When you perform a Kerberos test by running the Netdiag.exe command-line tool on a Microsoft Windows Server 2003-based member server in a Windows 2000-based domain, you receive the following error message:
Kerberos test. . . . . . . . . . . : Failed [FATAL] Kerberos does not have a ticket for host/domain_name.
Note In this error message, domain_name is the fully qualified domain name (FQDN) of your computer.
This problem occurs because Netdiag.exe searches only for the host/domain_name kind of Kerberos ticket. Netdiag.exe does not search for the computer_name$ kind of Kerberos ticket.
Microsoft has confirmed that this is a problem in Netdiag.exe.
The Kerberos protocol lets you send private information across an otherwise open network. Kerberos tickets are unique keys that are assigned to users and computers when they log on to a network. A Kerberos ticket includes all the user credentials or computer credentials in an encrypted format. These credentials are used to identify a specific user or a specific computer on a network for access to Kerberos services. The following list describes the two types of Kerberos tickets:
Ticket-granting ticket When you log on to a server, the central Key Distribution Center (KDC) generates a Ticket-Granting Ticket (TGT). You use the TGT as a master ticket to access all Kerberos services on a network.
Service ticket When you try to access a service that requires Kerberos for authentication, the service uses the ticket that you received from the KDC to authenticate you. After the service verifies your identity and authenticates you, the service issues a service ticket.
To verify whether your member server computer has Kerberos tickets, you can use the Klist.exe command-line tool or the Kerbtray.exe command-line tool. These tools are included in Windows Server 2003 Resource Kit Tools.
For additional information about Kerberos, visit the following Microsoft Web site: