unable to connect VM

Schifter, Gabriela 255 Reputation points
2024-07-15T18:37:44.92+00:00

We are unable to connect to one of our VMs (MT-01). We get the error message below:

Error code: 0x516

Extended error code: 0x0

Activity ID: {50aacf50-deec-4736-bb63-61f97ef20000}

There are a few errors that we see in the Event logs:

A fatal error occurred when attempting to access the TLS server credential private key. The error code returned from the cryptographic module is 0x8009030D. The internal error state is 10001.

And

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server microsoft. The target name used was host/GPSQL-01. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (BCEW.COM) is different from the client domain (BCEW.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.


1 answer
Manu Philip 20,206 Reputation points MVP Volunteer Moderator
2024-07-15T18:55:53.35+00:00

    Hi,

    It looks like a wrongly registered SPN issue. I am posting the resolution found from the Microsoft reference below:

    To resolve this issue, the service principal name must be searched for and removed from the alternative account, and then it must be added to the correct account in Active Directory. To do that, follow these steps:

    1. At an elevated command prompt and using Enterprise Administrator credentials, run the command setspn -Q <SPN>. This will return a computer name. SetSPN.exe is installed with the Active Directory Directory Services role or with RSAT.
    2. Remove the incorrectly registered SPN by going to the command prompt and running the command setspn -D <SPN> <computername>.
    3. Add the SPN to the correct account at the command prompt by running the command setspn -A <SPN> <computername of computer which had the System event 4>.
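The three setspn.exe steps in the answer, wrapped in a script that first only reports which account(s) hold the SPN and changes nothing unless you ask it to. This is an added example for this thread, not the answerer's or Microsoft's code. It assumes (none of this is stated in the thread) that you run it elevated on a domain-joined machine that has RSAT/setspn.exe and with credentials allowed to edit the accounts; the default SPN is the one from the event on the page, and `$CorrectAccount` is a placeholder you must replace with the account that should actually own it.

```powershell
# Added example (not from the original post): query who holds an SPN, and only
# with -Fix, remove it from the wrong account and add it to the intended one.
# Assumptions: elevated session on a domain-joined host with setspn.exe present;
# $CorrectAccount below is a placeholder, not a value taken from the thread.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Spn = 'host/GPSQL-01',        # SPN named in the Kerberos event on the page
    [string]$CorrectAccount = 'GPSQL-01',  # placeholder: account that should own the SPN
    [switch]$Fix                           # without this the script only reports
)

function Get-SpnHolders {
    param([string]$Spn)
    # setspn -Q prints one "CN=<name>,..." distinguished name per object that has
    # the SPN, followed by that object's SPNs; pull the CN (account name) out of each.
    $lines = & setspn.exe -Q $Spn 2>&1 | ForEach-Object { $_.ToString() }
    $holders = foreach ($line in $lines) {
        if ($line -match '^CN=([^,]+),') { $Matches[1] }
    }
    return @($holders)
}

$holders = Get-SpnHolders -Spn $Spn
if ($holders.Count -eq 0) {
    Write-Host "No account currently holds $Spn."
} else {
    Write-Host "$Spn is registered on: $($holders -join ', ')"
}

# Any holder other than the intended account is the "alternative account" the
# answer refers to; while it exists the KDC issues tickets encrypted with that
# account's key, which the real service cannot decrypt (KRB_AP_ERR_MODIFIED).
$wrong = @($holders | Where-Object { $_ -ne $CorrectAccount })
foreach ($acct in $wrong) {
    Write-Warning "$Spn is registered on '$acct' instead of '$CorrectAccount'."
    if ($Fix -and $PSCmdlet.ShouldProcess($acct, "setspn -D $Spn")) {
        & setspn.exe -D $Spn $acct          # step 2 of the answer
    }
}

if ($holders -notcontains $CorrectAccount) {
    Write-Warning "$Spn is not registered on '$CorrectAccount'."
    if ($Fix -and $PSCmdlet.ShouldProcess($CorrectAccount, "setspn -A $Spn")) {
        & setspn.exe -A $Spn $CorrectAccount  # step 3 of the answer
    }
}
```

Run it once without `-Fix` to see the current holders, then with `-Fix -WhatIf` to preview the exact setspn commands before letting it make changes. setspn also offers `-X`, which lists every duplicate SPN in the forest, and `-S`, which behaves like `-A` but refuses to add an SPN that already exists elsewhere; both are useful checks before and after the change.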
