The kerberos client received a KRB_AP_ERR_MODIFIED error and Failed to query SPN registration on DC 'hostname_ho.domainname.local'

We have various branches connected to our main branch, but one of the
domain controllers from one of the small branches is having an issue and
is not replicating with DCs in the main office. It is also generating
the event ID #4:

"The kerberos client received a KRB_AP_ERR_MODIFIED error from the
server host/name_host.domainname.local. The target name used was host2/
name.host.domainname.local. This indicates that the password used to
encrypt the kerberos service ticket is different than that on the
target server. Commonly, this is due to identically named server
accounts in the target realm (%2), and the client realm (%4). Please
contact your system administrator."

Any idea what would be the best solution for our problem or what we
need to fix?

Below is the result I am getting when I run the "dcdiag"
command:

Computer Name: Hostname

    DNS Host Name: hostname.domainname.local

    System info : Microsoft Windows Server 2003 (Build 3790)

    Processor : x86 Family 15 Model 2 Stepping 9, GenuineIntel

    List of installed hotfixes :

        Q147222

Netcard queries test . . . . . . . : Passed

Per interface results:

    Adapter : Local Area Connection

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : MyServerHostName

        IP Address . . . . . . . . : 132.X.X.X

        Subnet Mask. . . . . . . . : 255.255.255.0

        Default Gateway. . . . . . : 132.X.X.X

        Dns Servers. . . . . . . . : 132.X.X.X


        AutoConfiguration results. . . . . . : Passed


        Default gateway test . . . : Passed


        NetBT name test. . . . . . : Passed

        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.


        WINS service test. . . . . : Skipped

            There are no WINS servers configured for this interface.

Global results:

Domain membership test . . . . . . : Passed

NetBT transports test. . . . . . . : Passed

    List of NetBt transports currently configured:

        NetBT_Tcpip_{86E69554-BF1F-420C-8B5A-A6E8473FF1AA}

    1 NetBt transport currently configured.

Autonet address test . . . . . . . : Passed

IP loopback ping test. . . . . . . : Passed

Default gateway test . . . . . . . : Passed

NetBT name test. . . . . . . . . . : Passed

    [WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.

Winsock test . . . . . . . . . . . : Passed

DNS test . . . . . . . . . . . . . : Passed

    [WARNING] The DNS host name 'hostname.domainname.local' valid only on Windows DNS Servers. [DNS_ERROR_NON_RFC_NAME]

    PASS - All the DNS entries for DC are registered on DNS server
'132.X.X.X' and other DCs also have some of the names registered.

Redir and Browser test . . . . . . : Passed

    List of NetBt transports currently bound to the Redir

        NetBT_Tcpip_{86E69554-BF1F-420C-8B5A-A6E8473FF1AA}

    The redir is bound to 1 NetBt transport.

    List of NetBt transports currently bound to the browser

        NetBT_Tcpip_{86E69554-BF1F-420C-8B5A-A6E8473FF1AA}

    The browser is bound to 1 NetBt transport.

DC discovery test. . . . . . . . . : Passed

DC list test . . . . . . . . . . . : Passed

Trust relationship test. . . . . . : Passed

    Secure channel for domain 'DomainName' is to '\\hostname_ho.domainname.local'.

Kerberos test. . . . . . . . . . . : Passed

LDAP test. . . . . . . . . . . . . : Passed

    [WARNING] Failed to query SPN registration on DC
'hostname_ho.domainname.local'.

    [WARNING] Failed to query SPN registration on DC
'hostname_ho.domainname.local'.

    [WARNING] Failed to query SPN registration on DC
'hostname_ho.domainname.local'.

    [WARNING] Failed to query SPN registration on DC
'hostname_ho.domainname.local'.

Bindings test. . . . . . . . . . . : Passed

WAN configuration test . . . . . . : Skipped

    No active remote access connections.

Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

    Note: run "netsh ipsec dynamic show /?" for more detailed
information

 The command completed successfully
0
Inonino
2/9/2010 7:47:16 PM

Howdie!

Inonino schrieb:
> We have various branches connected to our main branch, but one of the
> domain controller from one of the small branches is having issue and
> is not replicating with DCs in the main office. It is also generating
> the event ID #4:
> 
> "The kerberos client received a KRB_AP_ERR_MODIFIED error from the
> server host/name_host.domainname.local. The target name used was host2/
> name.host.domainname.local. This indicates that the password used to
> encrypt the kerberos service ticket is different than that on the
> target server. Commonly, this is due to identically named server
> accounts in the target realm (%2), and the client realm (%4). Please
> contact your system administrator."

You may probably have machines with identical machine names/SPNs in AD 
or incorrect DNS entries in DNS. Is that only from one DC? I'd probably 
try an LDAP search for host2/name.host.domainname.local and see what it 
comes up with. My guess is that it either returns two objects or there 
are legacy DNS entries that point to different DNS objects with the same 
hostname.

Cheers,
Florian
-- 
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
ANY advice you get on the Newsgroups should be tested thoroughly in your 
lab.
0
Florian
2/9/2010 8:16:09 PM
On Feb 9, 2:16 pm, "Florian Frommherz [MVP]"
<flor...@frickelsoft.DELETETHIS.net> wrote:
> Howdie!
>
> Inonino schrieb:
>
> > We have various branches connected to our main branch, but one of the
> > domain controller from one of the small branches is having issue and
> > is not replicating with DCs in the main office. It is also generating
> > the event ID #4:
>
> > "The kerberos client received a KRB_AP_ERR_MODIFIED error from the
> > server host/name_host.domainname.local. The target name used was host2/
> > name.host.domainname.local. This indicates that the password used to
> > encrypt the kerberos service ticket is different than that on the
> > target server. Commonly, this is due to identically named server
> > accounts in the target realm (%2), and the client realm (%4). Please
> > contact your system administrator."
>
> You may probably have machines with identical machine names/SPNs in AD
> or incorrect DNS entries in DNS. Is that only from one DC? I'd probably
> try an LDAP search for host2/name.host.domainname.local and see what it
> comes up with. My guess is that it either returns two objects or there
> are legacy DNS entries that point to different DNS objects with the same
> hostname.
>
> Cheers,
> Florian
> --
> Microsoft MVP - Group Policy
> eMail: prename [at] frickelsoft [dot] net.
> blog:http://www.frickelsoft.net/blog.
> ANY advice you get on the Newsgroups should be tested thoroughly in your
> lab.

Yes, it is from only one domain.
0
Inonino
2/10/2010 1:42:29 PM
On Feb 10, 7:42 am, Inonino <gilb...@gmail.com> wrote:
> On Feb 9, 2:16 pm, "Florian Frommherz [MVP]"
>
>
>
> <flor...@frickelsoft.DELETETHIS.net> wrote:
> > Howdie!
>
> > Inonino schrieb:
>
> > > We have various branches connected to our main branch, but one of the
> > > domain controller from one of the small branches is having issue and
> > > is not replicating with DCs in the main office. It is also generating
> > > the event ID #4:
>
> > > "The kerberos client received a KRB_AP_ERR_MODIFIED error from the
> > > server host/name_host.domainname.local. The target name used was host2/
> > > name.host.domainname.local. This indicates that the password used to
> > > encrypt the kerberos service ticket is different than that on the
> > > target server. Commonly, this is due to identically named server
> > > accounts in the target realm (%2), and the client realm (%4). Please
> > > contact your system administrator."
>
> > You may probably have machines with identical machine names/SPNs in AD
> > or incorrect DNS entries in DNS. Is that only from one DC? I'd probably
> > try an LDAP search for host2/name.host.domainname.local and see what it
> > comes up with. My guess is that it either returns two objects or there
> > > are legacy DNS entries that point to different DNS objects with the same
> > hostname.
>
> > Cheers,
> > Florian
> > --
> > Microsoft MVP - Group Policy
> > eMail: prename [at] frickelsoft [dot] net.
> > blog:http://www.frickelsoft.net/blog.
> > > ANY advice you get on the Newsgroups should be tested thoroughly in your
> > lab.
>
> Yes, it is from only one domain.

Sorry! From one DC.
0
Inonino
2/10/2010 2:24:34 PM
Howdie!

Inonino schrieb:
> Yes, it is from only one domain.

So what does the failing server resolve in DNS for the target DC (check 
with nslookup)? Have you tried searching in LDAP to check whether there 
are duplicate SPNs?

Cheers,
Florian
-- 
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
ANY advice you get on the Newsgroups should be tested thoroughly in your 
lab.
0
Florian
2/11/2010 6:18:55 PM
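
The duplicate-SPN check suggested in both of Florian's replies (search the directory for the target name and see whether more than one object comes back), as an added example that is not part of the thread: it scans an LDIF export of servicePrincipalName values and reports every SPN held by more than one account. The export command in the comment, the sample records and the function names are assumptions made for illustration.

```python
import base64
from collections import defaultdict

# Constructed sample in the shape of an export such as
#   ldifde -f spn.ldf -r "(servicePrincipalName=*)" -l servicePrincipalName
# Account names are placeholders; the SPN is the target name from the event text.
_B64 = base64.b64encode(b"host2/NAME.host.domainname.local").decode()
SAMPLE_LDIF = f"""\
dn: CN=NAME,OU=Domain Controllers,DC=domainname,DC=local
changetype: add
servicePrincipalName: HOST2/name.host.domainname.local
servicePrincipalName: ldap/name.host.domainname.local

dn: CN=NAME-OLD,CN=Computers,DC=domainname,DC=local
changetype: add
servicePrincipalName:: {_B64}

dn: CN=OTHER,CN=Computers,DC=domainname,DC=local
changetype: add
servicePrincipalName: host2/other.host.domainname.lo
 cal
"""


def unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_spns(text):
    """Return {distinguished name: [SPN, ...]} from LDIF text."""
    owners = {}
    dn = None
    for line in unfold(text):
        if not line.strip():          # blank line ends the current record
            dn = None
            continue
        if line.startswith("#"):      # LDIF comment
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):     # "attr:: value" means base64-encoded
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        attr = attr.lower()
        if attr == "dn":
            dn = value
            owners[dn] = []
        elif attr == "serviceprincipalname" and dn is not None:
            owners[dn].append(value)
    return owners


def find_duplicate_spns(text):
    """Map each SPN (compared case-insensitively) to its holders when there are several."""
    holders = defaultdict(set)
    for dn, spns in parse_spns(text).items():
        for spn in spns:
            holders[spn.lower()].add(dn)
    return {spn: sorted(dns) for spn, dns in holders.items() if len(dns) > 1}


if __name__ == "__main__":
    for spn, dns in find_duplicate_spns(SAMPLE_LDIF).items():
        print(f"duplicate SPN {spn}:")
        for dn in dns:
            print(f"  {dn}")
```

An SPN that shows up under two accounts here matches the condition the event text describes: the service ticket can be encrypted with one account's password while the server that receives it holds the other's.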