Article ID: 2706695
A System event log has shown at least one Kerberos event 4. This is an event indicating that a client has presented a server with a ticket for access to a resource on that server, and the server cannot decrypt that ticket.
The underlying symptom is that a user failed to gain access to a resource. The error they most likely received was "Access denied" (error 5).
Kerberos service tickets are obtained by a client and passed to a server in order to gain access to resources on that server. They are encrypted with a secret that only the server hosting the requested resource should be able to decrypt. When the SPN is registered on the wrong account in Active Directory, the secret used to encrypt the ticket is that of the account holding the SPN rather than that of the server.
As a result the server cannot decrypt the ticket and returns an error to the client.
To resolve this issue, locate the service principal name (SPN), remove it from the account that wrongly holds it, and then add it to the correct account in Active Directory. To do that follow these steps:
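As an added example (not the article's own step list), the following PowerShell session shows how an administrator can find which Active Directory accounts hold the SPN, remove it from the wrong account, and register it on the correct one. It uses the ActiveDirectory module for the lookup and setspn.exe for the changes; the SPN and account names are placeholders and should be replaced with the values from your own Event ID 4 text.

```powershell
# Added example, not the KB article's own procedure: find which accounts hold an
# SPN, remove it from the wrong one, and register it on the right one.
# All names below are placeholders; substitute the target name from your Event ID 4 text.
$Spn            = 'cifs/machinename.domain.com'
$CorrectAccount = 'MACHINENAME$'    # computer account of the host that serves the share

function Find-SpnHolder {
    # Returns every AD object whose servicePrincipalName attribute contains $Spn.
    # Requires the ActiveDirectory module (RSAT). More than one result, or a
    # single result that is not the resource server, is the misconfiguration
    # the article describes.
    param([Parameter(Mandatory)][string]$Spn)
    Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName |
        Select-Object Name, ObjectClass, DistinguishedName
}

$holders = Find-SpnHolder -Spn $Spn
$holders | Format-Table -AutoSize

# The same lookup with setspn.exe: -Q queries for the SPN, -F searches the whole forest.
setspn -F -Q $Spn

# Forest-wide report of every duplicated SPN (useful when more than one
# service is affected; can take a while in a large forest).
setspn -X -F

# Remove the SPN from each account that holds it but should not. The account
# name comes from the lookup above; 'WRONGACCOUNT$' is a placeholder.
setspn -D $Spn 'WRONGACCOUNT$'

# Register the SPN on the correct account. -S checks for duplicates first and
# refuses to add the SPN if it still exists on another object.
setspn -S $Spn $CorrectAccount

# Verify the result: -L lists the SPNs registered on an account.
setspn -L $CorrectAccount
```

Run this from an elevated prompt as a user with rights to modify both accounts. Clients cache service tickets, so a client that keeps failing after the SPN has been moved may still be presenting the old ticket; running klist purge on that client discards its ticket cache and forces a fresh request from the DC.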
When a client requests a service ticket for a resource, the DC issues it, and the client then presents it to the remote host it is trying to authenticate to.
In a network trace this problem may appear as an error response from the resource server carrying the error KRB_AP_ERR_MODIFIED.
In this scenario the remote server cannot decrypt the ticket the client sent because the password used to encrypt it is not the server's own. That, in turn, is the result of the SPN for that service being registered on the incorrect object in AD, so it is that other object's password that is used instead. The server that cannot decrypt the ticket responds to the client with the error, and the client then records Kerberos event 4 (example below) in its System event log. Less commonly this is caused by network problems between client and server that truncate the ticket.
KERBEROS Event ID 4
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Time: 1:30:00 PM
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/machinename.childdomain.rootdomain.com. The target name used was
cifs/machinename.domain.com. This indicates that the password used to encrypt the
kerberos service ticket is different than that on the target server. Commonly, this
is due to identically named machine accounts in the target realm
(childdomain.rootdomain.COM), and the client realm. Please contact your system
(http://go.microsoft.com/fwlink/?LinkId=151500) for other considerations.
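As an added triage example (not part of the article), the function below extracts the server SPN, the target SPN and the target realm from an Event ID 4 message and compares the host portions, which tells you whether to look for a misplaced SPN on the same host or for identically named machine accounts in two realms, the two causes the event text names. The sample message is constructed from the event shown above; the function name and the assessment wording are my own.

```powershell
# Added example, not from the KB article: pull the server SPN, the target SPN and
# the target realm out of a Kerberos Event ID 4 message and compare the host parts.
# $SampleMessage is constructed from the sample event in the article.
$SampleMessage = @'
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/machinename.childdomain.rootdomain.com. The target name used was
cifs/machinename.domain.com. This indicates that the password used to encrypt the
kerberos service ticket is different than that on the target server. Commonly, this
is due to identically named machine accounts in the target realm
(childdomain.rootdomain.COM), and the client realm.
'@

function Get-KerberosEvent4Info {
    param([Parameter(Mandatory)][string]$Message)

    # Join the wrapped lines so each pattern can match across a line break.
    $flat = ($Message -replace '\s+', ' ').Trim()

    $server = [regex]::Match($flat, 'from the server (?<spn>\S+?)\.? The target name').Groups['spn'].Value
    $target = [regex]::Match($flat, 'target name used was (?<spn>\S+?)\.? This indicates').Groups['spn'].Value
    $realm  = [regex]::Match($flat, 'target realm \((?<realm>[^)]+)\)').Groups['realm'].Value

    # An SPN is serviceclass/host[:port]; keep only the host for the comparison.
    $serverHost  = ($server -split '/', 2)[1] -replace ':\d+$', ''
    $targetHost  = ($target -split '/', 2)[1] -replace ':\d+$', ''
    $serverShort = ($serverHost -split '\.')[0]
    $targetShort = ($targetHost -split '\.')[0]

    $assessment =
        if ($serverHost -ieq $targetHost) {
            "Same host; check which AD object holds '$target' (setspn -Q) and move it to the server's account."
        } elseif ($serverShort -ieq $targetShort) {
            "Same machine name in two realms ($serverHost vs $targetHost); look for identically named machine accounts."
        } else {
            "Ticket was built for '$target' but presented to '$server'; verify the name the client is using."
        }

    [pscustomobject]@{
        ServerSpn   = $server
        TargetSpn   = $target
        TargetRealm = $realm
        ServerHost  = $serverHost
        TargetHost  = $targetHost
        Assessment  = $assessment
    }
}

# Offline run against the constructed sample.
Get-KerberosEvent4Info -Message $SampleMessage | Format-List

# Against a live System log (provider is 'Kerberos' on older systems, as in the
# article's sample, and 'Microsoft-Windows-Security-Kerberos' on newer ones):
# Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 4 } |
#     Where-Object { $_.Message -match 'KRB_AP_ERR_MODIFIED' } |
#     ForEach-Object { Get-KerberosEvent4Info -Message $_.Message }
```

For the sample event the two SPNs share the short host name "machinename" but sit in different DNS domains, so the function reports the same-name-in-two-realms case that the event text itself describes.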
Article ID: 2706695 - Last Review: August 8, 2012 - Revision: 3.0