The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server. The target name used was HTTP/


  • Hi there. I'm running an NLB on the MP. No clients are auto approving - mode set to auto approve from the start. I have registered an SPN and followed the details outlined by Microsoft - e.g. adding account to run CCM Windows Auth Server Framework Pool. 

    I'm getting the following error on the DC

    The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server <>$. The target name used was HTTP/<SPNName>. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (DOMAIN) is different from the client domain (DOMAIN), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

    I've made sure that only one account is using the SPN and followed all forum posts here on how to resolve.

    I get constant 'MP has rejected a policy request from GUID:<GUID> because it was not approved. The operating system reported error 2147942405: Access is denied.' I've checked to make sure only one GUID per device.

    I'm baffled at this stage. Can anyone throw anything in to assist on this?


    Thursday, March 08, 2012 10:12 AM
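
The check the event text asks for (the SPN registered on, and only on, the account the service runs as), written out as an added example that is not part of the original post. It assumes the ActiveDirectory and WebAdministration modules are available, that it is run on the management point, and that `$Spn` is replaced with the real NLB name; the value shown is a constructed placeholder.

```powershell
# Added example: compare the account(s) holding the HTTP SPN with the
# identity of the MP application pool named in the post.
Import-Module ActiveDirectory     # RSAT AD module (assumed installed)
Import-Module WebAdministration   # IIS module; run on the management point

$Spn     = 'HTTP/mp-nlb.example.com'   # constructed placeholder, not from the post
$AppPool = 'CCM Windows Auth Server Framework Pool'

# 1. Which accounts in the current domain carry this SPN?
#    (Searches one domain only; setspn -X reports duplicates more broadly.)
$holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" `
                          -Properties sAMAccountName)

# 2. Which account does the application pool run as?
$pool = Get-Item "IIS:\AppPools\$AppPool"
if ($pool.processModel.identityType -eq 'SpecificUser') {
    # Accept DOMAIN\user or user@domain and keep only the account name.
    $expected = ($pool.processModel.userName -split '\\')[-1] -replace '@.*$', ''
} else {
    # Built-in identities authenticate on the network as the computer account.
    $expected = "$env:COMPUTERNAME`$"
}

# 3. Report the result.
$holders | Select-Object sAMAccountName, DistinguishedName | Format-Table -AutoSize

if ($holders.Count -eq 0) {
    Write-Warning "No account in this domain holds $Spn."
} elseif ($holders.Count -gt 1) {
    Write-Warning "$Spn is registered on $($holders.Count) accounts; the KDC cannot issue a usable ticket."
} elseif ($holders[0].sAMAccountName -ne $expected) {
    Write-Warning "$Spn is on '$($holders[0].sAMAccountName)' but the pool runs as '$expected'."
} else {
    Write-Output "$Spn is registered only on '$expected', matching the pool identity."
}
```

If IIS kernel-mode authentication is enabled without `useAppPoolCredentials`, tickets are decrypted with the computer account regardless of the pool identity, so compare against that account instead. This check does not cover the other cause named in the event text, a service account password that differs from what the KDC holds.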


All replies