The Kerberos client received a KRB_AP_ERR_MODIFIED error RRS feed

  • Question

  • Hi,

    since one night i receive the following error message on all member Server in a branch office for a special subent.
    Other Member server i a different subnet are not getting these errors. Before those member servers (new setup)
    worked fine for about 2-3 Month:

    Log Name:      System
    Source:        Microsoft-Windows-Security-Kerberos
    Date:          09.10.2013 02:47:27
    Event ID:      4
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      server
    The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server dc01$.
    The target name used was cifs/dc01.local. This indicates that the target server
    failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN)
    is registered on an account other than the account the target service is using. Please ensure that the target SPN
    is registered on, and only registered on, the account used by the server. This error can also happen when the target
    ervice is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC)
    has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password.
    If the server name is not fully qualified, and the target domain (domain.local) is different from the client domain (domain.local),
    check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

    These servers have no routing to the local Domain Controllers, instead they contact the DCs at the main office. So the
    KRB_AP_ERR_MODIFIED error is coming from both DCs at the main office, not specific to one pc.

    Effects that i have:
    - no logon with RDP possible (wrong username or password)
    - Service which Relay on Kerberos Auth have Problems

    So when i reboot the server in most cases its working again for some time. I also find out, when deleting the cached
    Kerberos Tickets with kerbtray its working.

    Any ideas what could cause the problem. As mentioned, it happend for all member servers in this subnet starting in the
    same night. As always, nothing was changed ;)


    • Edited by travelfreak Wednesday, October 9, 2013 12:41 PM
    Wednesday, October 9, 2013 12:41 PM


All replies