Torsten Guest
|
Posted: Thu May 18, 2006 3:15 pm Post subject: Kerberos error - EventID 4 on 1 server in forest |
|
|
"The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/ADM1.loca1.deso1.com The target name used was
ldap/ADM2.loca1.deso1.com. This indicates that the password used to encrypt
the kerberos service ticket is different than that on the target server.
Commonly, this is due to identically named machine accounts in the target
realm (LOCA1.DESO1.COM), and the client realm. Please contact your system
administrator."
Can anybody tell me what I have to do on this DC?
|
Paul Williams [MVP] Guest
|
Posted: Thu May 18, 2006 4:45 pm Post subject: Re: Kerberos error - EventID 4 on 1 server in forest |
|
|
Looks like you are trying to access ADM1 with the hostname ADM2. If you
want to achieve this, Google strictnamechecking.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
|
Torsten Guest
|
Posted: Thu May 18, 2006 5:46 pm Post subject: Re: Kerberos error - EventID 4 on 1 server in forest |
|
|
Oh, sorry. It must be:
"The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/ADM1.loca1.deso1.com The target name used was
ldap/ADM1.loca1.deso1.com. This indicates that the password used to encrypt
the kerberos service ticket is different than that on the target server.
Commonly, this is due to identically named machine accounts in the target
realm (LOCA1.DESO1.COM), and the client realm. Please contact your system
administrator."
"Paul Williams [MVP]" wrote:
|
Jorge Silva Guest
|
Posted: Fri May 19, 2006 1:53 am Post subject: Re: Kerberos error - EventID 4 on 1 server in forest |
|
|
Hi

Possible Causes and Resolutions

Some encrypted Kerberos authentication data sent by the client did not
decrypt properly at the server because:

- A service ticket is issued to the local computer account, for which
  a host/ SPN is automatically created, instead of to the service account, for
  which no SPN has been created. The reason for this is that a service does
  not register an SPN for itself, yet the service belongs to a service class
  for which the computer will automatically map the SPN to a host/service
  class. (Examples of this are the HTTP and Common Internet File System (CIFS)
  service classes.) The result is that the service cannot decrypt the
  resultant ticket.
  Resolution: If the root cause appears to be that an SPN has not been set, verify
  that each service running on the target computer has an SPN set. Those
  services that do not have SPNs set might have had their SPNs remapped to the
  computer's host SPN. For more information about SPNs and how to set them,
  see Need an SPN Set earlier in this white paper.
- The authentication data was encrypted with the wrong key for the
  intended server.
- The authentication data was modified in transit by a hardware or
  software error, or by an attacker.
- The client sent the authentication data to the wrong server because
  incorrect DNS data caused the client to send the request to the wrong
  server.
  Resolution: Verify that DNS is functioning properly.
- The client sent the authentication data to the wrong server because
  DNS data was out-of-date on the client.
  Resolution: Verify that DNS is functioning properly.
- Two computers in different domains have the same name and the client
  sent the authentication data to the wrong computer.
  Resolution: Verify that there are not multiple computers with the same name,
  including NetBIOS names, anywhere on the network.
--
I hope that helps
Good Luck
Jorge Silva
MCSA
Systems Administrator
"Torsten" <Torsten@discussions.microsoft.com> wrote in message
news:E0166CE6-8F83-4236-BFC3-F95604116226@microsoft.com...
Quote:
Oh, sorry. It must be:
"The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/ADM1.loca1.deso1.com The target name used was
ldap/ADM1.loca1.deso1.com. This indicates that the password used to encrypt
the kerberos service ticket is different than that on the target server.
Commonly, this is due to identically named machine accounts in the target
realm (LOCA1.DESO1.COM), and the client realm. Please contact your system
administrator."
"Paul Williams [MVP]" wrote:
Looks like you are trying to access ADM1 with the hostname ADM2. If you
want to achieve this, Google strictnamechecking.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
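
Added example, not part of any post in this thread: a Python triage of the Event ID 4 text against an exported list of SPNs per account, covering the name mismatch Paul points out and the missing or duplicated SPN causes in Jorge's list. The inventory, the `OTHER` domain and the finding labels are assumptions made up for illustration.

```python
import re

# Event ID 4 wording as quoted in the thread.
EVENT_RE = re.compile(r"error from the server (?P<server>\S+) "
                      r"The target name used was (?P<target>\S+?)\. ", re.I)

def parse_event4(message):
    """Return (server_principal, target_spn), or None if the text does not match."""
    m = EVENT_RE.search(" ".join(message.split()) + " ")
    return (m["server"], m["target"]) if m else None

def spn_host(spn):
    """Lower-cased host part of a class/host[:port] SPN."""
    return spn.partition("/")[2].split(":", 1)[0].lower()

def triage(message, inventory):
    """inventory maps an account name to the SPNs registered on it."""
    parsed = parse_event4(message)
    if parsed is None:
        return ["not-event-4"]
    server, target = parsed
    findings = []
    if spn_host(server) != spn_host(target):
        findings.append("name-mismatch")  # ticket for one host reached another: check DNS
    holders = sorted(acct for acct, spns in inventory.items()
                     if target.lower() in (s.lower() for s in spns))
    if len(holders) > 1:
        findings.append("duplicate-spn:" + ",".join(holders))  # two keys behind one name
    elif not holders:
        findings.append("no-explicit-spn")  # may have been remapped to the host/ SPN
    return findings or ["spn-ok"]

# Constructed sample data: the message text follows the two posts; the inventory is invented.
FIRST = ("The kerberos client received a KRB_AP_ERR_MODIFIED error from the server\n"
         "host/ADM1.loca1.deso1.com The target name used was\n"
         "ldap/ADM2.loca1.deso1.com. This indicates that the password used to encrypt")
CORRECTED = FIRST.replace("ldap/ADM2", "ldap/ADM1")
INVENTORY = {
    "LOCA1\\ADM1$": ["host/ADM1.loca1.deso1.com", "ldap/ADM1.loca1.deso1.com"],
    "OTHER\\ADM1$": ["ldap/ADM1.loca1.deso1.com"],  # hypothetical same-named machine
    "LOCA1\\ADM2$": ["host/ADM2.loca1.deso1.com"],
}

if __name__ == "__main__":
    for label, text in (("first post", FIRST), ("corrected post", CORRECTED)):
        print(label, "->", triage(text, INVENTORY))
```
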