The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server. The target name used was HTTP/
After a few days troubleshooting on this one I think I've just cracked it by switching off the Windows firewall. However we need this enabled. Can anyone quick advise which setting needs to be enabled on the Windows firewall to allow this through?
Cheers
March 8th, 2012 1:59pm
After a few days troubleshooting on this one I think I've just cracked it by switching off the Windows firewall. However we need this enabled. Can anyone quick advise which setting needs to be enabled on the Windows firewall to allow this through?
Cheers
Free Windows Admin Tool Kit Click here and download it now
March 11th, 2012 6:10am
Hi there. I'm running an NLB on the MP. No clients are auto approving - mode set to auto approve from the start. I have regsitered an SPN and followed the details outlined by Microsoft - eg adding account to run CCM
Windows Auth Server Framework Pool.
I'm getting the following error on the DC
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server <>$. The target name used was HTTP/<SPNName>. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server
principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service
is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If
the server name is not fully qualified, and the target domain (DOMAIN) is different from the client domain (DOMAIN), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
I've made sure that only one account is using the SPN and followed all forum post here on how to resolve.
I get constant 'MP has rejected a policy request from GUID:<GUID> because it was not approved. The operating system reported error 2147942405: Access is denied.' I've checked to make sure only one GUID per device.
I'm baffled at this stage. Can anyone throw anything in to assist on this?
Cheers
March 11th, 2012 6:23am
Just a thought. Does IIS authentication need to be set so Windows Authentication is Enabled?
Free Windows Admin Tool Kit Click here and download it now
March 11th, 2012 6:35am
Make sure that the computer account for the SCCM server is in the local admins group on the client. Also, I believe SCCM primarily uses 135, 445, RPC range, and 80 to do it's communication. Generally this is initiated from the client so make sure you take
note of any outbound rules on your client's windows firewall.
March 31st, 2012 2:42pm
You may refer to the following links to configure the firewall:
Windows Firewall Settings for Configuration Manager Clients
Ports Used by Configuration ManagerSabrina
TechNet Community Support
Free Windows Admin Tool Kit Click here and download it now
April 1st, 2012 3:15am