KCD: KRB_AP_ERR_MODIFIED

Error/Symptom:

KRB_AP_ERR_MODIFIED

This error can occur in both same-domain and cross-domain KCD configurations. It is observed in the Event Viewer (System log) of the SEG server, or of an Exchange server that holds the Client Access Server (CAS) role.

Sample error:

Log Name: System
Source: Microsoft-Windows-Security-Kerberos
Date: 11/9/2015 9:02:16 AM
Event ID: 4
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: Test
Description:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server TEST$. The target name used was HTTP/test. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (global.internal) is different from the client domain (GLOBAL.INTERNAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

 

Cause:

This error means that one or more Client Access servers cannot decrypt the service tickets that clients present. A Kerberos service ticket is encrypted with the key of whichever account holds the requested SPN (here HTTP/<namespace>); in a KCD deployment that is the Alternate Service Account (ASA) shared by all Client Access servers. Any member that does not hold the current ASA password, or any SPN that has ended up on a different account, therefore produces KRB_AP_ERR_MODIFIED. Typical reasons:

1. Exchange 2010 (SP1 and later) with a CAS Array: an additional Client Access server/node was added to the array, but the ASA credential was never pushed to it, so it does not have the password needed to decrypt the Kerberos tickets.

2. Exchange 2013 and later (where the term CAS Array is no longer used): another server with the CAS role was added without the ASA credential, with the same effect.

3. The ASA password was rolled by running the rollover script (RollAlternateServiceAccountPassword.ps1 in the Exchange Scripts directory), but the script was not run against all members. The KDC now issues tickets under the new password while some servers still hold the old one.

4. The Exchange DNS namespace (the name clients connect to) was changed. The HTTP SPN for the new name is not on the ASA, so, as the event text itself notes, tickets are issued against whatever account does hold that SPN, and the members that were set up for the prior DNS name cannot open them.

5. The ASA account was deleted accidentally.

 

Resolution:

1. Confirm whether any changes were made to Exchange recently (servers added, namespace changed, ASA password rolled).

2. Rerun the ASA rollover script against all servers/members, so that every Client Access server holds the same, current ASA password.

3. Clarify whether the Exchange DNS namespace was changed. If it was, register the HTTP SPN for the new name on the ASA (and make sure no other account holds it), then rerun the script.

4. Confirm that the ASA account is present in Active Directory and was not accidentally deleted; if it is missing, no member can decrypt tickets until it is recreated with its SPNs and the script is rerun.
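The following PowerShell walk-through of the four steps above is an added example; it is not part of the original article and not Exchange's own code. It assumes Exchange 2013, a client-access namespace of mail.contoso.com and an ASA that is the computer account CONTOSO\EXCH-ASA$ (replace all three), and it is meant to be run from the Exchange Management Shell on one Client Access server, where setspn.exe, Get-ClientAccessServer and the Scripts folder are available.

```powershell
# Added example, not from the original article. Assumed values, replace for your environment:
$Namespace  = 'mail.contoso.com'     # assumed DNS name clients connect to (the name in the HTTP SPN)
$AsaAccount = 'CONTOSO\EXCH-ASA$'    # assumed ASA, a computer account, hence the trailing $
$AsaSam     = 'EXCH-ASA'             # its name without the $, for matching setspn output

# Step 1: which Client Access servers are currently logging Kerberos event 4?
# (same provider and event ID as the sample error above)
$AffectedServers = Get-ClientAccessServer | ForEach-Object {
    $hits = Get-WinEvent -ComputerName $_.Name -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Security-Kerberos'
        Id           = 4
        StartTime    = (Get-Date).AddDays(-1)
    }
    [pscustomobject]@{ Server = $_.Name; KerberosErrorsLast24h = @($hits).Count }
}
$AffectedServers | Format-Table -AutoSize

# Step 4 (checked first, because steps 2 and 3 cannot succeed without the account):
# does the ASA still exist, and is it the only account holding the HTTP SPN for the
# namespace? "setspn -Q" searches the forest and prints each owning DN on a line
# starting with "CN="; "setspn -X" lists SPNs registered on more than one account.
$Owners = setspn -Q "http/$Namespace" | Where-Object { $_ -match '^CN=' }
if (-not $Owners) {
    Write-Warning "No account holds http/$Namespace - register it on the ASA (step 3)."
} elseif (@($Owners).Count -gt 1 -or ($Owners -notmatch "^CN=$AsaSam,")) {
    Write-Warning "http/$Namespace is held by: $($Owners -join '; ') - it must be on the ASA only."
}
setspn -X

# Step 3: if the namespace changed, register the new HTTP SPN on the ASA.
# -S refuses to add a duplicate, which is exactly the condition the event text warns about.
setspn -S "http/$Namespace" $AsaAccount

# Step 2: compare the ASA credential state on every Client Access server, then roll
# the password to the whole forest so that all members hold the same, current key.
Get-ClientAccessServer -IncludeAlternateServiceAccountCredentialStatus |
    Format-List Name, AlternateServiceAccountConfiguration

Push-Location (Join-Path $env:ExchangeInstallPath 'Scripts')
.\RollAlternateServiceAccountPassword.ps1 -ToEntireForest -GenerateNewPasswordFor $AsaAccount -Verbose
Pop-Location

# Verify from a domain-joined client: purge cached tickets and request a fresh one
# for the namespace. The ticket should be issued, and event 4 should stop appearing.
klist purge
klist get "http/$Namespace"
```

Run the rollover script from one server only; with -ToEntireForest it pushes the new password to every Client Access server itself, which is what step 2 requires. If the SPN check reports the namespace on a server's own computer account instead of the ASA, that is the step 3 case: move the SPN before rolling the password, or the freshly rolled members will still receive tickets they cannot decrypt.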

 
