The kerberos client received a KRB_AP_ERR_MODIFIED error from the server

Article ID: 558115
Author: Yuval Sinay MVP

SUMMARY

This article helps you resolve the error "The kerberos client received a KRB_AP_ERR_MODIFIED error from the server".

SYMPTOMS

 
When accessing the NLB virtual IP or NLB virtual name, the user may be prompted for a username and password,
and the following error may be added to the local System event log:
 
Event ID: 4
Source: Kerberos
Type: Error
 
"The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/myserver.domain.com.  This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (domain.com), and the client realm.   Please contact your system administrator."
 
 

CAUSE

 
When a user accesses an IIS 6 web site that supports Windows Integrated Authentication, the following
issues may occur:
 
1. Mismatched DNS name resolution. This issue is very common in an NLB environment that uses multiple IP addresses and/or multiple network adapters.
 
2. The user doesn't have local NTFS access permissions.
 
3. The web site is using an application pool with poor permission settings.
 
 
 

RESOLUTION

 
 
To resolve the error, consider performing the following checks:
 
 
1. Verify that IIS has been set up with the correct NTFS settings.
 
Integrated Windows Authentication (IIS 6.0)
 
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/523ae943-5e6a-4200-9103-9808baa00157.mspx?mfr=true
 
 
2. Verify that each cluster node has been set up with the correct DNS settings.
 
3. Verify that the node has been set up with the correct "Application Pool" settings:

Configuring Application Pool Identity with IIS 6.0 (IIS 6.0)
 
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/f05a7c2b-36b0-4b6e-ac7c-662700081f25.mspx?mfr=true
 
4. Verify that Internet Explorer has been set up with the correct security settings.
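
The following Python sketch is an added example, not part of the original article. It ties the Event ID 4 text to check 2: it extracts the server name from the event message and reports every address the name resolves to whose reverse (PTR) record does not map back to that name. The IP addresses, the node2 name and the function names are assumptions made for illustration; the sample records are constructed.

```python
import re
import socket

# SPN and realm as they appear in the Kerberos Event ID 4 message text.
EVENT_RE = re.compile(
    r"KRB_AP_ERR_MODIFIED error from the server\s+(?P<spn>\S+?)\.\s"
    r".*?target realm \((?P<realm>[^)]+)\)", re.I | re.S)

def parse_event(message):
    """Return (spn, host, realm) from an Event ID 4 message, or None."""
    m = EVENT_RE.search(message)
    if not m:
        return None
    spn = m.group("spn")
    host = spn.split("/", 1)[-1].split(":", 1)[0]  # drop service class and port
    return spn, host.lower(), m.group("realm").lower()

def live_forward(host):
    return socket.gethostbyname_ex(host)[2]  # all A records for the name

def live_reverse(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # no PTR record or lookup failure
        return None

def dns_mismatches(host, forward=live_forward, reverse=live_reverse):
    """List (ip, ptr_name) pairs where the PTR does not map back to host."""
    bad = []
    for ip in forward(host):
        ptr = reverse(ip)
        if ptr is None or ptr.rstrip(".").lower() != host:
            bad.append((ip, ptr))
    return bad

# Constructed sample data: event text modelled on the message quoted in
# SYMPTOMS, plus hypothetical A/PTR records for a two-address NLB name.
SAMPLE_EVENT = ("The kerberos client received a KRB_AP_ERR_MODIFIED error from "
                "the server host/myserver.domain.com.  This indicates that the "
                "password used to encrypt the kerberos service ticket is "
                "different than that on the target server. Commonly, this is due "
                "to identically named  machine accounts in the target realm "
                "(domain.com), and the client realm.")
SAMPLE_A = {"myserver.domain.com": ["192.0.2.10", "192.0.2.11"]}
SAMPLE_PTR = {"192.0.2.10": "myserver.domain.com", "192.0.2.11": "node2.domain.com"}

if __name__ == "__main__":
    spn, host, realm = parse_event(SAMPLE_EVENT)
    print(spn, realm, dns_mismatches(host, SAMPLE_A.get, SAMPLE_PTR.get))
```

Calling dns_mismatches(host) without the sample lookups queries the resolver of the machine it runs on, so run it on the client and on each cluster node and compare the results.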
 

 

MORE INFORMATION

 
Authentication and Access Control Diagnostics 1.0 (x86)
 
http://www.microsoft.com/Downloads/details.aspx?familyid=E90FE777-4A21-4066-BD22-B931F7572E9A&displaylang=en
 
Internet Information Services Diagnostic Tools

http://www.microsoft.com/windowsserver2003/iis/diagnostictools/default.mspx

Properties

Article ID: 558115 - Last Review: July 24, 2008 - Revision: 1.0
APPLIES TO
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)