The kerberos client received a KRB_AP_ERR_MODIFIED error

Due to some reconfiguration, I turned off a domain controller. Everything seemed to be working fine, until a few people complained about authentication errors on a Java-environment. Because I wanted to fix this problem quickly, I edited my DNS-record in Active Directory: I pointed my turned-off server (DC2) to the IP-address of a running DC (DC1). This seemed to be working, until a few people faced an error on the logon script: “Logon failure: the target account name is incorrect“.

When checking the eventlog of the DC1, I noticed a few Error events like this one:

Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date:  <date>
Time:  <timestamp>
User:  N/A
Computer: DC1
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/  The target name used was . This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (domainname), and the client realm.   Please contact your system administrator.

Each time the error occurs on a client, a new event will be written in the eventlog. The problem will only occur to people who were logged on to the turned-off server previously. People already logged on to a different server, should not have this error.
Solution: don’t change the DNS-record of a Domain Controller to point to another Domain Controller. It will only result in a lot more problems than you already have 🙂

5 1 vote
Article Rating
Notify of
Inline Feedbacks
View all comments
Would love your thoughts, please comment.x