Can't access File Server

  • Question

  • One of the computers we have can't access File server. I checked the event viewer and saw this error.

    The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server wsbby132$. The target name used was cifs/fsbby02. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (ACTEQUIPMENT.COM) is different from the client domain (ACTEQUIPMENT.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

    Hoping someone can help me to figure this out. Thanks

    Tuesday, July 7, 2020 7:23 PM

Answers

  • did the unregister cifs/fsbby02 in fsbby02 and register cifs/fsbby02 in WSBBY132.

    I no longer have access to an AD environment that I can test with, but I don't think that you want to do that. 

    In your naming standard, is WS = Work Station and FS =  File Server? 

    It's been years since I had to run setspn to register a name. I think that the last time was on Win Server 2003 and we wanted to run an IIS worker process under an Active Directory account. Normal Windows setup has taken care of everything since then.

    If you run setspn -L against other "FS" and "WS" machines, does the output look similar? 

    If nothing else works, then maybe try removing WSBBY132 from the domain. Put it in a workgroup. Then delete the computer account from AD. Check each DC and verify that WSBBY132 is gone. Then re-add it to the domain.  

    • Marked as answer by JeffGueco Monday, July 20, 2020 5:43 PM
    Saturday, July 11, 2020 1:07 AM

All replies

  • Is that one computer able to see the shares on other servers? 

    Try running DCdiag on the machines. 

    https://networkproguide.com/using-dcdiag-check-domain-controller-health/

    Wednesday, July 8, 2020 12:56 AM
  • Hello,
    Thank you for posting in our TechNet forum.

    Based on the information we provided, is the file server wsbby132$?

    If so, the machine wsbby132$ should be using cifs/fsbby02. Maybe now there is no such SPN on wsbby132$ but there is such an SPN on fsbby02, or both wsbby132$ and fsbby02 are using the same SPN, cifs/fsbby02.

    1. We can check on DC by running setspn -q cifs/fsbby02 fsbby02 and setspn -q cifs/fsbby02 wsbby132 and run setspn -x to check if there are duplicated SPNs.

    2. Unregister the bad service entry from fsbby02:
    setspn -D cifs/fsbby02 fsbby02

    3. Register the service entry with the right information on wsbby132:
    setspn -A cifs/fsbby02 wsbby132


    Fixing the Security-Kerberos / 4 error
    https://docs.microsoft.com/en-us/archive/blogs/dcaro/fixing-the-security-kerberos-4-error


    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, July 8, 2020 3:40 AM

  • Hi,
    Would you please tell me how things are going on your side. If you have any questions or concerns about the information I provided, please don't hesitate to let us know. 
    Again thanks for your time and have a nice day!

    Best Regards,
    Daisy Zhou


    Friday, July 10, 2020 3:30 AM
  • yes, only share drive in FSBBY02 can't access. I ran DCdiag and there is no error related to this.

    Saturday, July 11, 2020 12:30 AM
  • I followed your instructions; there is no duplicate SPN.

    I did the unregister cifs/fsbby02 in fsbby02 and register cifs/fsbby02 in WSBBY132.

    Still didn't resolve the issue.

    This is what I get when I registered it.

    C:\>setspn -q cifs/fsbby02
    Checking domain DC=actequipment,DC=com
    CN=WSBBY132,OU=Windows 10 Laptops,DC=actequipment,DC=com
            cifs/FSBBY02
            WSMAN/WSBBY132
            WSMAN/WSBBY132.actequipment.com
            TERMSRV/WSBBY132.actequipment.com
            TERMSRV/WSBBY132
            RestrictedKrbHost/WSBBY132
            HOST/WSBBY132
            RestrictedKrbHost/WSBBY132.actequipment.com
            HOST/WSBBY132.actequipment.com

    Existing SPN found!

    Saturday, July 11, 2020 12:33 AM
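
The event text in the question says the SPN must be registered only on the account the target service actually uses, and the `setspn -q` output above shows cifs/FSBBY02 sitting on the WSBBY132 computer object. The following is an added example, not part of any post in this thread: a PowerShell check that lists every account holding an SPN and flags holders whose name differs from the host part of the SPN. It assumes the RSAT ActiveDirectory module; the function names `Get-SpnHolder` and `Test-SpnOwnership` are hypothetical.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-SpnHolder {
    param([Parameter(Mandatory)][string]$Spn)
    # Return every directory object that carries this SPN.
    Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" `
        -Properties servicePrincipalName, sAMAccountName
}

function Test-SpnOwnership {
    param([Parameter(Mandatory)][string]$Spn)

    $holders = @(Get-SpnHolder -Spn $Spn)
    if ($holders.Count -eq 0) {
        Write-Warning "No account holds $Spn"
        return
    }

    # Host part of "service/host[:port]", reduced to the short name.
    $spnHost   = ($Spn -split '/')[1] -replace ':.*$', ''
    $shortName = ($spnHost -split '\.')[0]

    foreach ($h in $holders) {
        # Computer accounts end in '$'; strip it before comparing.
        $account = $h.sAMAccountName.TrimEnd('$')
        [pscustomobject]@{
            Spn                = $Spn
            Account            = $h.sAMAccountName
            DistinguishedName  = $h.DistinguishedName
            HostMatchesAccount = ($account -ieq $shortName)
            Duplicate          = ($holders.Count -gt 1)
        }
    }
}

# Names taken from the thread. cifs is normally covered by the HOST/ SPN
# on the server's own computer account, so check both.
Test-SpnOwnership -Spn 'cifs/fsbby02'
Test-SpnOwnership -Spn 'HOST/fsbby02'
```

A row with `HostMatchesAccount = False` means tickets for that SPN are encrypted with the key of an account other than the named host; a service account legitimately holding the SPN will also show `False`, so read the result against how the service is actually run.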
  • yes, only share drive in FSBBY02 can't access. I ran DCdiag and there is no error related to this.

    Hello,
    So now we are accessing file server fsbby02 (not wsbby132), is that right? If so, register cifs/fsbby02 in fsbby02 and unregister cifs/fsbby02 in WSBBY132.

    Then we can check if nslookup returns two results.
    Open CMD(run as Administrator), and type nslookup fsbby02, and click Enter.

    For example:




    Best Regards,
    Daisy Zhou


    Monday, July 13, 2020 9:59 AM
  • I registered cifs/fsbby02 in fsbby02 and unregistered cifs/fsbby02 in WSBBY132.

    Still didn't work.

    I ran the nslookup fsbby02, it shows only one result.

    Tuesday, July 14, 2020 7:15 PM
  • I ran setspn -L against the other machines; their output looks similar to wsbby132's.

    I have already removed the computer from the domain and added it again. I even tried changing the computer name.

    Still didn't resolve the issue.

    Tuesday, July 14, 2020 7:17 PM
  • Check the time of day clock on both machines. Same day/time?

    Did you run the Shared Folders troubleshooter from settings?

    If nothing else works, you can try to run the Powershell script that I wrote to try and help other forum users who had problems with network shares. Copy and paste the SMBtest.ps1 into Powershell_ise and run it. It will prompt you for computer name and userid+pswd if necessary. It might point you to your problem.  

    The script is in this thread.

    https://social.technet.microsoft.com/Forums/en-US/f19af453-d2b3-47ba-86ba-0833d87c9d80/unable-to-map-network-drive

    Tuesday, July 14, 2020 11:31 PM
  • Hi,
    As MotoX80 mentioned, we check if machine time is correct. Because if time is not correct, Kerberos authentication will fail.

    How are things going on your end? Please keep me posted on this issue. 
    If you have any further questions or concerns about this question, please let us know.
    I appreciate your time and efforts.

    Best Regards,
    Daisy Zhou



    Thursday, July 16, 2020 5:06 AM
  • Hi
    How are things going on your end? Please keep me posted on this issue. 
    If you have any further questions or concerns about this question, please let us know.
    I appreciate your time and efforts.


    This "Group Policy" Forum will be migrating to a new home on Microsoft Q&A, please refer to this sticky post for more details. 


    Best Regards,
    Daisy Zhou

    Monday, July 20, 2020 3:46 AM
  • I tried again to remove the computer from the domain, removed the object in AD, then added the computer again with a different name. It works now.
    Monday, July 20, 2020 5:43 PM
  • Hi,
    Thank you for your update and sharing. I am so glad that the problem has been resolved.

    As always, if there is any question in future, we warmly welcome you to post in this forum again. We are happy to assist you!

    Best Regards,
    Daisy Zhou

    Friday, July 24, 2020 5:00 AM