KRB_AP_ERR-MODIFIED Two client machines?

Hi all,

I am receiving the Security-Kerberos Event ID 4 error on both servers in my domain(SBS2011 and 2008r2)

The unusual thing is the error contains two client machines

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server INTERNAL_MACHINE$. The target name used was RPCSS/VPN_CONNECTED_MACHINE.

INTERNAL MACHINE is somebody's laptop, it is NOT a server

VPN CONNECTED MACHINE is somebody who spends 99% of the time offsite and is basically on the VPN all day.

Both machines are connected to the same domain. both machines are actively used

I have got no idea where to start, I am relatively new to the industry and don't have a lot of idea in this area or RPCSS.

If someone could point me in a direction that would be great.

Thanks,

Matt 

July 24th, 2015 7:08am
> The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server > /*INTERNAL_MACHINE*/$. The target name used was > RPCSS//*VPN_CONNECTED_MACHINE*/.   Check for duplicate SPNs in your domain or wrong SPNs on those two accounts.   Setspn.exe /? is your friend :)  
Free Windows Admin Tool Kit Click here and download it now
July 24th, 2015 12:32pm

Add to martin suggestions.

Remove the old SPN
1. SETSPN D <service>/<netbios name> machinename.domain.com
2. SETSPN D <service>/<fqdn> machinename

Add the new SPN:
1. SetSPN A <service>/<netbios name> <your domain>\<domain user account>
2. SetSPN A <service>/<fqdn name> <your domain>\<domain user account>

Verifying SPN's with SETSPN
1. SETSPN -L <machinename> (SPN should NOT be listed)
2. SETSPN -L <your domain>\<domain user account> (SPN will be listed)

July 24th, 2015 12:54pm

It seem to me there is dns misconfig issue,  secure channel between client and DC is broken, etc. If duplicate record is present in DNS for client computer then delete the same. Ensure that you set correct dns setting on client and DNS as this:http://adgurus.in/2015/07/16/dns-configuration-best-practice-on-domain-controllers-clients-and-member-servers/

Rejoin the client computer to domain to fix the secure channel issue. There are also other reason refer below links.
http://blogs.msmvps.com/vandooren/2009/04/02/the-kerberos-client-received-a-krb-ap-err-modified-error/
http://blogs.technet.com/b/dcaro/archive/2013/07/04/fixing-the-security-kerberos-4-error.aspx
http://eventid.net/display-eventid-4-source-Kerberos-eventno-1968-phase-1.htm

Free Windows Admin Tool Kit Click here and download it now
July 26th, 2015 7:52pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics