Hello Stephan,
Thanks for posting your query.
SPNs are registered not only for user accounts but also for machines, be it server or client.
KRB_AP_ERR_MODIFIED arises when the system is unable to decrypt the ticket. This could be due to an encryption type mismatch.
Verify that the encryption type is set the same for machine and service accounts.
Check the msDS-SupportedEncryptionTypes attribute value on users and computers.
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server - between Win10 clients

Hi everyone,

I have several errors in the system log, Security-Kerberos, Event 4:

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server client001$. The target name used was cifs/client002.company.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. ...

All guidance was about servers - but these are clients - and they are different all the time. So it is not a problem of one or several clients. Has anyone seen this before?

BR Stephan
Vaidish 76 Reputation points
2023-04-23T19:09:18.9366667+00:00
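
The two checks raised in this thread (the encryption types each account advertises, and an SPN registered on more than one account) can be run together. The following is an added example, not part of the original posts; the sample records and their values are constructed, and `client002-old$` is a hypothetical stale account.

```powershell
# Bit values of msDS-SupportedEncryptionTypes, as defined in [MS-KILE].
$EncBits = [ordered]@{
    'DES-CBC-CRC'             = 0x01
    'DES-CBC-MD5'             = 0x02
    'RC4-HMAC'                = 0x04
    'AES128-CTS-HMAC-SHA1-96' = 0x08
    'AES256-CTS-HMAC-SHA1-96' = 0x10
}

function ConvertTo-EncTypeName {
    param([Nullable[int]]$Value)
    # An unset or zero attribute means the KDC applies its default types.
    if (-not $Value) { return 'not set (KDC default)' }
    $names = foreach ($e in $EncBits.GetEnumerator()) {
        if ($Value -band $e.Value) { $e.Key }
    }
    $names -join ', '
}

function Find-DuplicateSpn {
    param([object[]]$Accounts)
    $pairs = foreach ($a in $Accounts) {
        foreach ($spn in $a.servicePrincipalName) {
            [pscustomobject]@{ Spn = $spn.ToLower(); Account = $a.SamAccountName }
        }
    }
    # An SPN held by two accounts means a ticket may be encrypted with the wrong key.
    $pairs | Group-Object Spn | Where-Object Count -gt 1 | ForEach-Object {
        [pscustomobject]@{ Spn = $_.Name; Accounts = $_.Group.Account -join ', ' }
    }
}

# Constructed sample records. In a domain, build $accounts from the directory instead:
#   Get-ADObject -LDAPFilter '(servicePrincipalName=*)' `
#     -Properties SamAccountName,servicePrincipalName,msDS-SupportedEncryptionTypes
$accounts = @(
    [pscustomobject]@{ SamAccountName = 'client001$'; 'msDS-SupportedEncryptionTypes' = 0x1C
                       servicePrincipalName = @('HOST/client001.company.local') }
    [pscustomobject]@{ SamAccountName = 'client002$'; 'msDS-SupportedEncryptionTypes' = 0x18
                       servicePrincipalName = @('HOST/client002.company.local') }
    [pscustomobject]@{ SamAccountName = 'client002-old$'; 'msDS-SupportedEncryptionTypes' = $null
                       servicePrincipalName = @('host/CLIENT002.company.local') }
)

# Report 1: decoded encryption types per account. Report 2: SPNs on several accounts.
$accounts | ForEach-Object {
    [pscustomobject]@{ Name = $_.SamAccountName
                       EncTypes = ConvertTo-EncTypeName ($_.'msDS-SupportedEncryptionTypes') }
} | Format-Table -AutoSize
Find-DuplicateSpn $accounts | Format-Table -AutoSize
```

On a domain-joined machine, `setspn -X` performs the duplicate-SPN search directly against the directory.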