RE: KRB_AP_ERR_MODIFIED Error on Windows2003 Server



Is this causing any problems?

This usually means the password used to encrypt the Kerberos service
ticket is wrong. This is typically caused by an incorrect
serviceprincipalname (SPN) registration. In this case the incorrectly
registered SPN would be host/xyz666.nobody.corp.priv (as cifs/ is rolled up
under the host/ SPN).

You can take an ldif dump on one of the DCs of the domain partition to see
where this SPN has been registered to see if it is correct or not. Ldif
syntax is:
ldifde -f dumpfile.txt -d DC=nobody,DC=corp,DC=priv -l serviceprincipalname

In some cases this error can also be a result of Kerberos packet
fragmentation.

Hope this helps,

Brian Delaney
Microsoft Canada
--

This posting is provided "AS IS" with no warranties, and confers no rights.
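
One way to search the ldifde dump suggested in the reply above for the accounts that register the SPN behind the failing target name, as an added example that is not part of the original posting. The sample dump, the OLDBOX account, the OU and the function names are constructed for illustration; more than one DN returned, or a DN other than the server's own computer account, points to the incorrect registration the reply describes.

```python
import base64
from collections import defaultdict

# Service classes resolved through the host/ SPN; the reply names cifs.
HOST_ALIASES = {"cifs"}

def unfold(ldif_text):
    """Join LDIF continuation lines (a line starting with one space)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def spn_owners(ldif_text):
    """Map each lower-cased SPN to the list of DNs that register it."""
    owners, dn = defaultdict(list), None
    for line in unfold(ldif_text):
        name, sep, value = line.partition(":")
        if not sep or line.startswith("#"):
            continue  # blank separator or comment
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        elif name == "serviceprincipalname" and dn:
            owners[value.lower()].append(dn)
    return owners

def lookup(ldif_text, target):
    """DNs registered for target; cifs/ is looked up as host/."""
    svc, _, rest = target.lower().partition("/")
    svc = "host" if svc in HOST_ALIASES else svc
    return spn_owners(ldif_text).get(f"{svc}/{rest}", [])

# Constructed sample dump: OLDBOX is a made-up stale account.
SAMPLE = """\
dn: CN=XYZ666,OU=Servers,DC=nobody,DC=corp,DC=priv
servicePrincipalName: HOST/xyz666.nobody.corp.priv

dn: CN=OLDBOX,OU=Servers,DC=nobody,DC=corp,DC=priv
servicePrincipalName: HOST/xyz666.nobody.corp
 .priv
"""

if __name__ == "__main__":
    print(lookup(SAMPLE, "cifs/xyz666.nobody.corp.priv"))
```
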
--------------------
From: =?Utf-8?B?bm9ib2R5?= <nobody@xxxxxxxxxxxxxxxxxxxxxxxxx>
Subject: KRB_AP_ERR_MODIFIED Error on Windows2003 Server
Date: Tue, 12 Sep 2006 11:06:02 -0700

On a Windows2003 Server Standard Edition without SP#1, I am seeing strange
Kerberos errors:

9/11/2006 8:35:01 AM
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date: 9/11/2006
Time: 7:27:24 AM
User: N/A
Computer: xyz123
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
MARIOTTI$. The target name used was cifs/xyz666.nobody.corp.priv. This
indicates that the password used to encrypt the kerberos service ticket is
different than that on the target server. Commonly, this is due to
identically named machine accounts in the target realm
(nobody.CORP.PRIV),
and the client realm. Please contact your system administrator.

Note that the server referenced in the description [Mariotti$] does not
exist anywhere on our domains. This member/resource server is not a domain
controller or exchange server. Just a simple file and print server. More
errors appeared this morning referencing 2 more servers that do not exist
anywhere. User workstations are all laptops that have recently travelled.

What the heck?

