Kerberos Security Error
Hi,
Windows 2012 R2 forest/domain - Windows 2012 R2 VMs.
I have added a new server to Server Manager on the management server, and it shows 'Kerberos security error'. The servers have been set up identically. Looking in the System event log, Security-Kerberos Event ID 4:
"The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server athena$. The target name used was http/athena.domain.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is registered on the account used by the server. This error can happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (domain.local) is different from the client domain (domain.local), check if there are identically named server accounts in these 2 domains, or use the fully-qualified name to identify the server."
I have tried removing and adding the offending server (athena). I have run setspn -q with the following results:
"c:\users\me>setspn -q http/athena.domain.local
checking domain dc=domain,dc=local
cn=crystal reports,ou=opsusers,ou=users,ou=mybusiness,dc=domain,dc=local
http/reports.externaldomain.com
http/athena
http/athena.domain.local
bicms/ops.crystalserver.domain.local
existing spn found!"
- How do I stop this happening?
- On the first line of the error, should it show athena$ - is this a hidden server?
Thanks
Tony
Hi,
Please check the steps below, verify your typing, and note that setspn checks the sAMAccountName, which cannot be longer than 20 characters.
Remove the old SPN:
1. setspn -d <service>/<netbios name> machinename.domain.com
2. setspn -d <service>/<fqdn> machinename
Add the new SPN:
1. setspn -a <service>/<netbios name> <your domain>\<domain user account>
2. setspn -a <service>/<fqdn name> <your domain>\<domain user account>
Verify the SPNs with setspn:
1. setspn -l <machinename> (SPN should not be listed)
2. setspn -l <your domain>\<domain user account> (SPN should be listed)
Best regards,
Alvin Wang
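The check that the event text and the setspn -q output in the question call for, as an added example that is not part of the original thread: it parses setspn -q output and reports whether the SPN named in the event is held by an account other than the server account the event names. The function names are hypothetical, the sample text is constructed from the output quoted in the question, and it assumes a computer object's CN is its sAMAccountName without the trailing $.

```powershell
# Constructed sample: the setspn -q output quoted in the question.
$setspnOutput = @'
checking domain dc=domain,dc=local
cn=crystal reports,ou=opsusers,ou=users,ou=mybusiness,dc=domain,dc=local
        http/reports.externaldomain.com
        http/athena
        http/athena.domain.local
        bicms/ops.crystalserver.domain.local
existing spn found!
'@

# Hypothetical helper: group the SPN lines under the account DN that precedes them.
function Get-SpnHolder {
    param([Parameter(Mandatory)][string]$SetspnText)
    $holders = @()
    $current = $null
    foreach ($line in ($SetspnText -split "`r?`n")) {
        $t = $line.Trim()
        if (-not $t -or $t -match '^(checking domain|existing spn found|no such spn found)') { continue }
        if ($t -match '^cn=') {
            # A DN line starts a new account block.
            $current = [pscustomobject]@{
                DistinguishedName = $t
                Spns = New-Object 'System.Collections.Generic.List[string]'
            }
            $holders += $current
        } elseif ($current) {
            $current.Spns.Add($t)
        }
    }
    $holders
}

# Hypothetical check: is the event's target SPN held by the account the event names?
function Test-SpnOwner {
    param([string]$SetspnText, [string]$TargetSpn, [string]$ServerAccount)
    # Assumption: computer object CN = sAMAccountName without the trailing '$'.
    $expectedCn = $ServerAccount.TrimEnd('$')
    foreach ($h in (Get-SpnHolder -SetspnText $SetspnText)) {
        if ($h.Spns -notcontains $TargetSpn) { continue }
        # Simple RDN split; does not handle escaped commas inside a CN.
        $cn = ($h.DistinguishedName -split ',')[0] -replace '^cn=', ''
        [pscustomobject]@{ Spn = $TargetSpn; Holder = $h.DistinguishedName; Mismatch = ($cn -ne $expectedCn) }
    }
}

# Values taken from the Event ID 4 text: target name and server account.
Test-SpnOwner -SetspnText $setspnOutput -TargetSpn 'http/athena.domain.local' -ServerAccount 'athena$'
```

A row with Mismatch set to True means the KDC issues tickets for that SPN under a different account's key than the one the service on the server uses, which is the condition the event message describes.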