Ritenour
asked on
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/prnsrv.student.k12.mo.us. This indicates that the password used to encrypt the kerberos service ticket is different than
I can get to the server (different domain) by FQDNS or I.P. but not by name. I do have a wins server in place and a static name and I.P. for it. Any idea on how to solve the problem ? This is what event viewer shows.
so if I type \\prntsrv in the unc this is the error.
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/prnsrv.student.k12.mo.us. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (STUDENT.K12.MO.US), and the client realm. Please contact your system administrator.
Sounds like you've got a duplicate SPN. There are a number of ways of determining the offending objects. I wrote a script a while back that's designed to detect duplicate single valued attribute values but it does function for multi-valued properties as well (the attribute in question houses the duplicate value I mentioned). You can get the script from here -
ftp://falcon.msetechnology.com/scripts/addupe.cmd.txt
Rename the file to ADdupe.cmd, place it somewhere suitable and run it as follows -
C:\>addupe yourdomainhere.com servicePrincipalName
NOTE - It's possible (and quite likely) that the script will list a number of "safe" duplicates; Domain Controllers are but one example.
ASKER
addupe yourdomainhere prnsrv (the problem server)
Is this right and if it is I get 0 results.
You misunderstood the syntax requirements. You're supposed to replace yourdomainhere with the DNS name of your domain, so if your domain is called mset.org, you would type the following verbatim -
addupe mset.org servicePrincipalName
... do NOT include prnsrv anywhere in the syntax. If the problem is as I suspect, it will be listed within the results alongside the conflicting account.
ASKER
No, I did that just using yours as an example
OK, but I'm still not sure of your syntax since it appears that you also substituted the 2nd argument "servicePrincipalName" with your computer's name.
ASKER
addupe rsd.k12.mo.us prnsrv
rsd.k12.mo.us is the fqdns
prnsrv is the server I cannot get to using unc
If I use prnsrv.student.k12.mo.us or the I.P. it works fine
there is a trust with the other domain.
This is the only server I am having problems with in either domain.
ASKER
Just re-read the question. I am not sure what service principal name is....
It's an attribute used to uniquely identify computers and services.
Please type the command EXACTLY as I've provided below -
addupe rsd.k12.mo.us servicePrincipalName
ASKER
here are the results
servicePrincipalName: =-
CN=RSDSRV,OU=Domain Controllers,DC=rsd,DC=k12,DC=mo,DC=us
CN=RSDSRV,OU=Domain Controllers,DC=rsd,DC=k12,DC=mo,DC=us
CN=RSDSRV,OU=Domain Controllers,DC=rsd,DC=k12,DC=mo,DC=us
CN=RSDDC,OU=Domain Controllers,DC=rsd,DC=k12,DC=mo,DC=us
CN=ADMSRV,OU=Domain Controllers,DC=rsd,DC=k12,DC=mo,DC=us
CN=ADMSRV,OU=Domain Controllers,DC=rsd,DC=k12,DC=mo,DC=us
CN=ADMSRV,OU=Domain Controllers,DC=rsd,DC=k12,DC=mo,DC=us
CN=just5clicks,CN=Computers,DC=rsd,DC=k12,DC=mo,DC=us
No help for me there ... I'll have to give it some more thought.
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
is this the event id which you are noticing in your event viewer.
ASKER
yes
if u notice the above said event error then the first posting will solve your problem ie kb321044
ASKER
I had computer accounts in both domains. Thank you all for your help. I get the best advice from this site and the people who take the time to answer questions. Thank you again.
is the problem resolved cheers. how did it get resolved. any changes u made..?
ASKER
Yes it is solved, I took the server name out of one of the domain controllers. I have 2 domains and the computer name was in both. Once I took it out of the domain we moved it from the problem vanished. :)
Thanks again.
... which explains why we couldn't locate it. The SPN wasn't duplicated within the same domain database.
C'est la vie - glad it's resolved.
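A cross-domain version of the duplicate check, as an added example that is not part of the original thread and is not the addupe script. It assumes each trusted domain's computer accounts have been exported as `dn:` / `servicePrincipalName:` records; the sample records, including the leftover PRNSRV account in rsd.k12.mo.us, are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample exports, one per trusted domain (dn + servicePrincipalName).
# The leftover PRNSRV account in rsd.k12.mo.us is an assumption for illustration.
EXPORTS = {
    "rsd.k12.mo.us": """\
dn: CN=RSDSRV,OU=Domain Controllers,DC=rsd,DC=k12,DC=mo,DC=us
servicePrincipalName: HOST/rsdsrv.rsd.k12.mo.us
servicePrincipalName: HOST/RSDSRV

dn: CN=PRNSRV,CN=Computers,DC=rsd,DC=k12,DC=mo,DC=us
servicePrincipalName: HOST/prnsrv.rsd.k12.mo.us
servicePrincipalName: HOST/PRNSRV
""",
    "student.k12.mo.us": """\
dn: CN=PRNSRV,CN=Computers,DC=student,DC=k12,DC=mo,DC=us
servicePrincipalName: HOST/prnsrv.student.k12.mo.us
servicePrincipalName: HOST/PRNSRV
""",
}

def parse_export(text):
    """Return {dn: [spn, ...]} from 'attr: value' records separated by blank lines."""
    accounts, dn = {}, None
    for line in text.splitlines():
        attr, _, value = line.partition(": ")
        if attr.lower() == "dn":
            dn = value.strip()
            accounts[dn] = []
        elif attr.lower() == "serviceprincipalname" and dn:
            accounts[dn].append(value.strip())
    return accounts

def short_spn(spn):
    """Normalise 'HOST/prnsrv.student.k12.mo.us' to 'host/prnsrv' (class + short name)."""
    svc, _, host = spn.partition("/")
    return f"{svc}/{host.split(':')[0].split('.')[0]}".lower()

def cross_domain_duplicates(exports):
    """Return short SPNs registered in two or more domains, with the DNs holding them."""
    seen = defaultdict(lambda: defaultdict(set))
    for domain, text in exports.items():
        for dn, spns in parse_export(text).items():
            for spn in spns:
                seen[short_spn(spn)][domain].add(dn)
    return {k: {d: sorted(v) for d, v in doms.items()}
            for k, doms in seen.items() if len(doms) > 1}

if __name__ == "__main__":
    for spn, holders in cross_domain_duplicates(EXPORTS).items():
        print(spn, holders)
```

Comparing on the short host name is what surfaces the conflict here: each domain's export is free of duplicates on its own, which matches the empty single-domain result earlier in the thread.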
Unfortunately, the ftp link for the "addupe" script is broken - making this whole entry useless - it would have been nice if the actual txt of the script was put here.
I found the script under http://archives.devshed.com/forums/windows-107/gc-issues-9504.html
Does anyone have a copy of this script? I don't mind hosting a mirror. Please email it to me jeremy (at) fluxlabs.net
Does anyone still have a copy of this script
http://support.microsoft.com/kb/321044
for further reference you can use the following articles
http://technet2.microsoft.com/windowsserver/en/library/579246c8-2e32-4282-bce7-3209d1ea8bf11033.mspx?mfr=true