Kerberos Service Principal Name on Wrong Account

Article ID: 2706695

Symptoms

A System event log has shown at least one Kerberos event 4. This is an event on a server indicating that a client has given the server a ticket for access to a resource, and the server cannot decrypt that ticket.

The true symptom is that a user failed to get access to a resource. The error they most likely received was access denied (error 5).

Cause

Kerberos service tickets are obtained by a client and passed to a server in order to gain access to resources on that server. They are encrypted using a secret which only the server that has the requested resource can decrypt. When the SPN is on the wrong account in Active Directory, the secret used is the one of the account the SPN is on instead of the one of the server.

As a result, the server cannot decrypt the ticket and returns an error to the client.

Resolution

To resolve this issue, the service principal name must be found and removed from the account that wrongly holds it, and then added to the correct account in Active Directory. To do that, follow these steps:

  1. At an elevated command prompt and using Enterprise Administrator credentials, run the command "setspn -Q <SPN>". This will return a computer name. SetSPN.exe is installed with the Active Directory Domain Services role or with RSAT.
  2. Remove the incorrectly registered SPN by going to the command prompt and running the command "setspn -D <SPN> <computername>".
  3. Add the SPN to the correct account at the command prompt by running the command "setspn -A <SPN> <computername of computer which had the System event 4>".

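
The three steps above as one script. This is an added example, not part of the KB article; it uses setspn.exe for the remove, add and verify steps exactly as the article does, but swaps an LDAP query (Get-ADObject from the RSAT ActiveDirectory module) in for "setspn -Q" so that the account holding the SPN comes back in a form the script can act on. The function name, and the SPN and computer name in the commented-out calls, are placeholders.

```powershell
# Added example (not from the KB article): automates the three setspn steps.
# Requires the ActiveDirectory module (RSAT) for Get-ADObject and setspn.exe on
# the path; run from an elevated prompt with Enterprise Administrator credentials.
# $Spn and $CorrectComputer are placeholders the caller supplies.
function Move-ServicePrincipalName {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Spn,              # e.g. cifs/server01.corp.example.com (placeholder)
        [Parameter(Mandatory)][string]$CorrectComputer   # name of the computer that logged Kerberos event 4
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # Step 1 (the article's "setspn -Q"): find every account that currently
    # carries the SPN. The LDAP query returns the same answer as setspn -Q.
    $holders = Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties sAMAccountName

    foreach ($h in $holders) {
        # Computer objects are addressed by their name, which is what setspn expects.
        $acct = if ($h.ObjectClass -eq 'computer') { $h.Name } else { $h.sAMAccountName }
        if ($acct -eq $CorrectComputer) {
            Write-Verbose "$Spn is already registered on $CorrectComputer; nothing to remove there."
            continue
        }
        # Step 2 (setspn -D): remove the SPN from the account that wrongly holds it.
        if ($PSCmdlet.ShouldProcess($acct, "setspn -D $Spn")) {
            & setspn.exe -D $Spn $acct
            if ($LASTEXITCODE -ne 0) { throw "setspn -D failed for $acct (exit $LASTEXITCODE)" }
        }
    }

    # Step 3 (setspn -A): register the SPN on the server that owns the service,
    # unless it already holds it.
    $alreadyCorrect = $holders | Where-Object {
        $_.Name -eq $CorrectComputer -or $_.sAMAccountName -eq $CorrectComputer
    }
    if (-not $alreadyCorrect -and $PSCmdlet.ShouldProcess($CorrectComputer, "setspn -A $Spn")) {
        & setspn.exe -A $Spn $CorrectComputer
        if ($LASTEXITCODE -ne 0) { throw "setspn -A failed (exit $LASTEXITCODE)" }
    }

    # Verify: list the SPNs now registered on the correct computer.
    & setspn.exe -L $CorrectComputer
}

# Preview the changes first, then apply them (placeholder names):
# Move-ServicePrincipalName -Spn 'cifs/server01.corp.example.com' -CorrectComputer 'SERVER01' -WhatIf
# Move-ServicePrincipalName -Spn 'cifs/server01.corp.example.com' -CorrectComputer 'SERVER01' -Verbose
```

Run with -WhatIf first: SupportsShouldProcess makes both setspn changes show as a preview without touching the directory, which matters because removing an SPN from an account that legitimately serves the resource breaks Kerberos for that service until it is added back.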

More information

When a client requests a service ticket, the DC issues one that the client can pass along. The client then sends it to the remote host it is trying to authenticate to.

This problem may appear in a network trace as an error response from the resource server carrying the error KRB_AP_ERR_MODIFIED.

In this scenario the remote server cannot decrypt the ticket the client sent to it, since the password used to encrypt it is not the right one. That, in turn, is the result of the SPN for that service and ticket being on the incorrect object in AD: it is that other object's password that is used instead. The server that cannot decrypt the ticket responds to the client, and the client then puts Kerberos event 4 (example below) in its System event log. Less commonly this is caused by network problems between client and server where the ticket is truncated.

KERBEROS Event ID 4
====================
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date: 8/17/2004
Time: 1:30:00 PM
User: N/A
Computer: MACHINENAME
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/machinename.childdomain.rootdomain.com. The target name used was
cifs/machinename.domain.com. This indicates that the password used to encrypt the
kerberos service ticket is different than that on the target server. Commonly, this
is due to identically named machine accounts in the target realm
(childdomain.rootdomain.COM), and the client realm. Please contact your system
administrator.
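
The event text above carries the two values a triage needs: the server that returned KRB_AP_ERR_MODIFIED and the target SPN the client asked for. The following function, an added example that is not part of the KB article, reads Kerberos event 4 entries from a client's System log (or parses pasted event text) and extracts both, then compares the DNS suffixes of the two names to mirror the event's own hint about identically named accounts in different realms. The function name and the generated NextStep wording are my own; the sample input is the article's event text.

```powershell
# Added example (not from the KB article): extract the server and target SPN
# from Kerberos event 4 (KRB_AP_ERR_MODIFIED) entries so the SPN can be handed
# to setspn -Q, and flag when the two names sit in different realms.
function Get-KerberosModifiedError {
    [CmdletBinding()]
    param(
        # Event description text(s) to parse; when omitted the live System log is read.
        [string[]]$Message,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    if (-not $Message) {
        $Message = Get-WinEvent -ComputerName $ComputerName `
            -FilterHashtable @{ LogName = 'System'; Id = 4 } -ErrorAction Stop |
            ForEach-Object { $_.Message }
    }
    # Captures the two principal names; '\.\s' stops each capture before the
    # period that ends its sentence, and \s+ spans the line wraps in the text.
    $pattern = 'from the server\s+(?<server>\S+)\.\s+The target name used was\s+(?<target>\S+)\.\s'

    foreach ($text in $Message) {
        if ($text -notmatch 'KRB_AP_ERR_MODIFIED') { continue }   # event 4 from other sources
        $m = [regex]::Match($text, $pattern, 'IgnoreCase')
        if (-not $m.Success) { continue }
        $server = $m.Groups['server'].Value
        $target = $m.Groups['target'].Value

        # "Realm" here is the DNS suffix after the host label, e.g.
        # childdomain.rootdomain.com for host/machinename.childdomain.rootdomain.com
        $serverRealm = (($server -split '/')[-1] -split '\.', 2)[-1]
        $targetRealm = (($target -split '/')[-1] -split '\.', 2)[-1]
        $mismatch = $serverRealm -ne $targetRealm      # string -ne is case-insensitive

        $next = if ($mismatch) {
            "Realms differ; check for identically named accounts in $serverRealm and $targetRealm, then run: setspn -Q $target"
        } else {
            "Find the account that holds the SPN: setspn -Q $target"
        }
        [pscustomobject]@{
            Server        = $server
            TargetSpn     = $target
            ServerRealm   = $serverRealm
            TargetRealm   = $targetRealm
            RealmMismatch = $mismatch
            NextStep      = $next
        }
    }
}

# Constructed input: the event text quoted in the article, to try the parser offline.
$sample = @'
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/machinename.childdomain.rootdomain.com. The target name used was
cifs/machinename.domain.com. This indicates that the password used to encrypt the
kerberos service ticket is different than that on the target server.
'@
Get-KerberosModifiedError -Message $sample | Format-List
```

On the article's sample the two suffixes differ (childdomain.rootdomain.com versus domain.com), so RealmMismatch is set and the next step points at the duplicate-account check before the setspn query. Without -Message the function queries the live System log by event ID only and relies on the KRB_AP_ERR_MODIFIED text to filter, which keeps it working whether the event source is shown as "Kerberos" (as in the 2004 sample) or as the newer Security-Kerberos provider.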

Note: This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Properties

Article ID: 2706695 - Last Review: August 8, 2012 - Revision: 3.0
Applies to
  • Windows Server 2008 R2 Datacenter
  • Windows Server 2008 R2 Datacenter without Hyper-V
  • Windows Server 2008 R2 Enterprise
  • Windows Server 2008 R2 Enterprise without Hyper-V
  • Windows Server 2008 R2 for Embedded Systems
  • Windows Server 2008 R2 for Itanium-Based Systems
  • Windows Server 2008 R2 Foundation
  • Windows Server 2008 R2 Service Pack 1
  • Windows Server 2008 R2 Standard
  • Windows Server 2008 R2 Standard without Hyper-V
  • Windows Server 2008 Service Pack 2
  • Windows Server 2008 Standard
  • Windows Server 2008 Standard without Hyper-V
  • Microsoft Windows Server 2003 R2 Datacenter x64 Edition
  • Microsoft Windows Server 2003 R2 Datacenter x64 Edition with Service Pack 2
  • Microsoft Windows Server 2003 R2 Enterprise Edition (32-Bit x86)
  • Microsoft Windows Server 2003 R2 Enterprise Edition KN
  • Microsoft Windows Server 2003 R2 Enterprise x64 Edition
  • Microsoft Windows Server 2003 R2 Standard Edition (32-bit x86)
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Datacenter without Hyper-V
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Enterprise without Hyper-V
  • Windows Server 2008 for Itanium-Based Systems
  • Windows Server 2008 for Windows Essential Server Solutions
  • Windows Server 2008 for Windows Essential Server Solutions without Hyper-V
  • Windows Server 2008 Foundation
Keywords: KB2706695
