We have 3 clusters that are running a combination of SQL 2000 and SQL 2005, we had a need a few weeks ago to start using account delegation in our environment which meant configuring a SPN for the account running the SQL instance, and enabling the network name resource for Kerberos authentication. Everything worked fine and using a tool like kerbtray you can now see SQL connecting using Kerberos, and indeed all the account delegation works as it should. However I noticed today that we have started receiving these errors in the event log every time you try and connect to the SQL virtual instance: (from any server)
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/node-01.domain.local. The target name used was cluster-01. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server.
So I started digging around and trying to find out what was happening – but nothing is broken. If I stop the cluster using kerberos, then the errors disappear, but obviously delegation doesn?t work. The issue is easy to replicate, just open up a drive share using the virtual server name and the error appears in the event log (access is still granted however) If you open up the same share using the active nodes network name then the error doesn?t appear.
Now I can guess at what is happening, but I have no idea why – and on all 3 clusters across different forests. I?ve checked all the DNS / WINS / SPN settings and cant find a thing wrong….
anyone have any ideas?
cheers