Kerberos Event ID 4 (KRB_AP_ERR_Modified)

    Question

  • Hi, hope you can help,

    We have a site office with an AD server (2008 server) that unfortunately had to be switched off for about 6 weeks.

    We have just powered the server back on and we are getting an error (event ID 4):

    "The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server server1$. The target name used was cifs/server1.domain.local This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server."

    Active Directory is not replicating with this server.

    The server is an Active Directory server, bridgehead server, Global Catalogue, DNS and DHCP.

    I have gone through Active Directory and DNS and cannot see any duplicate entries for the server.

    Also, if I try to browse one of the other servers' file shares (server2 – server1) I get an error:

    Logon Failure: The target account name is incorrect

    But it works fine the other way (server1 – server2).

    I assume something is out of sync with it being switched off for 6 weeks.

    Many thanks for any help


    Sunday, February 05, 2012 8:55 PM

Answers

All replies

  • Hello,

    Please start with the following and make sure the DNS settings are correct:

    http://support.microsoft.com/kb/558115

    http://technet.microsoft.com/en-us/library/cc733987(WS.10).aspx

    http://msmvps.com/blogs/vandooren/archive/2009/04/02/the-kerberos-client-received-a-krb-ap-err-modified-error.aspx

    Please post an unedited ipconfig /all from the restarted server and from a running one. Be aware that 6 weeks is not a problem with the tombstone lifetime, but you should try to have all DCs up and running always.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
    Sunday, February 05, 2012 9:13 PM
  • Hi, thanks for the reply,

    I have been through the links and see nothing amiss.

    This is an ipconfig from the server that is not working. In DNS the primary DNS is that of our working DNS \ AD server.

    Many Thanks


    Sunday, February 05, 2012 9:30 PM
  • Hello,

    I would also add its own real IP address as a DNS server, and not only the loopback IP address.

    Please check with:

    setspn -L Servername

    for the SPNs.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
    Sunday, February 05, 2012 9:40 PM
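    A first-pass diagnostic that goes a step further than the single setspn -L above, added here as an example (it is not code from any reply in this thread). It checks the things the event text itself points at: which account holds the cifs/ SPN, whether the SPN is registered more than once, whether the name resolves, and whether this DC's own DNS client points only at the loopback address. It assumes an elevated Windows PowerShell prompt on the returned DC; the host name server1 and the suffix domain.local are taken from the error in the question and are placeholders.

```powershell
# Added example (not from the thread). Run elevated on the DC that was powered back on.
# $TargetHost and $DnsSuffix are placeholders lifted from the KRB_AP_ERR_MODIFIED text above.
$TargetHost = 'server1'
$DnsSuffix  = 'domain.local'
$Spn        = "cifs/$TargetHost.$DnsSuffix"

# 1. Latest Kerberos client errors (Event ID 4 in the System log on 2008 and later),
#    reduced to the SPN each event names so repeats of the same target stand out.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Security-Kerberos'; Id = 4 } `
             -MaxEvents 5 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $spnInMsg = [regex]::Match($_.Message, 'The target name used was (\S+)').Groups[1].Value
        '{0:u}  {1}' -f $_.TimeCreated, $spnInMsg
    }

# 2. Which account holds the SPN from the error? KRB_AP_ERR_MODIFIED means the ticket was
#    encrypted with the key of an account other than the one the service runs as, so this
#    query should return exactly one account: the computer account TARGETHOST$.
setspn -Q $Spn

# 3. SPNs registered on the target host's computer account (the setspn -L form from the reply).
setspn -L $TargetHost

# 4. Forest-wide duplicate-SPN scan (the -X switch exists in the Server 2008 setspn).
setspn -X

# 5. Name resolution: the name inside the SPN must resolve to the address the host really uses.
[System.Net.Dns]::GetHostAddresses("$TargetHost.$DnsSuffix") | ForEach-Object { $_.IPAddressToString }

# 6. DNS client settings on this DC: warn about adapters that list only 127.0.0.1,
#    which the replies in this thread advise against.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Where-Object { $_.DNSServerSearchOrder } |
    ForEach-Object {
        $servers     = @($_.DNSServerSearchOrder)
        $nonLoopback = @($servers | Where-Object { $_ -ne '127.0.0.1' })
        if ($nonLoopback.Count -eq 0) {
            "WARNING: $($_.Description) lists only 127.0.0.1 as DNS server"
        } else {
            "$($_.Description): $($servers -join ', ')"
        }
    }
```

    Step 2 is the one that decides the case: if setspn -Q returns two accounts, or an account other than the target's computer account, the event text is literally right and the duplicate has to be removed; if it returns only the expected account, the ticket is being rejected for another reason, typically the broken secure channel the later replies deal with.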
  • Hi, thanks for the quick replies.

    When I run that command I get:

    FindDomainForAccount: DsGetDcNameWithAccountW Failed!

    Could not find account Servername


    Sunday, February 05, 2012 9:50 PM
  • Hello,

    You have to use YOUR server name.

    setspn -L SL1


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
    Sunday, February 05, 2012 9:59 PM
  • Sorry, that was a bit thick of me...

    Hopefully this still makes sense with the domain name removed.

    • Proposed as answer by Ko4evneG Thursday, June 26, 2014 2:25 PM
    Sunday, February 05, 2012 10:05 PM
  • You are getting the error "Logon Failure: target account name is incorrect"; this indicates that the secure channel between the DCs is broken.

    Refer below link to fix the issue:

    http://sandeshdubey.wordpress.com/2011/10/02/secure-channel-between-the-dcs-broken/

    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/e9c162cb-1e26-43e0-80df-73c491c22aac/

    http://social.technet.microsoft.com/Forums/ar/winserverDS/thread/61841544-ac49-49cc-8db0-ecc511941c95

    I would also recommend removing the loopback IP address (127.0.0.1) and entering the IP address of the server as the DNS entry.


    Hope this helps

    Regards,
    Sandesh Dubey.
    -------------------------------
    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator
    My Blog: http://sandeshdubey.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.


    • Edited by Sandesh Dubey Monday, February 06, 2012 2:17 AM
    • Marked as answer by people3 Friday, February 10, 2012 9:52 PM
    Monday, February 06, 2012 2:15 AM
  • Hi Sandesh,

    Thanks for the reply. If I follow the steps in the first link (and second) and run step 4:

    "4. Reset the Server domain controller account password on Server1 (the PDC
    emulator).

    To do so, open a command prompt and type: netdom /resetpwd /server:server2
    /userd:domain.com\administrator /passwordd:password, and then press Enter"

    Will this impact any of our other DCs? It may seem like a daft question, but is the domain controller account password the same as our Administrator account password?

    Cheers


    Monday, February 06, 2012 8:54 AM
  • Sorry, also: can I use the 2003 version of Kerbtray on a 2008 server, as I am unable to find a 2008 version of this tool?
    Monday, February 06, 2012 8:57 AM
  • Q. Reset the Server domain controller account password on Server1 (the PDC emulator). Will this impact any of our other DCs? It may seem like a daft question, but is the domain controller account password the same as our Administrator account password?

    ANS. This will not have any impact on other DCs.

    Hope this helps

    Regards,
    Sandesh Dubey.
    -------------------------------
    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator
    My Blog: http://sandeshdubey.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.

    Monday, February 06, 2012 8:59 AM
  • To purge the ticket you can use the resource kit tool. It is the same for Win2k8 & Win2k3.

    http://www.microsoft.com/download/en/details.aspx?id=17657

    Hope this helps

    Regards,
    Sandesh Dubey.
    -------------------------------
    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator
    My Blog: http://sandeshdubey.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.

    Monday, February 06, 2012 9:05 AM
  • Thanks Sandesh, one final question if I may before doing the procedure.

    Do I need to run the purge and stop the KDC service on all the other DCs, or just the one that is not syncing?

    Will resetting the password with Netdom automatically sync with the working DCs?

    Many Thanks

    Monday, February 06, 2012 9:13 AM
  • Hi,

    I am about to run the Netdom command, but I'm unsure which server to run it from. The blog article above implies that I run it on our working DC (SW1) and specify the faulty one (SL1).

    However, I came across this from Microsoft, which runs the command on the faulty DC specifying the working one:

    "Make sure that the netdom command is returned as completed successfully. If it is not, the command did not work. For the domain Contoso, where the affected domain controller is DC1, and a working domain controller is DC2, you run the following netdom command from the console of DC1:
    netdom resetpwd /server:DC2 /userd:contoso\administrator /passwordd:administrator password"

    Does it matter which server I run Netdom on?


    Monday, February 06, 2012 1:28 PM
  • You need to purge the ticket on the problematic DC, stop the KDC on all DCs except the PDC role holder server, and run the netdom command on the PDC role holder server.

    Once the command is executed successfully, run repadmin /syncall /AdeP on the problematic DC and the PDC role holder server. Start the KDC on all DCs and then try to access the share; if the sysvol share is available, this indicates that the secure channel is reset correctly. Also force the replication between DCs and check if you are facing any issue. Run dcdiag /q and repadmin /replsum to check for any errors on the problematic DC.

    Hope this helps

    Regards,
    Sandesh Dubey.
    -------------------------------
    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator
    My Blog: http://sandeshdubey.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.



    Tuesday, February 07, 2012 1:29 AM
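    The procedure from the reply above, written out as one script so the ordering (KDC down, tickets purged, password reset, sync, KDC up, verify) is explicit. This is an added example, not the reply author's code and not Microsoft's. It runs on the affected DC and uses the netdom form quoted from Microsoft earlier in the thread, where /server names a working DC, because netdom resetpwd resets the machine account password of the computer it is run on. It also retries repadmin /syncall with a pause, since the thread reports the first attempt failing with Win32 error 8440 straight after the reset. The server names, domain and account name are placeholders; stopping the KDC on the other DCs uses sc.exe, and if those remote calls fail while the secure channel is broken, that step has to be done on each DC's own console.

```powershell
# Added example (not from the thread). Run elevated, in Windows PowerShell, on the DC whose
# secure channel is broken. Every name below is a placeholder.
$Domain      = 'domain.local'
$PdcEmulator = 'SW1'                 # PDC emulator; keeps its KDC running throughout
$HealthyDC   = $PdcEmulator          # working DC that netdom resets the password against
$NonPdcDCs   = @('SW2')              # all other DCs except the PDC emulator and this one
$AdminUser   = 'administrator'

# 1. Stop the KDC here and on the other non-PDC DCs so no tickets are issued under the old key.
Stop-Service -Name kdc
foreach ($dc in $NonPdcDCs) {
    sc.exe "\\$dc" stop kdc | Out-Null    # may fail while the channel is broken; then do it on that DC
}

# 2. Purge cached tickets. The SYSTEM logon session (0x3e7) holds the DC's own tickets,
#    the current session holds the administrator's.
klist -li 0x3e7 purge | Out-Null
klist purge | Out-Null

# 3. Reset this DC's machine account password against a working DC. /passwordd:* prompts
#    for the admin password so it never lands in the shell history.
netdom resetpwd "/server:$HealthyDC" "/userd:$Domain\$AdminUser" /passwordd:*
if ($LASTEXITCODE -ne 0) { throw "netdom resetpwd failed (exit $LASTEXITCODE); stopping here." }

# 4. Pull replication. Retry with a pause rather than failing on the first 8440.
$synced = $false
for ($i = 1; $i -le 6 -and -not $synced; $i++) {
    $out = repadmin /syncall /AdeP 2>&1 | Out-String
    if ($out -match 'SyncAll reported the following errors|fatal Win32 error') {
        Write-Host "syncall attempt $i failed; waiting 5 minutes before retrying"
        Start-Sleep -Seconds 300
    } else {
        $synced = $true
    }
}
if (-not $synced) { throw 'repadmin /syncall still failing; leave the KDC stopped and investigate.' }

# 5. Start the KDCs again.
Start-Service -Name kdc
foreach ($dc in $NonPdcDCs) { sc.exe "\\$dc" start kdc | Out-Null }

# 6. Verify: SYSVOL reachable over the new secure channel, then the usual health checks.
if (Test-Path "\\$HealthyDC\sysvol") {
    Write-Host "SYSVOL on $HealthyDC reachable: secure channel is back"
} else {
    Write-Warning "SYSVOL on $HealthyDC not reachable: secure channel still broken"
}
dcdiag /q
repadmin /replsum
```

    The reply also asks for repadmin /syncall /AdeP on the PDC role holder; run that from its console once step 4 succeeds here. The throw after netdom matters: if the reset itself reports "The target account name is incorrect", nothing after it can work, and restarting the KDCs would only put the DCs back where they started.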
  • Hi,

    How is everything going after reset machine account passwords of a Windows Server domain controller via Netdom? Any update?

    Please turn off the Kerberos service on the offending DC, clear the cached tickets out and run this command:

    netdom resetpwd /s:server /ud:domain\User /pd:*

    from the other working DC listing the offending DC as the server.

    Restart the Kerberos service.

    Hope this helps!

    Best Regards
    Elytis Cheng

    TechNet Community Support

    Tuesday, February 07, 2012 7:33 AM
    Moderator
  • Hi, thanks for the replies. I'm going to run this on Friday and I'll let you know how I get on.

    Many thanks for the help

    Tuesday, February 07, 2012 12:15 PM
  • Hi, thanks for all the help here, it worked a treat.

    The only issue we had was that when we reset the password using netdom and stopped the KDC service on SL1, we were unable to run repadmin /syncall; we got an error:

    CALLBACK MESSAGE: Error contacting server

    SyncAll exited with fatal Win32 error :8440

    We left the server with KDC stopped on SL1 for about 30 min and when we tried again all was fine - restarted KDC on SL1 and AD is syncing fine.

    Thanks for the help

    Friday, February 10, 2012 9:57 PM
  • Hi,

    You can use PowerShell's Test-ComputerSecureChannel to test this.

    On PDC it will throw an error but on all other DCs you will be able to check.

    BR

    Thursday, February 11, 2016 4:11 PM
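    A way to run the check from the reply above against every DC in the domain at once, added here as an example (not the reply author's code). It takes the DC list from System.DirectoryServices so it needs no RSAT module, skips the local machine, catches the error the reply says the PDC throws instead of aborting, and finishes with nltest as a second opinion. It assumes Windows PowerShell on a domain-joined machine or DC; nothing else is assumed.

```powershell
# Added example (not from the thread). Windows PowerShell (Test-ComputerSecureChannel is in
# Microsoft.PowerShell.Management), run on a DC or any domain member.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$pdc    = $domain.PdcRoleOwner.Name

$results = foreach ($dc in $domain.DomainControllers) {
    # No secure channel to ourselves: skip the local DC (compare on the short host name).
    if ($dc.Name.Split('.')[0] -ieq $env:COMPUTERNAME) { continue }

    # Test this machine's secure channel, forcing the named DC as the partner.
    try {
        if (Test-ComputerSecureChannel -Server $dc.Name -ErrorAction Stop) {
            $status = 'OK'
        } else {
            $status = 'BROKEN'
        }
    } catch {
        # The reply notes this throws on the PDC; record it rather than stopping the loop.
        $status = "ERROR: $($_.Exception.Message)"
    }

    New-Object PSObject -Property @{
        DC            = $dc.Name
        Site          = $dc.SiteName
        IsPDC         = ($dc.Name -ieq $pdc)
        SecureChannel = $status
    }
}

$results | Format-Table DC, Site, IsPDC, SecureChannel -AutoSize

# Second opinion from Netlogon itself: which DC the channel is currently set up with, and its state.
nltest "/sc_query:$($domain.Name)"
```

    A BROKEN row for a DC that is up and reachable is the same condition the thread started from ("The target account name is incorrect"); the fix is still the password reset discussed above, and Test-ComputerSecureChannel -Repair -Credential (Get-Credential) performs that reset for the local machine's account without netdom.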
  • Hi, thanks for all the help here, it worked a treat.

    The only issue we had was that when we reset the password using netdom and stopped the KDC service on SL1, we were unable to run repadmin /syncall; we got an error:

    CALLBACK MESSAGE: Error contacting server

    SyncAll exited with fatal Win32 error :8440

    We left the server with KDC stopped on SL1 for about 30 min and when we tried again all was fine - restarted KDC on SL1 and AD is syncing fine.

    Thanks for the help

    I have exactly the same problem, but it doesn't fix it.

    When I use the command netdom resetpwd /server:DC2 /userd:contoso\administrator /passwordd:administrator password, it shows:

    The machine account password for the local machine could not be reset.

    Logon Failure: The target account name is incorrect.

    The command failed to complete successfully.


    But if I use a command like this, the command completed successfully:

    netdom /resetpwd /Server:10.1.2.1 /userd:abc.com.hk\administrator /passwordd:Qwerty1234
    The machine account password for the local machine has been successfully reset.

    The command completed successfully.

    And then repadmin /syncall shows:

    CALLBACK MESSAGE: Error contacting server 1960ac4d-b193-4eda-991f-8a23f4d24fe0._
    msdcs.abc.com.hk (network error): -2146893022 (0x80090322):
        The target principal name is incorrect.
    CALLBACK MESSAGE: Error contacting server 5b2a453f-3a50-4a15-9099-41070c1b2b60._
    msdcs.abc.com.hk (network error): -2146893022 (0x80090322):
        The target principal name is incorrect.
    CALLBACK MESSAGE: SyncAll Finished.

    SyncAll reported the following errors:
    Error contacting server 1960ac4d-b193-4eda-991f-8a23f4d24fe0._msdcs.abc.com.hk (
    network error): -2146893022 (0x80090322):
        The target principal name is incorrect.
    Error contacting server 5b2a453f-3a50-4a15-9099-41070c1b2b60._msdcs.abc.com.hk (
    network error): -2146893022 (0x80090322):
        The target principal name is incorrect.

    Can anyone help?

    • Edited by lobilly Wednesday, February 07, 2018 10:04 AM additional information
    Wednesday, February 07, 2018 9:59 AM