Kerberos Service Principal Name on Wrong Account

Applies to: Windows Server 2008 R2 Datacenter, Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 for Itanium-Based Systems


A System event log has shown at least one Kerberos event 4. This event is logged when a client has given a server a ticket for access to a resource and the server cannot decrypt that ticket.

The true symptom is that a user failed to get access to a resource. The most likely error they received was an access denied or error 5.


Kerberos service tickets are obtained by a client and passed to a server in order to gain access to resources on that server. They are encrypted using a secret which only the server that holds the requested resource can decrypt. When the SPN is registered on the wrong account in Active Directory, the secret used is the one of the account the SPN is on instead of the one of the server.

As a result the server cannot decrypt the ticket and gives back an error to the client.


To resolve this issue, the service principal name must be located and removed from the alternative account, then added to the correct account in Active Directory. To do that, follow these steps:

  1. At an elevated command prompt and using Enterprise Administrator credentials, run the command "setspn -Q <SPN>". This will return the name of the computer account the SPN is registered on. SetSPN.exe is installed with the Active Directory Domain Services role or with RSAT.
  2. Remove the incorrectly registered SPN by going to the command prompt and running the command "setspn -D <SPN> <computername>".
  3. Add the SPN to the correct account at the command prompt by running the command "setspn -A <SPN> <computername of computer which had the System event 4>".

More Information

When a client requests a service ticket, the DC issues it. The client then sends it to the remote host it is trying to authenticate to.

This problem may appear in a network trace with an error response from the resource server showing the error KRB_AP_ERR_MODIFIED.

In this scenario the remote server cannot decrypt the ticket the client sent to it, because the password used to encrypt it is not the server's own. That, in turn, is the result of the SPN for that service and ticket being registered on the incorrect object in AD: it is that other object's password that was used instead. The server that cannot decrypt the ticket responds to the client with the error, and the client then logs Kerberos event 4 (example below) in its System event log. Less commonly this is caused by network problems between client and server where the ticket is truncated.

Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date: 8/17/2004
Time: 1:30:00 PM
User: N/A
Computer: MACHINENAME
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/ The target name used was
cifs/ This indicates that the password used to encrypt the
kerberos service ticket is different than that on the target server. Commonly, this
is due to identically named machine accounts in the target realm
(childdomain.rootdomain.COM), and the client realm. Please contact your system
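As an added example (not part of this article and not a Microsoft tool), the Python script below ties the event above to the three setspn steps: it parses a constructed Kerberos Event ID 4 description, extracts the target SPN the client used, looks that SPN up in a constructed snapshot of servicePrincipalName values, reports which account wrongly holds it, and emits the "setspn -D" and "setspn -A" commands from the steps in this article. It also lists SPNs registered on more than one account, which produces the same decryption failure. All account names, host names and the domain are made up. The script assumes that the correct holder of a service SPN is the account that holds the HOST/ SPN for the same host name, and that the computer name passed to setspn is the account name without its trailing "$".

```python
import re
from dataclasses import dataclass

# Constructed sample: the text of a Kerberos Event ID 4 as the client logs it.
# CLIENT01, fileserver01 and example.test are placeholders made up for this example.
SAMPLE_EVENT = """\
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date: 8/17/2004
Time: 1:30:00 PM
User: N/A
Computer: CLIENT01
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/fileserver01.example.test. The target name used was
cifs/fileserver01.example.test. This indicates that the password used to encrypt the
kerberos service ticket is different than that on the target server.
"""

# Constructed snapshot of servicePrincipalName values in AD (hypothetical accounts).
# The cifs/ SPN for fileserver01 is wrongly registered on OLDSERVER$ instead of
# FILESERVER01$, and the HTTP/ SPN for web01 is duplicated across two accounts.
DIRECTORY_SPNS = {
    "FILESERVER01$": ["HOST/fileserver01.example.test", "HOST/FILESERVER01"],
    "OLDSERVER$": ["HOST/oldserver.example.test", "cifs/fileserver01.example.test"],
    "WEB01$": ["HOST/web01.example.test", "HTTP/web01.example.test"],
    "svc_web": ["HTTP/web01.example.test"],
}


@dataclass
class Event4:
    computer: str      # client that logged the event
    server: str        # "host/<fqdn>" named in the description
    target_spn: str    # SPN the client requested a ticket for


_COMPUTER = re.compile(r"^Computer:\s*(\S+)", re.M)
_SERVER = re.compile(r"from the server\s+(\S+?)\.?\s+The target name", re.S)
_TARGET = re.compile(r"The target name used was\s+(\S+?)\.?\s+This indicates", re.S)


def parse_event4(text):
    """Extract client, server and target SPN from an Event ID 4 description."""
    computer = _COMPUTER.search(text).group(1)
    server = _SERVER.search(text).group(1)
    target = _TARGET.search(text).group(1)
    return Event4(computer, server, target)


def find_spn_holders(spn, directory):
    """Accounts holding spn; SPN comparison is case-insensitive, as in AD."""
    return [acct for acct, spns in directory.items()
            if any(s.lower() == spn.lower() for s in spns)]


def expected_account(spn, directory):
    """Assumption: the right holder is whoever holds HOST/<host> for the SPN's host."""
    host = spn.split("/", 1)[1].split(":")[0]      # drop service class and any port
    holders = find_spn_holders("HOST/" + host, directory)
    return holders[0] if holders else None


def duplicate_spns(directory):
    """SPNs registered on more than one account (also causes KRB_AP_ERR_MODIFIED)."""
    seen = {}
    for acct, spns in directory.items():
        for s in spns:
            seen.setdefault(s.lower(), []).append(acct)
    return {s: accts for s, accts in seen.items() if len(accts) > 1}


def remediation_commands(event_text, directory):
    """Return the setspn -D / -A commands from the article's steps for this event."""
    ev = parse_event4(event_text)
    wrong = find_spn_holders(ev.target_spn, directory)
    right = expected_account(ev.target_spn, directory)
    cmds = [f"setspn -D {ev.target_spn} {a.rstrip('$')}" for a in wrong if a != right]
    if right and right not in wrong:
        cmds.append(f"setspn -A {ev.target_spn} {right.rstrip('$')}")
    return cmds


if __name__ == "__main__":
    ev = parse_event4(SAMPLE_EVENT)
    print(f"{ev.computer} failed against {ev.server} using SPN {ev.target_spn}")
    print("holders:", find_spn_holders(ev.target_spn, DIRECTORY_SPNS))
    print("duplicates:", duplicate_spns(DIRECTORY_SPNS))
    for c in remediation_commands(SAMPLE_EVENT, DIRECTORY_SPNS):
        print(c)
```

In production the directory snapshot would come from an LDAP query of servicePrincipalName (or from "setspn -Q" as in step 1) rather than the literal dictionary here; the parsing and the wrong-holder logic stay the same.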