ID 1097 /  ID 4 - can not find the machine account The kerberos client received a KRB_AP_ERR_MODIFIED error

Posted on 2010-01-07
Last Modified: 2012-05-08
I am getting the event log errors below. From what I can find, they refer to a machine or user problem within Active Directory, but I don't know what to do to resolve the issue. The Kerberos error seems to indicate that SERVERNAME4 is having problems connecting to the main DC SERVERNAME1.

Any suggestions on how I can narrow down the problem? I have checked DNS on the main DC and the offsite DC. SERVER1 and SERVER4 are on different subnets via VPN; I can contact both DCs from each site.

Event Type:      Error
Event Source:      Userenv
Event Category:      None
Event ID:      1097
Date:            12/24/2009
Time:            2:26:37 PM
User:            NT AUTHORITY\SYSTEM
Computer:      SERVERNAME4
Windows cannot find the machine account, The logon attempt failed .

For more information, see Help and Support Center at

Event Type:      Error
Event Source:      Kerberos
Event Category:      None
Event ID:      4
Date:            11/24/2009
Time:            12:12:38 AM
User:            N/A
Computer:      SERVERNAME4
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/servername.  The target name used was cifs/SERVERNAME.domain.local This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (DOMAIN.LOCAL), and the client realm.   Please contact your system administrator.

For more information, see Help and Support Center at
Question by: randybell
    LVL 7

    Expert Comment

    This error means that the Kerberos ticket which the machine got for resource SERVERNAME was not encrypted with the machine account password of that resource (SERVERNAME).
    We need to know a few things beforehand to resolve this issue.
    How many domains?
    How many DCs in each domain?
    Is the replication going on fine between all DCs?

    Generally this issue occurs when the DCs are not replicating with each other (at least one DC is not). The DC which is not replicating issues a Kerberos ticket for a specific resource (SERVERNAME in this scenario) to any client. But it would not have the current machine account password of that resource as it is not replicating.

    Second, if this is a multi-domain scenario, there can be a situation where you have a machine with the same name in both domains (SERVERNAME). This can also lead to this situation.

    In the first scenario, fix replication for the DCs which are not replicating. In the second scenario, rename one of the machines.

    I hope this helps you identify what's wrong in your case.


    LVL 7

    Expert Comment


    Please reset the secure channel of the server with respect to the PDC using the netdom command.

    Prior to that, use a tool such as KLIST or KERBTRAY to purge the existing tickets, then run the command from the above KB and reboot the server.
    Once it is back up, run "gpupdate /force".
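    The two expert comments above describe first a diagnosis (is replication broken, or is there a duplicate machine name/SPN?) and then a repair (purge tickets, reset the secure channel with netdom, reboot, gpupdate). The script below is an added example, not code from either expert or from Microsoft, that strings those checks and that repair together on the affected DC. It assumes it is run elevated on SERVERNAME4 with Windows Server 2008 R2 or later tooling (klist, setspn, nltest, repadmin, netdom, dsquery, Test-ComputerSecureChannel); the realm, DC and host names are the ones used in the thread, and the -Repair switch and -ResetUser parameter are hypothetical names chosen for this example.

```powershell
<#
Added example (not from the thread or from Microsoft): diagnose, and on request
repair, the condition behind Kerberos Event ID 4 (KRB_AP_ERR_MODIFIED) and
Userenv Event ID 1097 on a domain controller. Run elevated on the affected DC
(SERVERNAME4). Assumes Windows Server 2008 R2+ tools: klist, setspn, nltest,
repadmin, netdom, dsquery and Test-ComputerSecureChannel. Names below are taken
from the thread; -Repair and -ResetUser are hypothetical parameter names.
#>
param(
    [string]$Domain     = 'DOMAIN.LOCAL',          # realm named in the Event ID 4 text
    [string]$PdcDc      = 'SERVERNAME1',           # DC to reset the secure channel against
    [string]$TargetHost = 'SERVERNAME',            # host in the ticket name cifs/SERVERNAME.domain.local
    [string]$ResetUser  = 'DOMAIN\Administrator',  # account allowed to reset a DC machine account password
    [switch]$Repair                                # diagnose only unless -Repair is given
)

function Invoke-Tool([string]$Exe, [string[]]$ToolArgs) {
    # Run an external AD tool, echo its output indented, and return its exit code
    Write-Host "`n> $Exe $($ToolArgs -join ' ')"
    & $Exe @ToolArgs 2>&1 | ForEach-Object { Write-Host "    $_" }
    return $LASTEXITCODE
}

# --- 1. Secure channel: does this machine's account password match what the DC holds? (Event 1097)
$secureChannelOk = Test-ComputerSecureChannel
Write-Host "Secure channel to $Domain intact: $secureChannelOk"
Invoke-Tool nltest @("/sc_query:$Domain") | Out-Null

# --- 2. Replication (first cause named above): a DC that is not replicating issues
#        tickets encrypted with a stale machine account password.
Invoke-Tool repadmin @('/replsummary') | Out-Null
Invoke-Tool repadmin @('/showrepl', $env:COMPUTERNAME, '/errorsonly') | Out-Null

# --- 3. Duplicate machine name / SPN (second cause named above). cifs/ is served by the
#        HOST/ SPN, so look at who owns HOST/<target> and scan the domain for duplicates.
Invoke-Tool setspn @('-Q', "host/$TargetHost.$Domain") | Out-Null
Invoke-Tool setspn @('-Q', "host/$TargetHost") | Out-Null
Invoke-Tool setspn @('-X') | Out-Null                       # lists any duplicate SPNs
Invoke-Tool dsquery @('computer', '-name', $TargetHost) | Out-Null   # more than one DN = duplicate name

if (-not $secureChannelOk) {
    Write-Warning "Secure channel to $Domain is broken; this matches the Event ID 1097 symptom."
}

if (-not $Repair) {
    Write-Host "`nDiagnosis only. Fix replication or rename a duplicate machine first;"
    Write-Host "re-run with -Repair to purge tickets and reset this DC's machine account password."
    return
}

# --- 4. Purge cached tickets so nothing encrypted with the old key is reused (the KLIST step)
Invoke-Tool klist @('purge') | Out-Null

# --- 5. Reset this DC's machine account password against the PDC (the netdom step).
#        Microsoft's DC password-reset procedure stops the KDC first so this DC issues no
#        tickets with the stale key; it is set back to Automatic after the reboot.
#        /passwordd:* prompts for the password instead of putting it on the command line.
Stop-Service -Name kdc -Force
Set-Service  -Name kdc -StartupType Manual
$rc = Invoke-Tool netdom @('resetpwd', "/server:$PdcDc", "/userd:$ResetUser", '/passwordd:*')
if ($rc -ne 0) {
    Write-Warning "netdom resetpwd failed (exit code $rc); KDC left stopped for manual follow-up."
    return
}

Write-Host "`nMachine account password reset. Reboot this server now. After the reboot run:"
Write-Host "    Set-Service -Name kdc -StartupType Automatic; Start-Service -Name kdc"
Write-Host "    gpupdate /force"
```

    Save it as, for example, Repair-DcSecureChannel.ps1 and run it once without -Repair to read the replication and SPN output before changing anything; the reset is only worth doing once the DC is replicating again and any duplicate machine name has been removed, otherwise the new password will drift out of sync just as the old one did.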


    Accepted Solution

    I ended up having to demote the server, removing it from the domain, re-adding it back to the domain and running dcpromo again.
