbered in that section:

  1. Ensure the computer account for the machine the IIS services are running on has the Trusted for delegation flag set in the computer account properties.  A reboot of the IIS server may be required after setting this flag.  For more information regarding this setting, please refer to the following Microsoft Knowledge Base articles:

    • 283201: HOW TO: Use Delegation in Windows 2000 with COM+
    • 326089: HOW TO: Enable Kerberos on a Non-Domain Controller for IIS Web Applications

  2. Ensure the Enable Integrated Windows Authentication option under the Advanced tab in the Internet Explorer Internet Options is enabled (requires restart).  For more information regarding this setting, please refer to the following Microsoft Knowledge Base article:

    • 299838: Unable to Negotiate Kerberos Authentication After Upgrading to Internet Explorer 6

  3. For more information regarding IIS authentication across forests (Cause 3), please refer to the following Microsoft Knowledge Base article:

    • 274438: Cannot Use Kerberos Trust Relationships Between Two Forests in Windows 2000

  4. For more information regarding Kerberos and FQDN resolution (Cause 4), please refer to the following Microsoft Knowledge Base article:

    • 326089: HOW TO: Enable Kerberos on a Non-Domain Controller for IIS Web Applications

  5. For more information on clock synchronization and how it affects Kerberos authentication (Cause 5), please refer to the following Microsoft Knowledge Base article:

    • 232386: Cannot Log On If Time and Date Are Not Synchronized 
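The following script is an added example, not part of this NetIQ article or of DRA itself. Run on the computer hosting the DRA Web Component and IIS, it checks the conditions behind resolution steps 1, 2, 4 and 5: the computer account's delegation flag, the Internet Explorer Integrated Windows Authentication setting, FQDN resolution for both servers, and clock skew against the DRA Administration server. The server name dra-admin.example.local is a placeholder, and the mapping of the IE checkbox to the EnableNegotiate registry value is taken from KB 299838.

```powershell
# Check-DraKerberosPrereqs.ps1  (added example; placeholders must be replaced)
# Run on the IIS / Web Component host as a user who can read Active Directory.
param(
    [string]$IisHost        = $env:COMPUTERNAME,         # IIS host whose computer account is checked
    [string]$DraServer      = 'dra-admin.example.local', # PLACEHOLDER: DRA Administration server FQDN
    [int]   $MaxSkewMinutes = 5                          # Kerberos tolerance quoted in Cause 5
)

$checks = New-Object System.Collections.ArrayList
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $null = $checks.Add((New-Object PSObject -Property @{ Check = $Name; Pass = $Pass; Detail = $Detail }))
}

# Step 1: the IIS computer account must be trusted for delegation.
# userAccountControl bit 0x80000 (TRUSTED_FOR_DELEGATION) is what the
# "Trust computer for delegation" checkbox sets on the computer account.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$IisHost`$))"
$null = $searcher.PropertiesToLoad.Add('userAccountControl')
$acct = $searcher.FindOne()
if ($acct -eq $null) {
    Add-Check 'Trusted for delegation' $false "computer account $IisHost not found in the current domain"
} else {
    $uac     = [int]$acct.Properties['useraccountcontrol'][0]
    $trusted = ($uac -band 0x80000) -ne 0
    Add-Check 'Trusted for delegation' $trusted ("userAccountControl=0x{0:X} (reboot IIS host after changing)" -f $uac)
}

# Step 2: Internet Explorer "Enable Integrated Windows Authentication".
# This is a per-user setting (KB 299838: EnableNegotiate DWORD = 1), so it is only
# meaningful when the script runs as the affected user on the client workstation.
$ieKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$neg   = (Get-ItemProperty -Path $ieKey -Name EnableNegotiate -ErrorAction SilentlyContinue).EnableNegotiate
Add-Check 'IE Integrated Windows Auth' ($neg -eq 1) "EnableNegotiate=$neg (expect 1; restart IE after changing)"

# Step 4: Kerberos needs both hosts to resolve to a fully qualified name.
foreach ($name in @($IisHost, $DraServer)) {
    try {
        $fqdn = [System.Net.Dns]::GetHostEntry($name).HostName
        Add-Check "FQDN resolution: $name" ($fqdn -match '\.') "resolved as $fqdn"
    } catch {
        Add-Check "FQDN resolution: $name" $false $_.Exception.Message
    }
}

# Step 5: clocks must be within the Kerberos tolerance. The remote time is read over
# WMI (needs DCOM access to the DRA server); ManagementDateTimeConverter applies the
# UTC offset so the two DateTime values are comparable.
try {
    $os     = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $DraServer -ErrorAction Stop
    $remote = [System.Management.ManagementDateTimeConverter]::ToDateTime($os.LocalDateTime)
    $skew   = [math]::Abs(((Get-Date) - $remote).TotalMinutes)
    Add-Check 'Clock skew vs DRA server' ($skew -le $MaxSkewMinutes) ("{0:N1} minutes (limit {1})" -f $skew, $MaxSkewMinutes)
} catch {
    Add-Check 'Clock skew vs DRA server' $false $_.Exception.Message
}

$checks | Format-Table Check, Pass, Detail -AutoSize
```

A failed "Trusted for delegation" or clock-skew row points directly at one of the numbered causes; the IE row only reflects the profile the script runs under, so run it on the client as the user who sees the error.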


Note

The following troubleshooting steps may assist in isolating the specific cause of Kerberos issues that may be occurring:

  • Disable Integrated Windows authentication and use Basic authentication only to access the Web Console on a temporary basis.  If Basic authentication allows access and Integrated Windows authentication does not, the cause of the problem is most likely a failure to delegate credentials.  Basic authentication allows IIS to pass to DRA the userID and password of the requesting client without relying on Kerberos.  Note:  Keep in mind, when using Basic authentication, the user's password is passed to the DRA server in clear text.

  • Enable logon/logoff auditing on the DRA server and monitor the event logs for failed Kerberos events, followed by events of successful NTLM authentication.

  • Enable additional Kerberos logging.  For more details regarding this option, please refer to the following Microsoft Knowledge Base article:

    • 262177: HOW TO: Enable Kerberos Event Logging

  • Ensure authentication is enabled for IIS.  To verify this, execute the following command from the inetpub\AdminScripts directory: 

    • cscript adsutil.vbs get w3svc/NTAuthenticationProviders

    The output of the command should contain the following information:

    • NTAuthenticationProviders       :(STRING) "Negotiate,NTLM"

    If the output string is "NTLM" only, IIS will not attempt to use Kerberos authentication and the delegation of credential authentication will fail.  Because the default setting is "Negotiate,NTLM", this should not be the cause of the error unless it was reconfigured after installation.  For more details regarding this test, please refer to the following Microsoft Knowledge Base Article:

    • 215383: How to Ensure Windows Integrated Logons in Internet Information Services 5.0

  • Use the Windows 2000 NetDiag utility to verify DNS registrations and to test certain Kerberos parameters.  The command syntax is as follows:

    • NetDiag /v >C:\NetDiagOutput.txt

    To download this utility, please click on the link below:
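The script below is an added example, not part of this NetIQ article or of DRA, covering two of the troubleshooting notes above: it reads NTAuthenticationProviders through adsutil.vbs when run on the IIS host, and on the DRA Administration server it groups recent successful logons by authentication package and lists Kerberos ticket failures, so the "Kerberos fails, then NTLM succeeds" pattern is visible. The Security log event IDs used (540 and 4624 for successful logons; 675, 676, 677, 4768, 4769 and 4771 for Kerberos failures) are an assumption about which Windows versions are in use and are not taken from this article.

```powershell
# Trace-DraAuthFallback.ps1  (added example; run as an administrator)
# Part 1 applies on the IIS host (IIS 5/6 metabase via adsutil.vbs, skipped elsewhere);
# part 2 applies on the DRA Administration server with logon/logoff auditing enabled.
param(
    [int]   $Hours        = 1,   # how far back to read the Security log
    [string]$ClientFilter = ''   # optional substring (workstation name or IP) to narrow the events
)

# --- Part 1: IIS authentication providers --------------------------------------
$adsutil = Join-Path $env:SystemDrive 'inetpub\AdminScripts\adsutil.vbs'
if (Test-Path $adsutil) {
    $out  = & cscript.exe //nologo $adsutil get w3svc/NTAuthenticationProviders 2>&1
    $line = ($out | Where-Object { "$_" -match 'NTAuthenticationProviders' }) -join ' '
    if (-not $line) {
        Write-Warning "IIS: adsutil returned no NTAuthenticationProviders line: $($out -join ' ')"
    } elseif ($line -match 'Negotiate') {
        Write-Host "IIS: $line  (Kerberos negotiation enabled)"
    } else {
        Write-Warning "IIS: $line  -- 'Negotiate' missing, IIS will use NTLM only and delegation will fail"
    }
} else {
    Write-Host "adsutil.vbs not found; skipping the IIS provider check (run this part on the IIS host)"
}

# --- Part 2: Kerberos vs NTLM in the Security log ----------------------------------
# ASSUMED event IDs: 540 (Windows 2000/2003) and 4624 (Vista/2008 and later) are
# successful logons; 675/676/677 and 4768/4769/4771 are Kerberos ticket events whose
# Result/Failure Code is non-zero on failure.
$logonIds    = 540, 4624
$kerbFailIds = 675, 676, 677, 4768, 4769, 4771
$since  = (Get-Date).AddHours(-$Hours)
$events = @(Get-EventLog -LogName Security -After $since -ErrorAction SilentlyContinue)
if ($ClientFilter) {
    $events = $events | Where-Object { $_.Message -match [regex]::Escape($ClientFilter) }
}

Write-Host "Successful logons since $since by authentication package:"
$events |
    Where-Object { $logonIds -contains $_.EventID } |
    ForEach-Object { if ($_.Message -match 'Authentication Package:\s*(\S+)') { $matches[1] } } |
    Group-Object |
    Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

Write-Host "Kerberos failures since $since (a failure followed by NTLM logons is the delegation symptom):"
$events |
    Where-Object { $kerbFailIds -contains $_.EventID } |
    ForEach-Object {
        if ($_.Message -match '(?:Result|Failure) Code:\s*(0x[0-9A-Fa-f]+)' -and $matches[1] -ne '0x0') {
            New-Object PSObject -Property @{ Time = $_.TimeGenerated; EventID = $_.EventID; Code = $matches[1] }
        }
    } |
    Format-Table Time, EventID, Code -AutoSize
```

If the first table shows the Web Console's logons arriving as NTLM while the second lists Kerberos failures for the same period, IIS has fallen back to NTLM and the credential delegation described in the Cause section cannot succeed; the failure code in the second table narrows down which prerequisite (delegation flag, FQDN, clock) is at fault.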

Cause

If Kerberos is not properly configured or if it fails due to another condition, the Microsoft Internet Information Services (IIS) server reverts to NTLM authentication, which is incapable of delegating credential authentication.  The logon will actually succeed but the credentials will not be passed to the DRA server, which will then return the above error to the client. 

This error message can have different causes as follows:

  1. The most common situation in which this error occurs is when the DRA Administration server component is installed on one computer, and the Web Component and the supporting IIS services are installed on another.  When configured in this manner, the delegation of Kerberos credential authentication fails.  Please refer to Solution 1 in the Resolution section to correctly configure this environment.
  2. Even if the above configuration is corrected to allow delegation of credential authentication, DRA may still generate this error if the client workstation has Microsoft Internet Explorer 6.0 installed with its default configuration.  Internet Explorer 6 for Microsoft Windows 2000 does not respond to a Negotiate challenge and defaults to NTLM (Windows NT Challenge/Response) authentication.  Please refer to Solution 2 in the Resolution section to correctly configure Internet Explorer 6 in this environment.
  3. Applying both Solution 1 and Solution 2 may still not correct this error if the computer with the DRA Administration server component and the computer with the Web Component and IIS services are in different forests.
  4. Another cause of this error is DNS problems on the network.  Kerberos uses Fully Qualified Domain Names (FQDN) to resolve authentication requests and, if any of the computers involved in the authentication transaction are not reachable via FQDN, Kerberos authentication will fail.
  5. This error may occur if the clocks are not synchronized between the computers involved in the transaction.  For Kerberos authentication to succeed, the clocks on all computers involved must be synchronized within five minutes of each other.

Additional Information

Formerly known as NETIQKB14935

In addition to the steps above, the following Microsoft Knowledge Base article can assist in further troubleshooting Kerberos and IIS authentication issues:

  • 230476: Description of Common Kerberos-Related Errors in Windows 2000