none
Security-kerberos problem with event id 4

    Question

  • We have a Dynamic CRM running on server ZCRM in local domain zcrm.mydomain.local.

    The developer run this command:

    “setspn -a HTTP/ZCRM ZMZM\CRMAPPSRV”

    and after that we were not be able to access CRM url using server name (http://czcrm:8888) but we access the server using IP (http://172.10.10.34:8888)

    Then we got Security-kerberos problem with event id 4

    This is the message:

    The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server zcrm$. The target name used was HTTP/ZCRM.zmzm.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (mydomain.LOCAL) is different from the client domain (mydomain.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

     

    Thursday, March 21, 2013 7:48 AM

Answers

  • We have a Dynamic CRM running on server ZCRM in local domain zcrm.mydomain.local.

    The developer run this command:

    “setspn -a HTTP/ZCRM ZMZM\CRMAPPSRV”

    and after that we were not be able to access CRM url using server name (http://czcrm:8888) but we access the server using IP (http://172.10.10.34:8888)

    Then we got Security-kerberos problem with event id 4

    This is the message:

    The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server zcrm$. The target name used was HTTP/ZCRM.zmzm.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (mydomain.LOCAL) is different from the client domain (mydomain.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

    To me the problem appears to be because of the duplicate SPN issues. Refer the below link to troubleshoot duplicate SPN as well as kerberos issues.

    http://blog.joeware.net/2008/07/17/1407/

    http://blogs.technet.com/b/askds/archive/2008/06/09/kerberos-authentication-problems-service-principal-name-spn-issues-part-2.aspx


    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Thursday, March 21, 2013 8:25 AM
    Moderator

All replies

  • Event ID 4 — Kerberos Client Configuration

    http://technet.microsoft.com/en-us/library/cc733987(WS.10).aspx

    Regards
    Biswajit Biswas
    My Blogs|TechnetWiki Ninja


    Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin

    Thursday, March 21, 2013 8:06 AM
  • We have a Dynamic CRM running on server ZCRM in local domain zcrm.mydomain.local.

    The developer run this command:

    “setspn -a HTTP/ZCRM ZMZM\CRMAPPSRV”

    and after that we were not be able to access CRM url using server name (http://czcrm:8888) but we access the server using IP (http://172.10.10.34:8888)

    Then we got Security-kerberos problem with event id 4

    This is the message:

    The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server zcrm$. The target name used was HTTP/ZCRM.zmzm.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (mydomain.LOCAL) is different from the client domain (mydomain.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

    To me the problem appears to be because of the duplicate SPN issues. Refer the below link to troubleshoot duplicate SPN as well as kerberos issues.

    http://blog.joeware.net/2008/07/17/1407/

    http://blogs.technet.com/b/askds/archive/2008/06/09/kerberos-authentication-problems-service-principal-name-spn-issues-part-2.aspx


    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Thursday, March 21, 2013 8:25 AM
    Moderator
  • Agree with other experts, in addition I would suggest you to check the DNS settings using following link and correct them if you see any misconfigurations.

    DNS Best Practices

    Thursday, March 21, 2013 8:31 AM
  • Thanks to you all.
    Thursday, March 21, 2013 4:32 PM