Authentication failure IIS 6

I am having an authentication failure, this may take a while so bear
with me:

IIS 6 on WS2003 installed as domain member.
Default Web Site (ASP and .NET installed and authorized)
Sharepoint 2 Services
Exchange Front-End Server
Certificate Server (Root Enterprise CA)
Sharepoint Admin Website
Office Communicator Web Access Website

Now all of these were running last night, for at least 10 hours, not a
problem.

Technical: In order to get Exchange and Sharepoint to work together, I
had to reset the NTAuthenticationProviders back to "Negotiate,NTLM" on
the FE Server, every application on IIS seems to create its own pool,
and everything looks correct, well nothing has changed.

Netdiag: No errors, No warnings, No Problem
DCDiag:
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
IsmServ Service is stopped on [HQ-MAN-SRV-03]
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
* Checking Service: NETLOGON
......................... HQ-MAN-SRV-03 failed test Services

Thats the only error in DCDiag, but the lsmServ service will not start,
error 1053 failed to start in a timely manner

Event Logs: Event 4

The kerberos client received a KRB_AP_ERR_MODIFIED error from the
server host/hq-man-srv-01.DomainA.com. The target name used was
HTTP/hq-man-srv-01.DomainA.com. This indicates that the password used
to encrypt the kerberos service ticket is different than that on the
target server. Commonly, this is due to identically named machine
accounts in the target realm (DOMAINA.COM), and the client realm.
Please contact your system administrator.

That appears twice in the event log (in the last 8 weeks) and the 2
event are 14 hours and 8 minutes apart, so really no pattern.

Registered ServicePrincipalNames for
CN=HQ-MAN-SRV-01,CN=Computers,DC=domainA,DC=com:
HOST/hq-man-srv-01$
HOST/hq-man-srv-01$.DomainA
exchangeMDB/hq-man-srv-01.DomainA.com
exchangeMDB/HQ-MAN-SRV-01
exchangeRFR/hq-man-srv-01.DomainA.com
exchangeRFR/HQ-MAN-SRV-01
SMTPSVC/HQ-MAN-SRV-01
SMTPSVC/hq-man-srv-01.DomainA.com
HOST/HQ-MAN-SRV-01
HOST/hq-man-srv-01.DomainA.com


That pretty much covers it, if you could take a look, I have downloaded
the IIS resource kit, and documentation. It was recommended that I look
at this:
18_CHAPTER_5_Managing_a_Secure_IIS_6.0_Solution.doc -
Section: Kerberos Authentication Requires SPNs for Multiple Worker
Processes

But, honestly I have no idea what I'm doing with it, and I dont want to
make it worse.

So please help

Shaine

processendnow
Sat Jan 28 09:05:23 CST 2006

Oh yeah, so the problem.
http://www.domainA.com (which should take me to the sharepoint site)
Asks for credentials, which it takes 3 times, and then tells me I am
not authorized (as the Admin)

https://www.domainA.com/exchnage (works all users) (Secure) (Exchange)

http://www.domainA.com/certsrv (works all users) (Certificates)

https://www.domainA.com:444 (works all users) (Secure Office
Communicator WA)

http://www.domainA.com:24575 (works: SharePoint Admin)

So, all that effort, and still no nearer.

Shaine

processendnow
Sat Jan 28 09:10:35 CST 2006

Rebooted, against my better judgement.

At least one driver of service failed to start, please check the event
logs for details:

The Intersite Messaging service failed to start due to the following
error:
The service did not respond to the start or control request in a timely
fashion.

So there is one problem solved, I wil look at that, no idea how to get
it started again, but I'll look.

The other error, some people need to not give advice, is one I've seem
before

#50070: Unable to connect to the database STS_Config_16682 on
HQ-MAN-SRV-01\SharePoint. Check the database connection information
and make sure that the database server is running.

And I know how to fix this, so thanks all

Shaine

processendnow
Sat Jan 28 10:38:05 CST 2006

The service error, no problem, shouldn't have been running on a non DC
anyway.

The other errors, totally confused now, I still cannot log in to
SharePoint.
I can connect to the admin site, see the database, add a new one and
generally mess with all the settings, so I'm inclined to go with its
working, I just can't sign in to this site, what could be the problem.
Remember, I can connect to every other service on the machine, and all
of the virtual websites, exchange, certsrv, office communicator web
access, and sharepoint admin, just not the actual sharepoint.

It has worked, last night a group of us were creating meetings and
workspaces and shared docs in Sharepoint, we sent out emails, which we
checked in OWA, OMA and Oulook, we tried Office Communicator Web Access
and Live communication server, shared calenders and address books, we
then checked all the logs on all the computers and servers, no errors.

Got up this morning, it dunt wurk, no reason
I looked for the error #50070: Unable to connect to the database
STS_Config ....
And I found this
(http://wss.collutions.com/Lists/FAQ/DispForm.aspx?ID=228) article
which mentioned:

You will see this if the Sharepoint Timer Service is not running in the
same
account as the WSS Admin App Pool account.
Mine both run under the Network Service, so it isn't that...but there
must be a problem because nobody can access SP at all.

That's all I can find, please assist
Shaine

processendnow
Sat Jan 28 11:53:46 CST 2006

Kerberos Failure, and far too diffecult for me to try playing with, ran
monitoring of the lsass process, went to the site and watched hundreds
of lines of text came out with this solution:

0x29 - KRB_AP_ERR_MODIFIED: Message stream modified
Associated internal Windows error codes
=B7 SEC_E_WRONG_PRINCIPAL

=B7 STATUS_WRONG_PASSWORD


Corresponding debug output messages
=B7 DebugLog("Failed to verify message: %x\n",Status)

=B7 DebugLog(""Failed to encrypt message: %x\n",Status)

=B7 DebugLog("Failed to encrypt message (crypto mismatch?): %x\n")

=B7 DebugLog("Checksum on TGS request body did not match\n")

=B7 D_DebugLog("Failed to create S4U checksum\n")

=B7 DebugLog("S4U PA checksum doesn't match!\n")

=B7 DebugLog("Pac was modified - server checksum doesn't
match\n")

=B7 D_DebugLog(DEB_TRACE,"Could not decrypt the ticket\n")


Possible Causes and Resolutions
Some encrypted Kerberos authentication data sent by the client did not
decrypt properly at the server because:

=B7 A service ticket is issued to the local computer account, for which
a host/ SPN is automatically created, instead of to the service
account, for which no SPN has been created. The reason for this is that
a service does not register an SPN for itself, yet the service belongs
to a service class for which the computer will automatically map the
SPN to a host/service class. (Examples of this are the HTTP and Common
Internet File System (CIFS) service classes.) The result is that the
service cannot decrypt the resultant ticket.

Resolution

If the root cause appears to be that an SPN has not been set, verify
that each service running on the target computer has an SPN set. Those
services that do not have SPNs set might have had their SPNs remapped
to the computer's host SPN. For more information about SPNs and how
to set them, see Need an SPN Set earlier in this white paper.


***This is why I dont want to start playing with it, as far as I can
see it shold be working, DNS is fine, no duplicate entries, same in AD,
here is the output of setspn

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator.DomainA>setspn -L hq-man-srv-01
Registered ServicePrincipalNames for
CN=3DHQ-MAN-SRV-01,CN=3DComputers,DC=3DdomainA
38,DC=3Dcom:
HOST/hq-man-srv-01$
HOST/hq-man-srv-01$.DomainA
exchangeMDB/hq-man-srv-01.domainA.com
exchangeMDB/HQ-MAN-SRV-01
exchangeRFR/hq-man-srv-01.domainA.com
exchangeRFR/HQ-MAN-SRV-01
SMTPSVC/HQ-MAN-SRV-01
SMTPSVC/hq-man-srv-01.domainA.com
HOST/HQ-MAN-SRV-01
HOST/hq-man-srv-01.domainA.com

So I don't know where to start, but I know how to format, and I do it
good:
I will get all these services working together, tonight, and I will
track down the error.

Just thought I would close this thread.
Shaine