The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server adfs. The target name used was HTTP/fs.domain.com

  • Question

  • Hi,

    I got the below error when I tried to access my ADFS URL

    The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server adfs. The target name used was HTTP/fs.domain.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (Domain.COM) is different from the client domain (Domain.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server

    Thursday, March 24, 2016 5:05 AM

Answers

  • Check the following:

    1. Ensure that the name of your server is not the same as the name of your farm. If your farm is called fs.domain.com in the AD domain domain.com, your server cannot be named FS.
    2. Ensure that the DNS record for your farm, fs.domain.com, is an A record, not a CNAME.
    3. Ensure the DNS record points to the IP address of your actual ADFS server, or to the virtual IP of your load balancer if you use one.
    4. Ensure that the servicePrincipalName HTTP/fs.domain.com is configured only on the service account used by your ADFS farm, nowhere else.

    Let us know how it goes!


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Thursday, March 24, 2016 10:34 PM
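The four checks in the answer above can be scripted on an AD FS server. This is an added example, not code from the thread; it assumes the ActiveDirectory and DnsClient PowerShell modules, that the AD FS service is named adfssrv, and that the farm FQDN is passed in (fs.domain.com is a placeholder, as in the thread).

```powershell
# Added example (not from the original thread): scripts checks 1-4 above.
# Assumes the ActiveDirectory and DnsClient modules and a service named adfssrv.
param([Parameter(Mandatory)][string]$FarmFqdn)   # e.g. fs.domain.com (placeholder)
Import-Module ActiveDirectory -ErrorAction Stop

$spn      = "HTTP/$FarmFqdn"
$farmHost = ($FarmFqdn -split '\.')[0]

# Check 1: the server must not carry the farm's host name.
if ($env:COMPUTERNAME -ieq $farmHost) {
    Write-Warning "Check 1 FAIL: this server is named '$farmHost', the same as the farm."
} else {
    Write-Host "Check 1 OK: server '$env:COMPUTERNAME' differs from farm host '$farmHost'."
}

# Checks 2 and 3: the farm name must be an A record (not a CNAME) that resolves
# to the AD FS server or to the load balancer VIP.
$dns   = Resolve-DnsName -Name $FarmFqdn -Type A -ErrorAction Stop
$cname = $dns | Where-Object Type -eq 'CNAME'
$a     = $dns | Where-Object Type -eq 'A'
if ($cname) {
    Write-Warning "Check 2 FAIL: $FarmFqdn is a CNAME for $($cname.NameHost)."
} else {
    Write-Host "Check 2 OK: $FarmFqdn is an A record."
}
Write-Host "Check 3: $FarmFqdn resolves to $($a.IPAddress -join ', '); confirm this is the AD FS server or VIP."

# Check 4: the SPN must be registered on exactly one object, and that object must
# be the account adfssrv runs as (a gMSA sAMAccountName ends in '$').
$svcStartName = (Get-CimInstance Win32_Service -Filter "Name='adfssrv'").StartName
$svcSam       = (($svcStartName -split '\\')[-1]).TrimEnd('$')
$holders      = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName)

if ($holders.Count -eq 0) {
    Write-Warning "Check 4 FAIL: $spn is not registered on any account."
} elseif ($holders.Count -gt 1) {
    $list = ($holders | ForEach-Object DistinguishedName) -join '; '
    Write-Warning "Check 4 FAIL: $spn is registered on $($holders.Count) objects: $list"
} elseif ($holders[0].sAMAccountName.TrimEnd('$') -ine $svcSam) {
    Write-Warning "Check 4 FAIL: $spn is on '$($holders[0].sAMAccountName)' but adfssrv runs as '$svcStartName'."
} else {
    Write-Host "Check 4 OK: $spn is registered only on the service account '$svcStartName'."
}
```

A duplicate or misplaced SPN in check 4 is the situation the event text describes: the KDC encrypts the service ticket with the key of whichever account holds the SPN, so the AD FS service cannot decrypt it.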

All replies

  • Any luck?

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Tuesday, March 29, 2016 4:29 PM
  • Ensure the Federation Service identifier entered when configuring ADFS matches the host name and domain names, including case, as configured in the application. In one case, I saw this error when the Federation Service identifier had the host name in uppercase (if this is the cause, the error will show you the URL) but the application settings were all lower case. Edit it by opening AD FS Management, selecting AD FS, then right-clicking (or using the Action menu) and choosing Edit Federation Service Properties. Restart the ADFS service and try the application. If that is your issue, this will solve it; it did for me.
    Thursday, January 17, 2019 3:38 PM
  • Check the following:

    1. Ensure that the name of your server is not the same as the name of your farm. If your farm is called fs.domain.com in the AD domain domain.com, your server cannot be named FS.
    2. Ensure that the DNS record for your farm, fs.domain.com, is an A record, not a CNAME.
    3. Ensure the DNS record points to the IP address of your actual ADFS server, or to the virtual IP of your load balancer if you use one.
    4. Ensure that the servicePrincipalName HTTP/fs.domain.com is configured only on the service account used by your ADFS farm, nowhere else.

    Let us know how it goes!


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    I had the same issue with the error, ADFS was not working internally but working outside the network.

    Step 4 fixed my issue.


    Thanks.

    Friday, June 14, 2019 1:45 AM