locked
Windows Server 2012 R2 "The password is incorrect. Try again." RRS feed

  • Question

  • Hi,

    I tried to login to my Windows Server 2012 R2 and I got this message "The password is incorrect. Try again." Although the username and password are absolutely correct.

    Any thoughts. Thanks.


    • Edited by rak01 Tuesday, May 27, 2014 11:01 AM
    Tuesday, May 27, 2014 11:00 AM

Answers

  • Hi,

    Have you tried to shut down the DC, then start it?

    If you can log on after a reboot, I suggest you check the System log to find if Event 5823 and Event 4 are logged.

    Best Regards,

    Amy

    • Marked as answer by rak01 Friday, May 30, 2014 6:57 AM
    Thursday, May 29, 2014 9:17 AM

All replies

  • HI

    If this is a domain joined PC, ensure you have proper network connection to DC

    Tuesday, May 27, 2014 12:03 PM
  • Actually, this is the Domain Controller and I'm connected to it directly via keyboard and mouse and got this password error message.
    Wednesday, May 28, 2014 3:57 AM
  • What username are you using? Any chance you are trying to log on with a local account? Once a server becomes a Domain Controller the local accounts are no longer usable. You would need to make sure you are logging in with <domainname>\<username>. Windows 2012 R2 will cache the local administrator account from a prior reboot and can be confusing if you dont choose to log on as another user.

    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years.

    Wednesday, May 28, 2014 5:02 AM
  • This is the way I normally use to login to my DC: domainname\DomainAdminUsername then the domain admin password. Actually, I already have the RSAT installed in my Windows 8.1 machine and I noticed some Kerberos authentication error messages appear in the Event section within Server Manager console and this is the error description:

    "The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server dc$. The target name used was LDAP/DC.mydomain.com/mydomain.com@MYDOMAIN.COM. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (MYDOMAIN.COM) is different from the client domain (MYDOMAIN.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server."

    • Edited by rak01 Wednesday, May 28, 2014 7:48 AM
    Wednesday, May 28, 2014 7:22 AM
  • Are you able to log onto another DC with the same username/password combo?

    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years.

    Wednesday, May 28, 2014 9:25 PM
  • Yes, I'm able to login to the Additional Domain Controller with same username/password.

    Now i'm getting this red notification error in my RSAT Server Manager console (0x80090322 Kerberos Authentication Error) and not be able to connect to the primary DC.

    Wednesday, May 28, 2014 10:59 PM
  • Hi,

    Have you tried to shut down the DC, then start it?

    If you can log on after a reboot, I suggest you check the System log to find if Event 5823 and Event 4 are logged.

    Best Regards,

    Amy

    • Marked as answer by rak01 Friday, May 30, 2014 6:57 AM
    Thursday, May 29, 2014 9:17 AM
  • I have not tried to shutdown the DC before, and when I forced it to shutdown as you suggested I was able to login successfully. I kept monitoring the event viewer for 20 Hours and no more Kerberos authentication error messages popped up. I got the following events right away after i restarted the DC:

    Event ID: 5823
    The system successfully changed its password on the domain controller .  This event is logged when the password for the computer account is changed by the system.
    It is logged on the computer that changed the password.

    Event ID: 4
    The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server dc$. The target name used was LDAP/DC.mydomain.com/mydomain.com@MYDOMAIN.COM. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (MYDOMAIN.COM) is different from the client domain (MYDOMAIN.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

    Could you please explain what was happening.

    Thank you all for the help.

    • Edited by rak01 Friday, May 30, 2014 7:06 AM
    Friday, May 30, 2014 6:57 AM
  • Hi,

    I have been investigating this behavior for a while, I am wondering that have you migrated your domain from 2003 to 2012 recently?

    Because I can reproduce this issue by migrating a Windows Server 2003 domain to Windows Server 2012 domain, after the Domain Controller changes its password.

    Here are some similar threads below about this issue, which got me testing this behavior in the first place:

    DC - refuses administrator log on

    http://social.technet.microsoft.com/Forums/windowsserver/en-US/e16fcdda-8e5a-4b30-bbe0-d847bcb68b4e/dc-refuses-administrator-log-on?forum=winserverDS

    KRB_AP_ERR_MODIFIED 4 Random on Member Server in upgraded Domain 2003 to 2012 R2

    http://social.technet.microsoft.com/Forums/windowsserver/en-US/4d8a4018-5969-4c6c-99b1-b446711e1dd4/krbaperrmodified-4-random-on-member-server-in-upgraded-domain-2003-to-2012-r2?forum=winserverDS

    I am still trying to figure out how and why this issue happens, and consulting with some experts. I will keep you posted once I have progress.

    Have a nice day!

    Amy

    • Edited by Amy Wang_ Friday, May 30, 2014 7:18 AM
    Friday, May 30, 2014 7:16 AM
  • Yes I just migrated our domain from 2003 32bit to 2012 R2 some weeks ago.

    Do Primary DC and Additional DC have to have the same Windows version for example both OSes must be 2012 R2 to avoid any domain problems?

    Thanks.


    • Edited by rak01 Sunday, June 1, 2014 6:27 AM
    Sunday, June 1, 2014 6:27 AM
  • Hi,

    Not necessarily, because I re-produced the issue with the exact same Operating System machines.

    If you are talking about other issues, there is no issue caused by different Operating Systems in a domain that I am aware of.

    Regards,

    Amy

    Tuesday, June 3, 2014 9:08 AM
  • Hello all,

    Just so you know... you are not alone!

    We are experiencing this exact same issue. Domain in mixed mode with 2003 R2 DC and 2012 R2 DC.

    We have a case with MS.

    It seems the issue occurs on Windows 2008 R2 only (in fact it happened to a Windows 8.1 also)

    It occurs after computer account reset password and the only way to fix is a reboot.

    We are working with MS at the time and they tell us they have other case in progress with same issue. But that it is really difficult to reproduce. In fact, in our environnement, we are not able to reproduce. It happens here and there without warning.

    So if any of you have a step-by-step recipe we can follow to reproduce each and every time.... please share! It could help a lot MS engineers.

    I'll try to keep you posted.

    David

    Thursday, June 19, 2014 1:20 PM
  • Just wanted to add my two cents in.

    A client had this exact issue occur this weekend after windows updates were downloaded. Updates were not applied until I had to reboot their server.Server rejected login attempts for both the "administrator" DomainAdmin account and one that my company had set up as a backup DomainAdmin account.

    The client had their DC upgraded from Win2k3 32-bit server to Win2k12 R2 64-bit on 5/27/2014. They have had some client related issues tied in with this upgrade but nothing with the server until now.

    Event 5823 occurred at 11:56 p.m.  on the day in question with an Event 4 Kerberos error occuring at 12:21 a.m. thereafter.

    I have not had another occurrence of this so far, but I am monitoring. I hope that a hotfix or explanation is forthcoming from MS.

    Monday, July 14, 2014 4:27 PM
  • I have the same exact problem as well.  It is very random.  I thought it was a time issue but that is not the case.  It seem to have occurred after a windows update not sure which one it effects Server 2012R2 and Windows 7 and 8 Clients.

    I recently migrated 4 DCs that were Server 2003 /R2 x86 to 2012R2 x64

    Tuesday, July 22, 2014 8:11 PM
  • Hi All,

    There is a blog published by now:

    It turns out that weird things can happen when you mix Windows Server 2003 and Windows Server 2012 R2 domain controllers

    http://blogs.technet.com/b/askds/archive/2014/07/23/it-turns-out-that-weird-things-can-happen-when-you-mix-windows-server-2003-and-windows-server-2012-r2-domain-controllers.aspx 

    Best Regards,

    Amy

    Wednesday, July 30, 2014 2:10 AM
  • I have experiencing the same issue and i can't duplicate it. it is so random.

    any update on this issue?

    Wednesday, January 27, 2016 3:26 PM
  • We have same logon error... our host is hyper-v with production VMs and it's complicated to restart it.. any update?
    Thursday, March 3, 2016 9:33 AM
  • Hi,

    I faced like that problem, I tried to login a new user by the following information

    user name : administrator

    password : ***********

    means, write the username 'administrator' and the password of your self that you was trying to login.

    I think it's best solution.

    Monday, May 21, 2018 7:37 AM
  • I'd like to add that this happened on a Windows 2019 Server also that was migrated in steps from a WS2003. I thought I was losing my mind that it made me think I forgot the administrator password!
    Tuesday, May 14, 2019 1:11 AM
  • Did you ever get a resolution to this on a DC newer than 2012?

    Just migrated from 2003 to 2016 (Forest and Domain functional level 20016).
    As we're on 2016 functional level, all 2003 DC's have been decommissioned as per the supported requirements.

    Started seeing: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server in the event logs once a machine had changed its password

    Following a machine password change and then a reboot machines do work and continue to work after an additional password reset.

    We've got a call logged with MS but if anyone else has had this on a 2016 DC and has a solution that would be grand.

    Monday, September 23, 2019 12:45 PM
  • Well at least I don't feel alone.. Migrated from Server 2003 to 2K16. Intermittently various machines will just not allow a login until a reboot. Usually not a big deal until it happens to the DC. Is the only solution still to just reboot the machine?
    Monday, November 4, 2019 1:44 PM
  • The same issue i'm facing right now can you explain how to resolve it.
    Sunday, July 26, 2020 9:33 AM