Kerberos error id 4

Sebastian Jesior 166 Reputation points

Hello All,

May I kindly ask you for help?
I'm trying to resolve below Kerberos error:


  1. Please correct me if I'm worng but probably some user or application is trying to get access from my server(my_server) to share on remote server1, right?
    This application or user use DNS share alias (there is DNS alias added - share) and not SPN is added for this remote server1.
    Now to resolve this issue I need to add SPN for server1, correct?
  2. How can I check which user or application is trying to get access to this share from my server for example my_server?


Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,088 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. cthivierge 4,051 Reputation points


    KRB_AP_ERR_MODIFIED is most of the time caused by a SPN that is not set on the correct AD Account.

    From your DC or any Windows 2016+, you can run the following command:
    setspn -Q CIFS/Share
    setspn -Q CIFS/

    This will query your AD Database to see if this SPN exist and on which account it is currently set.

    Please note that CIFS/Share may not be set and it is not required because the SPN HOST/Share also work for this.

    To add the CIFS/Share SPN on the Server1 account, run the following command:
    setspn -S CIFS/share Server1
    setspn -S CIFS/ Server1

    The reason why i suggest you to add the FDQN as well as the short name is because you don't know how the client could connect to your server.


    0 comments No comments