KRB5KRB_AP_ERR_MODIFIED error when running DHCP service in "Network Service" account

  • Question

  • Hi Professors:

    We have a Windows Server 2008 R2 SP1 domain controller (production) that has DHCP and DNS installed.

    When you try to connect to DHCP remotely through the DHCP management console, the connection fails; the error says DHCP does not exist.

    But the actual error I got from Wireshark is KRB5KRB_AP_ERR_MODIFIED.

    I've tried resetting the DC machine password; that didn't help.

    But finally, I found that after switching the DHCP Server service from logging on as "Network Service" to "Local System account", we can connect to DHCP remotely without issue.

    So there is something wrong with the Network Service account itself. All services running under that account are affected.

    How can we start troubleshooting the Network Service account?

    Thanks,

    Tuesday, September 29, 2015 7:26 PM

Answers

  • Hi Lawrence,

    >>But the actual error I got from Wireshark is KRB5KRB_AP_ERR_MODIFIED

    The actual error is KRB_AP_ERR_MODIFIED. It is shown as KRB5KRB_AP_ERR_MODIFIED in some network analysis tools. Basically, this states that the account that is running the service could not decrypt the Kerberos ticket that the KDC gave to the client.

    Here is the reference for the error:
    https://technet.microsoft.com/en-us/library/cc733987(v=ws.10).aspx

    On the client you are connecting from, we could enable Kerberos event logging to trace detailed Kerberos events.

    Here is the guide:
    https://support.microsoft.com/en-us/kb/262177

    Best Regards,

    Leo



    • Proposed as answer by Leo Han Tuesday, October 13, 2015 2:32 AM
    • Marked as answer by Leo Han Tuesday, October 13, 2015 5:03 AM
    Wednesday, September 30, 2015 8:17 AM
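
The troubleshooting step suggested in the answer, as an added example that is not part of the original thread: a PowerShell script for the client that turns on Kerberos event logging through the `LogLevel` registry value described in KB 262177, waits while the failing DHCP console connection is reproduced, and then lists the Kerberos errors written to the System log. The `-LookbackMinutes` parameter, its 30-minute default, and the wildcard match on the provider name are assumptions of this example.

```powershell
# Added example (not from the thread): enable Kerberos event logging per KB 262177,
# reproduce the failure, then list the Kerberos errors the client logged.
# Run from an elevated PowerShell prompt on the client you connect from.
param(
    [switch]$Disable,           # turn logging back off when finished
    [int]$LookbackMinutes = 30  # assumed window; widen it if the repro took longer
)

$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

if ($Disable) {
    # Remove the value again so the System log is not flooded after troubleshooting.
    Remove-ItemProperty -Path $key -Name LogLevel -ErrorAction SilentlyContinue
    Write-Host 'Kerberos event logging disabled.'
    return
}

# LogLevel (REG_DWORD) = 1 turns on Kerberos event logging.
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
New-ItemProperty -Path $key -Name LogLevel -PropertyType DWord -Value 1 -Force | Out-Null

# Drop cached tickets so the next connection requests a fresh service ticket.
klist purge | Out-Null

Read-Host 'Logging enabled. Reproduce the DHCP console connection, then press Enter'

# Kerberos client errors are written to the System log.
$since  = (Get-Date).AddMinutes(-$LookbackMinutes)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; StartTime = $since } `
              -ErrorAction SilentlyContinue |
          Where-Object { $_.ProviderName -like '*Kerberos*' }

# The KRB_AP_ERR_MODIFIED entries: the message text names the server and the
# target name the client requested a ticket for.
$modified = $events | Where-Object { $_.Message -match 'KRB_AP_ERR_MODIFIED' }
$modified | Select-Object TimeCreated, Id, ProviderName, Message | Format-List

# Summary of every Kerberos event in the window, for context around the failure.
$events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count | Format-Table -AutoSize

if (-not $modified) {
    Write-Warning 'No KRB_AP_ERR_MODIFIED events found in the selected window.'
}
```

Run the script again with `-Disable` once the events have been collected.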