Kerberos errors while modelling

i'm wondering if anyone has seen this issue with WINRM devices returning errors. it only happens on some servers, and i have not been able to figure out why. i'm thinking it's an issue with either the configuration on some servers (despite it being put out by GPO), or in some cases it appears zenoss is passing the ip address instead of the hostname Any ideas

2015-07-01 20:41:12,301 INFO zen.ZenModeler: Connecting to localhost:8789
2015-07-01 20:41:12,312 INFO zen.ZenModeler: Connected to ZenHub
2015-07-01 20:41:12,472 INFO zen.ZenModeler: Collecting for device appserver.conus.com
2015-07-01 20:41:12,575 INFO zen.ZenModeler: skipping WMI-based collection, PySamba zenpack not installed
2015-07-01 20:41:12,580 INFO zen.ZenModeler: Python collection device appserver.conus.com
2015-07-01 20:41:12,580 INFO zen.ZenModeler: plugins: zenoss.winrm.OperatingSystem, zenoss.winrm.CPUs, zenoss.winrm.FileSystems, zenoss.winrm.Interfaces, zenoss.winrm.Services, zenoss.winrm.Processes, zenoss.winrm.Software, zenoss.winrm.IIS
2015-07-01 20:41:12,586 ERROR zen.PythonClient: Error on appserver.conus.com: Server not found in Kerberos database: HTTP@172.17.10.45
2015-07-01 20:41:12,590 ERROR zen.PythonClient: Error on appserver.conus.com: Server not found in Kerberos database: HTTP@172.17.10.45
2015-07-01 20:41:12,594 ERROR zen.PythonClient: Error on appserver.conus.com: Server not found in Kerberos database: HTTP@172.17.10.45
2015-07-01 20:41:12,598 ERROR zen.PythonClient: Error on appserver.conus.com: Server not found in Kerberos database: HTTP@172.17.10.45
2015-07-01 20:41:12,601 ERROR zen.PythonClient: Error on appserver.conus.com: Server not found in Kerberos database: HTTP@172.17.10.45
2015-07-01 20:41:12,605 ERROR zen.PythonClient: Error on appserver.conus.com: Server not found in Kerberos database: HTTP@172.17.10.45
2015-07-01 20:41:12,609 ERROR zen.PythonClient: Error on appserver.conus.com: Server not found in Kerberos database: HTTP@172.17.10.45
2015-07-01 20:41:12,612 ERROR zen.PythonClient: Error on appserver.conus.com: Server not found in Kerberos database: HTTP@172.17.10.45
2015-07-01 20:41:12,616 ERROR zen.PythonClient: Error on appserver.conus.com: Server not found in Kerberos database: HTTP@172.17.10.45
2015-07-01 20:41:12,620 ERROR zen.PythonClient: Error on appserver.conus.com: Server not found in Kerberos database: HTTP@172.17.10.45
2015-07-01 20:41:12,624 ERROR zen.PythonClient: Error on appserver.conus.com: Server not found in Kerberos database: HTTP@172.17.10.45
2015-07-01 20:41:12,628 ERROR zen.PythonClient: Error on appserver.conus.com: Server not found in Kerberos database: HTTP@172.17.10.45
2015-07-01 20:41:12,628 INFO zen.PythonClient: Python client finished collection for appserver.conus.com
2015-07-01 20:41:12,628 WARNING zen.ZenModeler: The plugin zenoss.winrm.OperatingSystem returned no results.
2015-07-01 20:41:12,628 WARNING zen.ZenModeler: The plugin zenoss.winrm.CPUs returned no results.
2015-07-01 20:41:12,628 WARNING zen.ZenModeler: The plugin zenoss.winrm.FileSystems returned no results.
2015-07-01 20:41:12,628 WARNING zen.ZenModeler: The plugin zenoss.winrm.Interfaces returned no results.
2015-07-01 20:41:12,628 WARNING zen.ZenModeler: The plugin zenoss.winrm.Services returned no results.
2015-07-01 20:41:12,628 WARNING zen.ZenModeler: The plugin zenoss.winrm.Processes returned no results.
2015-07-01 20:41:12,628 WARNING zen.ZenModeler: The plugin zenoss.winrm.Software returned no results.
2015-07-01 20:41:12,628 WARNING zen.ZenModeler: The plugin zenoss.winrm.IIS returned no results.
2015-07-01 20:41:12,628 INFO zen.ZenModeler: No change in configuration detected
2015-07-01 20:41:12,629 INFO zen.ZenModeler: No command plugins found for appserver.conus.com
2015-07-01 20:41:12,629 INFO zen.ZenModeler: SNMP monitoring off for appserver.conus.com
2015-07-01 20:41:12,629 INFO zen.ZenModeler: No portscan plugins found for appserver.conus.com
2015-07-01 20:41:12,629 INFO zen.ZenModeler: Scan time: 0.16 seconds
2015-07-01 20:41:12,630 INFO zen.ZenModeler: Daemon ZenModeler shutting down
2015-07-01 20:41:12,634 INFO zen.publisher: publishing failed: Connection was closed cleanly.

---

Subject:	i'm at a loss yet again. in
Author:	[Not Specified]
Posted:	2015-07-02 08:46

i'm at a loss yet again. in researching this problem i can setspn -l appserver and i get the list of acceptable SPNs. this implies to me that the entries are correctly in the database, at least at my DC. so what is generating this message is it the zenoss VM in this particular servers case the problem didn't start until i changed it's ip address. is there a way to completely clear any trace of the device from zenoss for example, if i delete it and then add it back it retains it's local zproperties, leading me to believe it's not truly removed from Zenoss perhaps since this ip address existed on a different server before this one that is my issue is there anyone out there that can answer any of these questions

---

Subject:	Problem solved, although
Author:	[Not Specified]
Posted:	2015-08-28 09:46

Problem solved, although probably not a great method. switching to using basic local authentication gets aroudn this issue.

For now, what i understand you must do:

Individual Machine configuration:
Open ports 5985 (http)/5986(https) for WinRM
winrm quickconfig
winrm s winrm/config/service @{MaxConcurrentOperationsPerUser="4294967295"}
winrm s winrm/config/winrs @{MaxShellsPerUser="2147483647"}
winrm s winrm/config/winrs @{IdleTimeout="7200000"}

Basic Authentication (Windows default is Kerberos see note below for more information):
winrm s winrm/config/service/auth @{Basic="true"}
winrm s winrm/config/service @{AllowUnencrypted="true"}

You are forced yo enable Basic, and use local users.

---

Subject:	Sorry to resurrect this thread, but it is the top of the search
Author:	[Not Specified]
Posted:	2017-02-15 15:40

I ran into this same issue and it ended up being a PTR issue in DNS. There were 2 listings for this one server and it looks like when it pulls the PTR record it only pulls one. If you get this error check to see if you have multiple PTR records for the server you are having issues with. As soon as I changed to the other PTR that was also listed it modeled correctly.

---

Subject:	RE: Sorry to resurrect this thread, but it is the top of the search
Author:	Devon Solomon
Posted:	2017-08-29 08:45

I am having the same issue on our 5.2.2 instance. I have tried the PTR and still get the same error. what else can i try?

------------------------------
Devon Solomon
------------------------------

---

Subject:	RE: Sorry to resurrect this thread, but it is the top of the search
Author:	Chris Gregors
Posted:	2017-08-29 10:13

I had a similar problem across a lot of machines.  I worked with Zenoss on finding an answer and they came up with setting this config property:


It seems it overrides the name that is used during the auth exchange.  It fixed my problem.

------------------------------
Chris Gregors
The secrets of the universe are simple. I just can't figure them out!
------------------------------

---

Subject:	RE: Sorry to resurrect this thread, but it is the top of the search
Author:	R S
Posted:	2017-10-13 12:42

Crazy old thread here. But I just went through something similar. I had to remove and re-join a server to AD, and use netdom to reset the machine password back on the AD controller. The device was deleted from zenoss, but when I re-added it to zenoss I was getting a bunch of "Kerberos error code -1765328343" when modelling the device. Like it was using the wrong kerberos ticket or something. And the device still had all the old archived events, so it was never really removed. 

Anyway, using this page Windows ZenPack - ZenPackers Documentation

I ended up deleting the kerberos ticket for my winrm user that is used in zenoss and rebooting the zenoss server. It was located in/opt/zenoss/var/krb5cc/user\@domain.com

------------------------------
R S
------------------------------