[Last Call] Learn how to a build a cloud-first strategyRegister Now


ID 1097 /  ID 4 - can not find the machine account The kerberos client received a KRB_AP_ERR_MODIFIED error

Posted on 2010-01-07
Medium Priority
Last Modified: 2012-05-08
I am getting the below event log errors,  from what I can find it is referring to a machine or user problem within the active directory, but I don't know what to do to resolve the issue.  The kerberos error seems to indicate the SERVERNAME4 is having problems connecting to the main DC SERVERNAME1.

Any suggestions on how I narrow the problem?    I have check DNS on the main dc and the offsite DC.   SERVER1 and SERVER4 are on different subnets via VPN,  I can contact both DC's from each site.

Event Type:      Error
Event Source:      Userenv
Event Category:      None
Event ID:      1097
Date:            12/24/2009
Time:            2:26:37 PM
User:            NT AUTHORITY\SYSTEM
Computer:      SERVERNAME4
Windows cannot find the machine account, The logon attempt failed .

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Error
Event Source:      Kerberos
Event Category:      None
Event ID:      4
Date:            11/24/2009
Time:            12:12:38 AM
User:            N/A
Computer:      SERVERNAME4
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/servername.  The target name used was cifs/SERVERNAME.domain.local This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (DOMAIN.LOCAL), and the client realm.   Please contact your system administrator.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Question by:randybell

Expert Comment

ID: 26205914
This error means that the kerberos ticket which the machine got for resource SERVERNAME, was not encrypted with the machine account password of that resource (SERVERNAME).
We need to know a few things beforehand to resolve this issue.
How many domains?
How many DCs in each domain?
Is the replication going on fine between all DCs?

Generally this issue occurs when the DCs are not replicating with each other (atleast one DC is not). The DC which is not replicating, issues a kerberos ticket for a specific resource (SERVERNAME in this scenario) to any client. But it would not have the current machine account password of that resource as it is not replicating.

Second, if this is a multi domain scenario, there can be a situation where you have machine with same name in both domains (SERVERNAME). This can also lead to this situation.

In first scenario, fix replication for the DCs which are not replicating. In second scenario, rename one of the machines.

I hope this helps you identify whats wrong in your case.



Expert Comment

ID: 26287116

Please reset the secure channel of the server with respect to PDC using the netdom command

Prior to that us a tool KLIST or KERBTRAY to purge the exsisting tickets and ryun the command from above kb and reboot the server.
Once it is back-up run "gpupdate /force"


Accepted Solution

randybell earned 0 total points
ID: 27385562
I ended up have to demote the server, removing it from the domain and re-adding back to the domain and running dcpromo again.

Featured Post

Nothing ever in the clear!

This technical paper will help you implement VMware’s VM encryption as well as implement Veeam encryption which together will achieve the nothing ever in the clear goal. If a bad guy steals VMs, backups or traffic they get nothing.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A hard and fast method for reducing Active Directory Administrators members.
A bad practice commonly found during an account life cycle is to set its password to an initial, insecure password. The Password Reset Tool was developed to make the password reset process easier and more secure.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

834 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question