Re: KRB_AP_ERR_MODIFIED Error on Windows2003 Server
- From: briandel@xxxxxxxxxxxxxxxxxxxx (Brian Delaney [MSFT])
- Date: Wed, 13 Sep 2006 23:47:50 GMT
Hi,
DNS problems can cause this error as well. This is because a client is
attempting to contact systema so the Kerberos Key Distribution Center
encrypts the service ticket with systema's password but poor DNS causes the
query to actually go to systemb and therefore it is encrypted with the
wrong password and generates the error.
Hope this helps,
Brian Delaney
Microsoft Canada
--
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
From: "kcsteele" <k.c.steele@xxxxxxxxx>and
Newsgroups: microsoft.public.windows.server.general
Subject: Re: KRB_AP_ERR_MODIFIED Error on Windows2003 Server
Date: 13 Sep 2006 06:16:16 -0700
Organization: http://groups.google.com
I had a similar issue earlier this year, from what I remember it was
caused by incorrect PTR entries in DNS. I would check your reverse DNS
records.
nobody wrote:
Thanks for the info - I will try to get access to the domain controller
thesesee what ldif shows. No, this is not causing any problems, but out of the
100+ servers I support, it seems odd to have just this one reporting
incorrectlyerrors.
"Brian Delaney [MSFT]" wrote:
Is this causing any problems?
This usually means, the password used to encrypt the kerberos service
ticket is wrong. This is typically caused by an incorrect
serviceprincipalname (SPN) registration. In this case the SPN
seeregistered would be host/xyz666.nobody.corp.priv (as cifs/ is rolled up
under the host/ SPN)
You can take an ldif dump on one of the DCs of the domain partition to
Ldifwhere this SPN has been registered to see if it is correct or not.
serviceprincipalnamesyntax is:
ldifde -f dumpfile.txt -d DC=nobody,DC=corp,DC=priv -l
rights.
In some cases this error can also be a result of Kerberos packet
fragmentation.
Hope this helps,
Brian Delaney
Microsoft Canada
--
This posting is provided "AS IS" with no warranties, and confers no
strange--------------------
Thread-Topic: KRB_AP_ERR_MODIFIED Error on Windows2003 Server
thread-index: AcbWlhvN7IX5bJ4DRAqlb3FL2AVtzw==
X-WBNR-Posting-Host: 64.91.16.96
From: =?Utf-8?B?bm9ib2R5?= <nobody@xxxxxxxxxxxxxxxxxxxxxxxxx>
Subject: KRB_AP_ERR_MODIFIED Error on Windows2003 Server
Date: Tue, 12 Sep 2006 11:06:02 -0700
On a Windows2003 Server Standard Edition without SP#1, I am seeing
serverKerberos errors:
9/11/2006 8:35:01 AM
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date: 9/11/2006
Time: 7:27:24 AM
User: N/A
Computer: xyz123
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the
ThisMARIOTTI$. The target name used was cifs/xyz666.nobody.corp.priv.
ticket isindicates that the password used to encrypt the kerberos service
notdifferent than that on the target server. Commonly, this is due to(nobody.CORP.PRIV),
identically named machine accounts in the target realm
and the client realm. Please contact your system administrator.
Note that the server referenced in the description [Mariotti$] does
domainexist anywhere on our domains. This member/resource server is not a
Morecontroller or exchange server. Just a simple file and print server.
existerrors appeared this morning referencing 2 more servers that do not
travelled.anywhere. User workstations are all laptops that have recently
What the heck ?
.
- References:
- Re: KRB_AP_ERR_MODIFIED Error on Windows2003 Server
- From: kcsteele
- Re: KRB_AP_ERR_MODIFIED Error on Windows2003 Server
- Prev by Date: Roaming profile save as problem
- Next by Date: Windows 2003 server becomes unresponsive
- Previous by thread: Re: KRB_AP_ERR_MODIFIED Error on Windows2003 Server
- Next by thread: Windows cannot determine the user or computer name
- Index(es):
Relevant Pages
|
