I have a situation where Kerberos authentication is failing.

I have checked that the SPN is registered under the correct AD user account that runs the service that needs to use Kerberos to authenticate the user, and not the host itself.

The password for the user account has never been changed, and there is no duplicate of the service server's name in DNS or alias registered for the server that would require another SPN to be registered.

The strange (to me) item I notice is that in the event viewer of one of the client machines where authentication fails, I see that the AD user name that runs the application service is being returned as the server:

The Kerberos client received a KRB_AP_ERR_MODIFIED error from server TUR_ServKebProd. The target name used was HTTP /testserver.test.testdom.com. This indicates that the destination server was unable to decrypt the client-supplied token.

I'm going to have the SPN/service run under the host itself as a test, as per Kerberos Event 4 servername showing username.

But in case this does not work, has anyone seen the above scenario where the account name is returned as the server name and what the solution was?

Ringo
  • Any chance the service principal is configured for AES? If the receiving server can't derive the right secrets from the password it should return that error. – Steve May 10 '19 at 18:02
  • @steve I'm checking up on your suggestion and awaiting confirmation as to the encryption used. The PDC in this case is running Windows 2012 R2, while the server for which the SPN is registered is Windows 2016. I've tried to reproduce on a very simple test environment but cannot do so, and in the test environment AES is used for the SPN. – Ringo May 16 '19 at 08:30
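The three things the question and Steve's comment are trying to establish (who holds the SPN, whether the holder's password has been reset since the service started, and which encryption types the account's keys support) can be checked from any domain-joined machine. This is an added diagnostic, not code from the original post; it assumes the RSAT ActiveDirectory module and klist.exe are available and uses the SPN quoted in the event log text.

```powershell
# Added diagnostic, not part of the question or comments. Assumes the RSAT
# ActiveDirectory module and klist.exe; the SPN is the one from the event text.
Import-Module ActiveDirectory
$Spn = 'HTTP/testserver.test.testdom.com'

# Human-readable names for the bits of msDS-SupportedEncryptionTypes.
$EncTypeBits = [ordered]@{ 0x01 = 'DES-CBC-CRC'; 0x02 = 'DES-CBC-MD5'
                           0x04 = 'RC4-HMAC';    0x08 = 'AES128-CTS-HMAC-SHA1-96'
                           0x10 = 'AES256-CTS-HMAC-SHA1-96' }
function Decode-EncTypes([Nullable[int]]$Value) {
    # Unset means the KDC applies its default, which on 2012 R2 era DCs is
    # RC4-only for user accounts; an AES service ticket then cannot be decrypted.
    if ($null -eq $Value) { return 'unset (KDC default)' }
    ($EncTypeBits.Keys | Where-Object { $Value -band $_ } |
        ForEach-Object { $EncTypeBits[$_] }) -join ', '
}

# 1. Every object that carries the SPN. Exactly one is expected; a second hit
#    is a duplicate SPN, so the KDC may encrypt the service ticket with the
#    other account's key and the service reports KRB_AP_ERR_MODIFIED.
$holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" `
    -Properties sAMAccountName, objectClass, pwdLastSet, 'msDS-SupportedEncryptionTypes')

switch ($holders.Count) {
    0       { Write-Warning "No AD object holds $Spn"; return }
    1       { "Single holder: $($holders[0].sAMAccountName)" }
    default { Write-Warning "Duplicate SPN held by: $($holders.sAMAccountName -join ', ')" }
}

# 2. Per holder: object type (user vs computer, which is what the event's
#    "server" field reflects), when the password was last set (a reset after
#    the service started leaves it holding keys from the old password), and
#    the encryption types its keys support.
foreach ($h in $holders) {
    [pscustomobject]@{
        Account         = $h.sAMAccountName
        ObjectClass     = $h.objectClass
        PasswordLastSet = [DateTime]::FromFileTime($h.pwdLastSet)
        EncryptionTypes = Decode-EncTypes $h.'msDS-SupportedEncryptionTypes'
    }
}

# 3. Request a fresh service ticket and read its "KerbTicket Encryption Type";
#    it must be one the holder above supports, or decryption fails on the server.
klist purge | Out-Null
klist get $Spn
```

Run it as the failing user on a client where the event appears, so the ticket in step 3 is the one the service actually receives.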

0 Answers