
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server


Scott Townsend

Nov 15, 2007, 6:53:11 PM
I get the following error about 14 times a day:

Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date: 11/15/2007
Time: 5:19:35 AM
User: N/A
Computer: EXCHANGE2003
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
EXCHANGE2000$. The target name used was SMTPSVC/mail.domain.com. This
indicates that the password used to encrypt the kerberos service ticket is
different than that on the target server. Commonly, this is due to
identically named machine accounts in the target realm (AD_DOMAIN.COM), and
the client realm. Please contact your system administrator.


I have an Exchange 2003 server as the Primary SMTP Server and the Exchange
2000 server as a Backup. Though I think I took out all the MX References to
it. Anyway, because of issues with SPAM, RBLs and other things both servers
respond to incoming connections as mail.domain.com. So on each of the SMTP
Server Properties, Delivery, Advanced, the Fully Qualified domain name on
both is: mail.domain.com.

Is that bad? Is that what is causing the error?

Thanks,
Scott<-
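
The event text names both the account that answered (EXCHANGE2000$) and the target name the client asked for (SMTPSVC/mail.domain.com), so the two can be checked against the SPN registrations. The following is an added example, not part of the original posts: the registration map is constructed sample data standing in for what `setspn -L <account>` would list for each server, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Description text of Kerberos Event ID 4, copied from the post above.
EVENT_TEXT = """The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
EXCHANGE2000$. The target name used was SMTPSVC/mail.domain.com. This
indicates that the password used to encrypt the kerberos service ticket is
different than that on the target server."""

# Constructed sample data: account -> SPNs registered on it.
REGISTRATIONS = {
    "EXCHANGE2003$": ["SMTPSVC/mail.domain.com", "SMTPSVC/EXCHANGE2003"],
    "EXCHANGE2000$": ["SMTPSVC/EXCHANGE2000"],
}

EVENT_RE = re.compile(
    r"KRB_AP_ERR_MODIFIED error from the server (?P<server>\S+?)\. "
    r"The target name used was (?P<spn>\S+?)\.(?: |$)",
    re.IGNORECASE,
)

def parse_event(description):
    """Return (responding_account, target_spn), or None if the text does not match."""
    text = " ".join(description.split())  # undo event-viewer line wrapping
    m = EVENT_RE.search(text)
    return (m.group("server").upper(), m.group("spn").lower()) if m else None

def diagnose(description, registrations):
    """Compare the account that answered with the account(s) holding the SPN."""
    parsed = parse_event(description)
    if parsed is None:
        return ("not-event-4", None, None, [])
    server, spn = parsed
    owners = defaultdict(set)
    for account, spns in registrations.items():
        for name in spns:
            owners[name.lower()].add(account.upper())  # SPNs are case-insensitive
    holders = sorted(owners.get(spn, ()))
    if len(holders) > 1:
        verdict = "duplicate-spn"              # same SPN on several accounts
    elif not holders:
        verdict = "spn-not-in-export"          # registration data is incomplete
    elif server not in holders:
        verdict = "spn-held-by-other-account"  # ticket encrypted with another account's key
    else:
        verdict = "spn-matches-responder"      # look at the account password instead
    return (verdict, server, spn, holders)

if __name__ == "__main__":
    print(diagnose(EVENT_TEXT, REGISTRATIONS))
```
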

Manfred Zhuang [MSFT]

Nov 16, 2007, 5:02:25 AM
Hello Scott,

Thanks for posting in this newsgroup!

From the post, I understand the problem to be: you received the
following Kerberos error on your DCs after replacing a DC.

Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date: 11/15/2007
Time: 5:19:35 AM
User: N/A
Computer: EXCHANGE2003
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
EXCHANGE2000$. The target name used was SMTPSVC/mail.domain.com. This
indicates that the password used to encrypt the kerberos service ticket is
different than that on the target server. Commonly, this is due to
identically named machine accounts in the target realm (AD_DOMAIN.COM), and
the client realm. Please contact your system administrator.

According to my research, this behavior is caused by a broken secure
channel. Therefore, you may try the following approach to eliminate this
problem:

1. Stop the KDC on all of the DCs (except for the PDC) and set it to manual.

2. Use the following command to reset the secure channel on one DC (not the PDC)
at a time.

"netdom resetpwd /server:ip_address_of_PDC /userd:domainname\administrator /passwordd:admin_password" (without the quotation marks)

3. After resetting the secure channel password, reboot this DC.

4. Repeat the process on the remaining DCs.

5. Turn the KDC back on.

You may refer to the following MS KB article for more information:

288167 Error Message "Target Principal Name is Incorrect" When Manually
http://support.microsoft.com/?id=288167

Hope the suggestion above is useful. :)

Best regards,

Manfred Zhuang(MSFT)
Microsoft Online Newsgroup Support


Scott Townsend

Nov 17, 2007, 12:41:00 PM
Hmmm... I have not replaced any DCs, not for quite some time.

The Exchange2003 and the Exchange2000 servers are not DCs.

The names that are duplicated are the Fully Qualified domain name on both
SMTP Virtual Servers. There is no physical machine with that as a name.

I'll try as you suggested, though I'm not getting the error on any of my DCs.


Manfred Zhuang [MSFT]

Nov 20, 2007, 2:33:00 AM
Hi Scott,

Thank you for your reply.

I understand that you will try the steps and check if it works.

If you have any further questions, feel free to let me know.

Best regards,
