The user-visible symptom is that a user failed to get access to a resource. The error they most likely received was "Access is denied" (Win32 error 5).
The underlying cause is that the resource server cannot decrypt the Kerberos service ticket the client presented and returns an error to the client. To find and correct the misplaced SPN:
- At an elevated command prompt, using Enterprise Administrator credentials, run "setspn -Q <SPN>" with the SPN shown as the target name in the Kerberos event 4. This searches the forest and returns the distinguished name of the object (normally a computer account) on which that SPN is registered. SetSPN.exe is installed with the Active Directory Domain Services role or with RSAT. "setspn -X" can additionally list every SPN that is registered on more than one object.
- Remove the incorrectly registered SPN from that object by running "setspn -D <SPN> <computername>" at the command prompt, where <computername> is the object returned by the query.
- Add the SPN to the correct account by running "setspn -S <SPN> <computername>", where <computername> is the target server named in the Kerberos event 4 (the host the client was actually connecting to, not the client that logged the event). "-S" checks for duplicates before adding; "-A" adds without that check.
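The following PowerShell script is an added example, not part of the original article, that carries out the three steps above in one pass. It takes the text of a Kerberos event 4 (the sample event text embedded in the script is constructed to match the shape of the one shown in this article), extracts the target SPN and the server that answered, runs setspn -Q to see which AD object currently holds the SPN, and either prints the setspn commands to move it or runs them when -Fix is given. The host names, the regular expressions used to parse the event text, and the assumption that setspn -Q prints the owning object's DN on a line beginning with "CN=" are mine; the script assumes setspn.exe is available and that the account running it can modify both computer objects.

```powershell
# Added example (not from the original article): locate the AD object that
# holds the SPN from a Kerberos Event ID 4 and move it to the right server.
# Assumes setspn.exe (AD DS role or RSAT) and write rights on both objects.
param(
    # Constructed sample event text in the same shape as the article's event 4.
    [string]$EventMessage = @"
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/fileserver01.child.corp.example. The target name used was
cifs/fileserver01.corp.example. This indicates that the password used to encrypt the
kerberos service ticket is different than that on the target server.
"@,
    [switch]$Fix    # without -Fix the script is a dry run and only prints the commands
)

# 1. Pull the SPN the client used and the host that answered out of the event text.
if (-not ($EventMessage -match 'The target name used was\s+(?<spn>\S+)')) {
    throw 'Could not find the target SPN in the event text.'
}
$spn = $Matches.spn.TrimEnd('.')
if (-not ($EventMessage -match 'from the server\s+host/(?<host>[^\s.]+)')) {
    throw 'Could not find the responding server in the event text.'
}
$serverHost = $Matches.host   # short name of the machine that should own the SPN

# 2. Ask AD which object(s) currently carry the SPN. setspn -Q searches the
#    whole forest and prints the owning object's distinguished name on its own
#    line (assumption about its output format), followed by that object's SPNs.
$output = & setspn.exe -Q $spn 2>&1
$owners = @($output | Where-Object { "$_" -match '^CN=' })

if ($owners.Count -eq 0) {
    Write-Host "No object in the forest has $spn registered."
    Write-Host "Register it on the target server with:  setspn -S $spn $serverHost"
    return
}

foreach ($dn in $owners) {
    # First RDN of the DN is the object's name; for a computer object this is the
    # machine name without the trailing '$'. For a user object whose CN differs
    # from its logon name, pass its sAMAccountName to setspn -D instead.
    $ownerName = (("$dn" -split ',')[0] -replace '^CN=', '')

    if ($ownerName -eq $serverHost) {
        Write-Host "$spn is already registered on $ownerName; the SPN is correct."
        Write-Host "Look for another cause (duplicate machine names across realms, or a truncated ticket on the network)."
        continue
    }

    Write-Host "$spn is registered on '$dn' but the client connected to $serverHost."
    Write-Host "The KDC encrypted the ticket with $ownerName's key, so $serverHost cannot decrypt it (KRB_AP_ERR_MODIFIED)."

    # 3. Remove the SPN from the wrong object, then add it to the right one.
    #    -S checks for duplicates before adding; -A (as in the article) does not.
    $remove = "setspn -D $spn $ownerName"
    $add    = "setspn -S $spn $serverHost"
    if ($Fix) {
        & setspn.exe -D $spn $ownerName
        & setspn.exe -S $spn $serverHost
    } else {
        Write-Host "Dry run. To fix, run:`n  $remove`n  $add"
    }
}
```

Run it first without -Fix to confirm that the object reported by setspn -Q really is the wrong one; when the SPN is already on the server named in the event, the script deliberately makes no change, because in that case the SPN is not the cause and the duplicate-machine-name or network-truncation explanations below apply instead.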
In a network trace this problem appears as an error response from the resource server carrying the error KRB_AP_ERR_MODIFIED.
In this scenario the remote server cannot decrypt the ticket the client sent to it because the key used to encrypt it is not the server's own. That, in turn, happens when the SPN for the service is registered on the wrong object in AD: the KDC encrypts the service ticket with that other object's password-derived key rather than the server's. The server that cannot decrypt the ticket sends the error back to the client, and the client then records Kerberos event 4 (example below) in its System event log. Less commonly the same error is caused by network problems between client and server that truncate or corrupt the ticket in transit.
KERBEROS Event ID 4
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Time: 1:30:00 PM
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/machinename.childdomain.rootdomain.com. The target name used was
cifs/machinename.domain.com. This indicates that the password used to encrypt the
kerberos service ticket is different than that on the target server. Commonly, this
is due to identically named machine accounts in the target realm
(childdomain.rootdomain.COM), and the client realm. Please contact your system