Kerberos error id 4

sebastianj81 126 Reputation points
2021-11-27T17:15:41.357+00:00

Hello All,

May I kindly ask you for help?
I'm trying to resolve below Kerberos error:

152960-obraz.png

  1. Please correct me if I'm worng but probably some user or application is trying to get access from my server(my_server) to share on remote server1, right?
    This application or user use DNS share alias (there is DNS alias added - share) and not SPN is added for this remote server1.
    Now to resolve this issue I need to add SPN for server1, correct?
  2. How can I check which user or application is trying to get access to this share from my server for example my_server?

Regards,
Sebastian

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
8,184 questions
No comments
{count} votes

1 answer

Sort by: Most helpful
  1. cthivierge 3,876 Reputation points
    2022-02-09T14:35:56.42+00:00

    Correct.

    KRB_AP_ERR_MODIFIED is most of the time caused by a SPN that is not set on the correct AD Account.

    From your DC or any Windows 2016+, you can run the following command:
    setspn -Q CIFS/Share
    setspn -Q CIFS/Share.yourdomain.com

    This will query your AD Database to see if this SPN exist and on which account it is currently set.

    Please note that CIFS/Share may not be set and it is not required because the SPN HOST/Share also work for this.

    To add the CIFS/Share SPN on the Server1 account, run the following command:
    setspn -S CIFS/share Server1
    setspn -S CIFS/share.yourdomain.com Server1

    The reason why i suggest you to add the FDQN as well as the short name is because you don't know how the client could connect to your server.

    hth

    No comments