Web Analytics Made Easy -
StatCounter
Tuesday, December 17, 2024 9:52:20 AM

Event ID: 4 - The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server server$. The target name used was cifs/DOMAIN.local. This indicates that the target server failed to decrypt the ticket provided by the client.

5 years ago
#194 Quote
What does this message mean when seen on an Windows 2016 server?:

Log Name:      System
Source:        Microsoft-Windows-Security-Kerberos
Date:          29/09/2019 04:11:24
Event ID:      4
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      %computername%.DOMAIN.local
Description:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server server$. The target name used was cifs/DOMAIN.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (DOMAIN.local) is different from the client domain (DOMAIN.local), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Kerberos" Guid="{98E6CFCB-EE0A-41E0-A57B-622D4E1B30B1}" EventSourceName="Kerberos" />
    <EventID Qualifiers="16384">4</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2019-09-29T03:11:24.715683800Z" />
    <EventRecordID>23157</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>System</Channel>
    <Computer>%computername%.DOMAIN.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="Server">server$</Data>
    <Data Name="TargetRealm">DOMAIN.local</Data>
    <Data Name="Targetname">cifs/DOMAIN.local</Data>
    <Data Name="ClientRealm">DOMAIN.local</Data>
    <Binary>
    </Binary>
  </EventData>
</Event>

Where do we look for this duplicate name - ADSIEdit? Is there a way to easily decide which the troublesome record is? The server computer in question is obviously the domain DC so do we need to check the DNS?
0
5 years ago
#195 Quote
I think this was a federation service added by someone at some point as there was an account called FS under 'Managed Service Accounts' in our AD.

We renamed the SPN/host from domain.local to FS.domain.local and kept in min d that if we decided to relight the federation services in the future, we would be careful about what name we gave it! SPN/host should not hold the same value as anything else important.
0