Kerberos error

I have 3 Hyper-V hosts. The servers are Windows Server 2012 R2. All of them are reporting an error in Event Viewer:

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server server3$. The target name used was HTTP/ourserver.domain.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (domain.com) is different from the client domain (domain.com), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.



If I try to refresh page on Server Manager the error is:

Error      ourserver : Configuration refresh failed with the following error: The metadata failed to be retrieved from the server, due to the following error: WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred.  



Ourserver in DNS has 3 A records, and the IPs are the same as Server1, Server2 and Server3.

I can connect with domain accounts to servers. Why is this happening?
Almantas Skarbalius asked:
Casey Weaver, Managed Services Windows Engineer III, commented:
Have you checked for any time skew? Are the hosts domain joined, or using local admin accounts?
0
R@f@r P@NC3R, Virtualization Specialist, commented:
Hello,

Additionally, do you have a cluster?

Validate that all your hosts are connected to the cluster, if you have one.

Validate the DNS name resolution: execute an nslookup to validate the resolution of names and IP addresses.

Validate that the forward and reverse DNS zones exist with the name of the host.

Attached are other links that can help you.

https://social.technet.microsoft.com/Forums/windowsserver/en-US/1712db04-0dd3-4f94-9f7c-a28daf9382c9/the-kerberos-client-received-a-krbaperrmodified-error?forum=winserverDS

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc733987(v=ws.10)

We remain attentive to your comments.
0
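A PowerShell check that works through Casey's time-skew question and the DNS and SPN validation in this answer, added here as an example rather than anything posted in the thread. It assumes the DnsClient and ActiveDirectory modules are available and uses the names from the question (ourserver.domain.com and the HTTP/ SPN from the event).

```powershell
# Added diagnostic example, not from the thread. Assumes the DnsClient and
# ActiveDirectory modules are installed; $Name and $Spn come from the question.
$Name = 'ourserver.domain.com'
$Spn  = "HTTP/$Name"

# 1. Which hosts does a client actually reach through this name?
#    The question says the name has three A records (one per Hyper-V host).
$aRecords = Resolve-DnsName -Name $Name -Type A -ErrorAction Stop |
    Where-Object { $_.Type -eq 'A' }
"$Name resolves to: $($aRecords.IPAddress -join ', ')"

# Reverse lookup each address so the round-robin targets are named explicitly.
foreach ($ip in $aRecords.IPAddress) {
    $ptr = Resolve-DnsName -Name $ip -Type PTR -ErrorAction SilentlyContinue
    "  $ip -> $(if ($ptr) { $ptr.NameHost -join ', ' } else { '(no PTR record)' })"
}

# 2. Which AD account(s) hold the SPN? The event text says KRB_AP_ERR_MODIFIED
#    occurs when the SPN is registered on an account other than the one the
#    service that received the ticket runs as. The ticket is encrypted for the
#    SPN owner, so a host reached via the round-robin name that is not that
#    owner cannot decrypt it. A duplicate SPN is always a misconfiguration.
$owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" `
                         -Properties servicePrincipalName)
switch ($owners.Count) {
    0       { "No account holds $Spn; Kerberos cannot be used for this name" }
    1       { "$Spn is registered on: $($owners[0].DistinguishedName)" }
    default {
        "DUPLICATE SPN: $Spn is registered on $($owners.Count) accounts:"
        $owners.DistinguishedName | ForEach-Object { "  $_" }
    }
}

# 3. Time skew: Kerberos rejects tickets outside the 5-minute tolerance by
#    default, so compare each resolved host's clock with this machine's.
foreach ($ip in $aRecords.IPAddress) {
    "Clock offset for ${ip}:"
    w32tm /stripchart /computer:$ip /samples:1 /dataonly
}
```

Compare the account shown in step 2 with the host named in the event (server3$ in the question): if that host is not the SPN owner but is one of the addresses from step 1, the event text's explanation fits.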


Almantas Skarbalius (Author) commented:
Time is OK, and they are domain joined. They are joined to a failover cluster. But in DNS there is a record, ourserver, which points to 3 IPs (all three Hyper-V hosts). Servercluster is on a different name and IP than "ourserver".
Maybe you have an idea, or know from experience, why it was built this way.
0
R@f@r P@NC3R, Virtualization Specialist, commented:
Hello,

Does DNS resolution answer by name and IP?

Do not erase any DNS record. In your DNS zone, is ServerCluster named like this?

Pointing to your Hyper-V host

I remain attentive to your comments.

Regards...
0
Almantas Skarbalius (Author) commented:
No, there are server1, server2 and server3. They're the Hyper-V hosts.
The failover cluster has the name Servercluster and a separate IP and DNS entry. Ourserver is also a failover cluster name (I don't know why the architect made two names). In DNS, Ourserver has 3 A records, which are the same as the servers'. But the guy who worked here before said he remembers that Servercluster and Ourserver had the same single IP and A record.
In addition, Server3 and Servercluster each have the same two IPs. It was never like this before, because they have one teamed interface.
0
R@f@r P@NC3R, Virtualization Specialist, commented:
Hello,

You can create new records and validate.

Either do this without deleting the other records, or, after taking note of those records, delete them and create new records.

I remain attentive to your comments.

Regards...
0
Casey Weaver, Managed Services Windows Engineer III, commented:
Proper diagnostic steps are given.
0