Over the last months, I've had the same problem on three different machines (Windows Server 2016, Windows 10, Windows Server 2008R2) in our domain. The symptoms are always the same:

  • You cannot connect to shares on the affected PC (let's call it FOO). If you try, you get the following error (in the command line as well as with Windows Explorer):

    C:\>dir \\FOO\c$
    The target account name is incorrect.
    
  • You can no longer log in with a domain (let's call it BAR.LOCAL) account on the PC. If you try, you get the following error: The user name or password is incorrect.

  • The event log on the affected PC shows the following error (Event ID: 4, Source: Security-Kerberos) when trying to apply the group policy:

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server foo$. The target name used was FOO$. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (BAR.LOCAL) is different from the client domain (BAR.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

  • It can be fixed by restarting the affected PC.

  • So far, it only happened once on each machine.

I'm now restarting the machine, since I need to use it, i.e. "try this" answers won't help me, since I won't be able to reproduce the problem any more (until it happens again on another machine). Still, I'm curious if anyone has an idea about the cause.

Googling for KRB_AP_ERR_MODIFIED yields a lot of results, but in all of them the server name differs from the target name, so the solutions don't apply.

(PS: A few months ago, we migrated AD from a Windows Server 2003 R2 server to a new Windows Server 2016. This might or might not be related.)

Heinzi
  • If you want to get the correct answer, raise a support incident with Microsoft. Get an action plan to use when you next reproduce the issue. Microsoft will review that and explain the conclusions. – maweeras Mar 06 '17 at 04:56
  • @maweeras: I remember the last times I raised support incidents with Microsoft. You might get lucky, but usually it takes me forever to get them to follow simple repro instructions and then the result is usually something along the lines of: *"Yes, it's probably a bug, so we'll close your support case for free. Yes, we'll forward it to the developers, but, no, we won't tell you what they said. If you are lucky, it might be fixed someday. Have nice day."* So, unless you can tell me some [shibboleth](https://xkcd.com/806/) to get to someone sitting next to the devs, I won't waste my time again. – Heinzi Mar 06 '17 at 07:54
  • @maweeras: I think the exact wording was: "Root cause analysis is only available for Premier Support". So no, even according to MS itself, raising a support incident is not the correct procedure to find the cause of an issue with an MS product. – Heinzi Mar 06 '17 at 08:18
  • Incidentally I work for Microsoft in premier support. There is a difference between break/fix cases and root cause analysis. And it may well turn out that commercial support do not do root cause analysis. I was suggesting you raise an incident where Microsoft collects traces to troubleshoot authentication issues and determine where and why the Kerberos errors are bubbled up. KRB_AP_ERR_MODIFIED can be raised for many reasons. This is why we can't give an immediate answer. It needs investigating to give the correct answer. – maweeras Mar 06 '17 at 08:45
  • @maweeras: I see, sorry for the rant and thanks for the information! Should the problem bother us again, I will consider doing that. – Heinzi Mar 06 '17 at 09:17
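
The event text quoted in the question names two conditions: the SPN being registered on more than one account, and the machine holding a different account password than the KDC. The following read-only check collects evidence for both before a reboot clears the state. It is an added example, not part of the question or its comments. `FOO` and `BAR.LOCAL` are the question's placeholder names; it assumes Windows PowerShell 3.0 or later, a domain-joined machine, and an account allowed to query AD.

```powershell
param(
    [string]$ComputerName = 'FOO',        # placeholder name from the question
    [string]$DnsDomain    = 'BAR.LOCAL'   # placeholder domain from the question
)

# Condition 1: the HOST SPN is registered on more than one account.
# Query AD for every account that carries the short or fully qualified SPN.
foreach ($spn in "HOST/${ComputerName}", "HOST/${ComputerName}.${DnsDomain}") {
    $searcher = [adsisearcher]"(servicePrincipalName=$spn)"
    $searcher.PropertiesToLoad.AddRange([string[]]('sAMAccountName', 'pwdLastSet'))
    $hits = @($searcher.FindAll())
    foreach ($hit in $hits) {
        [pscustomobject]@{
            SPN        = $spn
            Account    = [string]$hit.Properties['samaccountname'][0]
            # pwdLastSet is a FILETIME; a recent value shows when the machine
            # account password was last changed in the directory.
            PwdLastSet = [datetime]::FromFileTimeUtc([int64]$hit.Properties['pwdlastset'][0])
            Duplicate  = ($hits.Count -gt 1)   # True means the SPN is not unique
        }
    }
}

# Condition 2: the local machine password no longer matches the directory.
# The secure-channel test and the local event log only make sense on the
# affected machine itself, so skip them when run elsewhere.
if ($env:COMPUTERNAME -eq $ComputerName) {
    try {
        $channelOk = Test-ComputerSecureChannel   # read-only, no -Repair
    } catch {
        $channelOk = "check failed: $($_.Exception.Message)"
    }
    [pscustomobject]@{ SecureChannelValid = $channelOk }

    # Recent Security-Kerberos Event ID 4 entries, to correlate their timestamps
    # with the PwdLastSet value reported above.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Security-Kerberos'
        Id           = 4
    } -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}
```

The SPN query can also be run from another domain member while the affected machine is in the failed state; the secure-channel and event-log sections run only when the script executes on the affected machine.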
