Cannot log on to 2012 Domain Controllers - The Kerberos client received a KRB_AP_ERR_MODIFIED
Posted on 2014-11-03
I have recently updated our domain with 2012 domain controllers. The domain is still running at 2003 level, but the majority of DCs are now 2012. I have had intermittent issues where users cannot log on again once the screen locks, and some servers fail to accept any password until being rebooted. This morning, on one site, none of my users could log on. I have two 2012 domain controllers, neither of which I could log on to (one carries all FSMO roles). This also prevented logon to some, but not all, servers.
This was fixed by rebooting the DCs, but I need to find out why this happened.
Checking the event log, I received these errors:
The dynamic registration of the DNS record '_ldap._tcp.DOMAIN.local. 600 IN SRV 0 100 389 winDC01.DOMAIN.local.' failed on the following DNS server:
DNS server IP address: 10.10.0.142
Returned Response Code (RCODE): 5
Returned Status Code: 9017
For computers and users to locate this domain controller, this record must be registered in DNS.
Determine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. To learn more about DCDiag.exe, see Help and Support Center. To initiate registration of the DNS records by this domain controller, run 'nltest.exe /dsregdns' from the command prompt on the domain controller or restart Net Logon service.
Or, you can manually add this record to DNS, but it is not recommended.
Error Value: DNS bad key.
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server windc02$. The target name used was E3514235-4B06-11D1-AB04-00C04FC2DCD2email@example.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (domain.LOCAL) is different from the client domain (domain.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
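The event text above names two causes for KRB_AP_ERR_MODIFIED (an SPN registered on more than one account, or a service account password that no longer matches the KDC) plus a failed dynamic DNS registration. The following PowerShell script is an added example, not from the original post, that checks all three from any domain-joined host; it uses only the built-in [adsisearcher], Resolve-DnsName and Test-ComputerSecureChannel, and the domain name, DNS server and DC host name are taken from the events quoted above as placeholders.

```powershell
# Added example (not part of the original post). Assumes a domain-joined Windows
# host with PowerShell 3+ (Resolve-DnsName); no RSAT modules are required.
param(
    [string]$DnsDomain = 'DOMAIN.local',         # domain from the quoted events
    [string]$DnsServer = '10.10.0.142',          # DNS server that refused the update
    [string]$DcHost    = 'winDC01.DOMAIN.local'  # DC whose SRV record failed to register
)

# 1. SPNs registered on more than one account. The KDC encrypts the service
#    ticket with the key of whichever account it finds first; if a different
#    account runs the service, decryption fails with KRB_AP_ERR_MODIFIED.
$searcher = [adsisearcher]'(servicePrincipalName=*)'
$searcher.PageSize = 1000
[void]$searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'servicePrincipalName'))
$owners = @{}
foreach ($r in $searcher.FindAll()) {
    $dn = [string]$r.Properties['distinguishedname'][0]
    foreach ($spn in $r.Properties['serviceprincipalname']) {
        $key = ([string]$spn).ToLowerInvariant()
        if (-not $owners.ContainsKey($key)) { $owners[$key] = New-Object System.Collections.ArrayList }
        [void]$owners[$key].Add($dn)
    }
}
$dupes = $owners.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 }
if ($dupes) {
    Write-Warning 'Duplicate SPNs found (each SPN must be registered on exactly one account):'
    $dupes | ForEach-Object { "{0}`n    {1}" -f $_.Key, ($_.Value -join "`n    ") }
} else {
    'No duplicate SPNs found.'
}

# 2. Is the DC's _ldap._tcp SRV record present on the DNS server that refused
#    the dynamic update? (RCODE 5 is REFUSED; status 9017 is "DNS bad key".)
$srv = Resolve-DnsName -Name "_ldap._tcp.$DnsDomain" -Type SRV -Server $DnsServer -ErrorAction SilentlyContinue
if ($srv | Where-Object { $_.NameTarget -ieq $DcHost }) {
    "SRV record for $DcHost is present on $DnsServer."
} else {
    Write-Warning "No _ldap._tcp SRV record for $DcHost on $DnsServer; run 'nltest.exe /dsregdns' on the DC to re-register."
}

# 3. Does this machine's account password still agree with the DC? A stale
#    machine password is the second cause named in the Kerberos event text.
Test-ComputerSecureChannel -Verbose
```

Run it on an affected member server first, then on the DC itself; a False result from step 3 on a member can be repaired with Test-ComputerSecureChannel -Repair, while duplicates from step 1 have to be resolved in AD before the Kerberos errors stop.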