Ritenour

asked on

The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/prnsrv.student.k12.mo.us. This indicates that the password used to encrypt the kerberos service ticket is different than

I can get to the server (different domain) by FQDNS or I.P. but not by name. I do have a WINS server in place and a static name and I.P. for it. Any idea on how to solve the problem? This is what Event Viewer shows.

So if I type \\prntsrv in the UNC, this is the error.

The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/prnsrv.student.k12.mo.us.  This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (STUDENT.K12.MO.US), and the client realm.   Please contact your system administrator.
sasidhar_reddy

The following article could solve your problem:
http://support.microsoft.com/kb/321044

For further reference you can use the following articles:

http://technet2.microsoft.com/windowsserver/en/library/579246c8-2e32-4282-bce7-3209d1ea8bf11033.mspx?mfr=true


Sounds like you've got a duplicate SPN.  There are a number of ways of determining the offending objects.  I wrote a script a while back that's designed to detect duplicate single valued attribute values but it does function for multi-valued properties as well (the attribute in question houses the duplicate value I mentioned).  You can get the script from here -

ftp://falcon.msetechnology.com/scripts/addupe.cmd.txt

Rename the file to ADdupe.cmd, place it somewhere suitable and run it as follows -

C:\>addupe yourdomainhere.com servicePrincipalName

NOTE - It's possible (and quite likely) that the script will list a number of "safe" duplicates; Domain Controllers are but one example.
Ritenour (ASKER)

addupe yourdomainhere prnsrv   (the problem server)
Is this right? If it is, I get 0 results.
You misunderstood the syntax requirements.  You're supposed to replace yourdomainhere with the DNS name of your domain, so if your domain is called mset.org, you would type the following verbatim -

addupe mset.org servicePrincipalName

... do NOT include prnsrv anywhere in the syntax.  If the problem is as I suspect, it will be listed within the results alongside the conflicting account.
No, I did that just using yours as an example
OK, but I'm still not sure of your syntax since it appears that you also substituted the 2nd argument "servicePrincipalName" with your computer's name.
addupe rsd.k12.mo.us prnsrv

rsd.k12.mo.us is the fqdns
prnsrv is the server I cannot get to using unc
If I use prnsrv.student.k12.mo.us or the I.P. it works fine
there is a trust with the other domain.
This is the only server I am having problems with in either domain.
Just re-read the question.  I am not sure what service principal name is....
It's an attribute used to uniquely identify computers and services.  

Please type the command EXACTLY as I've provided below -

addupe rsd.k12.mo.us servicePrincipalName
here are the results


servicePrincipalName: =-
      CN=RSDSRV,OU=Domain Controllers,DC=rsd,DC=k12,DC=mo,DC=us
      CN=RSDSRV,OU=Domain Controllers,DC=rsd,DC=k12,DC=mo,DC=us
      CN=RSDSRV,OU=Domain Controllers,DC=rsd,DC=k12,DC=mo,DC=us
      CN=RSDDC,OU=Domain Controllers,DC=rsd,DC=k12,DC=mo,DC=us
      CN=ADMSRV,OU=Domain Controllers,DC=rsd,DC=k12,DC=mo,DC=us
      CN=ADMSRV,OU=Domain Controllers,DC=rsd,DC=k12,DC=mo,DC=us
      CN=ADMSRV,OU=Domain Controllers,DC=rsd,DC=k12,DC=mo,DC=us
      CN=just5clicks,CN=Computers,DC=rsd,DC=k12,DC=mo,DC=us

No help for me there ... I'll have to give it some more thought.
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4

Is this the event ID which you are noticing in your Event Viewer?
yes
If you notice the above said event error then the first posting will solve your problem, i.e. KB321044.
I had computer accounts in both domains.  Thank you all for your help.  I get the best advice from this site and the people who take the time to answer questions.  Thank you again.
Is the problem resolved? Cheers. How did it get resolved? Any changes you made?
Yes, it is solved. I took the server name out of one of the domain controllers.  I have 2 domains and the computer name was in both.  Once I took it out of the domain we moved it from, the problem vanished. :)

Thanks again.
... which explains why we couldn't locate it.  The SPN wasn't duplicated within the same domain database.

C'est la vie - glad it's resolved.
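
An added example, not part of the thread and not the addupe script: a single-domain search cannot see a conflict that spans two domains, so this compares computer-account exports from both and reports account names and SPNs present in more than one. It assumes a simplified LDIF export per domain (one attribute per line, no base64 or folded lines); the sample entries are constructed and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample exports (simplified LDIF: no base64 values, no folded lines).
# Names are modelled on the thread; the account layout is an assumption.
RSD_LDIF = """\
dn: CN=RSDSRV,OU=Domain Controllers,DC=rsd,DC=k12,DC=mo,DC=us
sAMAccountName: RSDSRV$
servicePrincipalName: HOST/rsdsrv.rsd.k12.mo.us

dn: CN=PRNSRV,CN=Computers,DC=rsd,DC=k12,DC=mo,DC=us
sAMAccountName: PRNSRV$
servicePrincipalName: HOST/PRNSRV
"""
STUDENT_LDIF = """\
dn: CN=PRNSRV,CN=Computers,DC=student,DC=k12,DC=mo,DC=us
sAMAccountName: PRNSRV$
servicePrincipalName: HOST/PRNSRV
servicePrincipalName: HOST/prnsrv.student.k12.mo.us
"""

def parse_ldif(text):
    """Yield (dn, {attr: [values]}) for each blank-line-separated entry."""
    for block in text.replace("\r\n", "\n").strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                attrs[key.lower()].append(value.strip())
        if attrs.get("dn"):
            yield attrs["dn"][0], attrs

def cross_domain_conflicts(exports):
    """exports: {domain: ldif_text}. Return account names and SPNs that
    exist in more than one domain, mapped to the (domain, dn) pairs involved."""
    seen = defaultdict(set)  # "account:..." or "spn:..." -> {(domain, dn)}
    for domain, text in exports.items():
        for dn, attrs in parse_ldif(text):
            for sam in attrs.get("samaccountname", []):
                seen["account:" + sam.lower()].add((domain, dn))
            for spn in attrs.get("serviceprincipalname", []):
                seen["spn:" + spn.lower()].add((domain, dn))
    return {key: sorted(owners) for key, owners in seen.items()
            if len({domain for domain, _ in owners}) > 1}

if __name__ == "__main__":
    hits = cross_domain_conflicts({"rsd.k12.mo.us": RSD_LDIF,
                                   "student.k12.mo.us": STUDENT_LDIF})
    for key, owners in hits.items():
        print(key, *(f"\n    [{domain}] {dn}" for domain, dn in owners))
```
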
Unfortunately, the ftp link for the "addupe" script is broken - making this whole entry useless - it would have been nice if the actual txt of the script was put here.
dbr-2001

Does anyone have a copy of this script? I don't mind hosting a mirror. Please email it to me jeremy (at) fluxlabs.net
Does anyone still have a copy of this script?