Discussion:
Kerberos error trying to talk to a server that no longer exists
Larry
2007-04-11 14:20:02 UTC
Hey guys,

Here is the event log error I am getting:

Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date: 4/11/2007
Time: 12:13:29 AM
User: N/A
Computer: DC1
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/dc1.domsin.com. The target name used was DNS/nt4.domain.com. This
indicates that the password used to encrypt the kerberos service ticket is
different than that on the target server. Commonly, this is due to
identically named machine accounts in the target realm (domain.com), and the
client realm. Please contact your system administrator.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
-------------------------------------------------------------------------------------------
nt4 is a retired server that is no longer in the system. For the life of
me, I can't find where dc1 is referencing nt4. Any ideas?

Thanks a bunch.
Joe Kaplan
2007-04-11 16:35:15 UTC
Do a search (forest wide) for an object that has that SPN. The filter would
look like:

(servicePrincipalName=DNS/nt4.domain.com)

That SPN is probably on a different account object than the one that is
actually running that service. That's the most common reason for getting
that particular Kerberos error. Essentially, the KDC created a service
ticket that was encrypted with the credentials of a specific service account
based on what's stored in AD and gave that ticket to the client. When the
client presented that ticket to the service, there was a failure because the
service was running under a different account than was indicated in AD,
so the service could not decrypt the ticket.

This type of thing can happen if SPNs get accidentally duplicated or some
DNS trickery takes place that causes a name to resolve to a machine that
doesn't match up with how the SPNs are configured in AD.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
Larry
2007-04-11 18:08:05 UTC
Joe,

Thanks for the quick reply. I did a search from Active Directory Users and
Computers. I found a computer object for nt4 and disabled it. I'm not sure
if this was what you were referring to as a forest level search. If it is
not, could you lead me in the right direction to do a higher level search?

Thanks
Joe Kaplan
2007-04-11 18:18:36 UTC
So, on the computer object that you found that had that SPN, is that
computer object the same computer that logged the error? If not, then
basically the problem is that the SPN for the service is associated with the
wrong account. You may need to move the SPN to the account that is actually
running the service in question (likely the DC machine account where you saw
this event logged). Just disabling the other computer account won't fix it.

Deleting the SPN might make this error go away, but it probably isn't the
right solution. If you delete the SPN, that will just cause Kerberos to not
be available and negotiate auth will fail over to NTLM. However, you should
be using Kerb whenever possible.

The root cause of the problem is likely exactly what I described in my
previous post. The KDC found the SPN for that service on a specific
computer account, so it created the service ticket for the client encrypted
with the credentials of that machine account. However, when the client
presented that service ticket to the service for authentication, the service
could not decrypt the ticket since the service was actually running as a
different service account than what was advertised in the directory.

You can probably use setspn.exe to remove the SPN in question from the
computer account you disabled and add it to the correct account.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
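The forest-wide SPN search from Joe's first reply and the setspn move from his third, as an added PowerShell example that is not part of the thread. It assumes dc1.domain.com answers as a global catalog, that the service really runs on the DC1 account, and that setspn.exe is installed; the account names are taken from the event text.

```powershell
# Added example, not from the thread. Lists every forest object carrying the
# SPN from Event ID 4, then prints (or with -Apply runs) the setspn commands
# that move the SPN to the account actually running the service.
param(
    [string]$Spn           = 'DNS/nt4.domain.com',  # target name from the event
    [string]$GlobalCatalog = 'dc1.domain.com',      # any GC answers forest-wide
    [string]$ServiceHost   = 'DC1',                 # account that really runs the service
    [switch]$Apply                                  # without -Apply only print commands
)

# GC:// searches the partial replica of every domain in the forest, which is
# the "forest wide" search rather than one domain's Users and Computers view.
$root     = New-Object System.DirectoryServices.DirectoryEntry("GC://$GlobalCatalog")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter = "(servicePrincipalName=$Spn)"
$searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'sAMAccountName', 'userAccountControl'))
$hits = @($searcher.FindAll())

if ($hits.Count -eq 0) { Write-Host "No object in the forest holds $Spn"; return }

$owners = @()
foreach ($h in $hits) {
    $dn  = $h.Properties['distinguishedname'][0]
    $sam = $h.Properties['samaccountname'][0]
    $uac = [int]$h.Properties['useraccountcontrol'][0]
    $state = if ($uac -band 0x2) { '[disabled]' } else { '[enabled]' }   # ACCOUNTDISABLE bit
    Write-Host "$dn ($sam) $state"
    $owners += $sam.TrimEnd('$')          # computer accounts end in '$'
}

# Two or more owners is the duplicate-SPN case; a single owner other than
# $ServiceHost is the "SPN on the wrong account" case. A disabled owner still
# counts: the KDC keys the ticket to whatever account holds the SPN.
$stale = $owners | Where-Object { $_ -ne $ServiceHost }
$commands = @()
foreach ($s in $stale) { $commands += "setspn -D $Spn $s" }   # remove, do not just disable
if ($owners -notcontains $ServiceHost) {
    $commands += "setspn -S $Spn $ServiceHost"   # -S refuses duplicates (use -A on Server 2003)
}

if ($commands.Count -eq 0) { Write-Host "SPN already sits only on $ServiceHost"; return }
$commands | ForEach-Object { Write-Host $_ }
if ($Apply) { $commands | ForEach-Object { Invoke-Expression $_ } }
```

Run it once without -Apply to review the proposed moves; after applying, a client that logged the error will get a ticket keyed to DC1's machine account on its next service-ticket request.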