Jesper M. Christensen

SharePoint and Security

Troubleshooting the Kerberos error KRB_AP_ERR_MODIFIED


Important! Do not copy-paste the command-line code into your environment. Type the text yourself, as a copy-paste can cause problems (I suspect the Unicode formatting of quote characters differs on some web pages).

Update: After this blog entry I had an article published that gives an overview of Kerberos in a Sharepoint environment.

Update 23/12-2008: On Windows Server 2008, IIS 7 uses Kernel-mode authentication by default. The service ticket is then decrypted with the machine account's key and not with the key of the App. Pool identity, so when the HTTP SPN is registered on the App. Pool account the result is a KRB_AP_ERR_MODIFIED error. Kernel-mode authentication must be switched off (check out this blog by Spence Harbar: http://www.harbar.net/archive/2008/05/18/Using-Kerberos-with-SharePoint-on-Windows-Server-2008.aspx)
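The IIS 7 switch itself, as an added example that is not part of the original post or of Spence Harbar's article: it turns Kernel-mode authentication off for the SharePoint web application's IIS site with appcmd and reads the setting back. The site name "SharePoint - 80" is an assumption. The alternative offered by the same configuration section on IIS 7 builds that have it, keeping Kernel mode but letting it decrypt tickets with the Application Pool credentials (useAppPoolCredentials), is shown commented out; the post itself only describes switching Kernel mode off.

```powershell
# Added example, not from the original post. Disable IIS 7 Kernel-mode authentication so the
# Kerberos service ticket is decrypted with the Application Pool account's key (the account that
# owns the HTTP SPN) instead of the machine account's key. Site name is an assumption.
$site   = 'SharePoint - 80'
$appcmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
$section = 'system.webServer/security/authentication/windowsAuthentication'

# Show the current values before changing anything (look for useKernelMode="true")
& $appcmd list config "$site" "/section:$section"

# Option 1 (what the update above recommends): turn Kernel-mode authentication off.
# /commit:apphost writes the change to applicationHost.config instead of the site's web.config.
& $appcmd set config "$site" "/section:$section" /useKernelMode:false /commit:apphost

# Option 2 (alternative in the same section, not used by the post): keep Kernel mode but make it
# decrypt with the App Pool credentials. Only one of the two options should be applied.
# & $appcmd set config "$site" "/section:$section" /useKernelMode:true /useAppPoolCredentials:true /commit:apphost

# Re-read the section and confirm useKernelMode="false" (or useAppPoolCredentials="true"),
# then recycle the application pool or run iisreset before testing from a client again.
& $appcmd list config "$site" "/section:$section"
```

Run this in an elevated PowerShell prompt on the Frontend server; appcmd refuses to write applicationHost.config otherwise. After the change, clear the client's ticket cache (klist purge, or log off and on) so a fresh service ticket is requested.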

This article is about troubleshooting this specific error message and is mainly written for the Microsoft Sharepoint configuration, but it can give some insight for other scenarios as well.

I ran into this error message in multiple Windows Sharepoint Services 3.0 (WSS) and Microsoft Office Sharepoint Server 2007 (MOSS) installations, each with a different solution, and you can spend hours or days troubleshooting it. Therefore I wrote this article to summarize the problem and the possible solutions to the error.

Overview of what to configure for the Kerberos

Kerberos is the recommended authentication method in Sharepoint, and we need to catch our breath and see through the confusing error messages that pop up on our screen. First of all: it isn't really difficult to configure Kerberos if you know how to do it, and, more importantly, how not to configure it wrong. If you just try to configure it without knowing how it is supposed to be configured and why, you can get into trouble finding and undoing the bad configuration.

We only need the following to be done:

  • Give all our servers a static IP address and make sure the DNS zones (forward and reverse) do not have duplicate entries.
  • Configure delegation trust for the Application Pool account and for the Frontend and SQL servers.
  • Configure HTTP Service Principal Names (SPN) for the Frontend server NETBIOS name and FQDN and bind them only to the Application Pool account.
  • Configure the clients' Internet Explorer security zone for the site to "Intranet" and permit automatic logon for this zone.

You can check my blog-entry Notes on configuring Sharepoint to use Kerberos for more information.


The problem with event id 4: KRB_AP_ERR_MODIFIED

The error appears in the Windows System event log on the client that tries to authenticate to the Sharepoint server, with event id 4:

Source: Kerberos
Event Type: Error
Event ID: 4

The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/wss1.domain.local.  The target name used was HTTP/wss1.domain.local. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (DOMAIN.LOCAL), and the client realm.   Please contact your system administrator.

What this means is that the KDC encrypted the service ticket with the key of the account that the requested SPN (here HTTP/wss1.domain.local) maps to, but the service that received the ticket tried to decrypt it with a different key. In other words, the client asked for a ticket to one identity and presented it to another. So how do you troubleshoot this issue? I searched the knowledge bases and forums and came up with many solutions to this error.

The problem is that the error can have several causes. I have tried to collect as many sources of the problem as I could find, with a solution to each one, starting with the one most likely to cause the problem.

  1. Duplicate DNS entries
    Most configurations give the KRB_AP_ERR_MODIFIED error because old DNS entries on your DNS server have not been removed. Simply remove these so you only have one IP address per server and one server per IP address (sort the columns in the DNS Manager to find duplicates). Also check the reverse lookup zone: the client builds the target name from the name it resolves, so a stale or duplicate record can make it request a ticket for the wrong host. And remember the replication delay to other DNS servers and the DNS cache timeout on clients before testing; better wait a couple of minutes (or up to 30 min. for automatic replication).
  2. Multiple or missing SPN entries
    The SPNs are configured and centrally stored in Active Directory, which is your KDC. You only need to map the HTTP type to your Application Pool account. If you map it to more accounts/servers, or do not map it correctly, you get the error. Remember that the HOST SPN of the computer account is used as a fallback if no HTTP SPN is registered: the ticket is then encrypted with the machine account's key, which the Application Pool account cannot decrypt. Check for multiple mappings with the command (the dn of each object is always exported):

    ldifde -d "dc=domain,dc=local" -r "(servicePrincipalName=http*)" -p subtree -l "servicePrincipalName" -f output.txt

    The http/NETBIOS and http/FQDN SPNs must appear on only one object. Remove the ones that are not on the Application Pool account, and if none is configured for that account you must of course map the SPNs to it.

    Note: It could be that the SPNs are case-sensitive, so check your server and domain names just in case! (See Shane Young's blog entry)
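The checks behind items 1 and 2, as an added PowerShell example that is not part of the original post: it lists every account in the domain that carries an HTTP SPN (the same data the ldifde command exports), flags SPNs registered on more than one account, verifies that the two SPNs the Frontend needs sit on the Application Pool account and nowhere else, and then checks that the Frontend name resolves to exactly one address whose reverse record points back to it. The names wss1.domain.local and spAppPool are assumptions. It uses the [adsisearcher] type accelerator, so it runs on Windows Server 2008 without the ActiveDirectory module.

```powershell
# Added example, not from the original post. Assumptions: Frontend wss1.domain.local and an
# Application Pool identity with sAMAccountName 'spAppPool'. Run as a domain user on a domain member.
$frontEnd    = 'wss1.domain.local'
$poolAccount = 'spAppPool'

# --- Item 2: every HTTP SPN in the domain and who owns it ---
$searcher = [adsisearcher]'(servicePrincipalName=http/*)'
$searcher.PageSize = 500
$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'servicePrincipalName'))

$spnOwners = @{}   # lower-cased SPN -> array of sAMAccountNames that carry it
foreach ($result in $searcher.FindAll()) {
    $account = [string]$result.Properties['samaccountname'][0]
    foreach ($spn in $result.Properties['serviceprincipalname']) {
        if ($spn -notlike 'http/*') { continue }   # the account may also have MSSQLSvc/, HOST/ etc.
        $key = ([string]$spn).ToLowerInvariant()
        if (-not $spnOwners.ContainsKey($key)) { $spnOwners[$key] = @() }
        $spnOwners[$key] += $account
    }
}

'HTTP SPNs registered in the domain:'
foreach ($entry in ($spnOwners.GetEnumerator() | Sort-Object Key)) {
    $flag = if ($entry.Value.Count -gt 1) { '<-- DUPLICATE: the KDC cannot tell which key to use' } else { '' }
    '{0,-45} {1,-30} {2}' -f $entry.Key, ($entry.Value -join ', '), $flag
}

# The two SPNs the Frontend needs (NETBIOS and FQDN), on the App Pool account only
$netbios = ($frontEnd -split '\.')[0]
foreach ($needed in @("http/$netbios", "http/$frontEnd")) {
    $owners = if ($spnOwners.ContainsKey($needed)) { @($spnOwners[$needed]) } else { @() }
    if ($owners.Count -eq 0) {
        "MISSING  $needed : not registered, so the HOST/ SPN of the computer account is used and the ticket is encrypted with the machine key"
    } elseif ($owners -notcontains $poolAccount) {
        "WRONG    $needed : registered on $($owners -join ', ') instead of $poolAccount"
    } else {
        "OK       $needed : registered on $poolAccount"
    }
}

# --- Item 1: one name -> one address, and that address -> the same name ---
$addresses = @([System.Net.Dns]::GetHostAddresses($frontEnd) | Where-Object { $_.AddressFamily -eq 'InterNetwork' })
if ($addresses.Count -ne 1) {
    "DNS: $frontEnd resolves to $($addresses.Count) IPv4 addresses ($($addresses -join ', ')); expected exactly one"
}
foreach ($ip in $addresses) {
    $ptrName = [System.Net.Dns]::GetHostEntry($ip).HostName   # PTR lookup
    if ($ptrName -ne $frontEnd) { "DNS: reverse lookup of $ip gives '$ptrName', expected '$frontEnd'" }
}
```

Anything flagged DUPLICATE or WRONG is removed with setspn -D, and a MISSING SPN is added with setspn -A on the Application Pool account; on Windows Server 2008 the setspn -X switch gives the same duplicate report directly from the KDC's point of view. Note that the script matches SPNs case-insensitively, which is how the KDC resolves them; the case-sensitivity note above is about problems reported in the field, not about the lookup itself.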

  3. Computer account secure channel
    Some clients/servers fail to set up a correct secure channel with the domain. If this happens you need to reset and rebuild it. Follow this link to Microsoft Knowledge Base article KB216393 http://support.microsoft.com/kb/216393/en-us for instructions.

    If your server/client has been cloned you need to generate a new security ID (SID), and the recommended way to do this is to run the Microsoft sysprep utility. Another way is to use the former Sysinternals, now Microsoft, utility NewSID.

  4. Issues with the MTU size
    The network packets sent through the wires have a maximum length. Kerberos uses UDP by default, and if an account is a member of a large number of groups the ticket can grow beyond what fits in one datagram; the resulting fragmentation has been seen to cause this error. Besides adjusting the MTU, you can force Kerberos to use TCP. You can find information about this in Microsoft Knowledge Base article KB244474 (http://support.microsoft.com/kb/244474/en-us).

  5. Other problems with Kerberos
    You can have other error messages in your Windows event log, and please look all of these up before putting your servers in production. Most are related to the following:
  • Time difference between the servers/clients (Kerberos tolerates 5 minutes of clock skew by default)
  • Firewall restrictions on the servers/clients (the KDC must be reachable on port 88)
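The fix from item 4 and the two checks from item 5, as an added PowerShell example that is not part of the original post: it sets the MaxPacketSize registry value from KB244474 so Kerberos uses TCP, shows the client's clock offset against a domain controller, and tests that TCP port 88 on that controller is reachable. The domain controller name dc1.domain.local is an assumption. Windows Vista and Windows Server 2008 already use TCP for Kerberos by default, so the registry value matters for Windows XP and Windows Server 2003 machines; on those, run the registry part with the .NET Registry class or regedit if PowerShell is not installed.

```powershell
# Added example, not from the original post. Assumption: the KDC to test against is dc1.domain.local.
# Run in an elevated prompt on the client or server that logs event id 4.
$kdc = 'dc1.domain.local'

# --- Item 4: force Kerberos over TCP (KB244474). MaxPacketSize = 1 means "no ticket fits in UDP",
#     so every KDC request goes over TCP and large tickets are no longer fragmented. ---
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
Set-ItemProperty -Path $key -Name MaxPacketSize -Value 1 -Type DWord
Get-ItemProperty -Path $key -Name MaxPacketSize     # confirm it reads MaxPacketSize : 1

# --- Item 5a: clock skew. Kerberos rejects tickets when the skew exceeds 5 minutes (default);
#     w32tm prints the offset between this machine and the KDC, in seconds. ---
& w32tm.exe /stripchart /computer:$kdc /samples:3 /dataonly

# --- Item 5b: firewall. The client must reach the KDC on TCP 88 (and UDP 88 unless TCP is forced above).
#     TcpClient is used instead of Test-NetConnection so it also works on Windows Server 2008. ---
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($kdc, 88)
    "TCP 88 to $kdc : open"
} catch {
    "TCP 88 to $kdc : blocked or unreachable ($($_.Exception.Message))"
} finally {
    $tcp.Close()
}
```

The MaxPacketSize change takes effect for new ticket requests; purge the ticket cache (klist purge) or reboot before testing. If w32tm reports an offset of more than a few seconds, fix time synchronisation (the domain hierarchy via w32tm /resync) rather than the Kerberos configuration.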

More information about troubleshooting Kerberos

Troubleshooting Kerberos Errors: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx

Troubleshooting Kerberos-related issues in IIS: http://support.microsoft.com/default.aspx?scid=kb;en-us;326985#XSLTH3168121122120121120120



4 responses to “Troubleshooting the Kerberos error KRB_AP_ERR_MODIFIED”

  1. Murad December 5, 2008 at 23:54

    Hello All,

    Could someone please explain why I need to enable delegation on the computer accounts themselves (MOSS FEW servers and SQL server). I understand that the app pool account should have this "enable for delegation" check in AD because it needs to pass the ticket, but nowhere can I find why the computer account should also have this enabled. Is there anything internal to MOSS that runs as a local service? When does the computer account come into the picture where it needs to use delegation? I would really appreciate it if someone could shed some light on this requirement and also point me to a Microsoft article that talks about this in detail.

    Thanks
    Murad Akram

  2. Marlin Bledsoe April 16, 2011 at 03:09

    As I web site possessor I believe the content material here is rattling great , appreciate it for your hard work. You should keep it up forever! Best of luck.

  3. wordpress security suite May 8, 2013 at 08:03

    I like the valuable information you provide in your articles. I’ll bookmark your weblog and check again here frequently. I am quite certain I’ll learn a lot of new stuff right here! Good luck for the next!
