Friday, 24 July 2015

KRB_AP_ERR_MODIFIED - Event 4 - SBS11

Today I'm seeing several Security-Kerberos event id 4 messages on an SBS 2011 stand-alone server:

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server COMPUTER1$. The target name used was RPCSS/COMPUTER2.mydomain.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (MYDOMAIN.LOCAL) is different from the client domain (MYDOMAIN.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

It would appear that the IP address for COMPUTER1$ in the DNS, is actually being used by COMPUTER2...  so try to find the IP address for COMPUTER2...

Open Administrator Tools -> DNS
Navigate to DNS->servername->Forward Lookup Zones->mydomain.local
Order by the Data column... which may contain mostly IP addresses
Look down the Data column for duplicated IP addresses.  In my case COMPUTER1 and COMPUTER2 had the IP address 192.168.0.15

Run a CMD window (Windows Key+R->type 'cmd'->OK) and type: ping -a 192.168.0.15 (or whatever the duplicate IP address.  Also you can run nbtstat -A 192.168.0.15 ... this resolved to COMPUTER2...

In the DNS Forward Lookup Zones for mydomain.local, I deleted anything with an IP address of 192.168.0.15 that was not COMPUTER2 - one of them was COMPUTER1.

That should prevent this error message appearing again.

For each of these computers I was also seeing a DistributedCOM Event Id 10009

DCOM was unable to communicate with the computer COMPUTER1.mydomain.local using any of the configured protocols.

These appear every 30 minutes since the last reboot.  But not in the last 90 minutes since I deleted duplicate forward lookup entries... Problem solved?   Now to figure out why the server locked us all out earlier today... WSUS overgrowth on C drive is the first contender... the SSDB is 22 GB....

No comments:

Post a comment