Kerberos error in system log of SBS2003

I get this error on my SBS2003 domain controller:

Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date: 7/25/2005
Time: 9:06:23 AM
User: N/A
Computer: SBS2003
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/NEWSERVER.domain.local. The target name used was
cifs/OLDSERVER.domain.local. This indicates that the password used to
encrypt the kerberos service ticket is different than that on the target
server. Commonly, this is due to identically named machine accounts in the
target realm (DOMAIN.LOCAL), and the client realm. Please contact your
system administrator.

-- In the above message, OLDSERVER is a machine that used to run 2000
Server, and NEWSERVER is the same machine wiped clean and installed with
Server 2003 SP1.
-- OLDSERVER was simply a member file server, while NEWSERVER has been
promoted to be a replica DC in my SBS2003 domain.
-- OLDSERVER and NEWSERVER have different names, but NEWSERVER is using the
same static IP that had been assigned to OLDSERVER.
-- DNS has no PTR records for OLDSERVER in the Reverse Lookup Zone, but it
does still have A records for OLDSERVER in the forward lookup zone.

Any ideas on where the reference to the old server is coming from?

Thanks in advance,

Bryan

Bryan L wrote:
> I get this error on my SBS2003 domain controller:
>
> Event Type: Error
> Event Source: Kerberos
> Event Category: None
> Event ID: 4
> Date: 7/25/2005
> Time: 9:06:23 AM
> User: N/A
> Computer: SBS2003
> Description:
> The kerberos client received a KRB_AP_ERR_MODIFIED error from the
> server host/NEWSERVER.domain.local. The target name used was
> cifs/OLDSERVER.domain.local. This indicates that the password used to
> encrypt the kerberos service ticket is different than that on the
> target server. Commonly, this is due to identically named machine
> accounts in the target realm (DOMAIN.LOCAL), and the client realm. Please
> contact your system administrator.
>
> -- In the above message, OLDSERVER is a machine that used to run 2000
> Server, and NEWSERVER is the same machine wiped clean and installed
> with Server 2003 SP1.
> -- OLDSERVER was simply a member file server, while NEWSERVER has been
> promoted to be a replica DC in my SBS2003 domain.
> -- OLDSERVER and NEWSERVER have different names, but NEWSERVER is
> using the same static IP that had been assigned to OLDSERVER.
> -- DNS has no PTR records for OLDSERVER in the Reverse Lookup Zone,
> but it does still have A records for OLDSERVER in the forward lookup
> zone.
> Any ideas on where the reference to the old server is coming from?
>
> Thanks in advance,
>
> Bryan

Kerberos cannot authenticate the Web program user because the server cannot
verify the Kerberos authentication request sent by the client. This usually
happens when there is an account in the target domain with the same name as
the server in the client's domain. If so, the ticket is issued for the
server in the client's domain and it cannot be decrypted by the recipient
server in the target domain.

Search the client domain for accounts with the same name as the target
server, and then either rename the duplicate account or remove it.
--
---
Giuseppe Nacci
Microsoft Certified System Engineer
Security Manager

--------------------------------------------------------------------
CONFIDENTIALITY NOTICE
This message and its attachments are addressed solely to the persons
above and may contain confidential information. If you have received
the message in error, be informed that any use of the content hereof
is prohibited. Please return it immediately to the sender and delete
the message. Should you have any questions, please contact us by
replying to (E-Mail Removed)
Thank you
--------------------------------------------------------------------

Thank you Giuseppe for the reply.

I have seen that suggestion in online searches. Could you add something to
make it more clear? What is the "Web program" mentioned? I am running only
one domain, and there has never been a computer account called NEWSERVER in
this domain before. Does the discussion of a "target" and "client" domain
refer to something else that I am not understanding? I am sure I do not
have two computer (or user) accounts with the same name in my domain.

Thanks,

Bryan




> Kerberos cannot authenticate the Web program user because the server
> cannot verify the Kerberos authentication request sent by the client. This
> usually happens when there is an account in the target domain with the
> same name as the server in the client's domain. If so, the ticket is
> issued for the server in the client's domain and it cannot be decrypted by
> the recipient server in the target domain.
>
> Search the client domain for accounts with the same name as the target
> server, and then either rename the duplicate account or remove it.
> --
> ---
> Giuseppe Nacci
> Microsoft Certified System Engineer
> Security Manager
>
> --------------------------------------------------------------------
> CONFIDENTIALITY NOTICE
> This message and its attachments are addressed solely to the persons
> above and may contain confidential information. If you have received
> the message in error, be informed that any use of the content hereof
> is prohibited. Please return it immediately to the sender and delete
> the message. Should you have any questions, please contact us by
> replying to (E-Mail Removed)
> Thank you
> --------------------------------------------------------------------
>
>
>

Thanks for all posts and help on this. I have not resolved this issue, but
this week has been very busy and I have not had time to work on it. I hope
to have more time next week, and will post more then.

Thanks again,

Bryan


"Bryan L" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
>I get this error on my SBS2003 domain controller:
>
> Event Type: Error
> Event Source: Kerberos
> Event Category: None
> Event ID: 4
> Date: 7/25/2005
> Time: 9:06:23 AM
> User: N/A
> Computer: SBS2003
> Description:
> The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
> host/NEWSERVER.domain.local. The target name used was
> cifs/OLDSERVER.domain.local. This indicates that the password used to
> encrypt the kerberos service ticket is different than that on the target
> server. Commonly, this is due to identically named machine accounts in
> the target realm (DOMAIN.LOCAL), and the client realm. Please contact
> your system administrator.
>
> -- In the above message, OLDSERVER is a machine that used to run 2000
> Server, and NEWSERVER is the same machine wiped clean and installed with
> Server 2003 SP1.
> -- OLDSERVER was simply a member file server, while NEWSERVER has been
> promoted to be a replica DC in my SBS2003 domain.
> -- OLDSERVER and NEWSERVER have different names, but NEWSERVER is using
> the same static IP that had been assigned to OLDSERVER.
> -- DNS has no PTR records for OLDSERVER in the Reverse Lookup Zone, but it
> does still have A records for OLDSERVER in the forward lookup zone.
>
> Any ideas on where the reference to the old server is coming from?
>
> Thanks in advance,
>
> Bryan
>
>
>
>