Important! Do not copy-paste the command-line code into your environment. Type the text yourself, as copy-paste can cause problems (I suspect the Unicode formatting differs on some web pages).
Update: After this blog-entry I had an article published that gives an overview of Kerberos in a Sharepoint environment
Update 23/12-2008: On Windows Server 2008, IIS 7 uses kernel-mode authentication, so the Kerberos tickets are handled by the machine identity and not by the Application Pool identity. This causes KRB_AP_ERR_MODIFIED errors, and kernel-mode authentication must be switched off (see this blog entry by Spence Harbar: http://www.harbar.net/archive/2008/05/18/Using-Kerberos-with-SharePoint-on-Windows-Server-2008.aspx)
This article is about troubleshooting the specific error message and is mainly written for the Microsoft Sharepoint configuration. It can give some insight for other scenarios as well.
I ran into this error message in multiple Windows Sharepoint Services 3.0 (WSS) and Microsoft Office Sharepoint Server 2007 (MOSS) installations, each with a different solution, and you can spend hours or days troubleshooting it. Therefore I wrote this article to summarize the problem and the possible solutions to the error.
Overview of what to configure for the Kerberos
Kerberos is the recommended authentication method in Sharepoint, so we need to catch our breath and see through the confusing error messages that pop up on our screen. First of all: it isn't really difficult to configure Kerberos if you know how to do it, and more importantly, how not to configure it wrong. If you just try to configure it without really knowing how it is supposed to be configured and why, you can get into trouble finding and undoing the bad configuration.
We only need the following to be done:
- Get a static IP address for all our servers and make sure the DNS zones (forward and reverse) do not have duplicate entries.
- Configure delegation trust for the Application Pool account and for the Frontend and SQL servers
- Configure HTTP Service Principal Names (SPN) for the Frontend server NETBIOS name and FQDN and bind them only to the Application Pool account
- Configure the clients' Internet Explorer security zone for the site to "Intranet" and permit auto-logon for this zone
You can check my blog-entry Notes on configuring Sharepoint to use Kerberos for more information.
The problem with event id 4: KRB_AP_ERR_MODIFIED
The error appears in the Windows system eventlog on the client that tries to authenticate with the Sharepoint server, with event ID 4:
Event Type: Error
Event ID: 4
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/wss1.domain.local. The target name used was HTTP/wss1.domain.local. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (DOMAIN.LOCAL), and the client realm. Please contact your system administrator.
What this means is that the key the KDC used to encrypt the service ticket (the password of the account the SPN is registered on) is different from the key the server uses to decrypt it (the password of its own account). So how do you troubleshoot this issue? I searched the knowledge bases and forums and came up with many solutions to this error.
The problem is that the error can have a couple of different causes. I have tried to collect as many sources of the problem as I could find, with a solution for each one, starting with the one most likely to cause the problem.
- Duplicate DNS entries
Most configurations give the KRB_AP_ERR_MODIFIED error because old DNS entries on your DNS server were never removed. Simply remove these so you only have one IP address per server and one server per IP address (sort the records in DNS Manager to find duplicates). Also check the reverse lookup zone, as Kerberos uses this lookup to match the server. And remember the replication delay to other DNS servers and the DNS cache timeout on clients before testing; better wait a couple of minutes (or up to 30 min. for automatic replication).
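A quick way to check the records exported from both zones for the duplicates described above, as an added example that is not part of the original post (the record lists are constructed, and dns_problems and is_clean are my own helper names):

```python
from collections import defaultdict

# Constructed DNS records (not real data), as you would read them off the
# forward and reverse lookup zones in DNS Manager. wss1 kept a stale second
# address, and a decommissioned host still shares its current address.
A_RECORDS = [
    ("wss1.domain.local", "10.0.0.21"),
    ("wss1.domain.local", "10.0.0.35"),    # old address never removed
    ("sql1.domain.local", "10.0.0.22"),
    ("oldwss.domain.local", "10.0.0.21"),  # decommissioned, same IP as wss1
]
PTR_RECORDS = [
    ("10.0.0.21", "oldwss.domain.local"),  # reverse zone still names the old host
    ("10.0.0.22", "sql1.domain.local"),
]

def dns_problems(a_records, ptr_records):
    """Report hosts with several addresses, addresses shared by several hosts,
    and A records whose address does not reverse-resolve to the same name."""
    by_host, by_ip = defaultdict(set), defaultdict(set)
    for host, ip in a_records:
        by_host[host.lower()].add(ip)
        by_ip[ip].add(host.lower())
    ptr = {ip: name.lower() for ip, name in ptr_records}
    return {
        "multi_ip": {h: sorted(ips) for h, ips in by_host.items() if len(ips) > 1},
        "shared_ip": {ip: sorted(hs) for ip, hs in by_ip.items() if len(hs) > 1},
        # The server match is made via the reverse lookup, so each A record
        # must point back to itself; "" marks a missing PTR record.
        "reverse_mismatch": sorted(
            (host.lower(), ip, ptr.get(ip, ""))
            for host, ip in a_records if ptr.get(ip, "") != host.lower()
        ),
    }

def is_clean(a_records, ptr_records):
    """True when the zones meet the one-IP-per-server, one-server-per-IP rule."""
    return not any(dns_problems(a_records, ptr_records).values())
```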
- Multiple or missing SPN entries
The SPNs are configured and centrally stored in your KDC in Active Directory. You only need to map the HTTP-type SPNs to your Application Pool account. If you map them to more accounts/servers, or do not map them correctly, you get the error. Remember that the host-type SPN is used if no HTTP SPN is configured. Check for multiple mappings with the command:
ldifde -d "dc=domain,dc=local" -r "servicePrincipalName=http*" -p subtree -l "dn,servicePrincipalName" -f output.txt
The http/NETBIOS and http/FQDN SPNs must only appear on one object. Remove the ones that are not on the Application Pool account, and if none is configured for that account you must of course map the SPNs to it.
Note: It could be that the SPNs are case-sensitive, so check your server and domain names just in case! (See Shane Young's blog entry)
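As an added example (not from the original post), a small Python script that reads the output.txt file written by the ldifde command above and flags HTTP SPNs found on more than one object, plus the ones missing from the Application Pool account. The LDIF sample, the account name svc-apppool and the function names are assumptions; it also handles the continuation lines ldifde writes for long values.

```python
from collections import defaultdict

# Constructed sample of ldifde output (not real data): the FQDN SPN is wrongly
# present on both the machine account and the Application Pool account.
SAMPLE_LDIF = """\
dn: CN=WSS1,OU=Servers,DC=domain,DC=local
changetype: add
servicePrincipalName: HTTP/wss1
servicePrincipalName: HTTP/wss1.domain.local

dn: CN=svc-apppool,OU=Service Accounts,DC=domain,DC=local
changetype: add
servicePrincipalName: http/wss1.domain.local
"""

def parse_ldif(text):
    """Return {dn: [spn, ...]}; joins the leading-space continuation lines
    ldifde writes for long values (assumes plain, non-base64 values)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]        # continuation of the previous line
        else:
            lines.append(raw)
    records, dn, spns = {}, None, []
    for line in lines + [""]:           # trailing "" flushes the last record
        if not line.strip():
            if dn is not None:
                records[dn] = spns
            dn, spns = None, []
            continue
        attr, _, value = line.partition(":")
        if attr.lower() == "dn":
            dn = value.strip()
        elif attr.lower() == "serviceprincipalname":
            spns.append(value.strip())
    return records

def duplicate_spns(records):
    """SPNs (compared case-insensitively) found on more than one object."""
    owners = defaultdict(set)
    for dn, spns in records.items():
        for spn in spns:
            owners[spn.lower()].add(dn)
    return {spn: sorted(dns) for spn, dns in owners.items() if len(dns) > 1}

def missing_spns(records, apppool_dn, netbios, fqdn):
    """The two HTTP SPNs the Application Pool account must carry but does not."""
    have = {s.lower() for s in records.get(apppool_dn, [])}
    return [s for s in ("HTTP/" + netbios, "HTTP/" + fqdn) if s.lower() not in have]
```

Run it against the real file with parse_ldif(open("output.txt").read()); anything reported by duplicate_spns has to be removed from every object except the Application Pool account.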
- Computer account secure connection
Some clients/servers fail to set up a correct secure channel with the domain. If this happens you need to reset and rebuild it. Follow this link to Microsoft Knowledge Base article KB216393: http://support.microsoft.com/kb/216393/en-us
If your server/client has been cloned you need to generate a new security ID (SID); the recommended way to do this is to run the Microsoft sysprep utility. Another way is to use the former Sysinternals, now Microsoft, utility NewSID.
- Issues with the MTU Size
The network packets sent over the wire have a maximum length (the MTU). The error has been seen when an account is a member of a large number of groups, because the Kerberos ticket grows with every group and no longer fits in a single UDP packet. One way to deal with the MTU problem is to force Kerberos to use TCP. You can find information about this in Microsoft Knowledge Base article KB244474 (http://support.microsoft.com/kb/244474/en-us)
- Other problems with Kerberos
You can get other error messages in your Windows eventlog; please look all of these up before putting your servers in production. Most are related to the following:
- Time difference on the servers/clients
- Firewall restrictions on the servers/clients
More information about troubleshooting Kerberos
Troubleshooting Kerberos Errors: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx
Troubleshooting Kerberos-related issues in IIS: http://support.microsoft.com/default.aspx?scid=kb;en-us;326985#XSLTH3168121122120121120120