The kerberos client received a KRB_AP_ERR_MODIFIED

By ben.owen
We have 3 clusters that are running a combination of SQL 2000 and SQL 2005. A few weeks ago we had a need to start using account delegation in our environment, which meant configuring an SPN for the account running the SQL instance and enabling the network name resource for Kerberos authentication. Everything worked fine, and using a tool like kerbtray you can now see SQL connecting using Kerberos, and indeed all the account delegation works as it should. However, I noticed today that we have started receiving these errors in the event log every time you try and connect to the SQL virtual instance (from any server):

The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/node-01.domain.local. The target name used was cluster-01. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server.

So I started digging around and trying to find out what was happening, but nothing is broken. If I stop the cluster using Kerberos, then the errors disappear, but obviously delegation doesn't work. The issue is easy to replicate: just open up a drive share using the virtual server name and the error appears in the event log (access is still granted, however). If you open up the same share using the active node's network name, then the error doesn't appear.

Now I can guess at what is happening, but I have no idea why, and on all 3 clusters across different forests. I've checked all the DNS / WINS / SPN settings and can't find a thing wrong...

Anyone have any ideas?


All Answers


Service Principal Name

by BFilmFan, in reply to "The kerberos client received a KRB_AP_ERR_MODIFIED"

You mentioned SPN, but did you search the entire domain?

See and

If you cannot find a duped SPN, then call Microsoft, because I have never seen that error when it wasn't a duped SPN.
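KRB_AP_ERR_MODIFIED is raised when the service decrypts the ticket with a different key than the one the KDC used to encrypt it, and the reply above points at the usual cause: the SPN the client asks for is registered on more than one account. The following PowerShell script is an added example for running that domain-wide search; it is not from the thread or from any of the posters. It assumes the ActiveDirectory module (RSAT) is installed and that the account running it can read the domain. The names cluster-01 and domain.local are taken from the original post; the MSSQLSvc port 1433 is an assumption about a default instance.

```powershell
# Added example (not part of the original thread): list every SPN in the domain,
# report any SPN registered on more than one account, then show which account
# owns the SPNs a client would request for the cluster virtual name.
Import-Module ActiveDirectory

# Names taken from the thread; replace with the virtual server being tested.
$VirtualName = 'cluster-01'
$DnsSuffix   = 'domain.local'

# One LDAP query for every object (user, computer, service account) that carries an SPN.
$objects = Get-ADObject -LDAPFilter '(servicePrincipalName=*)' `
                        -Properties servicePrincipalName, objectClass

# Build SPN -> list of owning accounts. SPN comparison is case-insensitive in
# Kerberos, so normalise to lower case before grouping.
$owners = @{}
foreach ($obj in $objects) {
    foreach ($spn in $obj.servicePrincipalName) {
        $key = $spn.ToLowerInvariant()
        if (-not $owners.ContainsKey($key)) { $owners[$key] = @() }
        $owners[$key] += "$($obj.objectClass): $($obj.DistinguishedName)"
    }
}

# 1. Any SPN held by two accounts: the KDC picks one of them when it issues the
#    ticket, so clients can be handed a ticket encrypted with a key the service
#    does not have. That is the KRB_AP_ERR_MODIFIED pattern.
$dupes = $owners.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 }
if ($dupes) {
    Write-Warning 'Duplicate SPNs found:'
    $dupes | ForEach-Object { "{0}`n    {1}" -f $_.Key, ($_.Value -join "`n    ") }
} else {
    Write-Output 'No duplicate SPNs in the domain.'
}

# 2. Show who owns the SPNs a client uses for the virtual name: HOST/<name> for
#    file shares (the case in the thread) and MSSQLSvc/<fqdn>:1433 for SQL.
#    The account listed must be the one whose password the service really uses.
$wanted = @("host/$VirtualName",
            "host/$VirtualName.$DnsSuffix",
            "mssqlsvc/$VirtualName.$DnsSuffix:1433")
foreach ($w in $wanted) {
    $who = if ($owners.ContainsKey($w)) { $owners[$w] -join '; ' } else { '<not registered>' }
    "{0,-45} -> {1}" -f $w, $who
}
```

On Windows Server 2008 and later the same duplicate search is built in as `setspn -X`, and `setspn -Q host/cluster-01` answers the second question directly; the script above is useful where you want to see both the duplicates and the owning account's object class in one pass. Note that the error text in the original post names the server principal `host/node-01.domain.local` while the target name was `cluster-01`, so the accounts to compare are the node's computer object and whichever object holds the `HOST/cluster-01` SPN.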


Still an issue

by ben.owen, in reply to "Service Principal Name"

Thanks for the response, but unfortunately no, there is no duplicate SPN. I'm not actually getting any duplicate SPN errors on the DCs, and strangely enough nothing has stopped working, but it's a persistent error on any machine that tries to connect to the virtual server.

I've even managed to duplicate the error on a completely separate domain / forest, where I didn't even add the additional SPN, but as soon as you enable Kerberos for the clustered network name resource the error appears.
