This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hi everyone, i have several errors in the system log Security-Kerberos, Event 4 The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server client001$. The target name used was cifs/client002.company.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. ... All guidance was about servers - but there are clients - and they are different all the time. So it is not a problem of one/several clients. Anyone has seen this before? BR Stephan
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 86%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EV%3C/text%3E%3C/svg%3E)
Hello Stephan,
Thanks for posting your query.
SPN are not only registered for users accounts but are also registered to machines be it server or client.
KRB_AP_ERR_MODIFIED arises when system is unable to decrypt the ticket. This could be due to encryption type mismatch.
Verify encryption type is set same for machine and service accounts.
Check for msDS-SupportedEncryptionType attribute value in users and computers
It is a DNS issue - the DHCP lease is to short so that the DNS scavenging did not tidy up the old entries. So client002.company.local returns the IP adress of client001 Now i just have to examine who is trying to access the admin shares all the time ;) Thanks for your help.
