The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server. The target name used was HTTP/


  • Thursday, March 08, 2012 10:12 AM
     
     

    Hi there. I'm running an NLB on the MP. No clients are auto approving - mode set to auto approve from the start. I have registered an SPN and followed the details outlined by Microsoft - e.g. adding account to run CCM Windows Auth Server Framework Pool.

    I'm getting the following error on the DC

    The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server <>$. The target name used was HTTP/<SPNName>. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (DOMAIN) is different from the client domain (DOMAIN), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

    I've made sure that only one account is using the SPN and followed all forum posts here on how to resolve.

    I get constant 'MP has rejected a policy request from GUID:<GUID> because it was not approved. The operating system reported error 2147942405: Access is denied.' I've checked to make sure only one GUID per device.

    I'm baffled at this stage. Can anyone throw anything in to assist on this?

    Cheers
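
The SPN condition spelled out in the event text above, as an added example that is not part of the original post or of Configuration Manager: a PowerShell check that the SPN is held by exactly one account and that this is the account the service runs as. The function name, account names, host names and the directory snapshot are constructed placeholders; in practice the records would come from a directory query.

```powershell
# Added example: every account, host and SPN name below is a constructed placeholder.
function Test-SpnRegistration {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]   $Spn,             # SPN the client requested a ticket for
        [Parameter(Mandatory)][string]   $ServiceAccount,  # identity the service (app pool) runs as
        [Parameter(Mandatory)][object[]] $Accounts         # objects with SamAccountName, ServicePrincipalName
    )

    # SPN matching is case-insensitive; -contains compares strings that way.
    $holders = @($Accounts |
        Where-Object { $_.ServicePrincipalName -contains $Spn } |
        ForEach-Object { $_.SamAccountName })

    # Map the result onto the causes named in the KRB_AP_ERR_MODIFIED event text.
    $status = if ($holders.Count -eq 0) {
        'Missing'          # nobody holds the SPN
    } elseif ($holders.Count -gt 1) {
        'Duplicate'        # not "only registered on" one account
    } elseif ($holders[0] -ne $ServiceAccount) {
        'WrongAccount'     # ticket is encrypted for a different account's key
    } else {
        'OK'
    }

    [pscustomobject]@{
        Spn            = $Spn
        ServiceAccount = $ServiceAccount
        Holders        = $holders
        Status         = $status
    }
}

# Constructed directory snapshot: the NLB name is registered on the service
# account and, with different casing, on one of the node computer accounts.
$accounts = @(
    [pscustomobject]@{ SamAccountName = 'svc-ccmpool'; ServicePrincipalName = @('HTTP/mp-nlb.example.test') }
    [pscustomobject]@{ SamAccountName = 'MP01$'; ServicePrincipalName = @('HOST/mp01.example.test', 'http/MP-NLB.example.test') }
    [pscustomobject]@{ SamAccountName = 'MP02$'; ServicePrincipalName = @('HOST/mp02.example.test') }
)

Test-SpnRegistration -Spn 'HTTP/mp-nlb.example.test' -ServiceAccount 'svc-ccmpool' -Accounts $accounts
```

A status of `OK` only rules out the SPN causes; the password mismatch and identically named accounts mentioned in the event text are not covered by this check.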


All Replies

  • Thursday, March 08, 2012 10:24 AM
     
     
    Just a thought. Does IIS authentication need to be set so Windows Authentication is Enabled?
  • Thursday, March 08, 2012 10:59 AM
     
     Answered

    After a few days troubleshooting on this one I think I've just cracked it by switching off the Windows firewall. However we need this enabled. Can anyone quickly advise which setting needs to be enabled on the Windows firewall to allow this through?

    Cheers

  • Wednesday, March 14, 2012 6:30 PM
     
     
    Make sure that the computer account for the SCCM server is in the local admins group on the client. Also, I believe SCCM primarily uses 135, 445, RPC range, and 80 to do its communication. Generally this is initiated from the client so make sure you take note of any outbound rules on your client's Windows firewall.
  • Tuesday, March 20, 2012 7:03 AM
    Moderator
     
     Answered

    You may refer to the following links to configure the firewall:

    Windows Firewall Settings for Configuration Manager Clients

    Ports Used by Configuration Manager


    Sabrina

    TechNet Community Support