#1
Hi everyone,

We are using Server 2003 on two domain controllers and have, for about 2 months, been getting the following error in our system event log on one of our domain controllers.

The kerberos client received a KRB_AP_ERR_MODIFIED error from the server ***$. The target name used was cifs/***** This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (**********), and the client realm.

It happens on both DCs but not nearly as much on one as the other. I imagine it is occurring on logon for certain machines. There is no pattern to the machines it is happening to. Can anyone simply explain what the error means and if there is any way I can isolate the cause? I have used Kerbtray.exe to examine tickets on the servers and clients and they both have tickets.

GazHarle
#2
Have you checked the system time? Are they close? Within 5 mins?

Cheers
Chris

"GazHarle" wrote:
> Hi everyone, We are using Server 2003 on two domain controllers and have, for
> about 2 months been getting the following error in our system event log on
> one of our domain controllers.
>
> The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
> ***$. The target name used was cifs/***** This indicates that the password
> used to encrypt the kerberos service ticket is different than that on the
> target server. Commonly, this is due to identically named machine accounts
> in the target realm (**********), and the client realm.
>
> It happens on both DCs but not nearly as much on one as the other. I imagine
> it is occurring on logon for certain machines. There is no pattern to the
> machines it is happening to. Can anyone simply explain what the error means
> and if there is any way I can isolate the cause. I have used Kerbtray.exe to
> examine tickets on the servers and clients and they both have tickets.
#3
Hi,

Verify that DNS is functioning properly.

The client sent the authentication data to the wrong server because DNS data was out-of-date on the client.
Two computers in different domains have the same name and the client sent the authentication data to the wrong computer.
Verify that there are not multiple computers with the same name, including NetBIOS names, anywhere on the network.

--
Dragos CAMARA
MCSA Windows 2003 server

"GazHarle" wrote:
> Hi everyone, We are using Server 2003 on two domain controllers and have, for
> about 2 months been getting the following error in our system event log on
> one of our domain controllers.
>
> The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
> ***$. The target name used was cifs/***** This indicates that the password
> used to encrypt the kerberos service ticket is different than that on the
> target server. Commonly, this is due to identically named machine accounts
> in the target realm (**********), and the client realm.
>
> It happens on both DCs but not nearly as much on one as the other. I imagine
> it is occurring on logon for certain machines. There is no pattern to the
> machines it is happening to. Can anyone simply explain what the error means
> and if there is any way I can isolate the cause. I have used Kerbtray.exe to
> examine tickets on the servers and clients and they both have tickets.
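To isolate which machines are involved, as the first post asks, the event text can be grouped by the account that answered and the name that was requested. This is an added example, not code from any poster in the thread; the sample messages and all names in it are constructed, and the two hint labels are an assumed heuristic derived from the causes listed in the replies above.

```python
import re
from collections import Counter

# Constructed sample messages in the format quoted in this thread.
# Every host, account and domain name here is made up.
SAMPLE_EVENTS = [
    "The kerberos client received a KRB_AP_ERR_MODIFIED error from the server "
    "FILESRV02$. The target name used was cifs/filesrv01.corp.example.",
    "The kerberos client received a KRB_AP_ERR_MODIFIED error from the server "
    "FILESRV02$. The target name used was cifs/FILESRV01.",
    "The kerberos client received a KRB_AP_ERR_MODIFIED error from the server "
    "WS17$. The target name used was cifs/ws17.corp.example.",
    "The time provider NtpClient is currently receiving valid time data.",
]

EVENT_RE = re.compile(
    r"KRB_AP_ERR_MODIFIED error from the\s+server\s+(?P<server>\S+?)\.\s+"
    r"The target name used was\s+(?P<spn>\S+)",
    re.IGNORECASE,
)

def short_name(name):
    """Reduce 'HOST$', 'host.domain' or 'svc/host.domain@REALM' to 'host'."""
    name = name.split("@", 1)[0]
    parts = name.split("/")
    host = parts[1] if len(parts) > 1 else parts[0]
    return host.rstrip("$.").split(".", 1)[0].lower()

def classify(message):
    """Return (responder, requested, hint) or None for unrelated messages."""
    m = EVENT_RE.search(message)
    if m is None:
        return None
    responder = short_name(m.group("server"))
    requested = short_name(m.group("spn"))
    # Different names: the ticket issued for one host reached another one
    # (stale DNS or a duplicate name). Same name: the right host answered
    # but its machine account secret differs from the one the KDC used.
    hint = "name-resolution" if responder != requested else "account-secret"
    return responder, requested, hint

def summarize(messages):
    """Count events per (responder, requested, hint), most frequent first."""
    hits = (classify(m) for m in messages)
    return Counter(h for h in hits if h is not None).most_common()

if __name__ == "__main__":
    for (responder, requested, hint), n in summarize(SAMPLE_EVENTS):
        print(f"{n:3d}  answered by {responder:<10} asked for {requested:<10} {hint}")
```

Feed it the message text exported from the System log of each client and domain controller; the pairs with the highest counts are the machines to check first for stale DNS records or a mismatched machine account.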
#4
Hi

Thanks for that information. I have checked that DNS is working correctly. We only have one domain on site so I can't imagine there are two computers with the same name. The system does not generate the event on all clients and I have flushed the DNS cache on all clients as well.

It's great to get a second opinion on this.

Thanks in advance!

"Dragos CAMARA" wrote:
> Hi,
>
> Verify that DNS is functioning properly.
>
> The client sent the authentication data to the wrong server because DNS data
> was out-of-date on the client.
> Two computers in different domains have the same name and the client sent
> the authentication data to the wrong computer.
> Verify that there are not multiple computers with the same name, including
> NetBIOS names, anywhere on the network.
>
>
> --
> Dragos CAMARA
> MCSA Windows 2003 server
>
>
> "GazHarle" wrote:
>
> > Hi everyone, We are using Server 2003 on two domain controllers and have, for
> > about 2 months been getting the following error in our system event log on
> > one of our domain controllers.
> >
> > The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
> > ***$. The target name used was cifs/***** This indicates that the password
> > used to encrypt the kerberos service ticket is different than that on the
> > target server. Commonly, this is due to identically named machine accounts
> > in the target realm (**********), and the client realm.
> >
> > It happens on both DCs but not nearly as much on one as the other. I imagine
> > it is occurring on logon for certain machines. There is no pattern to the
> > machines it is happening to. Can anyone simply explain what the error means
> > and if there is any way I can isolate the cause. I have used Kerbtray.exe to
> > examine tickets on the servers and clients and they both have tickets.
#5
Hi

It appears we may have fixed this by removing a little piece of software called UserLock. It allows us to control how many simultaneous logons certain user accounts can have. However, we are now getting "The Kerberos subsystem encountered a PAC verification failure." in the system event log on some clients.

I have scheduled an overnight reboot of the Domain Controller since it has not been restarted since the uninstall of UserLock, so hopefully this should fix it.

"GazHarle" wrote:
> Hi
>
> Thanks for that information. I have checked that DNS is working correctly.
> We only have one domain on site so I can't imagine there are two computers
> with the same name. The system does not generate the event on all clients and
> I have flushed the DNS cache on all clients as well.
>
> It's great to get a second opinion on this.
>
> Thanks in advance!
>
> "Dragos CAMARA" wrote:
>
> > Hi,
> >
> > Verify that DNS is functioning properly.
> >
> > The client sent the authentication data to the wrong server because DNS data
> > was out-of-date on the client.
> > Two computers in different domains have the same name and the client sent
> > the authentication data to the wrong computer.
> > Verify that there are not multiple computers with the same name, including
> > NetBIOS names, anywhere on the network.
> >
> >
> > --
> > Dragos CAMARA
> > MCSA Windows 2003 server
> >
> >
> > "GazHarle" wrote:
> >
> > > Hi everyone, We are using Server 2003 on two domain controllers and have, for
> > > about 2 months been getting the following error in our system event log on
> > > one of our domain controllers.
> > >
> > > The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
> > > ***$. The target name used was cifs/***** This indicates that the password
> > > used to encrypt the kerberos service ticket is different than that on the
> > > target server. Commonly, this is due to identically named machine accounts
> > > in the target realm (**********), and the client realm.
> > >
> > > It happens on both DCs but not nearly as much on one as the other. I imagine
> > > it is occurring on logon for certain machines. There is no pattern to the
> > > machines it is happening to. Can anyone simply explain what the error means
> > > and if there is any way I can isolate the cause. I have used Kerbtray.exe to
> > > examine tickets on the servers and clients and they both have tickets.
Tags: error, ideas, kerberos