Sep 11, 2014

Kerberos event 4/Target account name is incorrect/ troubleshooting

This error is reported whenever the service provider (e.g. file server) cannot decrypt a service ticket that was sent to it. This is caused by the fact that the ticket was encrypted by one machine then sent to a different machine. In this case, the second machine doesn't have the private key to decrypt the ticket.

Troubleshooting steps

- make sure there is not duplicate SPN for the service you are trying to get. For example, if you want to access \\serverName1\sharePath and get above error; or on a file server you see kerberos event 4, you want to check if there is duplicate SPN host\serverName*. In the past, it takes a little effort to find duplicate SPNs, but started Windows7/2008, you can run setspn -X to find all duplicated SPNs in your domain

- make sure you don't have duplicate DNS entries for same server to different IPs (unless the server does have multiple IP, and all DNS entries are correct).

- if access using FQDN works but not short name (e.g. \\server.FQDN.com\sharePath works but not \\server\sharePath), and you have WINS in your environment, make sure the target server register correct 20h record (File Server) in WINS

- If your target computer has multiple names (mostly added by command netdom computername), then you should make sure you add SPNs for all the alias you have. For example, if you have a server has both names as server1 and server2, you should below spn registered in AD:

  • host/server1.fqdn.com
  • host/server1
  • host/server2.fqdn.com
  • host/server2
- make sure you don't have hosts file entries that resolve to wrong IP

- Log into the system that actually owns wrong IP, make sure it's not registering wrong name. For DNS, check NIC TCP/IP stack; for WINS, check "netdom computername localhost /enum", as well as check HKLM\CCS\Services\lanmanserver\parameters\OptionalNames