Apr 19, 2007

Kerberos Event ID 4 - draft

Event Type: Error

Event Source: Kerberos

Event Category: None

Event ID: 4

Date: 4/18/2007

Time: 2:01:16 AM

User: N/A

Computer: computer1


The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/njmail01.corpdomain.com. The target name used was COMPUTER2. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (CORPDOMAIN.COM), and the client realm. Please contact your system administrator.

Theory that needs more study to verify:

A client requested a service/resource from COMPUTER2 and got a ticket encrypted with COMPUTER2's key. But somehow it sent the ticket to COMPUTER1, which couldn't decrypt the ticket because it didn't have the correct key.

Cause:

1. A DNS or other name resolution error causes the client to send the ticket to the wrong machine. Check whether there are any wrong or duplicate A/PTR records for COMPUTER1 and COMPUTER2.

2. COMPUTER2 didn't have one of its SPNs registered. When a request for that service arrives with its ticket, the ticket is handed to the local computer account, which has a host/SPN (or cifs/SPN) created automatically. In this case host/SPN isn't the service that was expected, so the error is generated.

Example: COMPUTER2 is a SQL server; it should have had a sql/SPN registered for its service account, but it didn't. When a client asks COMPUTER2 for the SQL service, ideally the ticket should go to the SQL service, but since there is no sql/SPN record in AD, the ticket is sent to the local machine account (COMPUTER2) instead. The local computer tries to use its automatically generated cifs/SPN (host/SPN) to decrypt the ticket and fails.
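As an added diagnostic for the two causes above (this script is not part of the original note), the following PowerShell checks forward/reverse DNS consistency for the server named in the event and then asks AD which accounts hold a given SPN. The host name and SPN values are placeholders to be replaced by the operator; the script assumes a domain-joined machine with .NET's System.DirectoryServices available.

```powershell
# Added example, not from the original note. Host name and SPN are placeholders.
param(
    [string]$HostName = "njmail01.corpdomain.com",              # server named in the event
    [string]$Spn      = "MSSQLSvc/njmail01.corpdomain.com:1433"  # hypothetical service SPN to check
)

# Cause 1: forward lookup, then reverse lookup of each address. A PTR that names
# a different host is the symptom of the ticket being delivered to the wrong machine.
Write-Host "== Name resolution check for $HostName =="
$addresses = [System.Net.Dns]::GetHostAddresses($HostName)
foreach ($addr in $addresses) {
    try {
        $ptr = [System.Net.Dns]::GetHostEntry($addr).HostName
    } catch {
        $ptr = "<no PTR record>"
    }
    $flag = if ($ptr -ieq $HostName) { "ok" } else { "MISMATCH" }
    Write-Host ("{0,-16} -> {1,-40} {2}" -f $addr.IPAddressToString, $ptr, $flag)
}

# Cause 2: which AD accounts hold the SPN? Zero hits means the service has no SPN
# of its own (the note's missing sql/SPN case); more than one hit means duplicate
# registrations, so the KDC may encrypt the ticket with the wrong account's key.
Write-Host "== SPN ownership check for $Spn =="
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(servicePrincipalName=$Spn)"
$null = $searcher.PropertiesToLoad.Add("sAMAccountName")
$null = $searcher.PropertiesToLoad.Add("distinguishedName")
$results = $searcher.FindAll()
switch ($results.Count) {
    0       { Write-Host "MISSING: no account holds $Spn" }
    1       { Write-Host ("Registered on " + $results[0].Properties["samaccountname"][0]) }
    default {
        Write-Host "DUPLICATE: $($results.Count) accounts hold this SPN"
        foreach ($r in $results) { Write-Host ("  " + $r.Properties["distinguishedname"][0]) }
    }
}
```

Run it from a domain-joined host as a user allowed to read AD; the same DirectorySearcher filter can be reused with `(servicePrincipalName=host/COMPUTER2*)` to look for the identically named machine accounts the event text mentions.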

Microsoft Link

(search on keyword KRB_AP_ERR_MODIFIED)