Why is a user with valid credentials not able to login on AD domain PCs or servers?

I had this question after viewing "Incorrect Username or Password" on log in.

After setting up a new VoIP phone system from Comcast Business on our network, which required re-configuring our Dell network switch with VLANs for voice and data, we started to see issues with users not able to log in to the network even though their credentials are valid. I would like to know if others have had a similar experience and, if so, what the best solution is to avoid this kind of problem. Also, I am still trying to resolve the login problems for the users, and the only way I have been able to use thus far is to have the user reboot their PC, and then they are able to log in again. I had similar problems with my domain admin account randomly on different servers. Why is it that on some servers my login works and on others it does not?
Jaime Bonilla, IT Specialist, Asked:
Shaun Vermaak, Technical Specialist, Commented:
Check that the date and time are correct on these devices.
Learnctx, Engineer, Commented:
Step #1 for any administrator is to view the security logs. The logs will tell you exactly why the logon attempt failed (via the status and sub-status codes). You can look up the event ID and relevant codes here: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/security-auditing-overview. Just put the event code into the filter in the top left to find the relevant article.

This is assuming you have set up auditing on your endpoints and your DCs.
masnrock Commented:
You might want to check your switch's configuration. Are devices ending up on the wrong VLAN sometimes?
Jaime Bonilla, IT Specialist, Author Commented:
Thanks for the tips Shaun, Learnctx, and masnrock.

Learnctx, I looked in the event viewer security log and there was no audit failure due to login problem. However, I noticed in the system log the following error:

"The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server srv-hpe01$. The target name used was SRV-HPE01$. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain ([MyDomain]) is different from the client domain ([MyDomain]), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server."

Investigating this further, I then searched my AD DC for the target SPN and I found several services registered for the affected server (SRV-HPE01), but I am still trying to figure out how to "ensure that the target SPN is only registered on the account used by the server" as the system error log entry suggests.

I will update the post when I am able to figure this out.

Thank you!
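
Added example, not part of the original thread: one way to check the condition the KRB_AP_ERR_MODIFIED message describes, an SPN registered on more than one account. The `Find-DuplicateSpn` function, the `example.local` domain and every account other than `SRV-HPE01$` are constructed for illustration; the sample array stands in for a live directory query.

```powershell
# Constructed sample data standing in for AD query results. Only SRV-HPE01$ comes
# from the thread; the other accounts and the example.local domain are hypothetical.
# Against a live domain (ActiveDirectory module), feed the function with:
#   Get-ADObject -LDAPFilter '(servicePrincipalName=*)' `
#       -Properties sAMAccountName, servicePrincipalName
$accounts = @(
    [pscustomobject]@{ sAMAccountName = 'SRV-HPE01$'; servicePrincipalName = @(
        'HOST/SRV-HPE01', 'HOST/srv-hpe01.example.local', 'TERMSRV/SRV-HPE01') }
    [pscustomobject]@{ sAMAccountName = 'svc-backup'; servicePrincipalName = @(
        'host/srv-hpe01.example.local') }
    [pscustomobject]@{ sAMAccountName = 'SRV-FILE02$'; servicePrincipalName = @(
        'HOST/SRV-FILE02') }
)

function Find-DuplicateSpn {
    param([Parameter(Mandatory)] [object[]] $Account)

    # Flatten to one row per (SPN, owning account) pair.
    $rows = foreach ($a in $Account) {
        foreach ($spn in $a.servicePrincipalName) {
            [pscustomobject]@{
                Spn   = $spn.ToLowerInvariant()   # SPNs are compared case-insensitively
                Owner = $a.sAMAccountName
            }
        }
    }

    # An SPN is a problem when more than one distinct account holds it: the KDC may
    # encrypt the ticket with a key the target server does not have.
    $rows | Group-Object -Property Spn |
        Where-Object { @($_.Group.Owner | Sort-Object -Unique).Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Spn    = $_.Name
                Owners = ($_.Group.Owner | Sort-Object -Unique) -join ', '
            }
        }
}

# With the sample data this reports host/srv-hpe01.example.local on two accounts.
Find-DuplicateSpn -Account $accounts | Format-Table -AutoSize
```

The built-in `setspn -X` runs the same duplicate search directly against the directory. Several SPNs on the server's own computer account are expected; only an SPN that also appears on a different account matches the first cause named in the event text.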
masnrock Commented:
Exactly how did your network layout change when the phone system was put in?
Jaime Bonilla, IT Specialist, Author Commented:
Masnrock, we had to configure VLANs on the main network switch to allow for voice and data on the same switch to be able to use the VoIP phones and connect the PCs to the same ports. I didn't think this would affect the network, but it seems that ever since we did that several users complained that they could not log in with their credentials, even though they were using the correct password. I actually tested this myself and it was affecting several user accounts, including my admin account on several servers. I ended up having to reboot the server in order to be able to log in with the same admin account again.